Emilien 7b9a8e3456 fix: security issue playlist deletion cross user
fixes #5777
2026-06-28 11:42:25 +02:00
7 changed files with 16 additions and 47 deletions
+2 -2
@@ -65,7 +65,7 @@ jobs:
crystal: ${{ matrix.crystal }}
- name: Cache Shards
uses: actions/cache@v6
uses: actions/cache@v5
with:
path: |
./lib
@@ -137,7 +137,7 @@ jobs:
crystal: latest
- name: Cache Shards
uses: actions/cache@v6
uses: actions/cache@v5
with:
path: |
./lib
+13 -15
@@ -205,6 +205,7 @@ https_only: false
# path: /tmp/invidious.sock
# permissions: 777
# -----------------------------
# Network (outbound)
# -----------------------------
@@ -227,6 +228,7 @@ https_only: false
##
#pool_size: 100
##
## Additional cookies to be sent when requesting the youtube API.
##
@@ -261,6 +263,7 @@ https_only: false
# host:
# port:
##
## Use Innertube's transcripts API instead of timedtext for closed captions
##
@@ -341,6 +344,7 @@ https_only: false
##
#statistics_enabled: false
# -----------------------------
# Users and accounts
# -----------------------------
@@ -452,25 +456,12 @@ full_refresh: false
##
feed_threads: 1
##
## Setting to disable easy to abuse API endpoints that can
## be spammed and therefore blocking your Invidious instance.
##
## Useful for public instance maintainers.
##
## Notes: The following API endpoints will be disabled:
## - /api/v1/videos
## - /api/v1/clips
## - /api/v1/transcripts
##
## Accepted values: true, false
## Default: false
##
disable_abusable_api: false
jobs:
## Options for the database cleaning job
clear_expired_items:
## Enable/Disable job
##
## Accepted values: true, false
@@ -480,6 +471,7 @@ jobs:
## Options for the channels updater job
refresh_channels:
## Enable/Disable job
##
## Accepted values: true, false
@@ -489,6 +481,7 @@ jobs:
## Options for the RSS feeds updater job
refresh_feeds:
## Enable/Disable job
##
## Accepted values: true, false
@@ -496,6 +489,7 @@ jobs:
##
enable: true
# -----------------------------
# Miscellaneous
# -----------------------------
@@ -694,6 +688,7 @@ default_user_preferences:
##
#captions: ["", "", ""]
# -----------------------------
# Interface
# -----------------------------
@@ -795,6 +790,7 @@ default_user_preferences:
##
#related_videos: true
# -----------------------------
# Video player behavior
# -----------------------------
@@ -858,6 +854,7 @@ default_user_preferences:
##
#video_loop: false
# -----------------------------
# Video playback settings
# -----------------------------
@@ -969,6 +966,7 @@ default_user_preferences:
##
#sort: published
# -----------------------------
# Miscellaneous
# -----------------------------
-1
@@ -217,7 +217,6 @@ end
Kemal.config.powered_by_header = false
add_handler FilteredCompressHandler.new
add_handler APIHandler.new
add_handler DisableAbusableAPIHandler.new
add_handler AuthHandler.new
add_handler DenyFrame.new
-3
@@ -183,9 +183,6 @@ class Config
# Playlist length limit
property playlist_length_limit : Int32 = 500
# Disable easy to abuse API endpoints
property disable_abusable_api : Bool = false
def disabled?(option)
case disabled = CONFIG.disable_proxy
when Bool
-20
@@ -133,26 +133,6 @@ class APIHandler < Kemal::Handler
end
end
class DisableAbusableAPIHandler < Kemal::Handler
{% for method in %w(GET HEAD) %}
# This endpoints make a video request to Invidious companion.
{% for endpoint in %w(videos clips transcripts) %}
only ["/api/v1/{{ endpoint.id }}/:id"], {{ method }}
{% end %}
{% end %}
def call(env)
return call_next env unless only_match?(env) && CONFIG.disable_abusable_api
env.response.content_type = "application/json"
env.response.status_code = 403
message = {"error" => "This API endpoint has been disabled by the administrator."}.to_json
env.response.print message
env.response.close
return
end
end
class DenyFrame < Kemal::Handler
exclude ["/embed/*"]
@@ -36,11 +36,6 @@ class Invidious::Jobs::RefreshChannelsJob < Invidious::Jobs::BaseJob
LOGGER.trace("RefreshChannelsJob: #{id} fiber : Updating DB")
Invidious::Database::Channels.update_author(id, channel.author)
if backoff > 2.minutes
backoff /= 2
LOGGER.debug("RefreshChannelsJob: #{id} fiber : decreasing backoff to #{backoff}s")
end
rescue ex
LOGGER.error("RefreshChannelsJob: #{id} : #{ex.message}")
if ex.message == "Deleted or invalid channel"
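Review bot: With the `if backoff > 2.minutes` / `backoff /= 2` block gone from the success path, nothing visible in this hunk ever lowers `backoff` after `update_author` succeeds; if the `rescue` branch that follows (outside the hunk) still raises it on failures, the delay only grows for the lifetime of the job and a transient upstream error permanently slows that channel's refreshes. Either keep the halving, or adjust the lines that increase the backoff in the same change so the two sides stay balanced. This hunk has no file header on the page and its enclosing method starts and ends outside the hunk, and the side of the changed lines is not marked, so verify which version is the one under review before acting on this.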
+1 -1
@@ -106,7 +106,7 @@ end
def add_yt_headers(request)
request.headers.delete("User-Agent") if request.headers["User-Agent"] == "Crystal"
request.headers["User-Agent"] ||= "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36"
request.headers["User-Agent"] ||= "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
request.headers["Accept-Charset"] ||= "ISO-8859-1,utf-8;q=0.7,*;q=0.7"
request.headers["Accept"] ||= "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"