yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell.

However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11.

yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\n` will be replaced by `\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible.
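The affected range and platform condition stated above can be turned into a quick audit of existing yt-dlp invocations. The following Python helper is an added example, not yt-dlp's own code; its function names, the sample version string and the sample argument list are assumptions made for illustration.

```python
import re

FIRST_AFFECTED = (2021, 4, 11)  # template expansion in --exec added (per the text above)
FIRST_FIXED = (2023, 9, 24)     # release that fixes the escaping (per the text above)
FIELD_RE = re.compile(r"%\(([^)]+)\)")  # output-template field, e.g. %(title)q


def parse_version(text):
    """Turn 'YYYY.MM.DD' (any extra components ignored) into an int tuple."""
    parts = text.strip().split(".")[:3]
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised yt-dlp version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, platform):
    """Windows only, from 2021.04.11 up to but not including 2023.09.24."""
    in_range = FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED
    return platform == "win32" and in_range


def exec_commands(argv):
    """Return the command string of every --exec option in an argument list."""
    found = []
    for i, arg in enumerate(argv):
        if arg == "--exec" and i + 1 < len(argv):
            found.append(argv[i + 1])
        elif arg.startswith("--exec="):
            found.append(arg[len("--exec="):])
    return found


def audit(version, platform, argv):
    """List (exec command, expanded template fields) pairs that need review."""
    if not is_affected(version, platform):
        return []
    return [(cmd, FIELD_RE.findall(cmd)) for cmd in exec_commands(argv)]


# Constructed sample: the argument list of a scripted yt-dlp call.
SAMPLE_ARGV = ["yt-dlp", "--exec", "echo %(title)q", "--exec=notify.cmd",
               "https://example.invalid/v"]

if __name__ == "__main__":
    # "2023.07.06" and "win32" stand in for the installed version and sys.platform.
    for cmd, fields in audit("2023.07.06", "win32", SAMPLE_ARGV):
        print(f"review: --exec {cmd!r} expands fields {fields}")
```

Every `--exec` entry is reported on an affected install; the field list only shows which metadata values are expanded into the command, and an empty list is not treated as safe.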