[FFmpeg-devel] [PATCH 3/4] avformat/concat: Add concat_enable option that is disable by default

Nicolas George george at nsup.org
Thu Jan 21 09:54:13 CET 2016


On duodi 2 Pluviôse, year CCXXIV, Andreas Cadhalpun wrote:
> I think introducing protocol_whitelist could be a general solution.
> It could have sensible defaults, e.g. if it is not passed as option
> to avio_open2/ffurl_connect it could default to only local protocols
> unless the protocol to open is a network protocol, in which case
> it could default to only network protocols.
> 
> So when opening 'file:', 'concat:' or other local protocol, the
> protocol_whitelist would default to local protocols.
> When opening 'http:', 'https:' or other network protocols, the
> protocol_whitelist would default to network protocols.
> 
> That should prevent mixing of local and remote data, unless
> specifically requested by the API/CLI user.
> 
> So if e.g. a local playlist 'file:' would contain 'http:' URLs a
> protocol_whitelist allowing this combination would be required
> for playback.

You have the right idea, but a simple white list of protocols is not enough.
If http://example.com/mostly_harmless.m3u pointing to
file:///home/me/sensitive/file is a problem, then we have exactly the same
problem with it pointing to http://intranet.local/sensitive/file, even more so
if protocol options can turn it into a POST request.

If we want to take this issue seriously, we need a rather complex mechanism
to ensure information separation, including same-origin policy and such.

Removing or disabling the concat protocol is like double-locking the door
when the window is still wide open.

Regards,

-- 
  Nicolas George
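
The gap described in the reply above, as an added example that is not part of the original message and is not FFmpeg code: a class-based default whitelist rejects the `file:` reference but accepts the intranet one, while a scheme-and-authority comparison rejects both. All function names are hypothetical, the protocol lists hold only the protocols named in the thread, and URLs are assumed to be already lower case.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; none of these are FFmpeg functions.
 * Assumption: URLs are already normalized to lower case. */
enum proto_class { PROTO_UNKNOWN, PROTO_LOCAL, PROTO_NETWORK };

static int in_list(const char *url, size_t n, const char *const *list) {
    for (; *list; list++)
        if (strlen(*list) == n && !strncmp(url, *list, n)) return 1;
    return 0;
}

static enum proto_class classify(const char *url) {
    static const char *const local[] = { "file", "concat", NULL };
    static const char *const net[]   = { "http", "https", NULL };
    const char *colon = strchr(url, ':');
    size_t n = colon ? (size_t)(colon - url) : 0;
    if (n && in_list(url, n, local)) return PROTO_LOCAL;
    if (n && in_list(url, n, net))   return PROTO_NETWORK;
    return PROTO_UNKNOWN;
}

/* Default from the quoted proposal: a nested URL is allowed only if its
 * protocol is in the same class (local or network) as the outer URL. */
int whitelist_allows(const char *outer, const char *nested) {
    enum proto_class c = classify(nested);
    return c != PROTO_UNKNOWN && c == classify(outer);
}

/* Length of "scheme://authority"; 0 if the URL has no "://". */
static size_t origin_len(const char *url) {
    const char *p = strstr(url, "://");
    return p ? (size_t)(p + 3 - url) + strcspn(p + 3, "/?#") : 0;
}

/* Stricter check: scheme and authority must match byte for byte, so a
 * differing host, port or userinfo fails closed. */
int same_origin(const char *a, const char *b) {
    size_t la = origin_len(a), lb = origin_len(b);
    return la && la == lb && !strncmp(a, b, la);
}

int main(void) {
    const char *list = "http://example.com/mostly_harmless.m3u";
    const char *in = "http://intranet.local/sensitive/file";
    printf("whitelist=%d same_origin=%d\n", whitelist_allows(list, in), same_origin(list, in));
    return 0;
}
```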