On Wed, 13 Jan 2016 18:14:16 +0100 Luca Barbato <[email protected]> wrote:
> concat can be abused to leak local file contents as url parameter.
>
> CC: [email protected]
> Reported-By: Максим Андреев <[email protected]>
> ---
>
> Not sure if we want to add a whitelist option as well.
>
> libavformat/hls.c | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/libavformat/hls.c b/libavformat/hls.c
> index dc3ab87..d8d1dcd 100644
> --- a/libavformat/hls.c
> +++ b/libavformat/hls.c
> @@ -104,6 +104,7 @@ typedef struct HLSContext {
> int seek_flags;
> AVIOInterruptCB *interrupt_callback;
> AVDictionary *avio_opts;
> + char *blacklist;
> } HLSContext;
>
> static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
> @@ -153,6 +154,19 @@ static void reset_packet(AVPacket *pkt)
> pkt->data = NULL;
> }
>
> +static int in_blacklist(const char *url, const char *blacklist)
> +{
> + char proto[128];
> +
> + av_url_split(proto, sizeof(proto),
> + NULL, 0,
> + NULL, 0,
> + NULL, NULL, 0,
> + url);
> +
> + return av_match_name(proto, blacklist);
> +}
> +
> static struct variant *new_variant(HLSContext *c, int bandwidth,
> const char *url, const char *base)
> {
> @@ -161,6 +175,10 @@ static struct variant *new_variant(HLSContext *c, int
> bandwidth,
> return NULL;
> reset_packet(&var->pkt);
> var->bandwidth = bandwidth;
> +
> + if (in_blacklist(url, c->blacklist))
> + return NULL;
> +
> ff_make_absolute_url(var->url, sizeof(var->url), base, url);
> dynarray_add(&c->variants, &c->n_variants, var);
> return var;
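Review bot: in_blacklist() hands `proto` to av_match_name() even when the URL has no scheme, so for a relative playlist entry the comparison runs on an empty string. If av_match_name() treats an empty list entry as equal to an empty name (its body is not shown here), a `blacklist` value that is empty or ends in a comma would reject every relative URL. An explicit guard before the return makes the intent unambiguous: `if (!proto[0]) return 0;`. The helper also has no comment; `/* Return non-zero if the scheme of url is listed in blacklist. */` would document the contract.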
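Review bot: The new early `return NULL;` in new_variant() is reached after `var` is already in use (`reset_packet(&var->pkt)` just above), so the rejected variant is never released; the allocation itself is outside the hunk, but this looks like a leak on every blocked URL. Either free it first, `if (in_blacklist(url, c->blacklist)) { av_free(var); return NULL; }`, or move the check above the allocation. The caller also cannot tell a rejected URL from an allocation failure, so a log line naming the rejected protocol would help whoever has to diagnose a blocked playlist. The check covers only URLs that pass through new_variant(); if segment or key URIs are resolved elsewhere in hls.c, they would need the same check for the fix to cover the case described in the commit message.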
> @@ -852,6 +870,19 @@ static int hls_probe(AVProbeData *p)
> return 0;
> }
>
> +#define OFFSET(x) offsetof(HLSContext, x)
> +#define D AV_OPT_FLAG_DECODING_PARAM
> +static const AVOption options[] = {
> + {"blacklist", "Comma-separated list of protocols to reject",
> OFFSET(blacklist), AV_OPT_TYPE_STRING, {.str = "concat"}, 0, 0, D},
> + { NULL },
> +};
> +
> +static const AVClass hls_class = {
> + .class_name = "hls demuxer",
> + .item_name = av_default_item_name,
> + .option = options,
> + .version = LIBAVUTIL_VERSION_INT,
> +};
> AVInputFormat ff_hls_demuxer = {
> .name = "hls,applehttp",
> .long_name = NULL_IF_CONFIG_SMALL("Apple HTTP Live Streaming"),
> @@ -861,4 +892,5 @@ AVInputFormat ff_hls_demuxer = {
> .read_packet = hls_read_packet,
> .read_close = hls_close,
> .read_seek = hls_read_seek,
> + .priv_class = &hls_class,
> };
> --
> 2.6.1
Should be a whitelist, not blacklist.
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
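Review bot: The `blacklist` entry in `options[]` is a plain string option whose default is `"concat"`, so any value the user supplies replaces the default instead of extending it. Someone who sets the option to block one additional protocol would, as far as this table shows, silently stop rejecting concat. The help text should state this, for example `"Comma-separated list of protocols to reject (replaces the default, concat)"`. As a minor style point, `OFFSET` and `D` stay defined after the table and could be `#undef`'d once `options[]` is complete.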
