-
Notifications
You must be signed in to change notification settings - Fork 218
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[漏洞] 未登录情况下获取用户视频列表 #699
Labels
Comments
将此合并的全部代码照搬即可使用 |
这个 #680 PR里没有加order_avoided这个参数,在未登录情况下会-352。 |
不清楚,我去BAC提下看看 |
还真是,只要一直填写true就行 |
z0z0r4
added a commit
to Nickszy/bilibili-api
that referenced
this issue
Apr 5, 2024
已添加 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
问题类似于 #691
bilibili-api/bilibili_api/user.py
Line 442 in a047487
目前的版本的
user.get_videos()
当未传入credential类时,仍会触发-352风控。但的确未登录情况下是可以获取用户视频列表的。
测试发现,未登录情况下,query的参数里必须要有 order_avoided 参数。如果登录了,那这个参数就不是必须的。
默认值是'true',但似乎改成任意字符串都可以。网上没找到这个参数用处的说明,可能就是和风控相关的。
举例子就是当未登录情况下,cookies有buvid3,headers有UA时,下面是个最小版的成功请求的链接
https://api.bilibili.com/x/space/wbi/arc/search?dm_cover_img_str=QU5HTEUgKEludGVsIEluYy4sIEludGVsIElyaXMgUHJvIE9wZW5HTCBFbmdpbmUsIE9wZW5HTCA0LjEpR29vZ2xlIEluYy4gKEludGVsIEluYy&dm_img_inter=%7B%22ds%22%3A%5B%5D%2C%22wh%22%3A%5B0%2C0%2C0%5D%2C%22of%22%3A%5B0%2C0%2C0%5D%7D&dm_img_list=%5B%5D&dm_img_str=V2ViR0wgMS4wIChPcGVuR0wgRVMgMi4wIENocm9taXVtKQ&mid=7773004&order_avoided=true&web_location=1550101&wts=1709535813&w_rid=3edc96577b50f4d7db2432e750a83058
The text was updated successfully, but these errors were encountered: