From: Pierre-Anthony Lemieux <pal@sandflow.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 2/3] avformat/imfdec: fail on probing non xml file extension
Date: Sun, 7 May 2023 22:09:58 -0700
Message-ID: <CAF_7JxCN4jz1oMLdiH4UNU_yCT-H2OMsiZmTZkWvWO1S1izHhg@mail.gmail.com>
In-Reply-To: <20230507191829.GP1391451@pb2>

On Sun, May 7, 2023 at 12:18 PM Michael Niedermayer <michael@niedermayer.cc> wrote:
>
> On Sat, May 06, 2023 at 11:01:20AM -0700, Pierre-Anthony Lemieux wrote:
> > On Sat, May 6, 2023 at 6:25 AM Michael Niedermayer
> > <michael@niedermayer.cc> wrote:
> > >
> > > It's unexpected that a .avi or other "standard" file turns into a playlist.
> > > The goal of this patch is to avoid this unexpected behavior and possible
> > > privacy or security differences.
> >
> > Per the IMF specification, a CPL can have any extension or, in fact,
> > no extension. The latter is routinely used.
>
> is there a restriction on the URL/URIs used in it ?
> that is in practice, can they be restricted to the same server,
> child directories, or some other restriction ?

Below is a brief overview of the linkage between the various components
of an IMF composition:

- the Composition Playlist (CPL) is the file that is passed to FFMPEG as
  input (-i)
- the CPL is an XML document and defines a playlist
- each of the components that make up the playlist is identified by a
  UUID, i.e. the CPL does not contain file paths/URLs.
- the mapping between UUIDs and URLs is done through separate XML files
  called Asset Maps. Paths to Asset Maps can be provided explicitly
  through the "-assetmaps" argument, otherwise FFMPEG looks for a file
  called "ASSETMAP.xml" in the same directory as the CPL file.
- according to the standard, all URLs in each Asset Map are relative to
  the location of the Asset Map, and thus the CPL and the Asset Map have
  the same origin
- some applications have relaxed this constraint and allowed absolute
  URLs in the Asset Map

What is the threat scenario? Is the concern that a malicious actor
provides a CPL and Asset Map from origin A that makes malicious requests
to a different origin B?

>
> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Breaking DRM is a little like attempting to break through a door even
> though the window is wide open and the only thing in the house is a bunch
> of things you don't want and which you would get tomorrow for free anyway
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
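
The Asset Map constraint described in the message above (URLs relative to the Asset Map's location), as an added example that is not part of the original message and is not FFmpeg code: a Python audit that resolves every path in an Asset Map and flags absolute URLs and paths that leave the Asset Map's directory. The sample XML, UUIDs, host names and function names are constructed for illustration; element names are assumed to follow the SMPTE ST 429-9 Asset Map layout, and `asset_map_url` is assumed to be an absolute URL or absolute file path.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample Asset Map (not from the thread); UUIDs, hosts and paths are made up.
SAMPLE_ASSETMAP = """<AssetMap xmlns="http://www.smpte-ra.org/schemas/429-9/2007/AM">
  <AssetList>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000001</Id>
      <ChunkList><Chunk><Path>video/track1.mxf</Path></Chunk></ChunkList></Asset>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000002</Id>
      <ChunkList><Chunk><Path>https://origin-b.example/audio.mxf</Path></Chunk></ChunkList></Asset>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000003</Id>
      <ChunkList><Chunk><Path>../../private/other.mxf</Path></Chunk></ChunkList></Asset>
  </AssetList>
</AssetMap>"""


def local(tag):
    """Strip the XML namespace so matching does not depend on the exact URI."""
    return tag.rsplit("}", 1)[-1]


def classify(asset_map_url, path):
    """Return 'ok', 'absolute' or 'escapes-directory' for one Asset Map path."""
    # A scheme (https:, file:, C:) or a leading slash means the entry is not relative.
    if urlsplit(path).scheme or path.startswith("/"):
        return "absolute"
    base_path = urlsplit(asset_map_url).path
    base_dir = base_path[: base_path.rfind("/") + 1]
    # urljoin removes "." and ".." segments, so the prefix test sees the real target.
    target_path = urlsplit(urljoin(asset_map_url, path)).path
    return "ok" if target_path.startswith(base_dir) else "escapes-directory"


def audit(xml_text, asset_map_url):
    """Map each asset UUID to [(path, verdict), ...] resolved against asset_map_url."""
    # The stdlib parser keeps this self-contained; for untrusted Asset Maps use a
    # hardened parser such as defusedxml to avoid entity-expansion attacks.
    report = {}
    for asset in ET.fromstring(xml_text).iter():
        if local(asset.tag) != "Asset":
            continue
        asset_id = next(e.text.strip() for e in asset.iter() if local(e.tag) == "Id")
        paths = [e.text.strip() for e in asset.iter() if local(e.tag) == "Path"]
        report[asset_id] = [(p, classify(asset_map_url, p)) for p in paths]
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_ASSETMAP, "https://origin-a.example/imf/pkg/ASSETMAP.xml"))
```
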