mirror of https://github.com/yt-dlp/yt-dlp.git synced 2024-11-16 16:13:35 +01:00

[ie/douyutv] Do not use dangerous javascript source/URL (#10347)

Ref: https://sansec.io/research/polyfill-supply-chain-attack

Authored by: LeSuisse
Thomas Gerbet 2024-07-04 00:35:24 +02:00 committed by GitHub
parent cc767e9490
commit 6075a029db
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -24,8 +24,9 @@
class DouyuBaseIE(InfoExtractor):
def _download_cryptojs_md5(self, video_id):
for url in [
# XXX: Do NOT use cdn.bootcdn.net; ref: https://sansec.io/research/polyfill-supply-chain-attack
'https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/md5.js',
'https://cdn.bootcdn.net/ajax/libs/crypto-js/3.1.2/rollups/md5.js',
'https://unpkg.com/cryptojslib@3.1.2/rollups/md5.js',
]:
js_code = self._download_webpage(
url, video_id, note='Downloading signing dependency', fatal=False)
@ -35,7 +36,8 @@ def _download_cryptojs_md5(self, video_id):
raise ExtractorError('Unable to download JS dependency (crypto-js/md5)')
def _get_cryptojs_md5(self, video_id):
return self.cache.load('douyu', 'crypto-js-md5') or self._download_cryptojs_md5(video_id)
return self.cache.load(
'douyu', 'crypto-js-md5', min_ver='2024.07.04') or self._download_cryptojs_md5(video_id)
def _calc_sign(self, sign_func, video_id, a):
b = uuid.uuid4().hex
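Review bot: The `md5.js` fetched in `_download_cryptojs_md5` is still accepted and cached without any integrity check, so replacing cdn.bootcdn.net with unpkg.com changes which third party is trusted rather than removing the trust. Because the URLs pin crypto-js 3.1.2, the expected content is fixed, and a digest comparison before caching would cover every mirror, e.g. `if js_code and hashlib.sha256(js_code.encode()).hexdigest() == CRYPTOJS_MD5_SHA256:` with `CRYPTOJS_MD5_SHA256 = '<sha256 of the vetted md5.js>'` (a placeholder; the real digest is not on this page). The unpkg entry also points at a package named `cryptojslib` rather than `crypto-js`, so it is worth confirming that it is byte-identical to the cdnjs copy, otherwise a single digest will not match both. The loop body after the `_download_webpage` call lies between the two hunks and is not visible, so this assumes no such check already exists there.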