commit 701734b9fc565859d6394932f43720598fb95861
parent ead66bcbf3f68d7a28b7462f8c289418f3c53f1e
Author: JayVii <jayvii[AT]posteo[DOT]de>
Date: Sat, 24 Feb 2024 15:54:13 +0100
Provide Video description; Protect against GET-injection
Provides the video description as the episode description by fixing the XML entries before parsing them. Ensures that GET parameters do not pose a security issue.
Diffstat:
M | index.php | | | 42 | +++++++++++++++++++++++++++++------------- |
1 file changed, 29 insertions(+), 13 deletions(-)
diff --git a/index.php b/index.php
@@ -7,12 +7,23 @@
if (!is_null($_GET["channel"])) {
// Fetch Youtube XML Feed
- $channel_xml = simplexml_load_file(
- "https://www.youtube.com/feeds/videos.xml?channel_id=" . $_GET["channel"]
+ $channel_xml = file(
+ "https://www.youtube.com/feeds/videos.xml?channel_id=" . basename($_GET["channel"])
);
+ // Replace un-parsable items
+ $channel_xml = str_replace(
+ array("yt:", "media:"),
+ array("yt_", "media_"),
+ $channel_xml
+ );
+ // Cast Array to string
+ $channel_xml = implode(PHP_EOL, $channel_xml);
+ // Parse XML
+ $channel_xml = simplexml_load_string($channel_xml);
$channel_xml = json_encode($channel_xml);
$channel_xml = json_decode($channel_xml, true);
+
// Construct Podcatcher XML
$rss_xml = "<rss " .
"version=\"2.0\" " .
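Review bot: `basename()` on line 17 only strips directory components; characters such as `&`, `"`, `<` or `#` pass through, so the channel value can still alter the upstream query string, and where the same value is written raw into the generated feed (the `<link>` on line 46 and the `atom:link href` on line 63) it can break or inject markup into the RSS document. Validate it once against an anchored allow-list before any use, e.g. `$channel = basename($_GET["channel"]); if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $channel)) { http_response_code(400); exit; }`, and reuse `$channel` in place of the repeated `basename($_GET["channel"])` calls. Separately, `file()` returns false when the fetch fails, and the `implode()` on line 26 then errors, so check the result before the `str_replace`. The blanket `str_replace` of `yt:`/`media:` on the raw text also rewrites those substrings wherever they occur inside titles or descriptions; SimpleXML's `children('media', true)` would reach the namespaced elements without text surgery. The enclosing `if` block continues past the hunk.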
@@ -31,12 +42,12 @@ if (!is_null($_GET["channel"])) {
$channel_xml["title"]
) . "</title>\n";
$channel_id = str_replace(
- array("yt:channel:"),
+ array("yt_channel:"),
"",
$channel_xml["id"]
);
$rss_xml = $rss_xml . "<link>https://www.youtube.com/channel/" .
- $channel_id . "</link>\n";
+ basename($_GET["channel"]) . "</link>\n";
$rss_xml = $rss_xml . "<description>" .
str_replace(
array("&"),
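Review bot: With line 46 now emitting `basename($_GET["channel"])`, the `$channel_id` computed on lines 38–43 appears unused within this hunk; if nothing below the hunk reads it, those lines are dead and should go, or, preferably, the `<link>` should keep using the id taken from the feed itself, which is the authoritative value and avoids echoing request input into the document. Whichever value is used, it should be XML-escaped when placed inside the element, e.g. `htmlspecialchars($channel_id, ENT_XML1 | ENT_QUOTES, 'UTF-8')`. The enclosing `if` block starts before and ends after the hunk.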
@@ -48,19 +59,19 @@ if (!is_null($_GET["channel"])) {
"</pubDate>\n";
// FIXME: fetch channel image rather than first video image
$video_id = str_replace(
- array("yt:video:"),
+ array("yt_video:"),
"",
$channel_xml["entry"][0]["id"]
);
$rss_xml = $rss_xml . "<itunes:image href=\"https://i4.ytimg.com/vi/" .
$video_id . "/hqdefault.jpg\"/>\n";
$rss_xml = $rss_xml . "<atom:link href=\"https://" .
- $_SERVER["SERVER_NAME"] . "/?channel=" . $_GET["channel"] . "\"" .
+ $_SERVER["SERVER_NAME"] . "/?channel=" . basename($_GET["channel"]) . "\"" .
" rel=\"self\" type=\"application/rss+xml\"/>\n";
// Add media items
foreach ($channel_xml["entry"] as $entry) {
- $video_id = str_replace(array("yt:video:"), "", $entry["id"]);
+ $video_id = str_replace(array("yt_video:"), "", $entry["id"]);
// Get Video Length
if (file_exists($video_id . ".opus")) {
$video_size = filesize($video_id . ".opus");
@@ -78,7 +89,12 @@ if (!is_null($_GET["channel"])) {
str_replace(array("&"), "&", $entry["title"]) . "</title>\n";
// FIXME: fetch true description!
$rss_xml = $rss_xml . "<description>" .
- $entry["link"]["@attributes"]["href"] . "</description>\n";
+ $entry["link"]["@attributes"]["href"] . PHP_EOL .
+ str_replace(
+ array("&"),
+ "&",
+ $entry["media_group"]["media_description"]
+ ) . "</description>\n";
$rss_xml = $rss_xml . "<itunes:author>" .
str_replace(
array("&"),
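Review bot: The `FIXME: fetch true description!` comment on line 74 is now stale, since lines 77–82 insert `media_description`; drop it. Escaping only `&` leaves `<`, `>` and `]]>` in a user-written video description able to break the RSS document, so the added `str_replace` should be `htmlspecialchars($desc, ENT_XML1 | ENT_QUOTES, 'UTF-8')` instead. Because the feed is round-tripped through json_encode/json_decode, an empty `<media:description/>` most likely arrives as an empty array rather than a string, in which case the concatenation on line 81 emits the literal `Array` together with a notice; guard with something like `$desc = $entry["media_group"]["media_description"]; $desc = is_string($desc) ? $desc : "";` before escaping. The enclosing `foreach` starts before and ends after the hunk.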
@@ -103,22 +119,22 @@ if (!is_null($_GET["channel"])) {
print_r($rss_xml);
} else if (!is_null($_GET["video"])) {
- if (!file_exists($_GET["video"]. ".opus")) {
+ if (!file_exists(basename($_GET["video"]) . ".opus")) {
passthru(
"yt-dlp " .
"-x " .
"--audio-format opus " .
"-o '%(id)s.%(ext)s' " .
- "https://www.youtube.com/watch?v=" . $_GET["video"]
+ "https://www.youtube.com/watch?v=" . basename($_GET["video"])
);
}
header("content-type: audio/ogg; codec=opus");
- header("content-length: " . filesize($_GET["video"] . ".opus"));
+ header("content-length: " . filesize(basename($_GET["video"]) . ".opus"));
header(
"content-disposition: inline; filename=" .
- basename($_GET["video"] . ".opus")
+ basename($_GET["video"]) . ".opus"
);
- readfile("{$_GET['video']}.opus");
+ readfile(basename($_GET['video']) . ".opus");
} else {
echo "<html><head><title>yt2rss</title></head><body>";
echo "<h1>yt2rss</h1>";
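Review bot: `basename()` on line 97 does not neutralise shell metacharacters, so the request value is still concatenated unescaped into the `passthru()` command string, and the `file_exists()` check on line 90 offers no protection because the download branch is precisely the one reached for an unknown id. Validate once against an anchored allow-list and escape the argument: `$video = basename($_GET["video"]); if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $video)) { http_response_code(400); exit; }` and `escapeshellarg("https://www.youtube.com/watch?v=" . $video)` on line 97. With `$video` validated, the repeated `basename($_GET["video"])` calls on lines 90, 102, 106 and 109 can reuse it. `filesize()` on line 102 returns false when the download did not produce the file, yielding a `content-length:` header with no value and an empty body from `readfile()`; check that the `.opus` file exists before sending any header. The `else if` branch is shown in full, but the enclosing `if` chain starts before the hunk.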