0
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2024-12-22 06:00:00 +00:00
yt-dlp/yt_dlp/compat
Simon Sawicki de015e9307
[core] Prevent RCE when using --exec with %q (CVE-2023-40581)
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference.

Authored by: Grub4K
2023-09-24 02:29:01 +02:00
..
urllib [cleanup] Misc (#8182) 2023-09-23 20:00:31 +00:00
__init__.py [core] Prevent RCE when using --exec with %q (CVE-2023-40581) 2023-09-24 02:29:01 +02:00
_deprecated.py [compat] Ensure submodules are imported correctly 2023-07-22 18:10:35 +05:30
_legacy.py [cleanup] Misc fixes 2023-07-22 09:09:52 +05:30
compat_utils.py [dependencies] Handle deprecation of sqlite3.version (#8167) 2023-09-21 15:58:53 +00:00
functools.py Bugfix for 3a408f9d19 2022-05-20 21:25:07 +05:30
imghdr.py [mhtml, cleanup] Use imghdr 2022-07-31 02:20:12 +05:30
shutil.py [compat] Fix shutils.move in restricted ACL mode on BSD (#5309) 2022-11-07 20:54:30 +05:30
types.py Fix e0c4db04dc for pypy 2023-07-22 10:17:36 +05:30