Re: [FFmpeg-devel] [PATCH v10 1/2] avformat/imf: Demuxer - Pierre-Anthony Lemieux

From: Pierre-Anthony Lemieux <pal@sandflow.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH v10 1/2] avformat/imf: Demuxer
Date: Wed, 15 Dec 2021 12:41:25 -0800
Message-ID: <CAF_7JxC7uLTL53bn7OA9G7H8brGAmPs-F89o4kz4KOBmMhh4CA@mail.gmail.com> (raw)
In-Reply-To: <163959962513.13029.16441945709966296103@lain.red.khirnov.net>

On Wed, Dec 15, 2021 at 12:20 PM Anton Khirnov <anton@khirnov.net> wrote:
>
> Quoting Pierre-Anthony Lemieux (2021-12-15 01:17:26)
> > >
> > > Now the question is whether a malicious attacker can craft those two
> > > files to get access to anything they shouldn't. I suppose at the very
> > > least the attacker can get information that the user opened the file (by
> > > adding an asset on an attacker's server) but that will be a danger with
> > > any playlists allowing network resources and can be controlled with
> > > io_open(). Can you think of any other possible issues?
> > >
> >
> > Some security considerations:
> >
> > - a DDoS can conceivably occur if a malicious CPL+ASSETMAP is widely
> > distributed. Both an ASSETMAP and a CPL are required since (a) the CPL
> > does not contain paths/hyperlinks and (b) only those resources
> > referenced by the CPL are fetched using the ASSETMAP.
> > - the CPL uses XML, which has its own security considerations. For
> > example, XML parsing can result in entities being fetched over the
> > network, but this is disabled by default in libxml AFAIK.
>
> This is concerning. From a brief glance at libxml2, it seems that you
> need to pass XML_PARSE_NONET as the last parameter to xmlReadMemory() to
> actually disabling network fetching.
> But it is possible I'm misreading the code, so if you or anyone else
> understands this better then clarifications are welcome.

I was referring to entity expansion and the loading of DTDs being
disabled by default -- see XML_PARSE_NOENT and XML_PARSE_DTDLOAD at
[1-2].

[1] http://xmlsoft.org/html/libxml-parser.html
[2] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

>
> > - several elements/attributes of the IMF CPL use URIs as unique
> > identifiers. These URIs could conceivably be dereferenced.
> > Dereferencing these URIs is however not a requirement and the IMF
> > demuxer does not do so.
> > - IMF only uses MXF to wrap essence but supports various kinds of
> > essence, e.g. Prores and J2K, each with its own security
> > considerations
>
> The demuxer should not be concerned about what the user does with the
> returned data. Only the behavior of the demuxer itself (and whatever
> code it calls) is the question here.
>
> --
> Anton Khirnov
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".