[FFmpeg-devel] [PATCH v10 1/2] avformat/imf: Demuxer

[Pierre-Anthony Lemieux]

>
> Now the question is whether a malicious attacker can craft those two
> files to get access to anything they shouldn't. I suppose at the very
> least the attacker can get information that the user opened the file (by
> adding an asset on an attacker's server) but that will be a danger with
> any playlists allowing network resources and can be controlled with
> io_open(). Can you think of any other possible issues?
>

Some security considerations:

- a DDoS can conceivably occur if a malicious CPL+ASSETMAP is widely
distributed. Both an ASSETMAP and a CPL are required since (a) the CPL
does not contain paths/hyperlinks and (b) only those resources
referenced by the CPL are fetched using the ASSETMAP.
- the CPL uses XML, which has its own security considerations. For
example, XML parsing can result in entities being fetched over the
network, but this is disabled by default in libxml AFAIK.
- several elements/attributes of the IMF CPL use URIs as unique
identifiers. These URIs could conceivably be dereferenced.
Dereferencing these URIs is however not a requirement and the IMF
demuxer does not do so.
- IMF only uses MXF to wrap essence but supports various kinds of
essence, e.g. Prores and J2K, each with its own security
considerations
- IMF has a mechanism to associate arbitrary files with a CPL. This is
not required for processing of the CPL and is not implemented by the
IMF demuxer.
- IMF includes an (optional) XML digital signature mechanism that
allows a user to confirm the origin and authenticity of the CPL,
preventing malicious insertion of hyperlinks. XML digital signature
has its own security considerations.

Many of these security considerations are shared with DASH and HLS.