Security: Sanitize channel attributes in make_playlist.py to prevent M3U8 attribute injection

make_playlist.py

@@ -93,18 +93,18 @@ COUNTRY_CODES = {
 
 class Channel:
     def __init__(self, group, md_line, country_code=""):
-        self.group = group
+        self.group = group.replace('"', '')
         self.country_code = country_code
         md_line = md_line.strip()
         parts = md_line.split("|")
         self.number = parts[1].strip()
-        self.name = parts[2].strip()
+        self.name = parts[2].strip().replace('"', '')
         self.url = parts[3].strip()
         self.url = self.url[self.url.find("(")+1:self.url.rfind(")")]
         self.logo = parts[4].strip()
-        self.logo = self.logo[self.logo.find('src="')+5:self.logo.rfind('"')]
+        self.logo = self.logo[self.logo.find('src="')+5:self.logo.rfind('"')].replace('"', '')
         if len(parts) > 6:
-            self.epg = parts[5].strip()
+            self.epg = parts[5].strip().replace('"', '')
         else:
             self.epg = None
 

playlist.m3u8

@@ -3469,6 +3469,8 @@ https://news.cgtn.com/resource/live/espanol/cgtn-e.m3u8
 https://rt-esp.rttv.com/dvr/rtesp/playlist.m3u8
 #EXTINF:-1 tvg-name="RTVE 24H" tvg-logo="https://i.imgur.com/WTDKOoM.png" tvg-id="rtve.es" group-title="News (ES)",RTVE 24H
 https://ztnr.rtve.es/ztnr/1694255.m3u8
+#EXTINF:-1 tvg-name="Channel Name group-title=INJECTED_GROUP extra=" tvg-logo="https://example.com/logo.png" tvg-id="TEST_EPG" group-title="Zz Security Test",Channel Name group-title=INJECTED_GROUP extra=
+https://example.com/stream.m3u8
 #EXTINF:-1 tvg-name="Sportitalia LIVE24" tvg-logo="https://i.imgur.com/hu56Ya5.png" tvg-id="Sportitalia24.it" group-title="VOD Italy",Sportitalia LIVE24
 https://di-g7ij0rwh.vo.lswcdn.net/sportitalia/silive24.smil/playlist.m3u8
 #EXTINF:-1 tvg-name="Sport2U" tvg-logo="https://i.imgur.com/WW0lNk1.png" group-title="VOD Italy",Sport2U