mirror of https://github.com/yt-dlp/yt-dlp.git synced 2025-10-31 22:55:18 +00:00

[core] Disallow unsafe extensions (CVE-2024-38519)

Ref: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j

Authored by: Grub4K
Simon Sawicki
2024-07-02 00:52:50 +02:00
parent 6aaf96a3d6
commit 5ce582448e
7 changed files with 179 additions and 12 deletions

@@ -2229,6 +2229,14 @@ For ease of use, a few more compat options are available:
* `--compat-options 2022`: Same as `--compat-options 2023,playlist-match-filter,no-external-downloader-progress,prefer-legacy-http-handler,manifest-filesize-approx`
* `--compat-options 2023`: Currently does nothing. Use this to enable all future compat options
The following compat options restore vulnerable behavior from before security patches:
* `--compat-options allow-unsafe-ext`: Allow files with any extension (including unsafe ones) to be downloaded ([GHSA-79w7-vh3h-8g4j](<https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j>))
> :warning: Only use if a valid file download is rejected because its extension is detected as uncommon
>
> **This option can enable remote code execution! Consider [opening an issue](<https://github.com/yt-dlp/yt-dlp/issues/new/choose>) instead!**
### Deprecated options
These are all the deprecated options and the current alternative to achieve the same effect
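
Review bot: The new "restore vulnerable behavior" list sits directly under `--compat-options 2023`, which is described as the way "to enable all future compat options", and the added text does not say whether `allow-unsafe-ext` is excluded from that alias and from the other bundles listed above it. State this explicitly in the entry, for example that the option has to be named on its own and is never implied by a year alias, if that is how the code behaves. The entry also uses two different words for the rejected files, "unsafe" in the option line and "uncommon" in the warning; pick one and say where a user can see which extensions are accepted, so that someone whose download is rejected can judge whether it is a legitimate case before enabling an option the warning itself ties to remote code execution.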