yt-dlp/yt_dlp/utils
Simon Sawicki de015e9307
[core] Prevent RCE when using `--exec` with `%q` (CVE-2023-40581)
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference.

Authored by: Grub4K
2023-09-24 02:29:01 +02:00
..
__init__.py [compat] Ensure submodules are imported correctly 2023-07-22 18:10:35 +05:30
_deprecated.py [compat, networking] Deprecate old functions (#2861) 2023-07-15 16:18:35 +05:30
_legacy.py [networking] Remove dot segments during URL normalization (#7662) 2023-07-28 22:40:20 +00:00
_utils.py [core] Prevent RCE when using `--exec` with `%q` (CVE-2023-40581) 2023-09-24 02:29:01 +02:00
networking.py [utils] HTTPHeaderDict: Handle byte values 2023-07-30 03:18:10 +05:30
traversal.py [cleanup, utils] Split into submodules (#7090) 2023-05-20 21:56:23 +00:00