[FFmpeg-user] FFMPEg security question

Marton Balint cus at passwd.hu
Fri Jul 3 00:32:38 CEST 2015 

On Thu, 2 Jul 2015, Dani A wrote:

> My website allows users to upload video files so they can publish them, 
> and I use ffmpeg to convert the files and move atom to the beginning, 
> can someone upload a malicious file as if it is a video file and ffmpeg 
> can execute that malicious file? If yes, any one knows how to prevent 
> that from happening? Can the Ffprobe help with that?

Not really, no. FFprobe also opens the files and does a tiny bit of 
decoding as well when probing the streams, so running ffprobe on user 
files is almost the same as runnig ffmpeg on them.

There will always be a chance that user videos can exploit a yet unfixed 
issue of ffmpeg, however you can do a lot of things to limit the attack 
surface to a reasonable size.

I would suggest you to recompile ffmpeg and disable everything except the 
demuxers and decoders which your users actually use.

Alternatively you can use the codec_whitelist and the format_whitelist 
feature of ffmpeg as well, but not enabling the unused features is the 
safer way.

Keep a close look on decoders/demuxers/protocols which can open 
reference files and disable them or cripple the reference opening parts in 
their code. Altough ffmpeg usually checks these references if they are 
safe (e.g. if they do not point out of the directory of the original 
file), but better safe than sorry.

Also beware of formats which magically finds additional files in their 
directory (e.g. most image formats automatically searches for image 
sequences) and disable them or make them not do that by default.

Because of the reference file issues it is probably better to create a 
seperate directory for each input file, before you start transcoding them.

Keep your ffmpeg compilation up-to-date with git master to include the 
security fixes as soon as possible.

And of course there's a lot you can do limit the abilities of a malicous 
user if ffmpeg is exploited despite the precautions above. For example 
chroot, like Carl suggested.

Regards,
Marton

More information about the ffmpeg-user mailing list