|
|
|
|
|
|
by pwdisswordfishy
215 days ago
|
|
|
I would not put it past them. And I'm not sure I trust the yt-dlp team to implement sandboxing securely. The codebase is already full of shortcuts that lead to vulnerabilities like file extension injection. I mean, this gives me pause: > Both QuickJS and QuickJS-NG do not fully allow executing files from stdin, so yt-dlp will create temporary files for each EJS script execution. This can theoretically lead to time-of-check to time-of-use (TOCTOU) vulnerabilities. https://github.com/yt-dlp/yt-dlp/wiki/EJS TOCTOU from temporary files is a solved problem. |
|
|