
[Security Advisory] File Downloader cookie leak #32450

Open
dirkf opened this issue Jul 18, 2023 · 2 comments

Comments

dirkf (Contributor) commented Jul 18, 2023

During file downloads, youtube-dl (or the external downloaders that it invokes) may leak cookies on HTTP redirects to a different host, or when the host for fragments being downloaded differs from their parent manifest's host.

Please refer to this security advisory for further details.

Youtube-dl users who are concerned about this issue should install a new version of the program from the nightly build repository: versions dated 2023-07-18 or later incorporate changes to remediate the issue. The next stable release will also include these remediations.

If updating is not possible, please refer to the linked advisory for suggested work-arounds.
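As an added illustration of the remediation described above (this is not youtube-dl's own code, and the cookies.txt content is constructed), the following shows how a downloader can derive a per-URL Cookie header from a scoped Netscape cookie file with Python's http.cookiejar, so that a redirect to another host, or a fragment host that differs from the manifest host, receives only the cookies that are in scope for it:

```python
# Added example (not youtube-dl's own code): pick only the cookies whose scope
# (domain, path, Secure flag) matches the URL a downloader is about to fetch,
# instead of forwarding every cookie as one unscoped Cookie header.
import os
import tempfile
from http.cookiejar import MozillaCookieJar
from urllib.request import Request

# Constructed Netscape-format cookies.txt (not from the advisory): a Secure
# cookie for example.com and its subdomains, a host-only cookie for
# cdn.example.com limited to /frag, and a cookie for an unrelated site.
COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".example.com\tTRUE\t/\tTRUE\t2147483647\tsession\tSECRET\n"
    "cdn.example.com\tFALSE\t/frag\tFALSE\t2147483647\tcdntoken\tTOK\n"
    ".other.example\tTRUE\t/\tFALSE\t2147483647\tother\tO\n"
)


def load_jar(text):
    """Parse Netscape cookie-file text into a MozillaCookieJar."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    jar = MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    os.unlink(path)
    return jar


def scoped_cookie_header(jar, url):
    """Cookie header value for `url`, or None when no cookie is in scope.

    http.cookiejar applies domain matching (host-only vs. leading-dot
    domains), path matching and the Secure flag, so a redirect target or a
    fragment host that differs from the manifest host only receives the
    cookies that legitimately belong to it."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def unscoped_cookie_header(jar):
    """The flawed behaviour the advisory describes: every cookie regardless
    of URL, which is what leaks on a cross-host redirect."""
    cookies = sorted(jar, key=lambda c: c.name)
    return "; ".join(f"{c.name}={c.value}" for c in cookies)
```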

a-pav commented Dec 3, 2023

From the advisory:

At the file download stage, all cookies are passed by youtube-dl to the file downloader as a Cookie header, thereby losing their scope.

Looks like youtube-dl version 2021.12.17 is affected, even when the cookies are passed as a scoped, Netscape-formatted text file like --cookies ./cookies.txt. Right?

Can I apply the patch to my youtube-dl 2021.12.17 installation, or does it require a newer base?

dirkf (Contributor, Author) commented Dec 3, 2023

Do read the issue text:

Youtube-dl users who are concerned about this issue should install a new version of the program from the nightly build repository

The changes are quite extensive and relate to a master code version 18 months later than the 2021.12 release.
