From b383be98874d4dded67ee8a679fae30340722709 Mon Sep 17 00:00:00 2001 From: dirkf Date: Wed, 7 Jun 2023 19:38:54 +0100 Subject: [core] Remove `Cookie` header on redirect to prevent leaks Adated from yt-dlp/yt-dlp-ghsa-v8mc-9377-rwjj/pull/1/commits/101caac Thx coletdjnz --- youtube_dl/utils.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'youtube_dl/utils.py') diff --git a/youtube_dl/utils.py b/youtube_dl/utils.py index 58c710b08..c21cd3687 100644 --- a/youtube_dl/utils.py +++ b/youtube_dl/utils.py @@ -2968,7 +2968,6 @@ class YoutubeDLRedirectHandler(compat_urllib_request.HTTPRedirectHandler): new_method = req.get_method() new_data = req.data - remove_headers = [] # On python 2 urlh.geturl() may sometimes return redirect URL # as a byte string instead of unicode. This workaround forces @@ -2981,6 +2980,11 @@ class YoutubeDLRedirectHandler(compat_urllib_request.HTTPRedirectHandler): # but it is kept for compatibility with other callers. newurl = newurl.replace(' ', '%20') + # Technically the Cookie header should be in unredirected_hdrs; + # however in practice some may set it in normal headers anyway. + # We will remove it here to prevent any leaks. + remove_headers = ['Cookie'] + # A 303 must either use GET or HEAD for subsequent request # https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.4 if code == 303 and req.get_method() != 'HEAD': @@ -2999,7 +3003,7 @@ class YoutubeDLRedirectHandler(compat_urllib_request.HTTPRedirectHandler): # NB: don't use dict comprehension for python 2.6 compatibility new_headers = dict((k, v) for k, v in req.header_items() - if k.lower() not in remove_headers) + if k.title() not in remove_headers) return compat_urllib_request.Request( newurl, headers=new_headers, origin_req_host=req.origin_req_host, -- cgit 1.4.1