From: James Bunton <jamesbunton@delx.net.au>
Date: Sun, 20 Jan 2019 13:52:49 +0000 (+1100)
Subject: Don't try to download from non-YouTube sites
X-Git-Url: https://code.delx.au/youtube-cgi/commitdiff_plain/54ec2bd49d2fac136d706647cff50fe67f3264d1

Don't try to download from non-YouTube sites
---

diff --git a/youtube.cgi b/youtube.cgi
index b94febf..d1cb666 100755
--- a/youtube.cgi
+++ b/youtube.cgi
@@ -36,8 +36,11 @@ QUALITIES = {
 class VideoUnavailable(Exception):
     pass
 
+class NotYouTube(Exception):
+    pass
+
 def print_form(url="", msg=""):
-    script_url = "http://%s%s" % (os.environ["HTTP_HOST"], os.environ["REQUEST_URI"])
+    script_url = "https://%s%s" % (os.environ["HTTP_HOST"], os.environ["REQUEST_URI"])
     sys.stdout.write("Content-Type: text/html\r\n\r\n")
     sys.stdout.write("""
 <!DOCTYPE html>
@@ -103,6 +106,16 @@ def urlopen(url, offset=None):
         assert start == offset
     return res
 
+def validate_url(url):
+    parsed_url = urllib.parse.urlparse(url)
+    scheme_ok = parsed_url.scheme == "https"
+    host_ok = parsed_url.netloc.lstrip("www.") in ["youtube.com", "youtu.be"]
+
+    if scheme_ok and host_ok:
+        return
+    else:
+        raise NotYouTube()
+
 def parse_url(url, parser):
     f = urlopen(url)
     parser.feed(f.read().decode("utf-8"))
@@ -343,11 +356,12 @@ def cgimain():
     try:
         url = args["url"][0]
     except:
-        print_form(url="http://www.youtube.com/watch?v=FOOBAR")
+        print_form(url="https://www.youtube.com/watch?v=FOOBAR")
         return
 
     try:
         page = YouTubeVideoPageParser()
+        validate_url(url)
         parse_url(url, page)
         video_url, filename = get_video_url(page)
         video_data = urlopen(video_url)
@@ -356,10 +370,15 @@ def cgimain():
             url=url,
             msg="<p class='error'>Sorry, there was an error: %s</p>" % cgi.escape(e.args[0])
         )
+    except NotYouTube:
+        print_form(
+            url=url,
+            msg="<p class='error'>Sorry, that does not look like a YouTube page!</p>"
+        )
     except Exception as e:
         print_form(
             url=url,
-            msg="<p class='error'>Sorry, there was an error. Check your URL?</p>"
+            msg="<p class='error'>Sorry, there was an unknown error.</p>"
         )
         return
 
@@ -411,7 +430,7 @@ def main():
     try:
         url = sys.argv[1]
     except:
-        print("Usage: %s http://youtube.com/watch?v=FOOBAR" % sys.argv[0], file=sys.stderr)
+        print("Usage: %s https://youtube.com/watch?v=FOOBAR" % sys.argv[0], file=sys.stderr)
         sys.exit(1)
 
     page = YouTubeVideoPageParser()