[FFmpeg-devel] [PATCH 2/2] avformat: add protocol_whitelist

Michael Niedermayer michael at niedermayer.cc
Sun Jan 24 15:06:12 CET 2016

On Sun, Jan 24, 2016 at 01:56:51PM +0100, Nicolas George wrote:
> Le quintidi 5 pluviôse, an CCXXIV, Clement Boesch a écrit :
> > Why not an entry in the AVDictionary options?
> That could be a short-term solution to avoid introducing a new API with
> ad-hoc parameters, but AVDictionary is still based on strings exclusively,
> that is very unpractical for applications. Furthermore, as I pointed out
> earlier, just a whitelist at protocol level is not enough to fix all
> security issues raised by playlists, especially all kind of cross-site
> information leak. Furthermore, this AVGlobalSettings structure could be the
> first step in getting rid of global state.

> Still, you are probably right: people seem to be rushed about patching this
> particularly visible instance of the issue, an entry in the AVDictionary
> options is probably the simplest way of doing it right now without
> introducing API changes that will need to be reverted after proper
> designing.

I avoided AVDictionaries a bit in the patch for 2 reasons

the first is that its more code, setting a whitelist in a AVDictionary
can always fail (ENOMEM), also depending on later failure pathes
the added whitelist needs to be freed
that would be duplicated code around *_open() which ive added in a
new *_open_whitelist(), that of course coulde be kept as a private
function in libavformat if preferred ?

the 2nd reason is that option semantics remove "consumed" parameters
from the AVDictionary options. So the whitelist has a tendency to be
removed from the AVDictionary. Which is not good security wise when
NULL is considered "everything"


Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20160124/b1271d8f/attachment.sig>

More information about the ffmpeg-devel mailing list