[FFmpeg-devel] [PATCH] avformat/hls: Disallow local file access by default
Tobias Rapp
t.rapp at noa-archive.com
Wed May 31 18:18:57 EEST 2017
On 31.05.2017 15:42, wm4 wrote:
> On Wed, 31 May 2017 14:49:19 +0200
> Michael Niedermayer <michael at niedermayer.cc> wrote:
>
>> [...]
>>
>> Security fixes should be as simple as
>> possible.
>
> Well, your fix isn't simple. It adds yet another exception with
> questionable effect. It makes it more complex and harder to predict
> what will actually happen, not simpler.
>
>> If people want, I can limit the local file check to the case where
>> the io_open callback is not set?
>> That way user applications which do their own sanitation would not be
>> affected by the check or error message and stay in full control of
>> what access is allowed.
>
> That would have little value and would make it more complex too.
>
> I'd say a good way to make this secure would be disabling the hls
> protocol in builds which are security sensitive.
We already have "protocol_whitelist", --disable-protocol and application
sandboxing as supported and generic options. I agree with wm4 that some
special case-handling here just adds complexity.
> In general there doesn't seem to be a good way. Feel free to prove me
> wrong. (I tried something similar, but in addition to the security vs.
> convenience tradeoff, it just didn't work.)
Regards,
Tobias
More information about the ffmpeg-devel
mailing list