
From: Volker Schlecht <openbsd-ports@schlecht.dev>
Subject: Re: [update] www/yt-dlp 2026.06.09
To: yaydn@protonmail.com, "ports@openbsd.org" <ports@openbsd.org>
Date: Sat, 13 Jun 2026 22:13:06 +0200

Committed, thanks

On 6/13/26 8:16 PM, yaydn@protonmail.com wrote:
> Tested on current/amd64 with privsep.
> 
> Some security fixes:
> 
> Usage of vulnerable conversions (e.g. %()s) with the --exec option is an
> all-too-common pitfall. To remedy this, --exec now only allows safe
> conversions in its command templates.
> o Most users can simply replace %(...)s with %(...)q in their --exec
> argument(s). Numeric conversions are unaffected by this change. Using
> unsafe conversions with --exec poses a significant security risk.
> 
> [CVE-2026-50019] File Downloader cookie leak with curl
> o Impact is limited to users of --downloader curl; cookies are now
> properly passed to curl so that it respects their scope
> 
> [CVE-2026-50023] Dangerous file type creation via insufficient filename
> sanitization
> o Writing files with the extensions .desktop, .url, or .webloc is now
> only allowed in the context of --write-link functionality
> 
> [CVE-2026-50574] Arbitrary code execution via manifest downloads with
> aria2c
> o Impact is limited to users of --downloader aria2c
> o Support for downloading HLS and DASH formats with aria2c has been
> removed. Users affected by this change should migrate to use -N for
> concurrent fragment downloads via the native downloader
> 
> Changelog:
> https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09
> 
> Comments, testing, and/or okays welcome.
> 
> Hope this helps. May you all have a good one.
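An added example, not code from the post or from yt-dlp itself, that audits an --exec template for the `%(...)s` string conversion the quoted announcement warns about and shows why `%(...)q` is the recommended replacement. The template regex is a simplified sketch of yt-dlp's field syntax, the set of "safe" conversions (q, d, f) is this example's assumption, and the metadata is constructed.

```python
import re
import shlex

# Simplified form of a yt-dlp output-template field: %(name)[flags][width][.prec]TYPE
# (assumption: adequate for auditing typical --exec templates, not a full parser).
FIELD_RE = re.compile(r"%\(([^)]*)\)([-+# 0]*\d*(?:\.\d+)?)([A-Za-z])")

# The announcement says %(...)q shell-quotes the value and numeric conversions are
# unaffected; treating only q, d and f as safe is this example's assumption.
SAFE_CONVERSIONS = {"q", "d", "f"}

def audit_exec_template(template: str) -> list[str]:
    """Return every field in an --exec template whose conversion is not in SAFE_CONVERSIONS."""
    return [f"%({name}){spec}{conv}"
            for name, spec, conv in FIELD_RE.findall(template)
            if conv not in SAFE_CONVERSIONS]

def render(template: str, info: dict) -> str:
    """Expand the template: %(...)s inserts the value verbatim, %(...)q inserts it
    shell-quoted via shlex.quote. Illustrative mimic of the two conversions only."""
    def substitute(match: re.Match) -> str:
        name, conv = match.group(1), match.group(3)
        value = str(info[name])
        return shlex.quote(value) if conv == "q" else value
    return FIELD_RE.sub(substitute, template)

# Constructed metadata: a video title that happens to contain shell metacharacters.
INFO = {"title": "clip; echo injected", "id": "abc123", "duration": 42}

def shell_words(template: str) -> list[str]:
    """Words the shell would see after expansion (shlex.split honours quotes)."""
    return shlex.split(render(template, INFO))

if __name__ == "__main__":
    for tmpl in ("notify-send %(title)s", "notify-send %(title)q"):
        print(f"{tmpl!r}: unsafe={audit_exec_template(tmpl)} -> {render(tmpl, INFO)!r}")
```

With the verbatim `s` conversion the title's `;` splits the expanded command into extra words the shell would run; the `q` conversion keeps it a single quoted argument.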