On 13.01.2016 18:14, Luca Barbato wrote:
> concat can be abused to leak local file contents as url parameter.
>
> CC: [email protected]
> Reported-By: Максим Андреев <[email protected]>
> ---
>
> Not sure if we want to add a whitelist option as well.
>
> libavformat/hls.c | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/libavformat/hls.c b/libavformat/hls.c
> index dc3ab87..d8d1dcd 100644
> --- a/libavformat/hls.c
> +++ b/libavformat/hls.c
[...]
> @@ -161,6 +175,10 @@ static struct variant *new_variant(HLSContext *c, int
> bandwidth,
> return NULL;
> reset_packet(&var->pkt);
> var->bandwidth = bandwidth;
> +
> + if (in_blacklist(url, c->blacklist))
> + return NULL;
Something should be logged, when a URL is rejected.
> ff_make_absolute_url(var->url, sizeof(var->url), base, url);
> dynarray_add(&c->variants, &c->n_variants, var);
> return var;
> @@ -852,6 +870,19 @@ static int hls_probe(AVProbeData *p)
> return 0;
> }
>
> +#define OFFSET(x) offsetof(HLSContext, x)
> +#define D AV_OPT_FLAG_DECODING_PARAM
> +static const AVOption options[] = {
> + {"blacklist", "Comma-separated list of protocols to reject",
> OFFSET(blacklist), AV_OPT_TYPE_STRING, {.str = "concat"}, 0, 0, D},
> + { NULL },
> +};
I'd also prefer a whitelist containing the few useful protocols
(file, http, https).
Best regards,
Andreas
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
