Commit Graph

746 Commits (f693213567010ecc108447cba4615ae2932d1c18)

Author SHA1 Message Date
Filippo Valsorda 4d318be195 [update] fix (unexploitable) BB'06 vulnerability in rsa_verify
The rsa_verify code was vulnerable to a BB'06 attack, allowing to forge
signatures for arbitrary messages if and only if the public key exponent is
3.  Since the updates key is hardcoded to 65537, there is no risk for
youtube-dl, but I don't want vulnerable code in the wild.

The new function adopts a way safer approach of encoding-and-comparing to
replace the dangerous parsing code.
9 years ago
Jaime Marquínez Ferrándiz e37afbe0b8 [YoutubeDL] urlopen: disable the 'file:' protocol (#8227)
If someone is running youtube-dl on a server to deliver files, the user could input 'file:///some/important/file' and youtube-dl would save that file as a video giving access to sensitive information to the user.
'file:' urls can be filtered, but the user can use an URL to a crafted m3u8 manifest like:

    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:10.0
    file:///etc/passwd
    #EXT-X-ENDLIST

With this patch 'file:' URLs raise URLError like for unknown protocols.
9 years ago
Jakub Wilk dfb1b1468c Fix typos
Closes #8200.
9 years ago
remitamine f11d00fa41 [test_subtitles] remove BlipTV test 9 years ago
Sergey M․ 6b77d52b1f [test_utils] Add tests for encode_compat_str 9 years ago
Yen Chi Hsuan db2fe38b55 [utils] Support alternative timestamp format in TTML
Fixes #7608
9 years ago
Yen Chi Hsuan d631d5f9f2 [utils] Fix TTML conversion
Tolerate invalid timestamps (closes #7909)
9 years ago
Sergey M․ 31b2051e21 [utils] Add remove_quotes 9 years ago
Jaime Marquínez Ferrándiz 47f48f5d85 [test/test_all_urls] Update pbs extractor name
It's in lowercase now (since e15e2ef7a0).
9 years ago
Sergey M․ 9cb9a5df77 [utils] Check ext with trailing slash against the list of known extensions 9 years ago
Sergey M․ 5035536e3f [test_utils] Add tests for determine_ext 9 years ago
Sergey M․ 7aefc49c40 [utils] Skip invalid/non HTML entities (Closes #7518) 9 years ago
Yen Chi Hsuan ff29bf81f8 [jsinterp] Support alternative function definition form 9 years ago
Yen Chi Hsuan 66d041f250 [test/subtitles] Add test for DemocracynowIE 9 years ago
Jaime Marquínez Ferrándiz 6a75040278 [utils] unified_strdate: Return None if the date format can't be recognized (fixes #7340)
This issue was introduced with ae12bc3ebb, it returned 'None'.
9 years ago
Sergey M 30eecc6a04 Merge pull request #7296 from jaimeMF/xml_attrib_unicode
Use a wrapper around xml.etree.ElementTree.fromstring in python 2.x (…
9 years ago
Sergey M․ 578c074575 [utils] Support list of xpath in xpath_element 9 years ago
Sergey M․ 52c3a6e49d [utils] Improve parse_iso8601 9 years ago
Jaime Marquínez Ferrándiz f78546272c [compat] compat_etree_fromstring: also decode the text attribute
Deletes parse_xml from utils, because it also does it.
9 years ago
Jaime Marquínez Ferrándiz 387db16a78 [compat] compat_etree_fromstring: only decode bytes objects 9 years ago
Jaime Marquínez Ferrándiz 36e6f62cd0 Use a wrapper around xml.etree.ElementTree.fromstring in python 2.x (#7178)
Attributes aren't unicode objects, so they couldn't be directly used in info_dict fields (for example '--write-description' doesn't work with bytes).
9 years ago
Jaime Marquínez Ferrándiz 65d49afa48 [test/test_download] Use extract_flat = 'in_playlist' for playlist items
Some playlist extractors return a 'url' result, which wouldn't be resolved.
9 years ago
Sergey M․ d01949dc89 [utils:js_to_json] Fix bad escape in double quoted strings 9 years ago
Sergey M․ 448ef1f31c [extractor/common] Allow angle brackets in attributes in _og_regexes (#7215) 9 years ago
Sergey M․ 8e5b121948 [test_youtube_lists] Add test flat playlist entries' titles 9 years ago
Sergey M․ db0a8ad979 [test_InfoExtractor] Add test for unquoted attribute 9 years ago
Sergey M․ 1c29e81e62 [test_InfoExtractor] Add test for 7a6d76a64d 9 years ago
Jaime Marquínez Ferrándiz 7d0ada5ff9 [test/helper] Fix style
Use the correct indentation to please flake8
9 years ago
Sergey M․ f88f1b40ce [test/helper] Clarify field for list length mismatch 9 years ago
Sergey M․ 386a7b52d5 [test/helper] Spelling 9 years ago
Sergey M․ 2e885de796 [test/helper] Formatting 9 years ago
Qijiang Fan 687c04cbb8 [test] use descriptive variable name 9 years ago
Qijiang Fan 40c931de4b [test] split expect_dict to two functions 9 years ago
Qijiang Fan 93bc7ef165 [test] recursively check dict and list in expect_info_dict
This allows to use md5:, re:, etc within the str inside a list
or dict.
9 years ago
Sergey M․ c6aa838b51 [youtube:history] Enable exractor 9 years ago
Jaime Marquínez Ferrándiz f005f96ea5 [youtube:history] Explain why it has disabled and skip test 9 years ago
remitamine c67a055d16 [test/test_write_annotations] fix test filename
Closes #6781
9 years ago
Sergey M․ 3513d41436 [test_compat] Fix typo 9 years ago
Sergey M․ ee087c79ad [test_compat] Add test for compat_shlex_split 9 years ago
Sergey M․ f71264490c [test_utils] Add tests for cli option converters 9 years ago
Sergey M․ 87f70ab39d [test_utils] Add more tests for xpath 9 years ago
Yen Chi Hsuan f908b74fa3 [test/subtitles] Add test for ThePlatformFeedIE 9 years ago
Sergey M․ 8e2b1be127 [test/helper] Make age_limit checkable field 10 years ago
Sergey M. d5d7bdaeb5 Merge pull request #6428 from dstftw/improve-generic-smil-support
Improve generic SMIL support
10 years ago
Jaime Marquínez Ferrándiz 232541df44 [YoutubeDL] format spec: correctly handle dashes and other unused operators
'mp4-baseline-16x9' must be handled as a single string, but the '-' was treated as an operator.
10 years ago
Jaime Marquínez Ferrándiz d96d604e53 YoutubeDL: format spec: don't accept a bare '/' (#6124) 10 years ago
Jaime Marquínez Ferrándiz 03950c90f7 Merge remote-tracking branch 'jaimemf/format_spec_groups' (closes #6124) 10 years ago
Sergey M․ 645f814544 [test/helper] Allow dicts for mincount 10 years ago
Sergey M․ 308cfe0ab3 [test_downloader] Respect --force-generic-extractor 10 years ago
Sergey M․ ee114368ad [utils] Make value optional for find_xpath_attr
This allows selecting particular attributes by name but without specifying the value and similar to xpath syntax `[@attrib]`
10 years ago