youtube-dl/youtube_dl
Jaime Marquínez Ferrándiz e37afbe0b8 [YoutubeDL] urlopen: disable the 'file:' protocol (#8227)
If someone is running youtube-dl on a server to deliver files, the user could input 'file:///some/important/file' and youtube-dl would save that file as a video giving access to sensitive information to the user.
'file:' urls can be filtered, but the user can use an URL to a crafted m3u8 manifest like:

    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:10.0
    file:///etc/passwd
    #EXT-X-ENDLIST

With this patch 'file:' URLs raise URLError like for unknown protocols.
2016-01-14 00:24:04 +01:00
..
downloader [downloader/fragment] Move helper data to context dict 2016-01-13 00:00:31 +06:00
extractor [tudou] Add support for Albums and Playlists and extract more metadata 2016-01-13 13:29:00 +01:00
postprocessor
__init__.py
__main__.py
aes.py
cache.py
compat.py
jsinterp.py
options.py
swfinterp.py Fix typos 2016-01-10 17:24:28 +01:00
update.py
utils.py Revert "fix typos" 2016-01-10 19:27:22 +01:00
version.py release 2016.01.09 2016-01-09 01:16:08 +01:00
YoutubeDL.py [YoutubeDL] urlopen: disable the 'file:' protocol (#8227) 2016-01-14 00:24:04 +01:00