From patchwork Thu May 10 15:44:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Derek Buitenhuis X-Patchwork-Id: 8913 Delivered-To: ffmpegpatchwork@gmail.com Received: by 2002:a02:155:0:0:0:0:0 with SMTP id c82-v6csp1224284jad; Thu, 10 May 2018 08:50:53 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoQEEb5BDs00nnVvXkVxH5ezp2y7CmrTLTkBw/kEZszarHxH5SSN2nh9usJURiU0wosa68x X-Received: by 2002:adf:8b85:: with SMTP id o5-v6mr1753253wra.169.1525967453247; Thu, 10 May 2018 08:50:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525967453; cv=none; d=google.com; s=arc-20160816; b=Ovt8vf3I/XAJ8LJLw7jPtW2Yvmf3kqCE58v420r61OUXpljHsSlu30aUYwJ3RdhQRw xeVHXQhRw7tF4dP+N/OTGKeVJ0dHETeQYRRqIIvL5HQu1DqBTW0r+qZ8lulbGnmfdRYc e8Ugf/9k6u6OWOqQcP9jMqQpXz4JBk6YkrkFajs6R8+UP2dVsZ7cRNScoH7agHqElMRD sTOapza8nV8bMbt3YTvQFCA/apk1LjHDfdOUydwhnclAonLNcIEZ5X5hUQlnh8G44aAE WZF1bMPyRjm1w+rq62gBmzp9B094iHIB3yhITp9J435ymicYYc7ZY9Tp2hdEqVyypxhQ pUng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:dkim-signature :delivered-to:arc-authentication-results; bh=QW/zTCmKxug7UoNQiPZq+eCOYpWJwftiMmR+oC8S2rA=; b=sROap9nxLKi9KSsPP1H86D5POJbMfnWCfWehmaGRjc2recEb/oQETTwZaHTP8gTN1g WXK/lanUU2pWrGGIJj97EdLLI2E94OHQQc2rxtTMWIrS/yONcLAjd3ZieQOYNXbF8RIi 73YDFq44+Mf8C2P8IS8ZBiVlBfeMIdaNTkMVnkyoM3mr/0NrgrsqAaBAbZm8l5RhUym/ XtQZk3xCHPxCMWmUYpeO4DtSc7jtdJSFgf7MKn/jpgxBUksVaC4GrUspvwYPH6euKaRk 4o5T7Ladx+aqbbekE/Re6xXm7pNJfQHNNwRzheHxBBRNF7FKup/X3NkP6gQtzdpduucz WkYQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=Z+VeA3xf; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id 67-v6si987782wmq.173.2018.05.10.08.50.52; Thu, 10 May 2018 08:50:53 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=Z+VeA3xf; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id C2F5768A82C; Thu, 10 May 2018 18:50:15 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-wm0-f67.google.com (mail-wm0-f67.google.com [74.125.82.67]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 69AA368A6BC for ; Thu, 10 May 2018 18:50:09 +0300 (EEST) Received: by mail-wm0-f67.google.com with SMTP id a8-v6so4639454wmg.5 for ; Thu, 10 May 2018 08:50:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id; bh=HXJ0wroYWihOoiqHV0AaZaj2hnhiufoow3giHhJ+21w=; b=Z+VeA3xfWTNJr4YFCf7LDJ+UUREsL1ShzWRIXw5ZVMlytHizxxixMt1jdkaPuyYjJu 0FkNx6lltOamaTLYXXOQQQ4qDsC6lOJlHUy9/J51F5LnGjodFFVUggOZL6caZaYU2ctl Z6FB1LFJvxWFxQysEvDQOh/V8wQHj0miZGPb6X5LK9M/cogwU79xm4h+buWk/j2GPd4O Z5tbm2k4ggUhHWO9nE7KyNPH2d5gye7DKcvp9pIkm43EL7H/Jdi88kMbGDCLUU8D+b29 94g+l5iRcKW18ezHOfC85Okl8HKPm0Zg0xzFvBCEA78WrJHxPwaxmplSHU121JTBRERz 00qQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=HXJ0wroYWihOoiqHV0AaZaj2hnhiufoow3giHhJ+21w=; b=OQQDnkEMaKx8VL3USXYd1OHS2w7TG9uR51t2pqaunRh5hkx92nF57jyuCEX/LEj+Ot sOYQ/JDpcm3nSXJ5nk26dep1KCxY2zKpfhJ8Vbk2XYIT7dGdwgZeA5RMc6mCJcEwwijQ JaAAqfOpP7rrv0KDhZ5FhB3nwNh3IKLK4ffcZnJXce4ryuDm2JEfp+2MLYRmB4v5PMmN i0n7+U9dVuVqLptz5o8aaBbsoCREJgGCZH+s6oyNilrD0NJuX9RgL2vLEP7NKfRS51GT VBrMu9Z9ISnn+7kDlECvAPCvWVRXmYRx6iFW+vwbnA54fvymUnozZiyk5QWYFV/F5VTv b+tA== X-Gm-Message-State: ALKqPwc4Lgk1jO7vrew93lnCAPHfrV3fh0uBJ9wyULqbXNw7gtbwdluu mWCYTn6SW4p1enz+7Yj6ZxNMoeti X-Received: by 2002:a1c:3449:: with SMTP id b70-v6mr1549752wma.42.1525967113968; Thu, 10 May 2018 08:45:13 -0700 (PDT) Received: from localhost.localdomain.localdomain ([81.2.155.129]) by smtp.gmail.com with ESMTPSA id z63-v6sm1620349wrb.34.2018.05.10.08.45.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 10 May 2018 08:45:13 -0700 (PDT) From: Derek Buitenhuis To: ffmpeg-devel@ffmpeg.org Date: Thu, 10 May 2018 16:44:59 +0100 Message-Id: <1525967099-28195-1-git-send-email-derek.buitenhuis@gmail.com> X-Mailer: git-send-email 1.8.3.1 Subject: [FFmpeg-devel] [RFC][PATCH] configure: Disable unsafe demuxers by default X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" These demuxers have probes that mainly probe based on file extension, and map to codec IDs that render text as video. The result is that ffmpeg will, by default, happily render, for example, .txt files as images. This is not exactly a good security practice, an only makes it easier for potential attackers to gain the contents of system files. Disable building these by default. Signed-off-by: Derek Buitenhuis --- I've been hard disabling these at $dayjob for a long time, after some "interesting" upload attempts, but it should probably be done for everyone. I'm not overly attached implementaion details like the option name or whether it's done at build time ot runtime, but I think the concept of "don't render arbitrary system text files" is an important one. --- Changelog | 1 + configure | 7 +++++++ tests/fate.sh | 1 + 3 files changed, 9 insertions(+) diff --git a/Changelog b/Changelog index d442ced..e3f8e83 100644 --- a/Changelog +++ b/Changelog @@ -6,6 +6,7 @@ version : - tmix filter - amplify filter - fftdnoiz filter +- unsafe demuxers that render text files now disabled by default version 4.0: diff --git a/configure b/configure index a1f13a7..2f2805e 100755 --- a/configure +++ b/configure @@ -107,6 +107,7 @@ Configuration options: --enable-small optimize for size instead of speed --disable-runtime-cpudetect disable detecting CPU capabilities at runtime (smaller binary) --enable-gray enable full grayscale support (slower color) + --enable-unsafe-demuxers enable unsafe-by-default demuxers --disable-swscale-alpha disable alpha channel support in swscale --disable-all disable building components, libraries and programs --disable-autodetect disable automatically detected external libraries [no] @@ -1784,6 +1785,7 @@ FEATURE_LIST=" small static swscale_alpha + unsafe_demuxers " LIBRARY_LIST=" @@ -3100,6 +3102,7 @@ videotoolbox_encoder_deps="videotoolbox VTCompressionSessionPrepareToEncodeFrame # demuxers / muxers ac3_demuxer_select="ac3_parser" +adf_demuxer_deps="unsafe_demuxers" aiff_muxer_select="iso_media" asf_demuxer_select="riffdec" asf_o_demuxer_select="riffdec" @@ -3107,6 +3110,7 @@ asf_muxer_select="riffenc" asf_stream_muxer_select="asf_muxer" avi_demuxer_select="iso_media riffdec exif" avi_muxer_select="riffenc" +bintext_demuxer_deps="unsafe_demuxers" caf_demuxer_select="iso_media riffdec" caf_muxer_select="iso_media" dash_muxer_select="mp4_muxer" @@ -3124,6 +3128,7 @@ flac_demuxer_select="flac_parser" hds_muxer_select="flv_muxer" hls_muxer_select="mpegts_muxer" hls_muxer_suggest="gcrypt openssl" +idf_demuxer_deps="unsafe_demuxers" image2_alias_pix_demuxer_select="image2_demuxer" image2_brender_pix_demuxer_select="image2_demuxer" ipod_muxer_select="mov_muxer" @@ -3167,6 +3172,7 @@ swf_demuxer_suggest="zlib" tak_demuxer_select="tak_parser" tg2_muxer_select="mov_muxer" tgp_muxer_select="mov_muxer" +tty_demuxer_deps="unsafe_demuxers" vobsub_demuxer_select="mpegps_demuxer" w64_demuxer_select="wav_demuxer" w64_muxer_select="wav_muxer" @@ -3176,6 +3182,7 @@ webm_muxer_select="iso_media riffenc" webm_dash_manifest_demuxer_select="matroska_demuxer" wtv_demuxer_select="mpegts_demuxer riffdec" wtv_muxer_select="mpegts_muxer riffenc" +xbin_demuxer_deps="unsafe_demuxers" xmv_demuxer_select="riffdec" xwma_demuxer_select="riffdec" diff --git a/tests/fate.sh b/tests/fate.sh index 0edee7f..6a99d66 100755 --- a/tests/fate.sh +++ b/tests/fate.sh @@ -49,6 +49,7 @@ configure()( --enable-gpl \ --enable-memory-poisoning \ --enable-avresample \ + --enable-unsafe-demuxers \ ${ignore_tests:+--ignore-tests="$ignore_tests"} \ ${arch:+--arch=$arch} \ ${cpu:+--cpu="$cpu"} \