[FFmpeg-devel] [PATCH 2/2] avformat/hls: .ts is always ok even if its a mov/mp4
Michael Niedermayer
michael at niedermayer.cc
Wed Feb 5 20:41:39 EET 2025
Hi Kacper
On Tue, Feb 04, 2025 at 12:45:14PM +0100, Kacper Michajlow wrote:
[...]
> security benefits. I get it. Someone needed to hit their KPI by
> submitting CVEs, and they found a marginally applicable case of a
> highly unrealistic attack scenario.
I think you misjudge the (un)realism of this attack.
Prior to the patches, I can give you an m3u8 file and it will store
any local file in the output video.
This is not even just a matter of video streaming services.
With a bit of social engineering you can likely get people to
do that.
"Hey, I found this odd file that encodes to different gibberish
on each machine, I am an artist, doing an art project, can you
just quickly reencode this and send me the mkv it generates?"
Who would think that the above will effectively give the attacker full
access to your machine, unless you run this in a sandbox that has
no access to sensitive files.
>
> But FFmpeg should be cautious about adopting questionable security
> measures, such as:
>
> > DASH playlists should restrict URIs to data:// and file:// unless otherwise specified with protocol_whitelist.
>
> I mean, cool, but isn't DASH a Dynamic Adaptive Streaming over HTTP?
>
> In summary, I believe the ability of FFmpeg to open or parse certain
> formats is highly dependent on the deployment environment. If you
> provide a service that allows foreign playlists to be opened on your
> server, it is your responsibility to restrict access appropriately,
> whether through sandboxing, firewalls, or by disabling unnecessary
> demuxers and features in your FFmpeg binaries to minimize the attack
> surface. There's even a useful configuration option to disable
> networking if that suits your needs. For example, I fully expect my
> libavformat to open DASH streams using the HTTP protocol, and I don’t
> consider that a CVE issue simply because it has that capability.
A local file by default should not open a network connection
(otherwise one can count who, when and where a file is played).
The user can set the protocol_whitelist if she wants local files
to open network connections.
If an m3u8 / dash / whatever file is remote on http then said file
is not local and can open other remote files but cannot open local
files by default.
Again, the user can override that as she prefers.
This is just a basic "same origin" policy.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Democracy is the form of government in which you can choose your dictator
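
The default rule described in the message above (a local playlist opens only local files, a remote playlist only remote ones, and the user can override it), sketched as an added example; this is not FFmpeg's code and not part of the original message. The function names, treating only the file scheme as local, and the override list fully replacing the default are assumptions of the sketch; the hosts and paths are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lowercased scheme into out; bare paths and drive letters count as "file". */
static int url_scheme(const char *url, char *out, size_t n)
{
    size_t i = 0;
    strcpy(out, "file");
    while (url[i] && (isalnum((unsigned char)url[i]) || strchr("+-.", url[i])))
        i++;
    if (url[i] != ':' || i < 2)
        return 0;
    if (i >= n)
        return -1; /* oversized scheme: caller fails closed */
    for (size_t k = 0; k < i; k++)
        out[k] = (char)tolower((unsigned char)url[k]);
    out[i] = '\0';
    return 0;
}

/* Exact-token match in a comma-separated list ("http" must not match "https"). */
static int in_list(const char *scheme, const char *list)
{
    size_t len = strlen(scheme);
    for (const char *p = list; *p; p += (*p == ',')) {
        size_t tok = strcspn(p, ",");
        if (tok == len && !strncmp(p, scheme, len))
            return 1;
        p += tok;
    }
    return 0;
}

/* 1 if a playlist may open this segment URL; whitelist may be NULL. */
int segment_allowed(const char *playlist, const char *segment, const char *whitelist)
{
    char ps[32], ss[32];
    if (url_scheme(playlist, ps, sizeof ps) || url_scheme(segment, ss, sizeof ss))
        return 0;
    if (whitelist)                  /* user override decides alone (assumed) */
        return in_list(ss, whitelist);
    return !strcmp(ps, "file") == !strcmp(ss, "file"); /* default: same origin class */
}

int main(void)
{
    /* Constructed input: local playlist, remote segment, no override: prints 0. */
    printf("%d\n", segment_allowed("in.m3u8", "http://example.invalid/a.ts", NULL));
}
```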