[FFmpeg-cvslog] r12241 - trunk/libavformat/mov.c

Rich Felker dalias
Wed Feb 27 14:17:31 CET 2008


On Wed, Feb 27, 2008 at 02:02:40PM +0100, Baptiste Coudurier wrote:
> > application. Both url_fopen and callback are insane, especially if the
> > default callback is url_fopen in which case it is insecure by default.
> 
> Nonsense due to the concept of the feature, patch welcome for callback.
> 
> > I think Baptiste totally failed to understand the issue about
> > caller-registered url handlers which are common (e.g. mplayer always
> > uses one to connect to its own stream layer with cache)
> 
> I understand the concerns, again callback patch welcome.

Callback is unwelcome. Read the end of the text you quoted (first
block). Putting the filename in metadata or somewhere else where the
application can read it and use it IF THE APPLICATION DESIRES TO is
the proper solution.

> > and how the
> > existing API does not require them to be 'secure' against malicious
> > urls. For instance, my://0x12345678 (where the number is a pointer)
> > might be valid and the registered url handler might use data stored at
> > 0x12345678 to determine addresses to perform writes to. Thus, if a
> > file can cause an arbitrary address to be passed after my://, there is
> > surely a privilege elevation vulnerability.
> 
> Seriously 1) Read code 2) Read specs.
> Demuxer is reading data through ByteIOContext, if you do insane and ugly
> things with your URLProtocol, well....

This is not insane and ugly; it's the intended use of URLProtocol for
applications that have their own stream layers. This sort of practice
has been recommended MANY times on the list in the past, so going back
and suddenly making it insecure and deprecated is unacceptable.

> > The pay-per-byte internet access is also an extremely serious concern.
> 
> LOL.

???

Rich
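
An added example, not part of the original message and not FFmpeg code: one way an application could apply the approach argued for above, where the demuxer only exposes the reference string and the application decides whether to open it. The function names, the policy (relative paths beside the containing file only) and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 3986 scheme prefix: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") ":" */
static int has_url_scheme(const char *s)
{
    if (!isalpha((unsigned char)*s))
        return 0;
    for (s++; isalnum((unsigned char)*s) || *s == '+' || *s == '-' || *s == '.'; s++)
        ;
    return *s == ':';
}

/* True if any '/'-separated component is exactly "..". */
static int has_dotdot(const char *s)
{
    while (*s) {
        size_t n = strcspn(s, "/");
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return 1;
        s += n + (s[n] == '/');
    }
    return 0;
}

/* Hypothetical application-side policy: resolve ref next to the container file.
 * Returns 0 and fills out on accept, -1 on reject (URL scheme, absolute path,
 * backslash, "..", or result too long), so no URL handler is ever reached. */
int resolve_external_ref(const char *container, const char *ref,
                         char *out, size_t outlen)
{
    const char *slash = strrchr(container, '/');
    size_t dirlen = slash ? (size_t)(slash - container) + 1 : 0;
    if (!*ref || ref[0] == '/' || strchr(ref, '\\') ||
        has_url_scheme(ref) || has_dotdot(ref))
        return -1;
    if (dirlen + strlen(ref) + 1 > outlen)
        return -1;
    memcpy(out, container, dirlen);
    strcpy(out + dirlen, ref);
    return 0;
}

int main(void)
{
    char p[256];  /* constructed sample input: the URL from the thread */
    int r = resolve_external_ref("/media/in/movie.mov", "my://0x12345678", p, sizeof p);
    printf("my://0x12345678 -> %s\n", r ? "rejected" : p);
    return 0;
}
```

The check is purely lexical: it does not resolve symlinks, so an application that needs containment under a directory still has to verify the opened file's real location.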



