You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
yt-dlp/yt_dlp/utils
Simon Sawicki ff07792676
[core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423)
The shell escape function now properly escapes `%`, `\\` and `\n`. `utils.Popen` as well as `%q` output template expansion have been patched accordingly.

Prior to this fix using `--exec` together with `%q` when on Windows could cause remote code to execute. See https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p for more details.

Authored by: Grub4K
7 months ago
..
__init__.py [compat] Ensure submodules are imported correctly 1 year ago
_deprecated.py [compat, networking] Deprecate old functions (#2861) 1 year ago
_legacy.py [cleanup] Misc (#8968) 8 months ago
_utils.py [core] Prevent RCE when using `--exec` with `%q` (CVE-2024-22423) 7 months ago
networking.py [networking] Strip whitespace around header values (#8802) 11 months ago
progress.py [fd/fragment] Improve progress calculation (#8241) 1 year ago
traversal.py [utils] `traverse_obj`: Convenience improvements (#9577) 8 months ago