head/multimedia/mythtv/files/patch-CVE-2017-09993a
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
From 25dac3128b605f2867e3e0f0288b896f84d3a033 Mon Sep 17 00:00:00 2001 | |||||
From: Michael Niedermayer <michael@niedermayer.cc> | |||||
Date: Sat, 3 Jun 2017 21:20:04 +0200 | |||||
Subject: [PATCH] avformat/hls: Check local file extensions | |||||
This reduces the attack surface of local file-system | |||||
information leaking. | |||||
It prevents the existing exploit leading to an information leak. As | |||||
well as similar hypothetical attacks. | |||||
Leaks of information from files and symlinks ending in common multimedia extensions | |||||
are still possible. But files with sensitive information like private keys and passwords | |||||
generally do not use common multimedia filename extensions. | |||||
It does not stop leaks via remote addresses in the LAN. | |||||
The existing exploit depends on a specific decoder as well. | |||||
It does appear though that the exploit should be possible with any decoder. | |||||
The problem is that as long as sensitive information gets into the decoder, | |||||
the output of the decoder becomes sensitive as well. | |||||
The only obvious solution is to prevent access to sensitive information. Or to | |||||
disable hls or possibly some of its feature. More complex solutions like | |||||
checking the path to limit access to only subdirectories of the hls path may | |||||
work as an alternative. But such solutions are fragile and tricky to implement | |||||
portably and would not stop every possible attack nor would they work with all | |||||
valid hls files. | |||||
Developers have expressed their dislike / objected to disabling hls by default as well | |||||
as disabling hls with local files. There also were objections against restricting | |||||
remote url file extensions. This here is a less robust but also lower | |||||
inconvenience solution. | |||||
It can be applied stand alone or together with other solutions. | |||||
limiting the check to local files was suggested by nevcairiel | |||||
This recommits the security fix without the author name joke which was | |||||
originally requested by Nicolas. | |||||
Found-by: Emil Lerner and Pavel Cheremushkin | |||||
Reported-by: Thierry Foucu <tfoucu@google.com> | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021) | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
--- | |||||
libavformat/hls.c | 18 +++++++++++++++++- | |||||
1 file changed, 17 insertions(+), 1 deletion(-) | |||||
diff --git libavformat/hls.c libavformat/hls.c | |||||
index 2bf86fadc64..ffefd284f86 100644 | |||||
--- external/FFmpeg/libavformat/hls.c | |||||
+++ external/FFmpeg/libavformat/hls.c | |||||
@@ -204,6 +204,7 @@ typedef struct HLSContext { | |||||
char *http_proxy; ///< holds the address of the HTTP proxy server | |||||
AVDictionary *avio_opts; | |||||
int strict_std_compliance; | |||||
+ char *allowed_extensions; | |||||
} HLSContext; | |||||
static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) | |||||
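Review bot: The new `allowed_extensions` member is added without the trailing `///<` comment that the neighbouring `http_proxy` field carries, so nothing in the struct records what the string holds or that a sentinel value exists. Since open_url compares it against the literal "ALL" and otherwise passes it to av_match_ext(), the comment should state both: `char *allowed_extensions; ///< comma-separated extension list checked for file: URLs; "ALL" disables the check`. The HLSContext definition begins before this hunk.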
@@ -618,8 +619,19 @@ static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url, | |||||
return AVERROR_INVALIDDATA; | |||||
// only http(s) & file are allowed | |||||
- if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) | |||||
+ if (av_strstart(proto_name, "file", NULL)) { | |||||
+ if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { | |||||
+ av_log(s, AV_LOG_ERROR, | |||||
+ "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" | |||||
+ "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", | |||||
+ url); | |||||
+ return AVERROR_INVALIDDATA; | |||||
+ } | |||||
+ } else if (av_strstart(proto_name, "http", NULL)) { | |||||
+ ; | |||||
+ } else | |||||
return AVERROR_INVALIDDATA; | |||||
+ | |||||
if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') | |||||
; | |||||
else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':') | |||||
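Review bot: `strcmp(c->allowed_extensions, "ALL")` on the new line dereferences the option string with no NULL check; AV_OPT_TYPE_STRING fields can, as far as I recall, be cleared to NULL through av_opt_set(), in which case this would crash instead of rejecting the file. A guard of the form `if (!c->allowed_extensions || (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)))` keeps the fail-closed behaviour for that case. As a point of style, the empty `;` branch for http and the unbraced `else return AVERROR_INVALIDDATA;` could be folded into a single braced guard, and the `\'` escapes in the log message are just `'` in a C string literal. open_url starts and continues outside the hunk.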
@@ -2127,6 +2139,10 @@ static int hls_probe(AVProbeData *p) | |||||
static const AVOption hls_options[] = { | |||||
{"live_start_index", "segment index to start live streams at (negative values are from the end)", | |||||
OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, | |||||
+ {"allowed_extensions", "List of file extensions that hls is allowed to access", | |||||
+ OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, | |||||
+ {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, | |||||
+ INT_MIN, INT_MAX, FLAGS}, | |||||
{NULL} | |||||
}; | |||||
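Review bot: The help text of the new `allowed_extensions` option does not mention the `ALL` sentinel that open_url recognises via `strcmp(c->allowed_extensions, "ALL")`, so a user only discovers it from the error log after a file is blocked. Consider `"List of file extensions that hls is allowed to access, or ALL to disable the check"`. It may also be worth saying in the help text that the check applies only to file: URLs, since the open_url change limits it to that protocol.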