mirrors/yt-dlp
1
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2026-02-22 16:36:54 +00:00
Code Issues Projects Releases Wiki Activity

[ie] Limit netrc_machine parameter to shell-safe characters

Browse Source 
Also adapts some extractor regexes to adhere to this limitation

See: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm

Authored by: Grub4K
This commit is contained in:
Simon Sawicki
2026-02-14 23:34:51 +01:00
parent c105461647
commit 1fbbe29b99
5 changed files with 17 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
test/test_InfoExtractor.py
View File

@@ -76,6 +76,8 @@ class TestInfoExtractor(unittest.TestCase):
self.assertEqual(ie._get_netrc_login_info(netrc_machine='empty_pass'), ('user', ''))
self.assertEqual(ie._get_netrc_login_info(netrc_machine='both_empty'), ('', ''))
self.assertEqual(ie._get_netrc_login_info(netrc_machine='nonexistent'), (None, None))
with self.assertRaises(ExtractorError):
ie._get_netrc_login_info(netrc_machine=';echo rce')
def test_html_search_regex(self):
html = '<p id="foo">Watch this <a href="http://www.youtube.com/watch?v=BaW_jenozKc">video</a></p>'