mirror of
https://github.com/yt-dlp/yt-dlp.git
synced 2025-01-04 01:25:54 +01:00
de015e9307
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands. Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference. Authored by: Grub4K
42 lines
1.5 KiB
Python
42 lines
1.5 KiB
Python
from .common import PostProcessor
|
|
from ..compat import compat_shlex_quote
|
|
from ..utils import Popen, PostProcessingError, variadic
|
|
|
|
|
|
class ExecPP(PostProcessor):
|
|
|
|
def __init__(self, downloader, exec_cmd):
|
|
PostProcessor.__init__(self, downloader)
|
|
self.exec_cmd = variadic(exec_cmd)
|
|
|
|
def parse_cmd(self, cmd, info):
|
|
tmpl, tmpl_dict = self._downloader.prepare_outtmpl(cmd, info)
|
|
if tmpl_dict: # if there are no replacements, tmpl_dict = {}
|
|
return self._downloader.escape_outtmpl(tmpl) % tmpl_dict
|
|
|
|
filepath = info.get('filepath', info.get('_filename'))
|
|
# If video, and no replacements are found, replace {} for backard compatibility
|
|
if filepath:
|
|
if '{}' not in cmd:
|
|
cmd += ' {}'
|
|
cmd = cmd.replace('{}', compat_shlex_quote(filepath))
|
|
return cmd
|
|
|
|
def run(self, info):
|
|
for tmpl in self.exec_cmd:
|
|
cmd = self.parse_cmd(tmpl, info)
|
|
self.to_screen(f'Executing command: {cmd}')
|
|
_, _, return_code = Popen.run(cmd, shell=True)
|
|
if return_code != 0:
|
|
raise PostProcessingError(f'Command returned error code {return_code}')
|
|
return [], info
|
|
|
|
|
|
# Deprecated
|
|
class ExecAfterDownloadPP(ExecPP):
|
|
def __init__(self, *args, **kwargs):
|
|
super().__init__(*args, **kwargs)
|
|
self.deprecation_warning(
|
|
'yt_dlp.postprocessor.ExecAfterDownloadPP is deprecated '
|
|
'and may be removed in a future version. Use yt_dlp.postprocessor.ExecPP instead')
|