1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-02 03:06:28 +02:00
Commit Graph

157 Commits

Author SHA1 Message Date
Michael Niedermayer
189ff42196 avformat/hls: Check local file extensions
This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-05 13:55:01 +02:00
Michael Niedermayer
c0702ab830 Revert "avformat/hls: Check local file extensions"
Requested-by: Paul B Mahol <onemda@gmail.com>
This reverts commit caf7d6178a.
2017-06-05 13:55:01 +02:00
Sysiphus
caf7d6178a avformat/hls: Check local file extensions
This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-06-05 03:03:11 +02:00
Micah Galizia
c4c73020f4 libavformat/hls: Observe Set-Cookie headers
Signed-off-by: Micah Galizia <micahgalizia@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-29 02:00:08 +02:00
Clément Bœsch
ef01061225 lavf/hls: do not transfer custom IO flag
See 0dcac9c3f0
2017-05-22 17:31:32 +02:00
Jan Berkel
aff80aa4ec hls: consistent use of user_agent
This came up while debugging a problem with mpv:
https://github.com/mpv-player/mpv/issues/4155

Signed-off-by: wm4 <nfxjfg@googlemail.com>
2017-03-23 12:51:21 +01:00
wm4
597c6b789e hls: pass AVFormatContext flags to sub demuxer 2017-03-09 16:24:00 +01:00
Andreas Cadhalpun
2c90316b46 hls: fix leaking avio_opts on hls_read_header error
Use the hls_close function to reduce code duplication.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-07 19:44:41 +01:00
Andreas Cadhalpun
a305e0e5c0 hls: move hls_close above hls_read_header
This is needed for the following commit.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-07 19:43:43 +01:00
Anssi Hannula
e2193b53ea avformat/hls: Add missing error check for avcodec_parameters_copy()
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2016-11-07 18:56:36 +02:00
Anssi Hannula
3d2f636497 avformat/hls: Fix probing mpegts audio streams that use probing
Commit 04964ac311 ("avformat/hls: Fix missing streams in some
cases with MPEG TS") caused a regression where subdemuxer streams that
use probing (e.g. dts/eac3/mp2 in mpegts) no longer get probed properly.

This is because the codec parameters from the subdemuxer stream, once
probed, are not passed on to the main stream.

Fix that by updating the codec parameters if the codec id changes.

Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2016-11-07 18:56:36 +02:00
Anssi Hannula
9a51cd35b8 avformat/hls: Factor copying stream info to a separate function
Signed-off-by: Anssi Hannula <anssi.hannula@iki.fi>
2016-11-07 18:56:36 +02:00
Anssi Hannula
a6f5e25ad9 avformat/hls: Fix handling of EXT-X-BYTERANGE streams over 2GB
Replace uses of atoi() with strtoll() when trying to read values into
int64_t variables.

Fixes Kodi trac #16926:
http://trac.kodi.tv/ticket/16926
2016-09-24 09:46:32 +03:00
Anssi Hannula
04964ac311 avformat/hls: Fix missing streams in some cases with MPEG TS
HLS demuxer calls the subdemuxer avformat_find_stream_info() while
overriding the subdemuxer AVFMTCTX_NOHEADER flag by clearing it.
However, this prevents some streams in some MPEG TS streams from being
detected properly.

Simply removing the clearing of the flag would cause the inner
avformat_find_stream_info() call to take longer in some cases, without
a way to control it.

To fix the issue, do not clear the flag but propagate it to HLS demuxer.
To avoid the above-mentioned mandatory delay, the call to
avformat_find_stream_info() is dropped except in the HLS ID3 timestamped
case. The HLS demuxer user should be calling avformat_find_stream_info()
on the HLS demuxer if it wants to find the stream info.

The main streams are now created dynamically after read_header time if
the subdemuxer uses AVFMTCTX_NOHEADER (mpegts).

Subdemuxer avformat_find_stream_info() is still called for the HLS ID3
timestamped case as the HLS demuxer needs to know the packet durations
to properly interleave ID3 timestamped streams with MPEG TS streams on
sub-segment level.

Fixes ticket #4930.
2016-07-28 01:24:57 +03:00
Anssi Hannula
83db3c84fa avformat/hls: Move stream propagation to a separate function
Creation of main demuxer streams from subdemuxer streams is moved to
update_streams_from_subdemuxer() which can be called repeatedly.

There should be no functional changes.
2016-07-28 01:24:57 +03:00
Anssi Hannula
9884f17e34 avformat/hls: Use an array instead of stream offset for stream mapping
This will be useful when the amount of streams per subdemuxer is not
known at hls_read_header time in a following commit.
2016-07-28 01:24:57 +03:00
Anssi Hannula
4d85069e5d avformat/hls: Sync starting segment across variants on live streams
This will avoid a large time difference between variants in the most
common case.
2016-07-28 01:24:57 +03:00
Anssi Hannula
9cb30f7a88 avformat/hls: Fix regression with ranged media segments
Commit 81306fd4bdf ("hls: eliminate ffurl_* usage", merged in d0fc5de3a6)
changed the hls demuxer to use AVIOContext instead of URLContext for its
HTTP requests.

HLS demuxer uses the "offset" option of the http demuxer, requesting
the initial file offset for the I/O (http URLProtocol uses the "Range:"
HTTP header to try to accommodate that).

However, the code in libavformat/aviobuf.c seems to be doing its own
accounting for the current file offset (AVIOContext.pos), with the
assumption that the initial offset is always zero.

HLS demuxer does an explicit seek after open_url to account for cases
where the "offset" was not effective (due to the URL being a local file
or the HTTP server not obeying it), which should be a no-op in case the
file offset is already at that position.

However, since aviobuf.c code thinks the starting offset is 0, this
doesn't work properly.

This breaks retrieval of ranged media segments.

To fix the regression, just drop the seek call from the HLS demuxer when
the HTTP(S) protocol is used.
2016-07-28 01:24:57 +03:00
Clément Bœsch
8df1dbd798 Merge commit '5afb94c817abffad030c6b94d7003dca8aace3d5'
* commit '5afb94c817abffad030c6b94d7003dca8aace3d5':
  Mark read-only tables as static

Merged-by: Clément Bœsch <u@pkh.me>
2016-06-21 22:09:35 +02:00
Diego Biurrun
5afb94c817 Mark read-only tables as static 2016-05-05 10:48:34 +02:00
Derek Buitenhuis
6f69f7a8bf Merge commit '9200514ad8717c63f82101dc394f4378854325bf'
* commit '9200514ad8717c63f82101dc394f4378854325bf':
  lavf: replace AVStream.codec with AVStream.codecpar

This has been a HUGE effort from:
    - Derek Buitenhuis <derek.buitenhuis@gmail.com>
    - Hendrik Leppkes <h.leppkes@gmail.com>
    - wm4 <nfxjfg@googlemail.com>
    - Clément Bœsch <clement@stupeflix.com>
    - James Almer <jamrial@gmail.com>
    - Michael Niedermayer <michael@niedermayer.cc>
    - Rostislav Pehlivanov <atomnuker@gmail.com>

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-04-10 20:59:55 +01:00
Hendrik Leppkes
eae2d89bf7 hls: handle crypto in the protocol checks
Fixes issue 5248
2016-03-16 10:31:41 +01:00
Hendrik Leppkes
0d4b8a2c16 hls: read protocol options through the AVIOContext
This reverts commit 9f9ed79d4c.

The hlsopts member was never set anywhere and always NULL, furthermore
the HLS demuxer needs to retrieve the proper options from the underlying
http protocol (cookies, user-agent, etc), so a dummy context won't help.

Instead, use the AVIOContext directly to access the options.
2016-03-16 10:31:36 +01:00
Derek Buitenhuis
93629735d7 avformat: Add a protocol blacklisting API
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-03-04 16:13:42 +00:00
Derek Buitenhuis
9f9ed79d4c hls: Add and use a memebr of AVIOInternal rather than abuse opaque
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-29 20:10:11 +00:00
Derek Buitenhuis
f1e7c42f08 Merge commit '225e84e74544062706c0159ec0737b0e1d40915f'
* commit '225e84e74544062706c0159ec0737b0e1d40915f':
  hls: disallow opening nested files in child demuxers

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-29 15:50:32 +00:00
Anton Khirnov
9200514ad8 lavf: replace AVStream.codec with AVStream.codecpar
Currently, AVStream contains an embedded AVCodecContext instance, which
is used by demuxers to export stream parameters to the caller and by
muxers to receive stream parameters from the caller. It is also used
internally as the codec context that is passed to parsers.

In addition, it is also widely used by the callers as the decoding (when
demuxer) or encoding (when muxing) context, though this has been
officially discouraged since Libav 11.

There are multiple important problems with this approach:
    - the fields in AVCodecContext are in general one of
        * stream parameters
        * codec options
        * codec state
      However, it's not clear which ones are which. It is consequently
      unclear which fields are a demuxer allowed to set or a muxer allowed to
      read. This leads to erratic behaviour depending on whether decoding or
      encoding is being performed or not (and whether it uses the AVStream
      embedded codec context).
    - various synchronization issues arising from the fact that the same
      context is used by several different APIs (muxers/demuxers,
      parsers, bitstream filters and encoders/decoders) simultaneously, with
      there being no clear rules for who can modify what and the different
      processes being typically delayed with respect to each other.
    - avformat_find_stream_info() making it necessary to support opening
      and closing a single codec context multiple times, thus
      complicating the semantics of freeing various allocated objects in the
      codec context.

Those problems are resolved by replacing the AVStream embedded codec
context with a newly added AVCodecParameters instance, which stores only
the stream parameters exported by the demuxers or read by the muxers.
2016-02-23 17:01:58 +01:00
Anton Khirnov
225e84e745 hls: disallow opening nested files in child demuxers 2016-02-22 11:30:33 +01:00
Michael Niedermayer
58f21b6c93 avformat/hls: fix potential integer overflow
This is not a regression

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-02-16 21:46:00 +01:00
Derek Buitenhuis
d0fc5de3a6 Merge commit '81306fd4bdeb5c17d4db771e4fec684773b5790f'
* commit '81306fd4bdeb5c17d4db771e4fec684773b5790f':
  hls: eliminate ffurl_* usage

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-16 16:27:14 +00:00
Derek Buitenhuis
bc9a5965c8 Merge commit '9f61abc8111c7c43f49ca012e957a108b9cc7610'
This also deprecates our old duplicated callbacks.

* commit '9f61abc8111c7c43f49ca012e957a108b9cc7610':
  lavf: allow custom IO for all files

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-02-10 14:42:41 +00:00
Michael Niedermayer
fe3fed0b14 Update demuxers and protocols for protocol whitelist support
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-02-02 04:16:50 +01:00
Michael Niedermayer
af24b1c0cd Revert "avformat/hls: Require the file extension to be m3u / m3u8 for probing to succeed"
This can cause problems with urls that have arguments after the filename

This reverts commit b0c57206d5.

Reviewed-by: wm4 <nfxjfg@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-02-01 15:06:34 +01:00
Michael Niedermayer
cde57eee98 avformat/hls: Check that filename is not "" in probe before checking its extension
Possibly the check as a whole causes more problems than it helps, if so dont
hesitate to remove it

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-25 00:18:57 +01:00
Anton Khirnov
81306fd4bd hls: eliminate ffurl_* usage
Now all IO should go through the IO callbacks and be interceptable by
the caller.
2016-01-24 16:50:13 +01:00
Anton Khirnov
9f61abc811 lavf: allow custom IO for all files
Some (de)muxers open additional files beyond the main IO context.
Currently, they call avio_open() directly, which prevents the caller
from using custom IO for such streams.

This commit adds callbacks to AVFormatContext that default to
avio_open2()/avio_close(), but can be overridden by the caller. All
muxers and demuxers using AVIO are switched to using those callbacks
instead of calling avio_open()/avio_close() directly.

(de)muxers that use the URLProtocol layer directly instead of AVIO
remain unconverted for now. This should be fixed in later commits.
2016-01-24 16:45:32 +01:00
Michael Niedermayer
b0c57206d5 avformat/hls: Require the file extension to be m3u / m3u8 for probing to succeed
If the filename isnt set by the user application then the code behaves like before

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-19 16:46:30 +01:00
Michael Niedermayer
cfda1bea4c avformat/hls: Even stricter URL checks
This fixes a null pointer dereference at least

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-15 15:29:22 +01:00
Michael Niedermayer
6ba42b6482 avformat/hls: More strict url checks
No case is known where these are needed

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-15 14:11:21 +01:00
Maxim Andreev
7145e80b4f avformat/hls: forbid all protocols except http(s) & file
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-01-14 00:18:00 +01:00
Joel Holdsworth
c48122d731 avformat/hls: Added http_proxy support
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-12-27 21:44:15 +01:00
Joel Holdsworth
9cdccd404b avformat/hls: Remember to free HLSContext::headers
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-12-27 21:44:15 +01:00
Michael Niedermayer
676a93f2d8 avformat: Add av_program_add_stream_index()
This will be used by the subsequent commit(s)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-12-11 22:27:25 +01:00
Hendrik Leppkes
7f5af80ba4 Merge commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457'
* commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457':
  avpacket: Replace av_free_packet with av_packet_unref

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-27 14:28:56 +01:00
Luca Barbato
ce70f28a17 avpacket: Replace av_free_packet with av_packet_unref
`av_packet_unref` matches the AVFrame ref-counted API and can be used as
a drop in replacement.

Deprecate `av_free_packet`.
2015-10-26 18:00:55 +01:00
Anssi Hannula
9099079488 avformat/hls: add support for EXT-X-MAP
Without EXT-X-MAP support we miss the first bytes of some streams.

These streams worked by luck before byte-ranged segment support was added in
da7759b357

Fixes ticket #4797.
2015-10-15 15:04:00 +03:00
Anssi Hannula
fd74d45d51 avformat/hls: fix segment selection regression on track changes of live streams
Commit ad701326b4 ("avformat/hls: open playlists immediately when
AVDISCARD_ALL is dropped") inadvertently caused first_packet to never be
cleared, causing select_cur_seq_no() to not use the specific code for
live streams.

In practice this means that when the user selects a different audio
track during live stream (i.e. non-VOD) playback, there may be some
additional delay as the code might select an incorrect segment at first,
and we have to wait for video to catch audio (if too late segment was
selected) or to download more following audio segments (if too early
segment was selected).

Fix that by restoring the zeroing of first_packet.
2015-10-15 15:04:00 +03:00
Rodger Combs
f00ec7eb1b lavf/hls: don't convert NULL options to empty strings; fixes HTTP CRLF warnings 2015-10-09 04:12:57 -05:00
Rodger Combs
14221b2dd9 lavf/hls: allow subtitles to be read despite incomplete handling
This will give incorrect results in some cases due to not parsing segments
separately, so it currently requires -strict experimental.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2015-10-03 12:54:44 +02:00
Luca Barbato
74942685cb hls: Check av_opt_set_dict return value as well
Bug-Id: CID 1320426
2015-10-01 13:51:13 +02:00