[core] Change how Cookie headers are handled

Cookies are now saved and loaded under `cookies` key in the info dict instead of `http_headers.Cookie`. Cookies passed in headers are auto-scoped to the input URLs with a warning. Ref: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj Authored by: Grub4K
2025-10-13 09:23:46 +00:00 · 2023-07-06 21:51:04 +05:30
parent f8b4bcc0a7
commit 3121512228
3 changed files with 139 additions and 4 deletions
--- a/yt_dlp/downloader/common.py
+++ b/yt_dlp/downloader/common.py
@@ -32,6 +32,7 @@ from ..utils import (
    timetuple_from_msec,
    try_call,
 )
+from ..utils.traversal import traverse_obj


 class FileDownloader:
@@ -419,7 +420,6 @@ class FileDownloader:
        """Download to a filename using the info from info_dict
        Return True on success and False otherwise
        """
-
        nooverwrites_and_exists = (
            not self.params.get('overwrites', True)
            and os.path.exists(encodeFilename(filename))
@@ -453,6 +453,11 @@ class FileDownloader:
            self.to_screen(f'[download] Sleeping {sleep_interval:.2f} seconds ...')
            time.sleep(sleep_interval)

+        # Filter the `Cookie` header from the info_dict to prevent leaks.
+        # See: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
+        info_dict['http_headers'] = dict(traverse_obj(info_dict, (
+            'http_headers', {dict.items}, lambda _, pair: pair[0].lower() != 'cookie'))) or None
+
        ret = self.real_download(filename, info_dict)
        self._finish_multiline_status()
        return ret, True