We disabled the generic extractor to prevent SSRF attacks (https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp) but the way we do this is by patching youtube-dl.
I have seen several AllTube instances using an unpatched version of youtube-dl, so we should improve SSRF protection for them.
We already call httplug-ssrf-plugin on submitted URLs but we should also call it on every URL passed to alltube-library (when generating a stream, a redirect, etc.). There are probably a lot of places in the code to look for (which is why disabling the generic extractor was an easier fix).
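A sketch of the single chokepoint this issue asks for, as an added example that is not AllTube's code and does not use httplug-ssrf-plugin's API: every URL goes through one guard before it reaches the downloader. `UrlGuard`, `UnsafeUrlException` and the injectable resolver are hypothetical names, and the DNS table in the demo is constructed.

```php
<?php
declare(strict_types=1);

// Added example: UrlGuard and UnsafeUrlException are hypothetical names,
// not part of AllTube, alltube-library or httplug-ssrf-plugin.
final class UnsafeUrlException extends RuntimeException {}

final class UrlGuard
{
    /** @var callable(string): string[] maps a hostname to its IP addresses */
    private $resolver;

    public function __construct(?callable $resolver = null)
    {
        // Default: system DNS, IPv4 A records only. The demo injects a fake resolver.
        $this->resolver = $resolver ?? static fn (string $h): array => gethostbynamel($h) ?: [];
    }

    /** Returns $url unchanged if it is safe to hand to the downloader, throws otherwise. */
    public function assertSafe(string $url): string
    {
        $parts = parse_url($url);
        if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
            throw new UnsafeUrlException('malformed URL or missing host');
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            throw new UnsafeUrlException('scheme not allowed');
        }
        $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
        $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : ($this->resolver)($host);
        if ($ips === []) {
            throw new UnsafeUrlException('host does not resolve');
        }
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        foreach ($ips as $ip) { // every resolved address must be public
            if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
                throw new UnsafeUrlException("resolves to internal address $ip");
            }
        }
        return $url;
    }
}

// Constructed demo: fake DNS table so the example runs offline.
$dns = ['media.example' => ['93.184.216.34'], 'intranet.example' => ['10.0.0.5']];
$guard = new UrlGuard(static fn (string $h): array => $dns[$h] ?? []);
foreach (['https://media.example/v.mp4', 'http://intranet.example/', 'http://127.0.0.1:8080/', 'file:///etc/passwd'] as $u) {
    try { $guard->assertSafe($u); echo "allow $u\n"; }
    catch (UnsafeUrlException $e) { echo "block $u ({$e->getMessage()})\n"; }
}
```

The guard resolves the host at validation time only; the downloader resolves it again and may follow redirects, so this check narrows the exposure on unpatched youtube-dl installs but does not replace disabling the generic extractor.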