This repository has been archived by the owner on Apr 22, 2023. It is now read-only.
Improve SSRF protection when using an unpatched youtube-dl #414
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
We disabled the generic extractor to prevent SSRF attacks (GHSA-75p7-527p-w8wp) but the way we do this is by patching youtube-dl.
I have seen several AllTube instances using an unpatched version of youtube-dl, so we should improve SSRF protection for them.
We already call httplug-ssrf-plugin on submitted URLs but we should also call it on every URL passed to alltube-library (when generating a stream, a redirect, etc.). There is probably a lot of places in the code to look for (which is why disabling the generic extractor was an easier fix).
The text was updated successfully, but these errors were encountered: