vlc | branch: master | Rémi Denis-Courmont <[email protected]> | Sat Feb 25 16:38:44 2017 +0200| [0c166ad1b9798c00a0ce9bf52d561be598c4842c] | committer: Rémi Denis-Courmont
record: protect against arbitrary file overwrite Setting the no-overwrite flag of the file access output ensures that record will not indirectly trigger overwriting of an unintended file. There are two occurences to this problem: - While probing the muxer format, VLC uses the notoriously insecure and obsolescent (in POSIX.2008) tempnam() function. This leads to an arbitrary file overwrite vulnerability via symbolic links. However, the record plugin really should not need to create temporary files to probe a muxer format. - While actually recording content to a permanent file, overwriting an existing file is not a good idea. This is presumably not a vulnerability insofar as the output directory belongs to the user. Regardless, the record plugin should ensure that the output filename does not already exists (e.g. by creating the file). So basically, this is a stopgap measure. > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=0c166ad1b9798c00a0ce9bf52d561be598c4842c --- modules/stream_out/record.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/stream_out/record.c b/modules/stream_out/record.c index 4b3a84c..5dd0342 100644 --- a/modules/stream_out/record.c +++ b/modules/stream_out/record.c @@ -329,7 +329,8 @@ static int OutputNew( sout_stream_t *p_stream, } free( psz_tmp ); - if( asprintf( &psz_output, "std{access=file{no-append,no-format}," + if( asprintf( &psz_output, + "std{access=file{no-append,no-format,no-overwrite}," "mux='%s',dst='%s'}", psz_muxer, psz_file ) < 0 ) { psz_output = NULL; _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
