[ie] Do not smuggle http_headers

See: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x Authored by: coletdjnz
2025-09-03 00:25:08 +00:00 · 2023-08-16 18:42:48 -05:00
parent d4f14a72dc
commit f04b5bedad
9 changed files with 19 additions and 15 deletions
--- a/yt_dlp/extractor/vimeo.py
+++ b/yt_dlp/extractor/vimeo.py
@ -37,14 +37,14 @@ class VimeoBaseInfoExtractor(InfoExtractor):

    @staticmethod
    def _smuggle_referrer(url, referrer_url):
-        return smuggle_url(url, {'http_headers': {'Referer': referrer_url}})
+        return smuggle_url(url, {'referer': referrer_url})

    def _unsmuggle_headers(self, url):
        """@returns (url, smuggled_data, headers)"""
        url, data = unsmuggle_url(url, {})
        headers = self.get_param('http_headers').copy()
-        if 'http_headers' in data:
-            headers.update(data['http_headers'])
+        if 'referer' in data:
+            headers['Referer'] = data['referer']
        return url, data, headers

    def _perform_login(self, username, password):