[FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Kieran Kunhya
kieran618 at googlemail.com
Thu Jan 23 23:54:36 EET 2025
On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, <michael at niedermayer.cc>
wrote:
> Hi Kieran
>
> On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel
> wrote:
> > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, <michael at niedermayer.cc>
> > wrote:
> >
> > > This blocks disallowed extensions from probing
> > > It also requires all available segments to have matching extensions to
> the
> > > format
> > > mpegts is treated independent of the extension
> > >
> >
> > Potentially this is a stupid question but what stops an attacker from
> > faking the extension?
>
> How would he fake the extension ?
>
> The attacker generally wants to access a sensitive file, maybe one in
> /etc or maybe .ssh with something like the tty demuxer / ansi decoder
>
> lets pick /etc/passwd as a specific example
>
Is there no control character they can use to fake the extension
potentially?
As an aside, why is this CVE from 2023 being fixed now?
Kieran
>
More information about the ffmpeg-devel
mailing list