Use a dedicated endpoind for downloads
This allows us to not pass file name ("title") in the form data and to enforce some sanity checks
parent
fe057c7873
commit
2f335b3d2c
@ -236,6 +236,7 @@ before_all do |env|
|
|||||||
"/api/manifest/",
|
"/api/manifest/",
|
||||||
"/videoplayback",
|
"/videoplayback",
|
||||||
"/latest_version",
|
"/latest_version",
|
||||||
|
"/download",
|
||||||
}.any? { |r| env.request.resource.starts_with? r }
|
}.any? { |r| env.request.resource.starts_with? r }
|
||||||
|
|
||||||
if env.request.cookies.has_key? "SID"
|
if env.request.cookies.has_key? "SID"
|
||||||
@ -348,6 +349,8 @@ end
|
|||||||
Invidious::Routing.get "/e/:id", Invidious::Routes::Watch, :redirect
|
Invidious::Routing.get "/e/:id", Invidious::Routes::Watch, :redirect
|
||||||
Invidious::Routing.get "/redirect", Invidious::Routes::Misc, :cross_instance_redirect
|
Invidious::Routing.get "/redirect", Invidious::Routes::Misc, :cross_instance_redirect
|
||||||
|
|
||||||
|
Invidious::Routing.post "/download", Invidious::Routes::Watch, :download
|
||||||
|
|
||||||
Invidious::Routing.get "/embed/", Invidious::Routes::Embed, :redirect
|
Invidious::Routing.get "/embed/", Invidious::Routes::Embed, :redirect
|
||||||
Invidious::Routing.get "/embed/:id", Invidious::Routes::Embed, :show
|
Invidious::Routing.get "/embed/:id", Invidious::Routes::Embed, :show
|
||||||
|
|
||||||
|
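Review bot: Adding `"/download"` to this `starts_with?` list exempts the new POST route from everything `before_all` does after the list, starting with the `SID` cookie lookup visible just below it; the list and the rest of the block continue outside the hunk. Because the test is a prefix match, any later route whose path begins with `/download` silently inherits the same exemption. If the skipped code includes session or CSRF handling (not visible here), the entry deserves a comment saying why a form-POST endpoint may bypass it, for example `# /download: form POST that only dispatches to read-only handlers, no session state needed`.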
@ -26,12 +26,16 @@ module Invidious::Frontend::WatchPage
|
|||||||
return String.build(4000) do |str|
|
return String.build(4000) do |str|
|
||||||
str << "<form"
|
str << "<form"
|
||||||
str << " class=\"pure-form pure-form-stacked\""
|
str << " class=\"pure-form pure-form-stacked\""
|
||||||
str << " action='/latest_version'"
|
str << " action='/download'"
|
||||||
str << " method='get'"
|
str << " method='post'"
|
||||||
str << " rel='noopener'"
|
str << " rel='noopener'"
|
||||||
str << " target='_blank'>"
|
str << " target='_blank'>"
|
||||||
str << '\n'
|
str << '\n'
|
||||||
|
|
||||||
|
# Hidden inputs for video id and title
|
||||||
|
str << "<input type='hidden' name='id' value='" << video.id << "'/>\n"
|
||||||
|
str << "<input type='hidden' name='title' value='" << HTML.escape(video.title) << "'/>\n"
|
||||||
|
|
||||||
str << "\t<div class=\"pure-control-group\">\n"
|
str << "\t<div class=\"pure-control-group\">\n"
|
||||||
|
|
||||||
str << "\t\t<label for='download_widget'>"
|
str << "\t\t<label for='download_widget'>"
|
||||||
@ -48,8 +52,7 @@ module Invidious::Frontend::WatchPage
|
|||||||
|
|
||||||
height = itag_to_metadata?(option["itag"]).try &.["height"]?
|
height = itag_to_metadata?(option["itag"]).try &.["height"]?
|
||||||
|
|
||||||
title = URI.encode_www_form("#{video.title}-#{video.id}.#{mimetype.split("/")[1]}")
|
value = {"itag": option["itag"], "ext": mimetype.split("/")[1]}.to_json
|
||||||
value = {"id": video.id, "itag": option["itag"], "title": title}.to_json
|
|
||||||
|
|
||||||
str << "\t\t\t<option value='" << value << "'>"
|
str << "\t\t\t<option value='" << value << "'>"
|
||||||
str << (height || "~240") << "p - " << mimetype
|
str << (height || "~240") << "p - " << mimetype
|
||||||
@ -61,8 +64,7 @@ module Invidious::Frontend::WatchPage
|
|||||||
video_assets.video_streams.each do |option|
|
video_assets.video_streams.each do |option|
|
||||||
mimetype = option["mimeType"].as_s.split(";")[0]
|
mimetype = option["mimeType"].as_s.split(";")[0]
|
||||||
|
|
||||||
title = URI.encode_www_form("#{video.title}-#{video.id}.#{mimetype.split("/")[1]}")
|
value = {"itag": option["itag"], "ext": mimetype.split("/")[1]}.to_json
|
||||||
value = {"id": video.id, "itag": option["itag"], "title": title}.to_json
|
|
||||||
|
|
||||||
str << "\t\t\t<option value='" << value << "'>"
|
str << "\t\t\t<option value='" << value << "'>"
|
||||||
str << option["qualityLabel"] << " - " << mimetype << " @ " << option["fps"] << "fps - video only"
|
str << option["qualityLabel"] << " - " << mimetype << " @ " << option["fps"] << "fps - video only"
|
||||||
@ -74,8 +76,7 @@ module Invidious::Frontend::WatchPage
|
|||||||
video_assets.audio_streams.each do |option|
|
video_assets.audio_streams.each do |option|
|
||||||
mimetype = option["mimeType"].as_s.split(";")[0]
|
mimetype = option["mimeType"].as_s.split(";")[0]
|
||||||
|
|
||||||
title = URI.encode_www_form("#{video.title}-#{video.id}.#{mimetype.split("/")[1]}")
|
value = {"itag": option["itag"], "ext": mimetype.split("/")[1]}.to_json
|
||||||
value = {"id": video.id, "itag": option["itag"], "title": title}.to_json
|
|
||||||
|
|
||||||
str << "\t\t\t<option value='" << value << "'>"
|
str << "\t\t\t<option value='" << value << "'>"
|
||||||
str << mimetype << " @ " << (option["bitrate"]?.try &.as_i./ 1000) << "k - audio only"
|
str << mimetype << " @ " << (option["bitrate"]?.try &.as_i./ 1000) << "k - audio only"
|
||||||
@ -85,8 +86,7 @@ module Invidious::Frontend::WatchPage
|
|||||||
# Subtitles (a.k.a "closed captions")
|
# Subtitles (a.k.a "closed captions")
|
||||||
|
|
||||||
video_assets.captions.each do |caption|
|
video_assets.captions.each do |caption|
|
||||||
title = URI.encode_www_form("#{video.title}-#{video.id}.#{caption.language_code}.vtt")
|
value = {"label": caption.name, "ext": "#{caption.language_code}.vtt"}.to_json
|
||||||
value = {"id": video.id, "label": caption.name, "title": title}.to_json
|
|
||||||
|
|
||||||
str << "\t\t\t<option value='" << value << "'>"
|
str << "\t\t\t<option value='" << value << "'>"
|
||||||
str << translate(locale, "download_subtitles", translate(locale, caption.name))
|
str << translate(locale, "download_subtitles", translate(locale, caption.name))
|
||||||
|
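Review bot: Every `<option value='...'>` line writes `value` (the `.to_json` output) into a single-quoted attribute without escaping, in all four hunks (combined formats, video-only, audio-only and captions). `to_json` leaves `'` untouched, so a caption name, language code or MIME subtype containing an apostrophe closes the attribute early and the rest is parsed as markup; these fields appear to come from upstream video metadata rather than from the instance. The new hidden `title` input already uses `HTML.escape`, and the same should be applied here: `str << "\t\t\t<option value='" << HTML.escape(value) << "'>"`, plus `HTML.escape(video.id)` on the hidden `id` input. The enclosing method starts and ends outside these hunks.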
@ -23,7 +23,11 @@ module Invidious::Routes::API::V1::Videos
|
|||||||
env.response.content_type = "application/json"
|
env.response.content_type = "application/json"
|
||||||
|
|
||||||
id = env.params.url["id"]
|
id = env.params.url["id"]
|
||||||
region = env.params.query["region"]?
|
region = env.params.query["region"]? || env.params.body["region"]?
|
||||||
|
|
||||||
|
if id.nil? || id.size != 11 || !id.matches?(/^[\w-]+$/)
|
||||||
|
return error_json(400, "Invalid video ID")
|
||||||
|
end
|
||||||
|
|
||||||
# See https://github.com/ytdl-org/youtube-dl/blob/6ab30ff50bf6bd0585927cb73c7421bef184f87a/youtube_dl/extractor/youtube.py#L1354
|
# See https://github.com/ytdl-org/youtube-dl/blob/6ab30ff50bf6bd0585927cb73c7421bef184f87a/youtube_dl/extractor/youtube.py#L1354
|
||||||
# It is possible to use `/api/timedtext?type=list&v=#{id}` and
|
# It is possible to use `/api/timedtext?type=list&v=#{id}` and
|
||||||
|
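Review bot: The new ID check `id.matches?(/^[\w-]+$/)` uses `^`/`$`, and `$` also matches just before a trailing newline, so a value of ten valid characters followed by a newline satisfies both the size test and the pattern. Anchoring on the whole string and folding the length into the pattern closes that gap: `if !id.matches?(/\A[A-Za-z0-9_-]{11}\z/)`. The same check is duplicated in `latest_version` in the VideoPlayback section, so a single shared helper would keep the two from drifting apart. `region` is now also read from `env.params.body`, and how it is validated lies outside the hunk.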
@ -242,31 +242,25 @@ module Invidious::Routes::VideoPlayback
|
|||||||
# YouTube /videoplayback links expire after 6 hours,
|
# YouTube /videoplayback links expire after 6 hours,
|
||||||
# so we have a mechanism here to redirect to the latest version
|
# so we have a mechanism here to redirect to the latest version
|
||||||
def self.latest_version(env)
|
def self.latest_version(env)
|
||||||
if env.params.query["download_widget"]?
|
id = env.params.query["id"]?
|
||||||
download_widget = JSON.parse(env.params.query["download_widget"])
|
itag = env.params.query["itag"]?.try &.to_i?
|
||||||
|
|
||||||
id = download_widget["id"].as_s
|
# Sanity checks
|
||||||
title = URI.decode_www_form(download_widget["title"].as_s)
|
if id.nil? || id.size != 11 || !id.matches?(/^[\w-]+$/)
|
||||||
|
return error_template(400, "Invalid video ID")
|
||||||
if label = download_widget["label"]?
|
|
||||||
return env.redirect "/api/v1/captions/#{id}?label=#{label}&title=#{title}"
|
|
||||||
else
|
|
||||||
itag = download_widget["itag"].as_s.to_i
|
|
||||||
local = "true"
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
id ||= env.params.query["id"]?
|
if itag.nil? || itag <= 0 || itag >= 1000
|
||||||
itag ||= env.params.query["itag"]?.try &.to_i
|
return error_template(400, "Invalid itag")
|
||||||
|
end
|
||||||
|
|
||||||
region = env.params.query["region"]?
|
region = env.params.query["region"]?
|
||||||
|
local = (env.params.query["local"]? == "true")
|
||||||
|
|
||||||
local ||= env.params.query["local"]?
|
title = env.params.query["title"]?
|
||||||
local ||= "false"
|
|
||||||
local = local == "true"
|
|
||||||
|
|
||||||
if !id || !itag
|
if title && CONFIG.disabled?("downloads")
|
||||||
haltf env, status_code: 400, response: "TESTING"
|
return error_template(403, "Administrator has disabled this endpoint.")
|
||||||
end
|
end
|
||||||
|
|
||||||
video = get_video(id, region: region)
|
video = get_video(id, region: region)
|
||||||
@ -278,8 +272,10 @@ module Invidious::Routes::VideoPlayback
|
|||||||
haltf env, status_code: 404
|
haltf env, status_code: 404
|
||||||
end
|
end
|
||||||
|
|
||||||
url = URI.parse(url).request_target.not_nil! if local
|
if local
|
||||||
url = "#{url}&title=#{title}" if title
|
url = URI.parse(url).request_target.not_nil!
|
||||||
|
url += "&title=#{URI.encode_www_form(title, space_to_plus: false)}" if title
|
||||||
|
end
|
||||||
|
|
||||||
return env.redirect url
|
return env.redirect url
|
||||||
end
|
end
|
||||||
|
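Review bot: `title` is percent-encoded here with `URI.encode_www_form`, but on the `/download` path `Watch.download` has already stored an encoded filename in `env.params.query["title"]`, so that value is encoded twice before the redirect. Whether `/videoplayback` decodes it a matching number of times is not visible on this page; if it does not, downloaded file names will contain literal escape sequences. Encoding in one place only (here, where the URL is built) and passing the raw filename from `download` would remove the ambiguity. `title` is also silently dropped when `local` is false, which deserves a comment such as `# title is only honoured for proxied (local) playback`.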
@ -289,4 +289,52 @@ module Invidious::Routes::Watch
|
|||||||
return error_template(404, "The requested clip doesn't exist")
|
return error_template(404, "The requested clip doesn't exist")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.download(env)
|
||||||
|
if CONFIG.disabled?("downloads")
|
||||||
|
return error_template(403, "Administrator has disabled this endpoint.")
|
||||||
|
end
|
||||||
|
|
||||||
|
title = env.params.body["title"]? || ""
|
||||||
|
video_id = env.params.body["id"]? || ""
|
||||||
|
selection = env.params.body["download_widget"]?
|
||||||
|
|
||||||
|
if title.empty? || video_id.empty? || selection.nil?
|
||||||
|
return error_template(400, "Missing form data")
|
||||||
|
end
|
||||||
|
|
||||||
|
download_widget = JSON.parse(selection)
|
||||||
|
extension = download_widget["ext"].as_s
|
||||||
|
|
||||||
|
filename = URI.encode_www_form(
|
||||||
|
"#{video_id}-#{title}.#{extension}",
|
||||||
|
space_to_plus: false
|
||||||
|
)
|
||||||
|
|
||||||
|
# Pass form parameters as URL parameters for the handlers of both
|
||||||
|
# /latest_version and /api/v1/captions. This avoids an un-necessary
|
||||||
|
# redirect and duplicated (and hazardous) sanity checks.
|
||||||
|
env.params.query["id"] = video_id
|
||||||
|
env.params.query["title"] = filename
|
||||||
|
|
||||||
|
# Delete the useless ones
|
||||||
|
env.params.body.delete("id")
|
||||||
|
env.params.body.delete("title")
|
||||||
|
env.params.body.delete("download_widget")
|
||||||
|
|
||||||
|
if label = download_widget["label"]?
|
||||||
|
# URL params specific to /api/v1/captions/:id
|
||||||
|
env.params.query["label"] = URI.encode_www_form(label.as_s, space_to_plus: false)
|
||||||
|
|
||||||
|
return Invidious::Routes::API::V1::Videos.captions(env)
|
||||||
|
elsif itag = download_widget["itag"]?.try &.as_i
|
||||||
|
# URL params specific to /latest_version
|
||||||
|
env.params.query["itag"] = itag.to_s
|
||||||
|
env.params.query["local"] = "true"
|
||||||
|
|
||||||
|
return Invidious::Routes::VideoPlayback.latest_version(env)
|
||||||
|
else
|
||||||
|
return error_template(400, "Invalid label or itag")
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
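Review bot: `JSON.parse(selection)` and `download_widget["ext"].as_s` in `download` run on the raw POST body with no error handling, so a malformed or incomplete `download_widget` field raises instead of returning the 400 that the other checks produce; `label.as_s` and `itag ... &.as_i` further down have the same problem and could use `as_s?`/`as_i?`. `extension` is also client-supplied and goes into the file name unchecked, so it should be restricted to the extensions the widget can actually emit. In addition, `video_id` is concatenated into `filename` before either downstream handler has validated it. The sketch below covers the parsing step; the exception list should be confirmed against what `JSON::Any` raises in the project's Crystal version.

```crystal
begin
  download_widget = JSON.parse(selection)
  extension = download_widget["ext"].as_s
rescue JSON::ParseException | KeyError | TypeCastError
  return error_template(400, "Invalid form data")
end

# ... unchanged: filename construction, query parameter setup, dispatch on label / itag ...
```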