From: Kieran Kunhya via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Kieran Kunhya <kieran618@googlemail.com>
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions
Date: Thu, 23 Jan 2025 21:54:36 +0000
Message-ID: <CABGuwEnk091j38WTwCVVP9Wcd3pQMCQYEG7t5fHL8HoqQ2czZQ@mail.gmail.com> (raw)
In-Reply-To: <20250123001134.GA4991@pb2>
On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, <michael@niedermayer.cc>
wrote:
> Hi Kieran
>
> On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel
> wrote:
> > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, <michael@niedermayer.cc>
> > wrote:
> >
> > > This blocks disallowed extensions from probing
> > > It also requires all available segments to have matching extensions to
> the
> > > format
> > > mpegts is treated independent of the extension
> > >
> >
> > Potentially this is a stupid question but what stops an attacker from
> > faking the extension?
>
> How would he fake the extension ?
>
> The attacker generally wants to access a sensitive file, maybe one in
> /etc or maybe .ssh with something like the tty demuxer / ansi decoder
>
> lets pick /etc/passwd as a specific example
>
Is there no control character they can use to fake the extension
potentially?
As an aside, why is this CVE from 2023 being fixed now?
Kieran
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-01-23 21:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-22 20:36 [FFmpeg-devel] [PATCH 1/2] Revert "avformat/mpegts: Add standard extension so hls can check in extension_picky mode" Michael Niedermayer
2025-01-22 20:36 ` [FFmpeg-devel] [PATCH 2/2] avformat/hls: Be more picky on extensions Michael Niedermayer
2025-01-22 22:47 ` Kieran Kunhya via ffmpeg-devel
2025-01-23 0:11 ` Michael Niedermayer
2025-01-23 21:54 ` Kieran Kunhya via ffmpeg-devel [this message]
2025-01-23 22:35 ` Michael Niedermayer
2025-01-23 21:27 ` Michael Niedermayer
2025-01-25 20:38 ` Michael Niedermayer
2025-01-28 5:11 ` Vittorio Giovara
2025-01-28 12:14 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABGuwEnk091j38WTwCVVP9Wcd3pQMCQYEG7t5fHL8HoqQ2czZQ@mail.gmail.com \
--to=ffmpeg-devel@ffmpeg.org \
--cc=kieran618@googlemail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git