From 3121512228487c9c690d3d39bfd2579addf96e07 Mon Sep 17 00:00:00 2001
From: Simon Sawicki
Date: Thu, 6 Jul 2023 21:51:04 +0530
Subject: [core] Change how `Cookie` headers are handled
Cookies are now saved and loaded under `cookies` key in the info dict instead of `http_headers.Cookie`. Cookies passed in headers are auto-scoped to the input URLs with a warning.
Ref: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
Authored by: Grub4K
---
 yt_dlp/downloader/common.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'yt_dlp/downloader/common.py')
diff --git a/yt_dlp/downloader/common.py b/yt_dlp/downloader/common.py
index 8fe9d9993..2c404ee90 100644
--- a/yt_dlp/downloader/common.py
+++ b/yt_dlp/downloader/common.py
@@ -32,6 +32,7 @@ from ..utils import (
 timetuple_from_msec,
 try_call,
 )
+from ..utils.traversal import traverse_obj
 class FileDownloader:
@@ -419,7 +420,6 @@ class FileDownloader:
 """Download to a filename using the info from info_dict
 Return True on success and False otherwise
 """
-
 nooverwrites_and_exists = (
 not self.params.get('overwrites', True)
 and os.path.exists(encodeFilename(filename))
@@ -453,6 +453,11 @@ class FileDownloader:
 self.to_screen(f'[download] Sleeping {sleep_interval:.2f} seconds ...')
 time.sleep(sleep_interval)
+ # Filter the `Cookie` header from the info_dict to prevent leaks.
+ # See: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
+ info_dict['http_headers'] = dict(traverse_obj(info_dict, (
+ 'http_headers', {dict.items}, lambda _, pair: pair[0].lower() != 'cookie'))) or None
+
 ret = self.real_download(filename, info_dict)
 self._finish_multiline_status()
 return ret, True
--
cgit v1.2.3
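Review bot: The new assignment in the third hunk always writes `info_dict['http_headers']` and, because of the trailing `or None`, stores `None` whenever the key was absent or held only a `Cookie` header, so any downloader that reads the key expecting a mapping has to tolerate `None`; those consumers are outside this hunk and should be checked. It also mutates the caller's `info_dict` in place, which looks intended (the `real_download` call right below then sees the filtered headers) but is not stated anywhere. I would extend the comment to say both, for example `# Mutates info_dict on purpose; cookies are expected under info_dict['cookies'], and http_headers may be None after this.` The filter matches only the `Cookie` name, case-insensitively, so any other header carrying credentials that a caller places in `http_headers` is still passed on unchanged. `download()` starts and ends outside the hunk.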