diff --git a/src/invidious/routes/video_playback.cr b/src/invidious/routes/video_playback.cr index f6340c579..6ac1e780f 100644 --- a/src/invidious/routes/video_playback.cr +++ b/src/invidious/routes/video_playback.cr @@ -14,12 +14,18 @@ module Invidious::Routes::VideoPlayback end if query_params["host"]? && !query_params["host"].empty? - host = "https://#{query_params["host"]}" + host = query_params["host"] query_params.delete("host") else - host = "https://r#{fvip}---#{mns.pop}.googlevideo.com" + host = "r#{fvip}---#{mns.pop}.googlevideo.com" end + # Sanity check, to avoid being used as an open proxy + if !host.matches?(/[\w-]+.googlevideo.com/) + return error_template(400, "Invalid \"host\" parameter.") + end + + host = "https://#{host}" url = "/videoplayback?#{query_params}" headers = HTTP::Headers.new