3pp-mirror/yt-dlp
1
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2025-05-31 17:56:29 +02:00
Code Issues Projects Releases Wiki Activity

[core] Prevent RCE when using --exec with %q (CVE-2024-22423)

Browse source 
The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details.

Authored by: Grub4K
This commit is contained in:
Simon Sawicki 2024-04-08 23:18:04 +02:00
parent 216f6a3cb5
commit ff07792676
No known key found for this signature in database
5 changed files with 53 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

4
test/test_utils.py
View file

@ -2069,6 +2069,10 @@ Line 1
# Test escaping
assert run_shell(['echo', 'test"&']) == '"test""&"\n'
assert run_shell(['echo', '%CMDCMDLINE:~-1%&']) == '"%CMDCMDLINE:~-1%&"\n'
assert run_shell(['echo', 'a\nb']) == '"a"\n"b"\n'
assert run_shell(['echo', '"']) == '""""\n'
assert run_shell(['echo', '\\']) == '\\\n'
# Test if delayed expansion is disabled
assert run_shell(['echo', '^!']) == '"^!"\n'
assert run_shell('echo "^!"') == '"^!"\n'