Description
This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability
youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).
Impact
Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.
Patches
The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.
Master code d42a222 or later and nightly builds tagged 2024-07-03 or later contain the remediation.
Workarounds
Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version
- have
.%(ext)s at the end of the output template
- download from websites that you trust
- do not download to a directory within the executable search
PATH or other sensitive locations, such as your user directory or system directories
- in Windows versions that support it, set
NoDefaultCurrentDirectoryInExePath to prevent the cmd shell's executable search adding the default directory before PATH
- consider that the path traversal vulnerability as a result of resolving
non_existent_dir\..\..\target does not exist in Linux or macOS
- ensure the extension of the media to download is a common video/audio/... one (use
--get-filename)
- omit any of the subtitle options (
--write-subs/ --write-srt, --write-auto-subs/--write-automatic-subs, --all-subs).
References
References
Description
This advisory follows the security advisory GHSA-79w7-vh3h-8g4j published by the yt-dlp/yt-dlp project to aid remediation of the issue in the ytdl-org/youtube-dl project.
Vulnerability
youtube-dl does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows).
Impact
Since youtube-dl also reads config from the working directory (and, on Windows, executables will be executed from the youtube-dl directory by default) the vulnerability could allow the unwanted execution of local code, including downloads masquerading as, eg, subtitles.
Patches
The versions of youtube-dl listed as Patched remediate this vulnerability by disallowing path separators and whitelisting allowed extensions. As a result, some very uncommon extensions might not get downloaded.
Master code d42a222 or later and nightly builds tagged 2024-07-03 or later contain the remediation.
Workarounds
Any/all of the below considerations may limit exposure in case it is necessary to use a vulnerable version
.%(ext)sat the end of the output templatePATHor other sensitive locations, such as your user directory or system directoriesNoDefaultCurrentDirectoryInExePathto prevent the cmd shell's executable search adding the default directory beforePATHnon_existent_dir\..\..\targetdoes not exist in Linux or macOS--get-filename)--write-subs/--write-srt,--write-auto-subs/--write-automatic-subs,--all-subs).References
References