[FFmpeg-devel] [PATCH] fftools/ffmpeg_ffplay_ffprobe_cmdutils: add -safe to replace the user name and password in the protocol address
"zhilizhao(赵志立)"
quinkblack at foxmail.com
Mon Dec 19 09:27:56 EET 2022
> On Dec 19, 2022, at 14:50, Wujian(Chin) <wujian2 at huawei.com> wrote:
>
>
>>> On Dec 17, 2022, at 15:36, Wujian(Chin) <wujian2 at huawei.com> wrote:
>>>
>>> The Protocol address may contain the user name and password. The ps -ef command may expose the plaintext.
>>> The -safe parameter option is added to replace the user name and password in the command line with the asterisk (*).
>
>> The patch reduced the risk to a low level, but I don’t think it fixed the security issue totally. It’s still there with a small time window. The usecase itself is unsafe.
>
> It's still there with a small time window, too short for people to capture.
> Do you have any other better way, if not, this way prevents 99% of the scenes better than not doing it at all.
>
>
>> There is an -safe option in concat demuxer, please make sure there is no conflict.
>> concat demuxer AVOptions:
>> -safe <boolean> .D......... enable safe mode (default true)
>
> There is no conflict because -safe is identified by the second parameter after ffmpeg/ffprobe/ffplay.
Isn’t it break the following use case?
ffmpeg -safe 0 -f concat -i abc -c copy /tmp/test.mp4
>
>
>>> Signed-off-by: wujian_nanjing <wujian2 at huawei.com>
>>> ---
>>> doc/ffmpeg.texi | 7 +++++++
>>> doc/ffplay.texi | 8 ++++++++
>>> doc/ffprobe.texi | 7 +++++++
>>> fftools/cmdutils.c | 47
>>> +++++++++++++++++++++++++++++++++++++++++++----
>>> fftools/cmdutils.h | 15 +++++++++++++++
>>> fftools/ffmpeg.c | 16 +++++++++++++---
>>> fftools/ffplay.c | 15 +++++++++++++--
>>> fftools/ffprobe.c | 18 ++++++++++++++----
>>> 8 files changed, 120 insertions(+), 13 deletions(-)
>>>
>>> diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index 0367930..e905542
>>> 100644
>>> --- a/doc/ffmpeg.texi
>>> +++ b/doc/ffmpeg.texi
>>> @@ -50,6 +50,13 @@ output files. Also do not mix options which belong
>>> to different files. All options apply ONLY to the next input or output file and are reset between files.
>>>
>>> @itemize
>>> + at item -safe
>>> +The Protocol address may contain the user name and password. The ps -ef command may expose the plaintext.
>>> +The -safe parameter option is added to replace the user name and password in the command line with the asterisk (*).
>>> + at example
>>> +ffmpeg -safe -i rtsp://username@password.xxxx.com @end example
>>> +
>>> @item
>>> To set the video bitrate of the output file to 64 kbit/s:
>>> @example
>>> diff --git a/doc/ffplay.texi b/doc/ffplay.texi index 5dd860b..f46ca91
>>> 100644
>>> --- a/doc/ffplay.texi
>>> +++ b/doc/ffplay.texi
>>> @@ -122,6 +122,14 @@ Read @var{input_url}.
>>>
>>> @section Advanced options
>>> @table @option
>>> +
>>> + at item -safe
>>> +The Protocol address may contain the user name and password. The ps -ef command may expose the plaintext.
>>> +The -safe parameter option is added to replace the user name and password in the command line with the asterisk (*).
>>> + at example
>>> +ffplay -safe -i rtsp://username@password.xxxx.com @end example
>>> +
>>> @item -stats
>>> Print several playback statistics, in particular show the stream
>>> duration, the codec parameters, the current position in the stream and
>>> diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index
>>> 4dc9f57..92b13cf 100644
>>> --- a/doc/ffprobe.texi
>>> +++ b/doc/ffprobe.texi
>>> @@ -89,6 +89,13 @@ Set the output printing format.
>>> @var{writer_name} specifies the name of the writer, and
>>> @var{writer_options} specifies the options to be passed to the writer.
>>>
>>> + at item -safe
>>> +The Protocol address may contain the user name and password. The ps -ef command may expose the plaintext.
>>> +The -safe parameter option is added to replace the user name and password in the command line with the asterisk (*).
>>> + at example
>>> +ffprobe -safe -i rtsp://username@password.xxxx.com @end example
>>> +
>>> For example for printing the output in JSON format, specify:
>>> @example
>>> -print_format json
>>> diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index
>>> a1de621..22407f8 100644
>>> --- a/fftools/cmdutils.c
>>> +++ b/fftools/cmdutils.c
>>> @@ -61,6 +61,40 @@ AVDictionary *format_opts, *codec_opts;
>>>
>>> int hide_banner = 0;
>>>
>>> +void param_masking(int argc, char **argv) {
>>> + int i, j;
>>> + for (i = 1; i < argc; i++) {
>>> + char *match = strstr(argv[i], "://");
>>> + if (match) {
>>> + int total = strlen(argv[i]);
>>> + for (j = 0; j < total; j++) {
>>> + argv[i][j] = '*';
>>> + }
>>> + }
>>> + }
>>> +}
>>> +
>>> +char **copy_argv(int argc, char **argv) {
>>> + char **argv2;
>>> + argv2 = av_mallocz(argc * sizeof(char *));
>>> + if (!argv2)
>>> + exit_program(1);
>>> +
>>> + for (int i = 0; i < argc; i++) {
>>> + int length = strlen(argv[i]) + 1;
>>> + argv2[i] = av_mallocz(length * sizeof(char *));
>>> + if (!argv2[i])
>>> + exit_program(1);
>>> + memcpy(argv2[i], argv[i], length - 1);
>>> + }
>>> + return argv2;
>>> +}
>>> +
>>> +void free_pp(int argc, char **argv) {
>>> + for (int i = 0; i < argc; i++)
>>> + av_free(argv[i]);
>>> + av_free(argv);
>>> +}
>>> void uninit_opts(void)
>>> {
>>> av_dict_free(&swr_opts);
>>> @@ -215,13 +249,13 @@ static void prepare_app_arguments(int *argc_ptr, char ***argv_ptr)
>>> if (win32_argv_utf8) {
>>> *argc_ptr = win32_argc;
>>> *argv_ptr = win32_argv_utf8;
>>> - return;
>>> + goto end;
>>> }
>>>
>>> win32_argc = 0;
>>> argv_w = CommandLineToArgvW(GetCommandLineW(), &win32_argc);
>>> if (win32_argc <= 0 || !argv_w)
>>> - return;
>>> + goto end;
>>>
>>> /* determine the UTF-8 buffer size (including NULL-termination symbols) */
>>> for (i = 0; i < win32_argc; i++)
>>> @@ -232,7 +266,7 @@ static void prepare_app_arguments(int *argc_ptr, char ***argv_ptr)
>>> argstr_flat = (char *)win32_argv_utf8 + sizeof(char *) * (win32_argc + 1);
>>> if (!win32_argv_utf8) {
>>> LocalFree(argv_w);
>>> - return;
>>> + goto end;
>>> }
>>>
>>> for (i = 0; i < win32_argc; i++) { @@ -243,9 +277,14 @@ static
>>> void prepare_app_arguments(int *argc_ptr, char ***argv_ptr)
>>> }
>>> win32_argv_utf8[i] = NULL;
>>> LocalFree(argv_w);
>>> -
>>> *argc_ptr = win32_argc;
>>> *argv_ptr = win32_argv_utf8;
>>> +end:
>>> + if (*argc_ptr > 1 && !strcmp((*argv_ptr)[1], "-safe")) {
>>> + (*argv_ptr)[1] = (*argv_ptr)[0];
>>> + (*argc_ptr)--;
>>> + (*argv_ptr)++;
>>> + }
>>> }
>>> #else
>>> static inline void prepare_app_arguments(int *argc_ptr, char
>>> ***argv_ptr) diff --git a/fftools/cmdutils.h b/fftools/cmdutils.h
>>> index 4496221..ce4c1db 100644
>>> --- a/fftools/cmdutils.h
>>> +++ b/fftools/cmdutils.h
>>> @@ -50,6 +50,21 @@ extern AVDictionary *format_opts, *codec_opts;
>>> extern int hide_banner;
>>>
>>> /**
>>> + * Using to masking sensitive info.
>>> + */
>>> +void param_masking(int argc, char **argv);
>>> +
>>> +/**
>>> + * Using to copy ori argv.
>>> + */
>>> +char **copy_argv(int argc, char **argv);
>>> +
>>> +/**
>>> + * Free **
>>> + */
>> +void free_pp(int argc, char **argv);
>>>> +
>>> +/**
>>> * Register a program-specific cleanup routine.
>>> */
>>> void register_exit(void (*cb)(int ret)); diff --git a/fftools/ffmpeg.c
>>> b/fftools/ffmpeg.c index 881d6f0..f77e850 100644
>>> --- a/fftools/ffmpeg.c
>>> +++ b/fftools/ffmpeg.c
>>> @@ -3865,9 +3865,9 @@ static int64_t getmaxrss(void)
>>>
>>> int main(int argc, char **argv)
>>> {
>>> - int ret;
>>> + int ret, safeFlag;
>>> BenchmarkTimeStamps ti;
>>> -
>>> + char **argv2;
>>> init_dynload();
>>>
>>> register_exit(ffmpeg_cleanup);
>>> @@ -3877,15 +3877,25 @@ int main(int argc, char **argv)
>>> av_log_set_flags(AV_LOG_SKIP_REPEATED);
>>> parse_loglevel(argc, argv, options);
>>>
>>> + safeFlag = 0;
>>> + if (argc > 1 && !strcmp(argv[1], "-safe")) {
>>> + argv[1] = argv[0];
>>> + safeFlag = 1;
>>> + argc--;
>>> + argv++;
>>> + }
>>> #if CONFIG_AVDEVICE
>>> avdevice_register_all();
>>> #endif
>>> avformat_network_init();
>>>
>>> show_banner(argc, argv, options);
>>> + argv2 = copy_argv(argc, argv);
>>> + if (safeFlag)
>>> + param_masking(argc, argv);
>>>
>>> /* parse options and open all input/output files */
>>> - ret = ffmpeg_parse_options(argc, argv);
>>> + ret = ffmpeg_parse_options(argc, argv2);
>>> if (ret < 0)
>>> exit_program(1);
>>>
>>> diff --git a/fftools/ffplay.c b/fftools/ffplay.c index
>>> fc7e1c2..f9e6c91 100644
>>> --- a/fftools/ffplay.c
>>> +++ b/fftools/ffplay.c
>>> @@ -3663,10 +3663,18 @@ void show_help_default(const char *opt, const
>>> char *arg)
>>> /* Called from the main */
>>> int main(int argc, char **argv)
>>> {
>>> - int flags;
>>> + int flags, safeFlag;
>>> + char **argv2;
>>> VideoState *is;
>>>
>>> init_dynload();
>>> + safeFlag = 0;
>>> + if (argc > 1 && !strcmp(argv[1], "-safe")) {
>>> + argv[1] = argv[0];
>>> + safeFlag = 1;
>>> + argc--;
>>> + argv++;
>>> + }
>>>
>>> av_log_set_flags(AV_LOG_SKIP_REPEATED);
>>> parse_loglevel(argc, argv, options); @@ -3682,7 +3690,10 @@ int
>>> main(int argc, char **argv)
>>>
>>> show_banner(argc, argv, options);
>>>
>>> - parse_options(NULL, argc, argv, options, opt_input_file);
>>> + argv2 = copy_argv(argc, argv);
>>> + parse_options(NULL, argc, argv2, options, opt_input_file);
>>> + if (safeFlag)
>>> + param_masking(argc, argv);
>>>
>>> if (!input_filename) {
>>> show_usage();
>>> diff --git a/fftools/ffprobe.c b/fftools/ffprobe.c index
>>> d2f126d..8d4d1e9 100644
>>> --- a/fftools/ffprobe.c
>>> +++ b/fftools/ffprobe.c
>>> @@ -4035,9 +4035,16 @@ int main(int argc, char **argv)
>>> WriterContext *wctx;
>>> char *buf;
>>> char *w_name = NULL, *w_args = NULL;
>>> - int ret, input_ret, i;
>>> -
>>> + int ret, input_ret, i, safeFlag;
>>> + char **argv2;
>>> init_dynload();
>>> + safeFlag = 0;
>>> + if (argc > 1 && !strcmp(argv[1], "-safe")) {
>>> + argv[1] = argv[0];
>>> + safeFlag = 1;
>>> + argc--;
>>> + argv++;
>>> + }
>>>
>>> #if HAVE_THREADS
>>> ret = pthread_mutex_init(&log_mutex, NULL); @@ -4056,8 +4063,10 @@
>>> int main(int argc, char **argv) #endif
>>>
>>> show_banner(argc, argv, options);
>>> - parse_options(NULL, argc, argv, options, opt_input_file);
>>> -
>>> + argv2 = copy_argv(argc, argv);
>>> + parse_options(NULL, argc, argv2, options, opt_input_file);
>>> + if (safeFlag)
>>> + param_masking(argc, argv);
>>> if (do_show_log)
>>> av_log_set_callback(log_callback);
>>>
>>> @@ -4173,6 +4182,7 @@ end:
>>> av_freep(&print_format);
>>> av_freep(&read_intervals);
>>> av_hash_freep(&hash);
>>> + free_pp(argc, argv2);
>>>
>>> uninit_opts();
>>> for (i = 0; i < FF_ARRAY_ELEMS(sections); i++)
>>> --
>>> 2.7.4
>>>
>>> _______________________________________________
>>> ffmpeg-devel mailing list
>>> ffmpeg-devel at ffmpeg.org
>>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>>
>>> To unsubscribe, visit link above, or email
>>> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list