[core] Disallow unsafe extensions (CVE-2024-38519)

Ref: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j Authored by: Grub4K
2025-10-31 14:45:14 +00:00 · 2024-07-02 00:52:50 +02:00
parent 6aaf96a3d6
commit 5ce582448e
7 changed files with 179 additions and 12 deletions
--- a/devscripts/changelog_override.json
+++ b/devscripts/changelog_override.json
@@ -175,5 +175,10 @@
        "when": "e6a22834df1776ec4e486526f6df2bf53cb7e06f",
        "short": "[ie/orf:on] Add `prefer_segments_playlist` extractor-arg (#10314)",
        "authors": ["seproDev"]
+    },
+    {
+        "action": "add",
+        "when": "6aaf96a3d6e7d0d426e97e11a2fcf52fda00e733",
+        "short": "[priority] Security: [[CVE-2024-10123](https://nvd.nist.gov/vuln/detail/CVE-2024-10123)] [Properly sanitize file-extension to prevent file system modification and RCE](https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j)\n    - Unsafe extensions are now blocked from being downloaded"
    }
 ]