From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 50EDD46184 for ; Mon, 8 May 2023 18:23:33 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D835968C11C; Mon, 8 May 2023 21:23:30 +0300 (EEST) Received: from relay10.mail.gandi.net (relay10.mail.gandi.net [217.70.178.230]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id C6FEF68C115 for ; Mon, 8 May 2023 21:23:23 +0300 (EEST) Received: (Authenticated sender: michael@niedermayer.cc) by mail.gandi.net (Postfix) with ESMTPSA id 9488D240005 for ; Mon, 8 May 2023 18:23:22 +0000 (UTC) Date: Mon, 8 May 2023 20:23:19 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20230508182319.GU1391451@pb2> References: <20230506132503.9524-1-michael@niedermayer.cc> <20230506132503.9524-2-michael@niedermayer.cc> <20230507191829.GP1391451@pb2> MIME-Version: 1.0 In-Reply-To: Subject: Re: [FFmpeg-devel] [PATCH 2/3] avformat/imfdec: fail on probing non xml file extension X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============9119520595412138891==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============9119520595412138891== Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="r+TdwuXy+OXS8TUs" Content-Disposition: inline --r+TdwuXy+OXS8TUs Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, May 07, 2023 at 10:09:58PM -0700, Pierre-Anthony Lemieux wrote: > On Sun, May 7, 2023 at 12:18=E2=80=AFPM Michael Niedermayer > wrote: > > > > On Sat, May 06, 2023 at 11:01:20AM -0700, Pierre-Anthony Lemieux wrote: > > > On Sat, May 6, 2023 at 6:25=E2=80=AFAM Michael Niedermayer > > > wrote: > > > > > > > > Its unexpected that a .avi or other "standard" file turns into a pl= aylist. > > > > The goal of this patch is to avoid this unexpected behavior and pos= sible > > > > privacy or security differences. > > > > > > Per the IMF specification, a CPL can have any extension or, in fact, > > > no extension. The latter is routinely used. > > > > is there a restriction on the URL/URIs used in it ? > > that is in practice, can they be restricted to the same server, > > child directories, or some other restriction ? >=20 > Below is a brief overview of the linkage between the various of > components of an IMF composition: >=20 > - the Composition Playlist (CPL) is the file that is passed to FFMPEG > as input (-i) > - the CPL is an XML document and defines a playlist > - each of the components that make up the playlist is identified by a > UUID, i.e. the CPL does not contain file paths/URLs. > - the mapping between UUIDs and URLs is done through separate XML > files called Asset Maps. Paths to Asset Maps can be provided > explicitly through the "-assetmaps" argument, otherwise FFMPEG looks > for a file called "ASSETMAP.xml" in the same directory as the CPL > file. > - according to the standard, all URLs in each Asset Map is relative to > the location of the Asset Map, and thus the CPL and the Asset Map have > the same origin > - some applications have relaxed this constraint and allowed absolute > URLs in the Asset Map Thank you for this information >=20 > What is the threat scenario? Is the concern that a malicious actor > provides a CPL and Asset Map from origin A that makes malicious > requests to a different origin B? I do not have an exhaustive list of what can be done, but ill list a few things i can think of with some random ideas. First if i pretend to be the attacker, i want one file not 2 because thats easier can i just send the victim a ASSETMAP.xml that parses correctly as CPL too ? If yes, i think that can be checked for and trigger an error because i dont think a valid file would use itself as assetmap we could go a bit further here and play with things like ASSETMAP.xml?video.avi or something like that to make the link look more normal i didint look at if that would work but it just makes it more harmless look= ing now what can one do with this=20 A Spying 1. User downloads a video file now every time she plays the file, the file pings a URL revealing time, fre= quency and IP of the watched file This is probably not expected by the user B1 Poking 1. User downloads or plays a video file now the file refers to various urls testing the users local network and net= work services timing of remote accesses reveals this to an attacker This is probably not expected by the user either B2 same as B1 but a attacker uploads the file to a server where the attacke= r pokes around using it B3 the URL requests to other services may or may not be able to do more tha= n just reading C DOS a attacker uploads a file with many references and lets the server repeatly= attempt connections to them This one is tricky because we liekly want to continue if one reference fail= s=20 but also not do thousands of odd accesses to anything This could plausibly even be used to bruteforcing some auth parameters upload a file with all 4 digit pin codes in their URL and then depending on what is encoding, maybe what length the resulting encoded file has one could maybe figure out which URL access succeeded.=20 Iam not an expert in this so quite likely theres more that can be done that iam not thinking of Thus anything that isnt part of normal use cases, i suggest to not allow by= default (like for example a ASSETMAP.xml thats also a valid CPL file) thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The real ebay dictionary, page 1 "Used only once" - "Some unspecified defect prevented a second use" "In good condition" - "Can be repaird by experienced expert" "As is" - "You wouldnt want it even if you were payed for it, if you knew .= =2E." --r+TdwuXy+OXS8TUs Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEIAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZFk+EgAKCRBhHseHBAsP q7NFAJ95ON5Cy9qvLLILRooLe8nXkydzzgCfehvFPFjrVQHMSw7zSCXKxXzBMW8= =zNCv -----END PGP SIGNATURE----- --r+TdwuXy+OXS8TUs-- --===============9119520595412138891== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============9119520595412138891==--