[FFmpeg-devel] avformat/hls: Check file extensions

Submitted by Michael Niedermayer on June 3, 2017, 1 p.m.

Details

Message ID 20170603130008.16979-1-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer June 3, 2017, 1 p.m.
This reduces the attack surface of local file-system and local network
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/hls.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/libavformat/hls.c b/libavformat/hls.c
index 4b8fb19a52..9a26b2a3bd 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -204,6 +204,7 @@  typedef struct HLSContext {
     char *http_proxy;                    ///< holds the address of the HTTP proxy server
     AVDictionary *avio_opts;
     int strict_std_compliance;
+    char *allowed_extensions;
 } HLSContext;
 
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -602,6 +603,8 @@  static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
     AVDictionary *tmp = NULL;
     const char *proto_name = NULL;
     int ret;
+    char filename_buffer[1024];
+    const char *filename;
 
     av_dict_copy(&tmp, opts, 0);
     av_dict_copy(&tmp, opts2, 0);
@@ -618,8 +621,30 @@  static int open_url(AVFormatContext *s, AVIOContext **pb, const char *url,
         return AVERROR_INVALIDDATA;
 
     // only http(s) & file are allowed
-    if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL))
+    if (av_strstart(proto_name, "file", NULL)) {
+        filename = url;
+    } else if (av_strstart(proto_name, "http", NULL)) {
+        char *queryp;
+        filename = filename_buffer;
+        av_url_split(NULL, 0, NULL, 0, NULL, 0,NULL,
+                     filename_buffer, sizeof(filename_buffer),
+                     url);
+        if (strlen(filename_buffer) + 1 >= sizeof(filename_buffer))
+            return AVERROR_INVALIDDATA;
+        queryp = strchr(filename_buffer, '?');
+        if (queryp)
+            *queryp = 0;
+    } else
+        return AVERROR_INVALIDDATA;
+
+    if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(filename, c->allowed_extensions)) {
+        av_log(s, AV_LOG_ERROR,
+               "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n"
+               "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n",
+               filename);
         return AVERROR_INVALIDDATA;
+    }
+
     if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':')
         ;
     else if (av_strstart(url, "crypto", NULL) && !strncmp(proto_name, url + 7, strlen(proto_name)) && url[7 + strlen(proto_name)] == ':')
@@ -2134,6 +2159,10 @@  static int hls_probe(AVProbeData *p)
 static const AVOption hls_options[] = {
     {"live_start_index", "segment index to start live streams at (negative values are from the end)",
         OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS},
+    {"allowed_extensions", "List of file extensions that hls is allowed to access",
+        OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
+        {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
+        INT_MIN, INT_MAX, FLAGS},
     {NULL}
 };