[core] Remove Cookie
header on redirect to prevent leaks
Adapted from yt-dlp/yt-dlp-ghsa-v8mc-9377-rwjj/pull/1/commits/101caac. Thanks coletdjnz
This commit is contained in:
parent
46fde7caee
commit
b383be9887
2 changed files with 36 additions and 4 deletions
|
@ -183,6 +183,11 @@ class HTTPTestRequestHandler(compat_http_server.BaseHTTPRequestHandler):
|
||||||
self._method('GET')
|
self._method('GET')
|
||||||
elif self.path.startswith('/headers'):
|
elif self.path.startswith('/headers'):
|
||||||
self._headers()
|
self._headers()
|
||||||
|
elif self.path.startswith('/308-to-headers'):
|
||||||
|
self.send_response(308)
|
||||||
|
self.send_header('Location', '/headers')
|
||||||
|
self.send_header('Content-Length', '0')
|
||||||
|
self.end_headers()
|
||||||
elif self.path == '/trailing_garbage':
|
elif self.path == '/trailing_garbage':
|
||||||
payload = b'<html><video src="/vid.mp4" /></html>'
|
payload = b'<html><video src="/vid.mp4" /></html>'
|
||||||
compressed = gzip_compress(payload) + b'trailing garbage'
|
compressed = gzip_compress(payload) + b'trailing garbage'
|
||||||
|
@ -385,8 +390,31 @@ class TestHTTP(unittest.TestCase):
|
||||||
ydl.cookiejar.set_cookie(compat_http_cookiejar_Cookie(
|
ydl.cookiejar.set_cookie(compat_http_cookiejar_Cookie(
|
||||||
0, 'test', 'ytdl', None, False, '127.0.0.1', True,
|
0, 'test', 'ytdl', None, False, '127.0.0.1', True,
|
||||||
False, '/headers', True, False, None, False, None, None, {}))
|
False, '/headers', True, False, None, False, None, None, {}))
|
||||||
data = ydl.urlopen(sanitized_Request(self._test_url('headers'))).read()
|
data = ydl.urlopen(sanitized_Request(
|
||||||
self.assertIn(b'Cookie: test=ytdl', data)
|
self._test_url('headers'))).read().decode('utf-8')
|
||||||
|
self.assertIn('Cookie: test=ytdl', data)
|
||||||
|
|
||||||
|
def test_passed_cookie_header(self):
|
||||||
|
# We should accept a Cookie header being passed as in normal headers and handle it appropriately.
|
||||||
|
with FakeYDL() as ydl:
|
||||||
|
# Specified Cookie header should be used
|
||||||
|
res = ydl.urlopen(sanitized_Request(
|
||||||
|
self._test_url('headers'), headers={'Cookie': 'test=test'})).read().decode('utf-8')
|
||||||
|
self.assertIn('Cookie: test=test', res)
|
||||||
|
|
||||||
|
# Specified Cookie header should be removed on any redirect
|
||||||
|
res = ydl.urlopen(sanitized_Request(
|
||||||
|
self._test_url('308-to-headers'), headers={'Cookie': 'test=test'})).read().decode('utf-8')
|
||||||
|
self.assertNotIn('Cookie: test=test', res)
|
||||||
|
|
||||||
|
# Specified Cookie header should override global cookiejar for that request
|
||||||
|
ydl.cookiejar.set_cookie(compat_http_cookiejar_Cookie(
|
||||||
|
0, 'test', 'ytdlp', None, False, '127.0.0.1', True,
|
||||||
|
False, '/headers', True, False, None, False, None, None, {}))
|
||||||
|
data = ydl.urlopen(sanitized_Request(
|
||||||
|
self._test_url('headers'), headers={'Cookie': 'test=test'})).read().decode('utf-8')
|
||||||
|
self.assertNotIn('Cookie: test=ytdlp', data)
|
||||||
|
self.assertIn('Cookie: test=test', data)
|
||||||
|
|
||||||
def test_no_compression_compat_header(self):
|
def test_no_compression_compat_header(self):
|
||||||
with FakeYDL() as ydl:
|
with FakeYDL() as ydl:
|
||||||
|
|
|
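Review bot: `test_passed_cookie_header` checks the redirect case only with `assertNotIn('Cookie: test=test', res)`, which proves that this particular value was not forwarded but not that the redirected request carried no `Cookie` header at all; since the `/headers` echo is asserted in the `'Cookie: ...'` form a few lines earlier, a stricter `self.assertNotIn('Cookie:', res)` would also catch a re-added or re-cased header, assuming the fresh `FakeYDL` cookiejar is still empty at that point (it is only populated later in the test). The only redirect exercised is a same-host 308 to `/headers`; the 301/302/303 paths the handler also rewrites get no cookie assertion, so a second case through one of the existing 3xx test endpoints, if the test server has one, would cover the method-changing branch as well. The request-handler method the first hunk extends starts outside that hunk, while `test_passed_cookie_header` is complete within the second.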
@ -2968,7 +2968,6 @@ class YoutubeDLRedirectHandler(compat_urllib_request.HTTPRedirectHandler):
|
||||||
|
|
||||||
new_method = req.get_method()
|
new_method = req.get_method()
|
||||||
new_data = req.data
|
new_data = req.data
|
||||||
remove_headers = []
|
|
||||||
|
|
||||||
# On python 2 urlh.geturl() may sometimes return redirect URL
|
# On python 2 urlh.geturl() may sometimes return redirect URL
|
||||||
# as a byte string instead of unicode. This workaround forces
|
# as a byte string instead of unicode. This workaround forces
|
||||||
|
@ -2981,6 +2980,11 @@ class YoutubeDLRedirectHandler(compat_urllib_request.HTTPRedirectHandler):
|
||||||
# but it is kept for compatibility with other callers.
|
# but it is kept for compatibility with other callers.
|
||||||
newurl = newurl.replace(' ', '%20')
|
newurl = newurl.replace(' ', '%20')
|
||||||
|
|
||||||
|
# Technically the Cookie header should be in unredirected_hdrs;
|
||||||
|
# however in practice some may set it in normal headers anyway.
|
||||||
|
# We will remove it here to prevent any leaks.
|
||||||
|
remove_headers = ['Cookie']
|
||||||
|
|
||||||
# A 303 must either use GET or HEAD for subsequent request
|
# A 303 must either use GET or HEAD for subsequent request
|
||||||
# https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.4
|
# https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.4
|
||||||
if code == 303 and req.get_method() != 'HEAD':
|
if code == 303 and req.get_method() != 'HEAD':
|
||||||
|
@ -2999,7 +3003,7 @@ class YoutubeDLRedirectHandler(compat_urllib_request.HTTPRedirectHandler):
|
||||||
|
|
||||||
# NB: don't use dict comprehension for python 2.6 compatibility
|
# NB: don't use dict comprehension for python 2.6 compatibility
|
||||||
new_headers = dict((k, v) for k, v in req.header_items()
|
new_headers = dict((k, v) for k, v in req.header_items()
|
||||||
if k.lower() not in remove_headers)
|
if k.title() not in remove_headers)
|
||||||
|
|
||||||
return compat_urllib_request.Request(
|
return compat_urllib_request.Request(
|
||||||
newurl, headers=new_headers, origin_req_host=req.origin_req_host,
|
newurl, headers=new_headers, origin_req_host=req.origin_req_host,
|
||||||
|
|
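Review bot: The filter in the last hunk now compares `k.title()` against `remove_headers`, so every entry in that list must already be spelled in `str.title()` form; `'Cookie'` is, but any other name added to the list later in the method (the 303 branch visible at the end of the second hunk continues outside it) silently stops matching if it is written any other way. Normalizing both sides removes that dependency: `remove = set(h.lower() for h in remove_headers)` before the loop and `if k.lower() not in remove)` in the filter, which also stays within the Python 2.6 constraint noted in the comment. Separately, `req.header_items()` on the same line is, in CPython, the union of `headers` and `unredirected_hdrs`, so headers other handlers attach with `add_unredirected_header` (the basic-auth handler's `Authorization`, for instance) appear to be carried to the redirect target too, whereas the base class copies only `req.headers`; if that reading is right, dropping only `Cookie` is a narrower fix than the title suggests and deserves either a comment saying so or a follow-up. `redirect_request` begins outside the hunks shown here.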