[FFmpeg-devel] [PATCH] avformat/file: add fd protocol
Rémi Denis-Courmont
remi at remlab.net
Tue Dec 13 18:27:59 EET 2022
Le maanantaina 12. joulukuuta 2022, 19.23.52 EET Zhao Zhili a écrit :
> On Mon, 2022-12-12 at 18:31 +0200, Rémi Denis-Courmont wrote:
> > Le maanantaina 5. joulukuuta 2022, 4.51.34 EET zhilizhao(赵志立) a écrit
> >
> > > > On Nov 19, 2022, at 02:48, Zhao Zhili <quinkblack at foxmail.com>
> > > > wrote:
> > > >
> > > > From: Zhao Zhili <zhilizhao at tencent.com>
> > > >
> > > > Unlike the pipe protocol, fd protocol has seek support if it
> > > > corresponding to a regular file.
> > > > ---
> > > > Sometimes it's the only way to access files via file descriptor,
> > > > e.g.,
> > > > requesting a shared file on Android:
> > > > https://developer.android.com/training/secure-file-sharing/request-fil
> > > > e
> > > >
> > > > doc/protocols.texi | 24 +++++++++++++++++++
> > > > libavformat/Makefile | 1 +
> > > > libavformat/file.c | 51
> > > > +++++++++++++++++++++++++++++++++++++++++
> > > > libavformat/protocols.c | 1 +
> > > > libavformat/version.h | 4 ++--
> > > > 5 files changed, 79 insertions(+), 2 deletions(-)
> > >
> > > Ping for review.
> >
> > VLC does this (with a slightly different syntax, i.e. fd://$NUM) and
> > in
> > hindsight, I think that it was a big mistake.
> >
> > It should not be possible to refer to an opaque handle from within
> > the URL.
> > This leads to all sorts of mischief, bordering on security issue, in
> > the
> > common case that the URL string is untrusted.
>
> Could you elaborate on the security issue?
Just guess the FD of some critical process resource (.e.g D-Bus, X11 or
Wayland connection), , and you can easily cause a DoS. It gets potentially
worse if you can guess the FD that is used to carry sensitive data, such as
another clients connection if FFmpeg runs inside some kind of network service.
> > To support this use case, IMO, the file descriptor should be passed
> > explicitly
> > via a trusted channel, *not* the URL.
>
> Does an explicit option works here?
>
> static const AVOption pipe_options[] = {
> { "blocksize", "set I/O operation maximum block size",
> offsetof(FileContext, blocksize), AV_OPT_TYPE_INT, { .i64 = INT_MAX },
> 1, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM },
> + { "fd", "set file descriptor", offsetof(FileContext, fd),
> AV_OPT_TYPE_INT, { .i64 = -1 }, -1, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM
> },
> { NULL }
> };
That seems more reasonable, so I cannot comment on the specifics of AVOption
usage.
--
Реми Дёни-Курмон
http://www.remlab.net/
More information about the ffmpeg-devel
mailing list