Commit Graph

2996 Commits

Author SHA1 Message Date
Samantaz Fox 0b28054f8a
videos: Fix XSS vulnerability in description/comments
Patch provided by e-mail, thanks to an anonymous user whose cats are named
Yoshi and Yasuo.

Comment is mine
2024-08-15 18:26:17 +02:00
Samantaz Fox e319c35f09
Videos: use intermediary variable when using CONFIG.po_token 2024-08-13 20:56:09 +02:00
Samantaz Fox 2d18ff1f80
Add ability to set po_token and visitordata ID (#4789)
This PR adds two new config options, to pass a PO token (config 'po_token') and
a visitor ID (config 'visitor_data') to YouTube. These two strings are required
to play videos using the WEB client.

Warning: These strings give much more identifiable information to Google!

If the po_token setting is filled in, then the WEB client is used. If not, the
Android client is used. TvHtml5ScreenEmbed will still be used as a fallback.

Script for generating po_token and visitor_data:
https://github.com/iv-org/youtube-trusted-session-generator

Helps with issue 4734
2024-08-13 20:35:43 +02:00
Samantaz Fox 2d7869b48b
Add support for an external signature server (#4772)
This PR adds support for inv_sig_helper, which offloads the player fetching,
function extraction and signature parsing, which in turn allows to use the
web client to watch videos.

When the new config option "signature_server" is not set, the logic for the
external signature server is not enabled and invidious behaves like before.

This PR also updates the crystal overrides because the stdlib changed quite
a while ago (See issue 11049 at crystal-lang/crystal) and those were required
to properly use TCP/unix sockets.

Closes issue 4649
2024-08-13 20:26:59 +02:00
Samantaz Fox 88b9f17388
Ameba: Fix Naming/VariableNames (#4790)
Related to issue 2231
2024-08-13 20:26:15 +02:00
Emilien Devos e6c39f9e3a add pot= parameter now required by youtube 2024-08-13 14:37:35 +02:00
Samantaz Fox 5e38ef59da
Ameba: Fix Lint/UselessAssign (#4795)
Related to issue 2231
2024-08-11 13:38:29 +02:00
Samantaz Fox 80ffc442f2
HTML: Add rel="noreferrer noopener" to external links (#4667)
Note: Does not add rel="noreferrer noopener" to:
 * links in channel description
 * links in video descriptions
 * links in video comments

Related to issue 4267
2024-08-11 13:35:57 +02:00
Samantaz Fox 9bf754ed4f
Remove unused methods in Invidious::LogHandler (#4812)
Closes issue 4791
2024-08-11 11:45:56 +02:00
Samantaz Fox fa6c5158c5
Ameba: Fix Lint/NotNilAfterNoBang (#4796)
Related to issue 2231
2024-08-11 11:45:05 +02:00
Samantaz Fox b45310c7d4
Ameba: Fix unused argument Lint warnings (#4805)
Related to issue 2231
2024-08-11 11:43:56 +02:00
Samantaz Fox eb2dfe0ab1
Ameba: i18next.cr fixes (#4806)
Related to issue 2231
2024-08-11 11:41:36 +02:00
Samantaz Fox cc36a82933
SigHelper: Fix some logic errors raised during code review 2024-08-07 23:26:10 +02:00
Samantaz Fox 7798faf234
SigHelper: Make signature server optional and configurable 2024-08-07 23:25:35 +02:00
Samantaz Fox ec1bb5db87
SigHelper: Add support for PLAYER_UPDATE_TIMESTAMP opcode 2024-08-07 23:25:32 +02:00
Samantaz Fox 3b7e45b7bc
SigHelper: Small fixes + suggestions from code review 2024-08-07 23:12:38 +02:00
syeopite e098c27a45
Remove unused methods in `Invidious::LogHandler` 2024-07-28 16:44:30 -07:00
syeopite 6506b8dbfc
Ameba: Fix Naming/PredicateName 2024-07-25 20:08:26 -07:00
Samantaz Fox 61d75050e4
SigHelper: Use 'URI.parse' instead of 'URI.new'
Co-authored-by: Brahim Hadriche <brahim.hadriche@gmail.com>
2024-07-25 22:13:08 +02:00
Samantaz Fox 10e5788c21
Videos: Send player sts when required 2024-07-25 22:13:08 +02:00
Samantaz Fox b509aa91d5
SigHelper: Fix many issues 2024-07-25 22:13:08 +02:00
Samantaz Fox ec8b7916fa
Videos: Make use of the video decoding 2024-07-25 22:13:08 +02:00
Samantaz Fox 56a7488161
Helpers: Add inv_sig_helper client 2024-07-25 22:13:08 +02:00
Samantaz Fox a845752fff
Jobs: Remove the signature function update job 2024-07-25 22:13:08 +02:00
Samantaz Fox 63a729998b
Misc: Sync crystal overrides with current stdlib 2024-07-25 22:13:07 +02:00
syeopite 205f988491
Ameba: Fix Naming/MethodNames 2024-07-24 20:04:44 -07:00
syeopite 0db3b830b7
Ameba: Fix Lint/HashDuplicatedKey 2024-07-24 20:03:41 -07:00
syeopite c8fb75e6fd
Ameba: Fix Lint/UnusedBlockArgument 2024-07-24 19:59:20 -07:00
syeopite 636a6d0be2
Ameba: Fix Lint/UnusedArgument 2024-07-24 19:57:54 -07:00
syeopite 3415507e4a
Ameba: undo Lint/NotNilAfterNoBang in signatures.cr
File is set to be removed with #4772
2024-07-24 19:48:34 -07:00
Emilien Devos 53223f99b0 Add ability to set po_token and visitordata ID 2024-07-24 19:28:47 +02:00
Samantaz Fox 325561e755
Channel: parse subscriber count and channel banner (#4785)
This PR adds support for parsing the newer channel header format
(banner + subscription parsing)

Before this change:
* 0 subscribers
* No banner image

After this change:
* Example with Mr Breast channel: 299M
* Image banner is visible

Closes issue 4783
2024-07-21 17:24:09 +02:00
Samantaz Fox 7fdbda612f
Videos: Fix genre url being unusable (#4717)
Closes issue 4700
2024-07-21 17:24:03 +02:00
Samantaz Fox 4f60feee17
API: Fix out of bound error on empty playlists (#4696)
Before this PR, Invidious assumed that every playlist had at least one video.
When a playlist had no videos, Invidious was throwing an "Index out of bounds"
exception.

The following API endpoints were impacted:
* api/v1/playlists/:plid
* api/v1/auth/playlists/:plid

Fixes issue 4679
2024-07-21 17:24:01 +02:00
Samantaz Fox 733bd27a5c
Handle playlists cataloged as Podcast (#4695)
Videos of a playlist cataloged as podcast are called "episodes" therefore
Invidious was not able to find video in the text value inside the stats array.

Test case: "/playlist?list=PLDu-Eh5lUs1a4irCbnxMIB6FrUMaTXgVF"

Fixes issue 4688
2024-07-21 17:23:58 +02:00
Samantaz Fox 1ff0775f4b
API: Fix duplicated query parameters in proxied video URLs (#4587)
This pull request fixes that bug that was causing the query parameters to get
doubled in the streaming URLs when '?local=true' is passed to the
'/api/v1/videos/{id}' API endpoint.

Before: host/path?parameters?parameters
After: host/path?parameters

No associated open issue
2024-07-21 17:23:53 +02:00
Samantaz Fox e62d4db752
API: Return actual stream height, width and fps (#4586)
At the moment Invidious will return hardcoded data for the 'size',
'qualityLabel' and 'fps' fields for streams, when such hardcoded data is
available, otherwise it just omits those fields from the response (e.g. with
the AV1 formats). Those issues are especially noticeable when Invidious claims
that 50fps streams have 60fps and when it claims that the dimensions for a
vertical video are landscape. The DASH manifests that Invidious generates
already use the correct information.

This pull request corrects that issue by returning the information that
YouTube provides instead of hardcoded values and also fixes the long
standing bug of Invidious claiming that audio streams have 30 fps.

Here are two test cases:
50/25/13fps: https://youtu.be/GbXYZwUigCM (/api/v1/videos/GbXYZwUigCM)
vertical video: https://youtu.be/hxQwWEOOyU8 (/api/v1/videos/hxQwWEOOyU8)

Originally these problems were going to be solved by the complete refactor
of stream handling in 3620, but as that pull request got closed by the stale
bot over a month ago and has such a massive scope that it would require a
massive amount of work to complete it, I decided to open this pull request
that takes a less radical approach of just fixing bugs instead of a full
on refactoring.

FreeTube generates its own DASH manifests instead of using Invidious' one,
so that it can support multiple audio tracks and HDR. Unfortunately due to
the missing and inaccurate information in the API responses, FreeTube has
to request the DASH manifest from Invidious to extract the height, width and
fps. With this pull request FreeTube could rely just on the API response,
saving that extra request to the Invidious instance. It would also make it
possible for FreeTube to use the vp9 streams with Invidious, which would
reduce the load on the video proxies.

Closes issue 4131
2024-07-21 17:23:50 +02:00
Samantaz Fox 8b1da2001e
Preferences: Fix handling of modified source code URL (#4437)
Before this PR, setting the modified code repo URL through the preferences
page in Invidious was broken:

* the HTML input tag for this field had invalid type "input"
  (though browser falls back on text input)

* the URL was used to set the "checked" property and not as a plain value,
  which makes no sense for a text-based input (and resulted in a blank field)

* when the submitted field is empty, the retrieved value was an empty 'String'
  instead of 'nil', causing the "modified source code URL" to be an empty
  'href' link which just pointed to the current page

No associated open issue
2024-07-21 17:23:48 +02:00
Samantaz Fox 5a12005b48
API: Fix URL for vtt subtitles (#4221)
For 'fmt=vtt' to work, the 'fmt' parameter needs to be replaced
in the original caption api URL.

No associated open issue
2024-07-21 17:23:44 +02:00
syeopite fad0a4f52d
Ameba: Fix Lint/UselessAssign 2024-07-17 12:39:40 -07:00
syeopite fa50e0abf4
Simplify last_node retrieval
Co-authored-by: Samantaz Fox <coding@samantaz.fr>
2024-07-17 12:21:48 -07:00
syeopite 8258062ec5
Ameba: Fix Lint/NotNilAfterNoBang 2024-07-15 17:36:00 -07:00
syeopite 8a90add310
Ameba: Fix Naming/VariableNames
Fix Naming/VariableNames in comment renderer

Fix Naming/VariableNames in helpers/utils

Fix Naming/VariableNames in api/v1/misc.cr
2024-07-11 20:56:28 -07:00
Samantaz Fox bad92093bf
Channels: Add sort options to streams (#4224) 2024-07-10 22:28:22 +02:00
Samantaz Fox 436a61e3bb
API: Fix error code for disabled popular endpoint (#4296)
When visiting /api/v1/popular and popular endpoint is disabled
Before:

500 {"error":"Closed stream"}

After:

403 {"error":"Administrator has disabled this endpoint."}
2024-07-10 22:25:31 +02:00
Samantaz Fox 5e0f55333a
Allow embedding videos in local HTML files (#4450)
The current Content Security Policy does not allow to embed videos
inside local HTML files which are viewed in the browser via the file
protocol. This commit adds the file protocol to the allowed frame
ancestors, so that the embedded videos load correctly in local HTML
files.

This behaviour is consistent with how the official YouTube website
allows to embed videos from itself.

Closes issue 4448
2024-07-10 22:24:18 +02:00
Samantaz Fox 99c7e9e800
YtAPI: Remove API keys like official clients (#4655)
This PR removes API keys from innertube requests, as the official clients
did it too.
2024-07-10 22:19:51 +02:00
Samantaz Fox e9bab06e90
HTML: Use full URL in the og:image property (#4675)
Some opengraph implementations don't support a URL without the domain
therefore failing to fetch the video thumbnail and channel image.
This pull request basically fixes that.
2024-07-10 22:17:45 +02:00
ChunkyProgrammer 911dad6935 Channel: parse subscriber count and channel banner 2024-07-09 14:43:14 -04:00
meatball 248df785d7 Update spec and rollback to last commits changes 2024-06-18 20:55:14 +02:00