Web GUI for youtube-dl
This release fixes a vulnerability that could be used to trigger either an open redirect attack or a Server-Side Request Forgery attack (see https://github.com/Rudloff/alltube/security/advisories/GHSA-75p7-527p-w8wp).
The fix requires applying a patch to youtube-dl to disable its generic extractor. If you are using the version of youtube-dl bundled with 3.0.3, it is already patched. However, if you are using your own unpatched version of youtube-dl you might still be vulnerable.
This release fixes a Server-Side Request Forgery vulnerability that could be used to send a request to an internal hostname (see https://github.com/Rudloff/alltube/security/advisories/GHSA-r5hc-wm3g-hjw6).
Part of the fix requires applying a patch to youtube-dl to prevent it from following HTTP redirects. If you are using the version of youtube-dl bundled with 3.0.2, it is already patched. However, if you are using your own unpatched version of youtube-dl you might still be vulnerable.
This release fixes an open redirect vulnerability that could be used to construct a URL redirecting to an arbitrary domain (see https://github.com/Rudloff/alltube/security/advisories/GHSA-jmhf-9fj8-88gh).