From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 709F74625A for ; Wed, 10 May 2023 16:24:40 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 05DCD68C13E; Wed, 10 May 2023 19:24:37 +0300 (EEST) Received: from mail-yw1-f181.google.com (mail-yw1-f181.google.com [209.85.128.181]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E1B4B68BFAF for ; Wed, 10 May 2023 19:24:30 +0300 (EEST) Received: by mail-yw1-f181.google.com with SMTP id 00721157ae682-55dabfbb521so3709367b3.0 for ; Wed, 10 May 2023 09:24:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683735869; x=1686327869; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=D5NeZG268PsK3OmspX1P2eQMc0luAqRHPJMZ5+OFQf0=; b=HGxBdIIn8VQVKsBx2sX22NIdfZm1OgZk2vtVsF2/vA6oKWJDhYH1TIjs91jNo4ZXJ/ cPmeEcK1JNlUtvJzhyoPFrvCjTq4eCFFQMX0f3oYxpA8eluQX87Ja4krYw/qiradJVAP H4DvlHjoT8OZ7EoYUBjklHnvhFa4ZaXM8A8fwSyIBzJSFV6TLDjTSQP+BxqABdYGateD wjC43iUY00ONlkB38rlnTjy3HA+yYAUu6aegNF8b+pR6ck5XdZjopWfdR7lPRzIOPt7X ORq3WQBhH5wWADpgheXV8w8JnYtm5cEZSy2gd16E47rM6lbI4TzgBbZxxwrK6syr31AD COLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683735869; x=1686327869; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=D5NeZG268PsK3OmspX1P2eQMc0luAqRHPJMZ5+OFQf0=; b=Q/YmGfuPSRgjUqkomOrZDIOUDYV/Us4PBet/wStlo81Ll6dAQW8XELMPMuLRIaSMN6 OstPCV5SoLHuLOMj/qGz7bAMvZs9ul9yThXltTIAlh04s7NRXiG12EXXMajNHjCtEMzC C/F9NoeCQ2nCL83Ki1HNSSa8QGE2nBK9l3+mJ220V4t7ngb9c709GlSxf3g4exPCak5k 2yifm7/p+/uX9QbrKH9wB9i8HDXi3/+RcFEs7vayPEb2u9IM2h2WGq4PDeFhrcWEi9bM y/QZihE/Gxx3MSRgWQNasckvQYp3zXmupazaC+ZEhsKGwu6AMNhfr+UlVEtdyIK6nKCf JaZw== X-Gm-Message-State: AC+VfDwesL17E7kRBTt+ka2xLIsWPystLUA1JnHsfdXOFKv1rkEdSaPw dJdxxPd4iQsXElk0dcqsNSjSt0YF138= X-Google-Smtp-Source: ACHHUZ4YcMA300GMzG587ewo3r5y1QO7h6V7c2mxB045cl2MI60QI1K6l7WqJxAvU8RJBZyzjx/49g== X-Received: by 2002:a81:1786:0:b0:55a:6115:98f5 with SMTP id 128-20020a811786000000b0055a611598f5mr18129082ywx.1.1683735868771; Wed, 10 May 2023 09:24:28 -0700 (PDT) Received: from [192.168.1.35] (c-98-224-219-15.hsd1.mi.comcast.net. [98.224.219.15]) by smtp.gmail.com with ESMTPSA id j17-20020a819211000000b0055a581c7f03sm4168307ywg.29.2023.05.10.09.24.28 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 10 May 2023 09:24:28 -0700 (PDT) Message-ID: <3b7194ee-cb09-8a54-d934-e9fbcdf1ebcf@gmail.com> Date: Wed, 10 May 2023 12:24:27 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.1 To: ffmpeg-devel@ffmpeg.org References: <20230503123038.13030-1-michael@niedermayer.cc> <168349217644.3843.294181446257840622@lain.khirnov.net> <20230508232500.GX1391451@pb2> <168361293453.3843.8903966307297202290@lain.khirnov.net> <20230509154109.GY1391451@pb2> Content-Language: en-US-large From: Leo Izen In-Reply-To: <20230509154109.GY1391451@pb2> Subject: Re: [FFmpeg-devel] [PATCH] avformat/hls: fail on probing non hls/m3u8 file extensions X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: On 5/9/23 11:41, Michael Niedermayer wrote: > On Tue, May 09, 2023 at 08:15:34AM +0200, Anton Khirnov wrote: >> Quoting Michael Niedermayer (2023-05-09 01:25:00) >>> On Sun, May 07, 2023 at 10:42:56PM +0200, Anton Khirnov wrote: >>>> Quoting Michael Niedermayer (2023-05-03 14:30:38) >>>>> Its unexpected that a .avi or other "standard" file turns into a playlist. >>>>> The goal of this patch is to avoid this unexpected behavior and possible >>>>> privacy or security differences. >>>>> >>>> >>>> I very much dislike this approach. >>> >>> What else do you suggest ? >>> >>> We could have a configuration option that specifies one >>> or more trusted directories/files/urls. And everything outside would be >>> limited to selfcontained files >>> The average user can put * as trusted url if thats what they want >>> While someone who cares about their privacy and security could restrict >>> that with little effort to the place where they store their music and >>> videos which they know is ok. While OTOH still throwing random URLs >>> at ffmpeg without expecting overly unexpected results (not considering bugs) >>> Thats similar to how some office software can handle macros. >>> >>> Or do you have some other suggestion ? >>> >> >> I don't see what actual problem is this supposed to address. The commit >> message mentions some vague "possible issues", but >> * this seems like the wrong layer for this kind of policy decisions >> * I think there needs to be a clearly defined thread model before we can >> discuss what the right solution is > > Its not one threat but many. And i already mentioned some but we can pick > one hypothetical example for sake of discussion and detail it more. > (being more detailed this is sadly a longer mail) > > Lets assume an attacker wants to infiltrate a specific company > part of that will require gaining access to the companies internal > network. So the attacker starts chating with some employee, the > medium of communication is irrelevant here. > The attacker cannot just ask the employee to run his network scanner > the employee would realize whats going on and report it (or should at least) > Maybe the attacker asks the emplyee to look at that really funny weblog > of his, but the emplyee might be trained not to open random links in > his webbrowser or the webbrowser might be so locked down that it > cant access the companies internal net. > So our attacker sends him a link to > companyX_boss_and_secretary_sex_hd.avi > So he tries watching that because he now isnt sure if the guy meant that > was about his boss or someone else, after all he knows its safe because he watched > so much porn on so many shady sites with his video player and never got > hacked from it. > in reality that avi file is not a avi, its maybe some playlist allowing > arbitrary URLs. > While the employee watches some boss and secretary the bits any pieces betweem > the scenes scan the companies internal network and the external http > accesses which go back to the attacker, allow him to get all the information of > it. > > The problem is that playing some files allows things like scaning > the network and passing this information on to an attacker. > I dont have a real full testcase so maybe theres something iam missing > why this wouldnt work ... > > compounding that our probing code is really good and detects such attacks > and makes them work even if the file is named incorrectly and has the wrong > mime type. > This makes such an attack easier to do and harder to detect even for a smart > user > > ideal would be if the whole attack wouldnt work at all and network realms > would be clearly seperated and nothing touching the companies private net > or localnet could touch the public internet. > This is not compatible with a playlist randomly mixing local, priavte and > public content. > If its just my own machiene, i have no such playlist and see no use in one > for me. But some people want that i think. > They maybe arent the employee who as part of his job has to protect the > company and not play random playlists. > Also they maybe arent the privacy or security concious users. > > Having default same origin policy and a list of files/directories/urls that are > excempt from it would fix this in the example above. > > The companies employees would not override default security settings to > watch a odd file. Or they could loose their job > A user caring about security / privacy could setup the settings > carefully so safe playlists work and other things are secure > and A user not caring could just disable a same origin check, and > this may be ok for her > One potential issue is that if an open TLS HTTP/2 socket already exists with the server, then the URL isn't being probed, but rather the response from a specific GET request. This issue arose in mpv, because mpv opens an HTTP socket with the server and keeps it alive when running its own probe mechanics, before falling back to lavf's probe. In the event of an already open socket the URL isn't a valid filename, so mpv sends the empty string. The empty string doesn't have the .m3u8 extension, so it fails the validation check. In every other instance of lavf probes, it bases it on content as higher priority than filename. Rename a .avi to .mp4 and it will still properly detect it as .avi, so this seems to be inconsistent with the existing behavior. IMO we should check file contents and MIME type sent by the server rather than just the file extension. If it starts with #EXTM3U and the other headers etc. and has an appropriate Content-type header, that should be sufficient. In either case, it's unclear to me that, if we keep the check in, we should permit empty string as an exception to the check because of the HTTP socket issue, or if we should require clients to pass "foo.m3u8" or something to work around the problem. - Leo Izen (Traneptora / thebombzen) _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".