genuineparts/alltube
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge tag '3.0.2' into develop

Browse source 
Fixed a SSRF vulnerability that could be used to send a request to an internal hostname
This commit is contained in:
Pierre Rudloff 2022-02-27 12:34:23 +01:00
commit 7f28275fb0
8 changed files with 866 additions and 147 deletions
Download patch file Download diff file Expand all files Collapse all files

74
classes/Controller/DownloadController.php
View file

@ -19,6 +19,7 @@ use Alltube\Library\Exception\YoutubedlException;
use Alltube\Stream\ConvertedPlaylistArchiveStream;
use Alltube\Stream\PlaylistArchiveStream;
use Alltube\Stream\YoutubeStream;
use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\Exception\InvalidURLException;
use Slim\Http\Request;
use Slim\Http\Response;
use Slim\Http\StatusCode;
@ -37,56 +38,53 @@ class DownloadController extends BaseController
*
* @return Response HTTP response
* @throws AlltubeLibraryException
* @throws InvalidURLException
*/
public function download(Request $request, Response $response): Response
{
$url = $request->getQueryParam('url');
$url = $this->getVideoPageUrl($request);
if (isset($url)) {
$this->video = $this->downloader->getVideo($url, $this->getFormat($request), $this->getPassword($request));
$this->video = $this->downloader->getVideo($url, $this->getFormat($request), $this->getPassword($request));
try {
if ($this->config->convert && $request->getQueryParam('audio')) {
// Audio convert.
return $this->getAudioResponse($request, $response);
} elseif ($this->config->convertAdvanced && !is_null($request->getQueryParam('customConvert'))) {
// Advance convert.
return $this->getConvertedResponse($request, $response);
}
try {
if ($this->config->convert && $request->getQueryParam('audio')) {
// Audio convert.
return $this->getAudioResponse($request, $response);
} elseif ($this->config->convertAdvanced && !is_null($request->getQueryParam('customConvert'))) {
// Advance convert.
return $this->getConvertedResponse($request, $response);
}
// Regular download.
return $this->getDownloadResponse($request, $response);
} catch (PasswordException $e) {
$frontController = new FrontController($this->container);
// Regular download.
return $this->getDownloadResponse($request, $response);
} catch (PasswordException $e) {
$frontController = new FrontController($this->container);
return $frontController->password($request, $response);
} catch (WrongPasswordException $e) {
return $this->displayError($request, $response, $this->localeManager->t('Wrong password'));
} catch (PlaylistConversionException $e) {
return $frontController->password($request, $response);
} catch (WrongPasswordException $e) {
return $this->displayError($request, $response, $this->localeManager->t('Wrong password'));
} catch (PlaylistConversionException $e) {
return $this->displayError(
$request,
$response,
$this->localeManager->t('Conversion of playlists is not supported.')
);
} catch (InvalidProtocolConversionException $e) {
if (in_array($this->video->protocol, ['m3u8', 'm3u8_native'])) {
return $this->displayError(
$request,
$response,
$this->localeManager->t('Conversion of playlists is not supported.')
$this->localeManager->t('Conversion of M3U8 files is not supported.')
);
} catch (InvalidProtocolConversionException $e) {
if (in_array($this->video->protocol, ['m3u8', 'm3u8_native'])) {
return $this->displayError(
$request,
$response,
$this->localeManager->t('Conversion of M3U8 files is not supported.')
);
} elseif ($this->video->protocol == 'http_dash_segments') {
return $this->displayError(
$request,
$response,
$this->localeManager->t('Conversion of DASH segments is not supported.')
);
} else {
throw $e;
}
} elseif ($this->video->protocol == 'http_dash_segments') {
return $this->displayError(
$request,
$response,
$this->localeManager->t('Conversion of DASH segments is not supported.')
);
} else {
throw $e;
}
} else {
return $response->withRedirect($this->router->pathFor('index'));
}
}