Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-04 Thread Nicolas George
On quintidi 15 Prairial, year CCXXV, Hendrik Leppkes wrote: > I object to breaking a functioning protocol in the name of some > obscure social-engineering attack. I agree, this issue is negligible. As was the issue about the concat protocol. But we obviously have many similar issues all over

Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-03 Thread Hendrik Leppkes
On Sat, Jun 3, 2017 at 2:58 PM, Michael Niedermayer wrote: > On Sat, Jun 03, 2017 at 11:18:46AM +0200, Hendrik Leppkes wrote: >> On Sat, Jun 3, 2017 at 2:31 AM, Michael Niedermayer >> wrote: >> > On Fri, Jun 02, 2017 at 09:27:16PM +0200, Hendrik

Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-03 Thread wm4
On Sat, 3 Jun 2017 14:58:19 +0200 Michael Niedermayer wrote: > Do you object to fixing this security issue that has a working exploit? > Can you provide a testcase the fix breaks? So I can look into what > can be done about it? (multiple testcases would be even better

[FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-03 Thread Michael Niedermayer
This reduces the attack surface of local file-system and local network information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still

Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-03 Thread Michael Niedermayer
On Sat, Jun 03, 2017 at 11:18:46AM +0200, Hendrik Leppkes wrote: > On Sat, Jun 3, 2017 at 2:31 AM, Michael Niedermayer > wrote: > > On Fri, Jun 02, 2017 at 09:27:16PM +0200, Hendrik Leppkes wrote: > >> On Fri, Jun 2, 2017 at 9:19 PM, Michael Niedermayer > >>

Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-03 Thread Hendrik Leppkes
On Sat, Jun 3, 2017 at 2:31 AM, Michael Niedermayer wrote: > On Fri, Jun 02, 2017 at 09:27:16PM +0200, Hendrik Leppkes wrote: >> On Fri, Jun 2, 2017 at 9:19 PM, Michael Niedermayer >> wrote: >> > This reduces the attack surface of local file-system

Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-02 Thread Michael Niedermayer
On Fri, Jun 02, 2017 at 09:27:16PM +0200, Hendrik Leppkes wrote: > On Fri, Jun 2, 2017 at 9:19 PM, Michael Niedermayer > wrote: > > This reduces the attack surface of local file-system and local network > > information leaking. > > > > It prevents the existing exploit

Re: [FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-02 Thread Hendrik Leppkes
On Fri, Jun 2, 2017 at 9:19 PM, Michael Niedermayer wrote: > This reduces the attack surface of local file-system and local network > information leaking. > > It prevents the existing exploit leading to an information leak. As > well as similar hypothetical attacks. > >

[FFmpeg-devel] [PATCH] avformat/hls: Check file extensions

2017-06-02 Thread Michael Niedermayer
This reduces the attack surface of local file-system and local network information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still