The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes.
However, this escaping is not sufficient, and still allows expansion of environment variables.
Support for output template expansion in --exec, along with this vulnerable behavior, was added to yt-dlp in version 2021.04.11.
> yt-dlp "https://youtu.be/42xO6rVqf2E" --ignore-config -f 18 --exec "echo %(title)q"
[youtube] Extracting URL: https://youtu.be/42xO6rVqf2E
[youtube] 42xO6rVqf2E: Downloading webpage
[youtube] 42xO6rVqf2E: Downloading ios player API JSON
[youtube] 42xO6rVqf2E: Downloading android player API JSON
[youtube] 42xO6rVqf2E: Downloading m3u8 information
[info] 42xO6rVqf2E: Downloading 1 format(s): 18
[download] Destination: %CMDCMDLINE:~-1%&echo pwned&calc.exe [42xO6rVqf2E].mp4
[download] 100% of 126.16KiB in 00:00:00 at 2.46MiB/s
[Exec] Executing command: echo "%CMDCMDLINE:~-1%&echo pwned&calc.exe"
""
pwned
Patches
yt-dlp version 2024.04.09 fixes this issue by properly escaping %. It replaces them with %%cd:~,%, a variable that expands to nothing, leaving only the leading percent.
Workarounds
It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.
For Windows users who are not able to upgrade:
Avoid using any output template expansion in --exec other than {} (filepath).
If expansion in --exec is needed, verify the fields you are using do not contain %, ", | or &.
Instead of using --exec, write the info json and load the fields from it instead.
def compat_shlex_quote(s):
import re
return s if re.match(r'^[-_\w./]+$', s) else s.replace('"', '""').join('""')
It replaces " with "" to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the %CMDCMDLINE% variable can be used to generate a quote using %CMDCMDLINE:~-1%; since the value of %CMDCMDLINE% is the commandline with which cmd.exe was called, and it is always called with the command surrounded by quotes, %CMDCMDLINE:~-1% expands to ". After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed:
This PR contains the following updates:
==2024.3.10
->==2024.4.9
:warning: This is a minor update.
GitHub Vulnerability Alerts
CVE-2024-22423
Summary
The patch that addressed CVE-2023-40581 attempted to prevent RCE when using
--exec
with%q
by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables.Support for output template expansion in
--exec
, along with this vulnerable behavior, was added toyt-dlp
in version 2021.04.11.Patches
yt-dlp version 2024.04.09 fixes this issue by properly escaping
%
. It replaces them with%%cd:~,%
, a variable that expands to nothing, leaving only the leading percent.Workarounds
It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using
--exec
, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous.For Windows users who are not able to upgrade:
--exec
other than{}
(filepath).--exec
is needed, verify the fields you are using do not contain%
,"
,|
or&
.--exec
, write the info json and load the fields from it instead.Details
When escaping variables, the following code is used for Windows.
yt_dlp/compat/__init__.py
line 31-33It replaces
"
with""
to balance out the quotes and keep quoting intact if non-allowed characters are included. However, the%CMDCMDLINE%
variable can be used to generate a quote using%CMDCMDLINE:~-1%
; since the value of%CMDCMDLINE%
is the commandline with whichcmd.exe
was called, and it is always called with the command surrounded by quotes,%CMDCMDLINE:~-1%
expands to"
. After the quotes have been unbalanced, special characters are no longer quoted and commands can be executed:References
Release Notes
yt-dlp/yt-dlp (yt-dlp)
### [`v2024.4.9`](https://togithub.com/yt-dlp/yt-dlp/compare/2024.03.10...2024.04.09) [Compare Source](https://togithub.com/yt-dlp/yt-dlp/compare/2024.03.10...2024.04.09)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.