Disable the generic extractor entirely

It can be used for SSRF attacks even when redirects are disabled
This commit is contained in:
Pierre Rudloff 2022-03-08 09:29:57 +01:00
parent 148a171b24
commit 8913f27716
4 changed files with 18 additions and 18 deletions

View file

@ -78,7 +78,7 @@
],
"patches": {
"ytdl-org/youtube-dl": {
"Disable redirects in generic extractor": "patches/youtube-dl-redirect.diff"
"Disable the generic extractor": "patches/youtube-dl-disable-generic.diff"
}
}
},

10
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "b5c12c24e723e5246b8003cd84de873f",
"content-hash": "87b2074ab1d8a7ee59f719e26130ca36",
"packages": [
{
"name": "aura/session",
@ -4086,12 +4086,12 @@
},
"type": "library",
"autoload": {
"psr-4": {
"Amp\\Serialization\\": "src"
},
"files": [
"src/functions.php"
]
],
"psr-4": {
"Amp\\Serialization\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [

View file

@ -0,0 +1,12 @@
diff --git a/youtube_dl/extractor/__init__.py b/youtube_dl/extractor/__init__.py
index 18d8dbcd6..4d3edfac3 100644
--- a/youtube_dl/extractor/__init__.py
+++ b/youtube_dl/extractor/__init__.py
@@ -13,7 +13,6 @@ except ImportError:
for name, klass in globals().items()
if name.endswith('IE') and name != 'GenericIE'
]
- _ALL_CLASSES.append(GenericIE)
def gen_extractor_classes():

View file

@ -1,12 +0,0 @@
diff --git a/youtube_dl/extractor/generic.py b/youtube_dl/extractor/generic.py
index f99d887ca..749ed6ecf 100644
--- a/youtube_dl/extractor/generic.py
+++ b/youtube_dl/extractor/generic.py
@@ -2252,6 +2252,7 @@ class GenericIE(InfoExtractor):
def report_following_redirect(self, new_url):
"""Report information extraction."""
+ raise UnsupportedError('Redirects are not allowed')
self._downloader.to_screen('[redirect] Following redirect to %s' % new_url)
def _extract_rss(self, url, video_id, doc):