yt-dlp/yt_dlp/utils
Simon Sawicki ff07792676
[core] Prevent RCE when using --exec with %q (CVE-2024-22423)
The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details.

Authored by: Grub4K
2024-04-09 18:36:13 +02:00
..
__init__.py [compat] Ensure submodules are imported correctly 2023-07-22 18:10:35 +05:30
_deprecated.py [compat, networking] Deprecate old functions (#2861) 2023-07-15 16:18:35 +05:30
_legacy.py [cleanup] Misc (#8968) 2024-03-11 00:52:28 +05:30
_utils.py [core] Prevent RCE when using --exec with %q (CVE-2024-22423) 2024-04-09 18:36:13 +02:00
networking.py [networking] Strip whitespace around header values (#8802) 2023-12-20 19:15:38 +13:00
progress.py [fd/fragment] Improve progress calculation (#8241) 2023-10-08 02:01:01 +02:00
traversal.py [utils] traverse_obj: Convenience improvements (#9577) 2024-04-01 02:12:03 +02:00