[FFmpeg-devel] [PATCH] avformat/hls: Check local file extensions

Michael Niedermayer michael at niedermayer.cc
Mon Jun 5 14:56:42 EEST 2017


On Mon, Jun 05, 2017 at 11:13:06AM +0200, Paul B Mahol wrote:
> On 6/5/17, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > On Sat, Jun 03, 2017 at 09:20:04PM +0200, Michael Niedermayer wrote:
> >> This reduces the attack surface of local file-system
> >> information leaking.
> >>
> >> It prevents the existing exploit leading to an information leak. As
> >> well as similar hypothetical attacks.
> >>
> >> Leaks of information from files and symlinks ending in common multimedia extensions
> >> are still possible. But files with sensitive information like private keys and passwords
> >> generally do not use common multimedia filename extensions.
> >> It does not stop leaks via remote addresses in the LAN.
> >>
> >> The existing exploit depends on a specific decoder as well.
> >> It does appear though that the exploit should be possible with any decoder.
> >> The problem is that as long as sensitive information gets into the decoder,
> >> the output of the decoder becomes sensitive as well.
> >> The only obvious solution is to prevent access to sensitive information. Or to
> >> disable hls or possibly some of its features. More complex solutions like
> >> checking the path to limit access to only subdirectories of the hls path may
> >> work as an alternative. But such solutions are fragile and tricky to implement
> >> portably and would not stop every possible attack nor would they work with all
> >> valid hls files.
> >>
> >> Developers have expressed their dislike / objected to disabling hls by default as well
> >> as disabling hls with local files. There also were objections against restricting
> >> remote url file extensions. This here is a less robust but also lower
> >> inconvenience solution.
> >> It can be applied stand alone or together with other solutions.
> >>
> >> Found-by: Emil Lerner and Pavel Cheremushkin
> >> Reported-by: Thierry Foucu <tfoucu at google.com>
> >>
> >> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >> ---
> >>  libavformat/hls.c | 18 +++++++++++++++++-
> >>  1 file changed, 17 insertions(+), 1 deletion(-)
> >
> > Applied with the author name joke suggested by nicolas
> 
> This is a joke, please revert this.

ok, done


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Avoid a single point of failure, be that a person or equipment.
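
An added illustration of the local-file extension check the quoted commit message describes; it is not the code from the patch or from FFmpeg, and the function names, the allowlist contents and the sample playlist entries are constructed. It assumes '/'-separated paths and also shows the limits the message states: remote URLs are not checked, and a local name ending in a multimedia extension (a symlink, for example) still passes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed allowlist for illustration; not the list used by the patch. */
static const char *const allowed_ext[] = { "ts", "m3u8", "mp4", "m4s", "aac", "mp3", NULL };

/* Returns 1 if url names a local file: no scheme, a drive letter, or file:. */
static int is_local(const char *url)
{
    const char *colon = strchr(url, ':');
    const char *slash = strchr(url, '/');
    if (!colon || (slash && slash < colon))
        return 1;                       /* no scheme before the first '/' */
    if (colon - url == 1)
        return 1;                       /* "C:..." is a drive letter, not a scheme */
    return strncasecmp(url, "file:", 5) == 0;
}

/* Returns 1 if a playlist entry may be opened, 0 if it must be rejected. */
int segment_allowed(const char *url)
{
    const char *base, *dot;
    size_t i;

    if (!is_local(url))
        return 1;   /* remote URLs are outside the scope of this check */
    base = strrchr(url, '/');
    base = base ? base + 1 : url;
    dot = strrchr(base, '.');
    if (!dot || dot == base || !dot[1])
        return 0;   /* no extension, dotfile, or trailing dot */
    for (i = 0; allowed_ext[i]; i++)
        if (strcasecmp(dot + 1, allowed_ext[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed playlist entries. */
    const char *samples[] = { "seg001.ts", "/etc/passwd", "file:///home/u/.ssh/id_rsa",
                              "../notes.txt", "http://192.168.0.10/seg.bin", "link.mp4" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s %s\n", samples[i], segment_allowed(samples[i]) ? "open" : "reject");
    return 0;
}
```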