-1

So I'm writing a Python Discord bot that uses yt-dlp to download a song and then send it to a Discord channel. The problem is, I need to save the mp3 to a path to reupload it, but I think my code would be vulnerable to an attack where someone makes a YouTube video with "../../../etc/[something]" in the title, and I don't really know how I'd be able to correct that.

What I ended up doing was using 'restrictfilenames': True in my options. That way, it restricts all non-standard characters from the filename that is saved.

Here's the code.

@client.command()
async def dl(ctx, arg):
    with yt_dlp.YoutubeDL(ydl_opts) as ydl:
        # ydl.download([arg])
        info = ydl.extract_info(arg)
    await ctx.send("ok goude", file=discord.File(download_path + info['title'] + '.mp3'))

Thanks for any help!

  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Dec 10 '22 at 21:31

1 Answer

0

I think you just need to prevent the "/" character. You can do it by using replace on the title:

title="/usr/bin/attack.mp3"
title=title.replace("/", "_")

If you want to include all special characters, you can look at this answer: Remove all special characters, punctuation and spaces from string

Sezer BOZKIR
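A stricter take on the same idea, as an added example that is not part of the original question or answer and is not yt-dlp code: it builds the upload path from an allowlist of characters and then checks that the resolved path is still directly inside the download directory. The function name `safe_media_path`, the `downloads` directory and the sample titles are assumptions made for the illustration.

```python
import re
import unicodedata
from pathlib import Path

# Allowlist: anything outside these characters ("/", "\\", NUL, spaces, ...) becomes "_".
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def safe_media_path(download_dir, title, ext=".mp3", max_len=100):
    """Return a path for an untrusted `title` that cannot leave `download_dir`.

    Hypothetical helper for illustration: sanitize first, then verify containment.
    """
    # Fold accented characters to ASCII and drop what has no ASCII form.
    name = unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode()
    name = _UNSAFE.sub("_", name)
    # Leading/trailing dots would allow ".", ".." or hidden files; cap the length too.
    name = name.strip("._-")[:max_len] or "untitled"

    base = Path(download_dir).resolve()
    candidate = (base / (name + ext)).resolve()
    # Defence in depth: the resolved file (symlinks followed) must sit
    # directly in the download directory, whatever the sanitizer did.
    if candidate.parent != base:
        raise ValueError(f"refusing path outside {base}: {candidate}")
    return candidate


if __name__ == "__main__":
    # Constructed sample titles, including the two from this page.
    for sample in ["../../../etc/passwd", "/usr/bin/attack.mp3",
                   "..\\..\\windows", "..", "My Song (Official Video)"]:
        print(repr(sample), "->", safe_media_path("downloads", sample).name)
```

The name returned here will not necessarily match the file yt-dlp wrote, so the download output path and the upload path have to be derived from the same sanitized value.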