> > Now the question is whether a malicious attacker can craft those two
> > files to get access to anything they shouldn't. I suppose at the very
> > least the attacker can get information that the user opened the file (by
> > adding an asset on an attacker's server) but that will be a danger with
> > any playlists allowing network resources and can be controlled with
> > io_open(). Can you think of any other possible issues?
>
Some security considerations:

- a DDoS can conceivably occur if a malicious CPL+ASSETMAP is widely distributed. Both an ASSETMAP and a CPL are required since (a) the CPL does not contain paths/hyperlinks and (b) only those resources referenced by the CPL are fetched using the ASSETMAP.
- the CPL uses XML, which has its own security considerations. For example, XML parsing can result in entities being fetched over the network, but this is disabled by default in libxml AFAIK.
- several elements/attributes of the IMF CPL use URIs as unique identifiers. These URIs could conceivably be dereferenced. Dereferencing these URIs is however not a requirement and the IMF demuxer does not do so.
- IMF only uses MXF to wrap essence but supports various kinds of essence, e.g. ProRes and J2K, each with its own security considerations.
- IMF has a mechanism to associate arbitrary files with a CPL. This is not required for processing of the CPL and is not implemented by the IMF demuxer.
- IMF includes an (optional) XML digital signature mechanism that allows a user to confirm the origin and authenticity of the CPL, preventing malicious insertion of hyperlinks. XML digital signature has its own security considerations.

Many of these security considerations are shared with DASH and HLS.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
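As an added example (not code from this thread or from the FFmpeg IMF demuxer) of the two points that bound the attack surface discussed above, namely that only assets the CPL references are looked up in the ASSETMAP and that the fetch policy is decided at open time: a simplified Python resolver over constructed ASSETMAP and CPL fragments. Element names follow the SMPTE layout but namespaces are omitted, and `path_allowed` is a hypothetical io_open()-style policy, not the demuxer's.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed, simplified ASSETMAP and CPL (real files carry SMPTE namespaces and
# more elements): bbbb escapes the package, cccc points off-host, dddd is unreferenced.
ASSETMAP = """<AssetMap><AssetList>
<Asset><Id>urn:uuid:aaaa</Id><ChunkList><Chunk><Path>video.mxf</Path></Chunk></ChunkList></Asset>
<Asset><Id>urn:uuid:bbbb</Id><ChunkList><Chunk><Path>../../etc/passwd</Path></Chunk></ChunkList></Asset>
<Asset><Id>urn:uuid:cccc</Id><ChunkList><Chunk><Path>http://attacker.invalid/beacon.mxf</Path></Chunk></ChunkList></Asset>
<Asset><Id>urn:uuid:dddd</Id><ChunkList><Chunk><Path>unused.mxf</Path></Chunk></ChunkList></Asset>
</AssetList></AssetMap>"""
CPL = """<CompositionPlaylist><SegmentList><Segment><SequenceList><MainImageSequence>
<ResourceList><Resource><TrackFileId>urn:uuid:aaaa</TrackFileId></Resource>
<Resource><TrackFileId>urn:uuid:bbbb</TrackFileId></Resource>
<Resource><TrackFileId>urn:uuid:cccc</TrackFileId></Resource></ResourceList>
</MainImageSequence></SequenceList></Segment></SegmentList></CompositionPlaylist>"""

def parse_assetmap(xml_text):
    # Map asset Id -> first chunk Path. ElementTree does not fetch external
    # entities, so a hostile DOCTYPE cannot turn parsing into a network request.
    paths = {}
    for asset in ET.fromstring(xml_text).iter("Asset"):
        paths[asset.findtext("Id").strip()] = asset.findtext("ChunkList/Chunk/Path").strip()
    return paths

def cpl_track_file_ids(xml_text):
    # Only assets the CPL actually references are ever looked up in the ASSETMAP.
    return [el.text.strip() for el in ET.fromstring(xml_text).iter("TrackFileId")]

def path_allowed(path, allow_network):
    # Accept package-relative paths; refuse traversal, absolute paths and,
    # unless the caller opts in, anything carrying a URL scheme.
    if urlparse(path).scheme:
        return allow_network
    p = PurePosixPath(path)
    return not p.is_absolute() and ".." not in p.parts

def resolve_assets(cpl_xml, assetmap_xml, allow_network=False):
    # Return (accepted, rejected) dicts of Id -> Path for CPL-referenced assets;
    # an Id missing from the ASSETMAP is rejected with a None path.
    paths = parse_assetmap(assetmap_xml)
    accepted, rejected = {}, {}
    for track_id in cpl_track_file_ids(cpl_xml):
        path = paths.get(track_id)
        if path is not None and path_allowed(path, allow_network):
            accepted[track_id] = path
        else:
            rejected[track_id] = path
    return accepted, rejected
```

With the default policy only `video.mxf` is opened; the traversal path and the off-host URL are reported but never touched, and the unreferenced asset is never consulted at all.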