mirrors/yt-dlp
1
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2025-10-31 22:55:18 +00:00
Code Issues Projects Releases Wiki Activity

[core] Prevent RCE when using --exec with %q (CVE-2023-40581)

Browse Source 
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference.

Authored by: Grub4K
This commit is contained in:
Simon Sawicki
2023-09-24 02:29:01 +02:00
parent 61bdf15fc7
commit de015e9307
6 changed files with 46 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
yt_dlp/compat/__init__.py
View File

@@ -30,7 +30,7 @@ compat_os_name = os._name if os.name == 'java' else os.name
if compat_os_name == 'nt':
def compat_shlex_quote(s):
import re
return s if re.match(r'^[-_\w./]+$', s) else '"%s"' % s.replace('"', '\\"')
return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')
else:
from shlex import quote as compat_shlex_quote # noqa: F401