This release fixes a vulnerability that could be used to trigger either an open redirect attack or a Server-Side Request Forgery attack (see GHSA-75p7-527p-w8wp).
The fix requires applying a patch to youtube-dl to disable its generic extractor. If you are using the version of youtube-dl bundled with 3.0.3, it is already patched.
However, if you are using your own unpatched version of youtube-dl you might still be vulnerable.
This release fixes a Server-Side Request Forgery vulnerability that could be used to send a request to an internal hostname (see GHSA-r5hc-wm3g-hjw6).
Part of the fix requires applying a patch to youtube-dl to prevent it from following HTTP redirects. If you are using the version of youtube-dl bundled with 3.0.2, it is already patched.
However, if you are using your own unpatched version of youtube-dl you might still be vulnerable.
This release fixes an open redirect vulnerability that could be used to construct a URL redirecting to an arbitrary domain (see GHSA-jmhf-9fj8-88gh).
- The Video class is now available as a separate Composer package (rudloff/alltube-library)
- The release package and Docker image now contain only production dependencies
- youtube-dl is now a production dependency
- Composer does not install ffmpeg or phantomjs anymore
- The "avconv" and "avconvVerbosity" options are now respectively "ffmpeg" and "ffmpegVerbosity"
Other changes:
- Setting the "stream" option to "ask" now works correctly
- New locales are automatically detected
- New Italian translation (thanks to @holoitsme)
- If the "best" format does not exist, it will fall back to "bestvideo"
- Composer 2 compatibility
- youtube-dl and ffmpeg commands are now logged when debug mode is enabled
- 404 and 405 error pages now have the same style as the other pages
- The new "defaultAudio" option allows converting to audio by default (thanks to @bellington3)
- The Heroku build now uses Python 3 (thanks to @telegrambotdev)
- The app now supports the container Heroku stack (thanks to @telegrambotdev)
- The new "convertSeek" option allows disabling seeking when converting to audio (thanks to @bellington3)
- Exceptions are now logged
- AllTube can now run correctly behind a reverse proxy with a custom path or port (thanks to @bellington3)

- Composer 2 compatibility
- Updated youtube-dl to 2020.11.12
- Make sure locale is always set, even on first request

- Fixed the CSP because it was breaking downloads on Chrome (#327)
- Upgraded youtube-dl to 2020.11.01.1 (#326)

- We now temporarily get youtube-dl from PyPI (because their GitHub repository is not available anymore)
- Upgraded alltube-library to 0.1.1
- The bookmarklet is now correctly generated when AllTube is behind a reverse proxy
- The bookmarklet is now compatible with ugly URLs

Changes since the latest beta:
- Classes have been reorganized in order to simplify PSR-4 loading
- youtube-dl and ffmpeg commands are now logged when debug mode is enabled
- The Config and LocaleManager classes now use a factory pattern instead of a singleton
- 404 and 405 error pages now have the same style as the other pages
- The new "defaultAudio" option allows converting to audio by default (thanks to @bellington3)
- The Heroku build now uses Python 3 (thanks to @telegrambotdev)
- The app now supports the container Heroku stack (thanks to @telegrambotdev)
- The new "convertSeek" option allows disabling seeking when converting to audio (thanks to @bellington3)
- Exceptions are now logged
- AllTube can now run correctly behind a reverse proxy with a custom path or port (thanks to @bellington3)

This beta contains several breaking changes:
- The Video class is now available as a separate Composer package (rudloff/alltube-library)
- The release package and Docker image now contain only production dependencies
- youtube-dl is now a production dependency
- Composer does not install ffmpeg or phantomjs anymore
- The "avconv" and "avconvVerbosity" options are now respectively "ffmpeg" and "ffmpegVerbosity"
Other fixes:
- Setting the "stream" option to "ask" now works correctly
- New locales are automatically detected
- New Italian translation (thanks to @holoitsme)
- If the "best" format does not exist, it will fall back to "bestvideo"
- Composer 2 compatibility

- Fall back to "best" for audio conversion when "bestaudio" is not available
- Check if mod_deflate is enabled
- Fixed an issue when converting a file with a UTF-8 filename
- Better catching of early errors
- Fixed support for websites that require a valid referrer (thanks @0x6470)
- Updated youtube-dl to 2020.05.08
- Various dependencies update