>That probably is enough for the interpreted language to be Turing-complete
It seems to be so. On the other hand- and it's no excuse for running
proprietary software- there doesn't seem to be a great deal of functionality:
for example, there seems to be no way to communicate over the Internet,
access a permanent data store, invoke third-party functions, and so on. It
seems relatively harmless from a privacy/security perspective, though of
course it wouldn't take much for that to change.
>But is the interpreter really taking arbitrary code from the Web?
Unfortunately, yes- perhaps not in actual usage, but it's set up to do so.
The module containing the interpreter is imported by
youtube_dl/extractor/youtube.py, and the function _parse_sig_js invokes that
to run some code it's fed. The following block of code then calls that
function with the source of a webpage it downloads:
if player_type == 'js':
code = self._download_webpage(
player_url, video_id,
note=download_note,
errnote='Download of %s failed' % player_url)
res = self._parse_sig_js(code)
This seems to be the only use of the system for YouTube (I haven't looked at
other sites), and what exactly sets the player type to 'js' I don't know. It
may be worth noting that there's also SWF interpreter, which is invoked very
similarly to the way the JS one is (except with player type swf instead).
