0
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2024-11-30 03:33:02 +00:00
yt-dlp/yt_dlp/postprocessor/exec.py
Simon Sawicki de015e9307
[core] Prevent RCE when using --exec with %q (CVE-2023-40581)
The shell escape function is now using `""` instead of `\"`. `utils.Popen` has been patched to properly quote commands.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg for reference.

Authored by: Grub4K
2023-09-24 02:29:01 +02:00

41 lines
1.5 KiB
Python

from .common import PostProcessor
from ..compat import compat_shlex_quote
from ..utils import Popen, PostProcessingError, variadic
class ExecPP(PostProcessor):
def __init__(self, downloader, exec_cmd):
PostProcessor.__init__(self, downloader)
self.exec_cmd = variadic(exec_cmd)
def parse_cmd(self, cmd, info):
tmpl, tmpl_dict = self._downloader.prepare_outtmpl(cmd, info)
if tmpl_dict: # if there are no replacements, tmpl_dict = {}
return self._downloader.escape_outtmpl(tmpl) % tmpl_dict
filepath = info.get('filepath', info.get('_filename'))
# If video, and no replacements are found, replace {} for backard compatibility
if filepath:
if '{}' not in cmd:
cmd += ' {}'
cmd = cmd.replace('{}', compat_shlex_quote(filepath))
return cmd
def run(self, info):
for tmpl in self.exec_cmd:
cmd = self.parse_cmd(tmpl, info)
self.to_screen(f'Executing command: {cmd}')
_, _, return_code = Popen.run(cmd, shell=True)
if return_code != 0:
raise PostProcessingError(f'Command returned error code {return_code}')
return [], info
# Deprecated
class ExecAfterDownloadPP(ExecPP):
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.deprecation_warning(
'yt_dlp.postprocessor.ExecAfterDownloadPP is deprecated '
'and may be removed in a future version. Use yt_dlp.postprocessor.ExecPP instead')