Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: "Rémi Denis-Courmont" <remi@remlab.net>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH] [RFC] avformat: Add basic same origin check
Date: Wed, 03 May 2023 19:07:09 +0300
Message-ID: <1846772.vxqQoQgO3c@basile.remlab.net> (raw)
In-Reply-To: <20230503133359.GD1391451@pb2>

On Wednesday, 3 May 2023 at 16:33:59 EEST, Michael Niedermayer wrote:
> This patch was inspired by a report on ffmpeg-security about SSRF
> (for which a custom io_open() callback or some sort of sandboxing/VM can be
> used to avoid it)
> The patch here was intended to explore if we can provide something that's
> better than currently by default

I am not sure how a dodgy HLS manifest would be any different from the user 
clicking a hyperlink from a dodgy website - or opening a dodgy playlist file 
in their FFmpeg-based media player application for that matter. Either way, it 
can open any URL.

It is obviously not an ideal situation, but any restriction here will most 
definitely break existing use cases (and likely be abused by server operators 
to lock FFmpeg out).

Even the "obvious" blocking of secure (HTTPS) to nonsecure (HTTP) references 
is likely to break stuff. If the end result is that everybody just turns origin 
checking off, it's pretty pointless.

> But the same issue with roles flipped occurs for the end user, and the user
> cannot be expected to set up a custom io_open() callback for his player.
> The current code can also be used to poke
> around the local network of the user, which is unexpected by the user.
> For example, an avi file could be probed as an m3u8 playlist and then
> poke around on the local net while mixing that with remote URLs;
> from the timing of the remote accesses the remote party should be able
> to infer what happened with the local poking.

I agree, but it is unrealistic to change anything here. People make playlists 
mixed with local files and network file systems or cloud storage services. Yes, 
there is a slight information leakage. For instance, you can probe if a local 
file exists by interleaving local and remote URLs in a playlist.

In practice, this is a well-known issue and has been for at least two decades, 
and the "solution" is to limit what the open file can do. To state the obvious 
extreme, one wouldn't want to execute a shell script or an executable from a 
playlist.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
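The thread above debates three kinds of playlist reference that an origin check would have to distinguish: a secure-to-nonsecure (HTTPS to HTTP) downgrade, a remote manifest pointing at a local file, and a remote manifest pointing at a private-network address. The following is an added illustration, not FFmpeg code and not the patch under discussion: it resolves each media line of a constructed HLS manifest against the manifest's own URL and labels it, leaving the decision of what to block (and what would break existing use cases) to a policy layer. The manifest URL, the sample lines and the label names are assumptions made up for the example.

```python
"""Label playlist references relative to the manifest that carries them.

Added example for illustration; not FFmpeg's code. The labels and the
sample manifest are constructed for this example.
"""
import ipaddress
from urllib.parse import urljoin, urlparse

NETWORK_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) triple; default port filled in for http/https."""
    p = urlparse(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def is_private_literal(host):
    """True only for literal loopback/private/link-local IP addresses.

    Hostnames are deliberately not resolved, so the check stays offline;
    a name that resolves to a private address is not caught here.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify_reference(manifest_url, ref):
    """Return (resolved_url, label) for one playlist entry.

    Labels, most specific first:
      same-origin      scheme, host and port match the manifest
      non-network      network manifest refers to a non-network URL (file:, ...)
      private-address  target is a literal loopback/private/link-local IP
      downgrade        https manifest refers to a plain http URL
      cross-origin     any other network URL on a different origin
    """
    target = urljoin(manifest_url, ref)  # relative refs resolve against the manifest
    m, t = origin(manifest_url), origin(target)
    if m == t:
        return target, "same-origin"
    if m[0] in NETWORK_SCHEMES and t[0] not in NETWORK_SCHEMES:
        return target, "non-network"
    if is_private_literal(t[1]):
        return target, "private-address"
    if m[0] == "https" and t[0] == "http":
        return target, "downgrade"
    return target, "cross-origin"


def audit_playlist(manifest_url, text):
    """List every non-same-origin media line as (resolved_url, label).

    Only plain URI lines are examined; URIs carried inside tag attributes
    (for example an EXT-X-KEY URI) are out of scope for this illustration.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, label = classify_reference(manifest_url, line)
        if label != "same-origin":
            findings.append((target, label))
    return findings


# Constructed sample manifest: one entry per label the classifier knows.
SAMPLE_MANIFEST_URL = "https://cdn.example/live/index.m3u8"
SAMPLE_MANIFEST = """#EXTM3U
#EXT-X-TARGETDURATION:4
#EXTINF:4.0,
seg1.ts
#EXTINF:4.0,
http://cdn.example/live/seg2.ts
#EXTINF:4.0,
http://192.168.1.10/seg3.ts
#EXTINF:4.0,
file:///etc/hostname
#EXTINF:4.0,
https://other.example/seg5.ts
"""

if __name__ == "__main__":
    for target, label in audit_playlist(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST):
        print(f"{label:16} {target}")
```

Run as a script it prints one line per flagged entry; `seg1.ts` resolves to the manifest's own origin and is not reported. Nothing is blocked by the classifier itself: as the thread points out, whether a `cross-origin` or `downgrade` reference should be refused depends on the application, and local playlists mixing `file:` and network entries are a normal use case, which is why the labelling is kept separate from any policy.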

