From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id A061046211
	for <ffmpegdev@gitmailbox.com>; Tue,  9 May 2023 20:44:15 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CDAF268C230;
	Tue,  9 May 2023 23:44:12 +0300 (EEST)
Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net
 [217.70.183.198])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 08CEC68C213
 for <ffmpeg-devel@ffmpeg.org>; Tue,  9 May 2023 23:44:05 +0300 (EEST)
Received: (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id 0EA87C0003
 for <ffmpeg-devel@ffmpeg.org>; Tue,  9 May 2023 20:44:04 +0000 (UTC)
Date: Tue, 9 May 2023 22:44:02 +0200
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <20230509204402.GA1391451@pb2>
References: <20230506132503.9524-1-michael@niedermayer.cc>
 <a73f9e97-da9b-d3d4-0bdb-59e6b98bf967@gmail.com>
 <c9534fe9-0b3c-a977-bf1c-d29635aa48f0@noa-archive.com>
 <20230508223508.GW1391451@pb2>
 <168361317605.3843.15085974109463921278@lain.khirnov.net>
MIME-Version: 1.0
In-Reply-To: <168361317605.3843.15085974109463921278@lain.khirnov.net>
Subject: Re: [FFmpeg-devel] [PATCH 1/3] avformat/dashdec: fail on probing
 non mpd file extension
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: multipart/mixed; boundary="===============8667122950620476562=="
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20230509204402.GA1391451@pb2/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>


--===============8667122950620476562==
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="q/d9vTEvvdeKbPNw"
Content-Disposition: inline


--q/d9vTEvvdeKbPNw
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 09, 2023 at 08:19:36AM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-05-09 00:35:08)
> > On Mon, May 08, 2023 at 04:05:40PM +0200, Tobias Rapp wrote:
> > > On 08/05/2023 14:00, James Almer wrote:
> > >=20
> > > > On 5/6/2023 10:25 AM, Michael Niedermayer wrote:
> > > > > Its unexpected that a .avi or other "standard" file turns into a
> > > > > playlist.
> > > > > The goal of this patch is to avoid this unexpected behavior and p=
ossible
> > > > > privacy or security differences.
> > > > >=20
> > > > > This is similar to the same change to hls
> > > > >=20
> > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > > > ---
> > > > > =A0 libavformat/dashdec.c | 11 +++++++----
> > > > > =A0 1 file changed, 7 insertions(+), 4 deletions(-)
> > > > >=20
> > > > > diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
> > > > > index 29d4680c68..294e14150d 100644
> > > > > --- a/libavformat/dashdec.c
> > > > > +++ b/libavformat/dashdec.c
> > > > > @@ -2336,10 +2336,13 @@ static int dash_probe(const AVProbeData *=
p)
> > > > > =A0=A0=A0=A0=A0=A0=A0=A0=A0 av_stristr(p->buf, "dash:profile:isof=
f-live:2011") ||
> > > > > =A0=A0=A0=A0=A0=A0=A0=A0=A0 av_stristr(p->buf, "dash:profile:isof=
f-live:2012") ||
> > > > > =A0=A0=A0=A0=A0=A0=A0=A0=A0 av_stristr(p->buf, "dash:profile:isof=
f-main:2011") ||
> > > > > -=A0=A0=A0=A0=A0=A0=A0 av_stristr(p->buf, "3GPP:PSS:profile:DASH1=
")) {
> > > > > -=A0=A0=A0=A0=A0=A0=A0 return AVPROBE_SCORE_MAX;
> > > > > -=A0=A0=A0 }
> > > > > -=A0=A0=A0 if (av_stristr(p->buf, "dash:profile")) {
> > > > > +=A0=A0=A0=A0=A0=A0=A0 av_stristr(p->buf, "3GPP:PSS:profile:DASH1=
") ||
> > > > > +=A0=A0=A0=A0=A0=A0=A0 av_stristr(p->buf, "dash:profile")) {
> > > > > +=A0=A0=A0=A0=A0=A0=A0 if (!av_match_ext(p->filename, "mpd")) {
> > > > > +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 av_log(NULL, AV_LOG_ERROR, "No=
t detecting dash with non
> > > > > standard extension\n");
> > > > > +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 return 0;
> > > > > +=A0=A0=A0=A0=A0=A0=A0 }
> > > > > +
> > > > > =A0=A0=A0=A0=A0=A0=A0=A0=A0 return AVPROBE_SCORE_MAX;
> > > > > =A0=A0=A0=A0=A0 }
> > > >=20
> > > > Failing because it didn't match an extensions sort of goes against =
the
> > > > point of probing, which even has a low score return value that's
> > > > basically "it matched extension" as a sort of last resort.
> > > >=20
> > > > I'd say wrap this in a FF_COMPLIANCE_STRICT check (since i assume t=
he
> > > > spec does state mpd must be the extension), but i think we have no
> > > > access to the AVFormatContext here?
> > >=20
> > > DASH is usually transferred over HTTP where file extensions are of mi=
nor
> > > interest, the relevant type information is in the Mime-Type header.
> >=20
> > would anyone be opposed to return 0 from dash_probe() when
> > both the mime_type and the extension are wrong ?
>=20
> I would.
>=20
> probe() is for probing, not implementing security policies. IMO trying
> to fix security issues at the wrong layer will only lead to more
> confusion, more complexity, and LESS security.

YES i agree, probe is not for security policies

Its for probing but IMHO
If you have a
taxreport.pdf that parses correctly as jar and installs jRAT if you execute=
 it
Then it would be valid for probe() to identify this as type exploit instead
of type jar. And doing so would be more secure.

This is really more along the line of thought here for hls too.
a file with avi/mkv/mov/mxf/mpg/mp4 extension is not a hls playlist
Could someone have added that extension by mistake, yes
similarly your jar file could be named .pdf by mistake. But thats not=20
a good default assumtation and i dont think anyone would assume that
by default.

thx

[...]
--=20
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If the United States is serious about tackling the national security threat=
s=20
related to an insecure 5G network, it needs to rethink the extent to which =
it
values corporate profits and government espionage over security.-Bruce Schn=
eier

--q/d9vTEvvdeKbPNw
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iFwEABEIAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZFqwjQAKCRBhHseHBAsP
qxC3AJ43u0s31uy4GE4h9yF+zKVXhX80+wCXXD5zYMi52yqoECOrA1/HWiW6EQ==
=oSy0
-----END PGP SIGNATURE-----

--q/d9vTEvvdeKbPNw--

--===============8667122950620476562==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

--===============8667122950620476562==--