From 8913f27716400dabf4906a5ad690a5238f73496a Mon Sep 17 00:00:00 2001
From: Pierre Rudloff
Date: Tue, 8 Mar 2022 09:29:57 +0100
Subject: [PATCH] Disable the generic extractor entirely It can be used for SSRF attacks even when redirects are disabled
---
 composer.json | 2 +-
 composer.lock | 10 +++++-----
 patches/youtube-dl-disable-generic.diff | 12 ++++++++++++
 patches/youtube-dl-redirect.diff | 12 ------------
 4 files changed, 18 insertions(+), 18 deletions(-)
 create mode 100644 patches/youtube-dl-disable-generic.diff
 delete mode 100644 patches/youtube-dl-redirect.diff
diff --git a/composer.json b/composer.json
index c02f102..21640dd 100644
--- a/composer.json
+++ b/composer.json
@@ -78,7 +78,7 @@
 ],
 "patches": {
 "ytdl-org/youtube-dl": {
- "Disable redirects in generic extractor": "patches/youtube-dl-redirect.diff"
+ "Disable the generic extractor": "patches/youtube-dl-disable-generic.diff"
 }
 }
 },
diff --git a/composer.lock b/composer.lock
index 676e600..4a788ef 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b5c12c24e723e5246b8003cd84de873f", + "content-hash": "87b2074ab1d8a7ee59f719e26130ca36", "packages": [ { "name": "aura/session",
@@ -4086,12 +4086,12 @@ }, "type": "library", "autoload": { - "psr-4": { - "Amp\\Serialization\\": "src" - }, "files": [ "src/functions.php" - ] + ], + "psr-4": { + "Amp\\Serialization\\": "src" + } }, "notification-url": "https://packagist.org/downloads/", "license": [
diff --git a/patches/youtube-dl-disable-generic.diff b/patches/youtube-dl-disable-generic.diff
new file mode 100644
index 0000000..f02f6d4
--- /dev/null
+++ b/patches/youtube-dl-disable-generic.diff
@@ -0,0 +1,12 @@
+diff --git a/youtube_dl/extractor/__init__.py b/youtube_dl/extractor/__init__.py
+index 18d8dbcd6..4d3edfac3 100644
+--- a/youtube_dl/extractor/__init__.py
++++ b/youtube_dl/extractor/__init__.py
+@@ -13,7 +13,6 @@ except ImportError:
+ for name, klass in globals().items()
+ if name.endswith('IE') and name != 'GenericIE'
+ ]
+- _ALL_CLASSES.append(GenericIE)
+
+
+ def gen_extractor_classes():
diff --git a/patches/youtube-dl-redirect.diff b/patches/youtube-dl-redirect.diff
deleted file mode 100644
index d3f5530..0000000
--- a/patches/youtube-dl-redirect.diff
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/youtube_dl/extractor/generic.py b/youtube_dl/extractor/generic.py
-index f99d887ca..749ed6ecf 100644
---- a/youtube_dl/extractor/generic.py
-+++ b/youtube_dl/extractor/generic.py
-@@ -2252,6 +2252,7 @@ class GenericIE(InfoExtractor):
-
- def report_following_redirect(self, new_url):
- """Report information extraction."""
-+ raise UnsupportedError('Redirects are not allowed')
- self._downloader.to_screen('[redirect] Following redirect to %s' % new_url)
-
- def _extract_rss(self, url, video_id, doc):
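Review bot: In patches/youtube-dl-disable-generic.diff the dropped `_ALL_CLASSES.append(GenericIE)` sits under the `except ImportError:` context of the nested hunk header, so the generic extractor is only removed on that fallback path; the `try` branch is outside the hunk, and if it can populate `_ALL_CLASSES` itself the class would still be listed. A filter placed after the whole try/except, for example `_ALL_CLASSES = [klass for klass in _ALL_CLASSES if klass.__name__ != 'GenericIE']`, would cover both paths. `GenericIE` also remains importable, so any code that selects an extractor by key instead of iterating `_ALL_CLASSES` is presumably unaffected by this patch and is worth checking. Since the commit message names SSRF as the risk, a regression test asserting that no class returned by `gen_extractor_classes()` is the generic one, plus egress filtering on the host, would keep the protection from silently lapsing on a youtube-dl update.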