Re: [FFmpeg-devel] 答复: [PATCH] fftools/ffmpeg_ffplay_ffprobe_cmdutils: add -safe to replace the user name and password in the protocol address

Mon, 19 Dec 2022 02:10:12 -0800 


On 2022-12-19 02:59 pm, Wujian(Chin) wrote:



On Dec 19, 2022, at 14:50, Wujian(Chin) <wuji...@huawei.com> wrote:



On Dec 17, 2022, at 15:36, Wujian(Chin) <wuji...@huawei.com> wrote:

The Protocol address may contain the user name and password. The ps -ef command 
may expose the plaintext.
The -safe parameter option is added to replace the user name and password in 
the command line with the asterisk (*).

The patch reduced the risk to a low level, but I don’t think it fixed the 
security issue totally. It’s still there with a small time window. The usecase 
itself is unsafe.

It's still there with a small time window, too short for people to capture.
Do you have any other better way, if not, this way prevents 99% of the scenes 
better than not doing it at all.



There is an -safe option in concat demuxer, please make sure there is no 
conflict.
concat demuxer AVOptions:
-safe              <boolean>    .D......... enable safe mode (default true)

There is no conflict because -safe is identified by the second parameter after 
ffmpeg/ffprobe/ffplay.

Isn’t it break the following use case?
ffmpeg -safe 0 -f concat -i abc -c copy /tmp/test.mp4

  


Thanks, zhilizhao.
You're right, we're going to replace -safe with -desensitization,
what other good parameter name suggestions do you have?

-mask_url or -mask_cred or -hide_url or -hide_cred

Regards,
Gyan







Signed-off-by: wujian_nanjing <wuji...@huawei.com>
---
doc/ffmpeg.texi    |  7 +++++++
doc/ffplay.texi    |  8 ++++++++
doc/ffprobe.texi   |  7 +++++++
fftools/cmdutils.c | 47
+++++++++++++++++++++++++++++++++++++++++++----
fftools/cmdutils.h | 15 +++++++++++++++
fftools/ffmpeg.c   | 16 +++++++++++++---
fftools/ffplay.c   | 15 +++++++++++++--
fftools/ffprobe.c  | 18 ++++++++++++++----
8 files changed, 120 insertions(+), 13 deletions(-)

diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index
0367930..e905542
100644
--- a/doc/ffmpeg.texi
+++ b/doc/ffmpeg.texi
@@ -50,6 +50,13 @@ output files. Also do not mix options which
belong to different files. All options apply ONLY to the next input or output 
file and are reset between files.

@itemize
+@item -safe
+The Protocol address may contain the user name and password. The ps -ef 
command may expose the plaintext.
+The -safe parameter option is added to replace the user name and password in 
the command line with the asterisk (*).
+@example
+ffmpeg -safe -i rtsp://usern...@password.xxxx.com @end example
+
@item
To set the video bitrate of the output file to 64 kbit/s:
@example
diff --git a/doc/ffplay.texi b/doc/ffplay.texi index
5dd860b..f46ca91
100644
--- a/doc/ffplay.texi
+++ b/doc/ffplay.texi
@@ -122,6 +122,14 @@ Read @var{input_url}.

@section Advanced options
@table @option
+
+@item -safe
+The Protocol address may contain the user name and password. The ps -ef 
command may expose the plaintext.
+The -safe parameter option is added to replace the user name and password in 
the command line with the asterisk (*).
+@example
+ffplay -safe -i rtsp://usern...@password.xxxx.com @end example
+
@item -stats
Print several playback statistics, in particular show the stream
duration, the codec parameters, the current position in the stream
and diff --git a/doc/ffprobe.texi b/doc/ffprobe.texi index
4dc9f57..92b13cf 100644
--- a/doc/ffprobe.texi
+++ b/doc/ffprobe.texi
@@ -89,6 +89,13 @@ Set the output printing format.
@var{writer_name} specifies the name of the writer, and
@var{writer_options} specifies the options to be passed to the writer.

+@item -safe
+The Protocol address may contain the user name and password. The ps -ef 
command may expose the plaintext.
+The -safe parameter option is added to replace the user name and password in 
the command line with the asterisk (*).
+@example
+ffprobe -safe -i rtsp://usern...@password.xxxx.com @end example
+
For example for printing the output in JSON format, specify:
@example
-print_format json
diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index
a1de621..22407f8 100644
--- a/fftools/cmdutils.c
+++ b/fftools/cmdutils.c
@@ -61,6 +61,40 @@ AVDictionary *format_opts, *codec_opts;

int hide_banner = 0;

+void param_masking(int argc, char **argv) {
+    int i, j;
+    for (i = 1; i < argc; i++) {
+        char *match = strstr(argv[i], "://");
+        if (match) {
+            int total = strlen(argv[i]);
+            for (j = 0; j < total; j++) {
+                argv[i][j] = '*';
+            }
+        }
+    }
+}
+
+char **copy_argv(int argc, char **argv) {
+    char **argv2;
+    argv2 = av_mallocz(argc * sizeof(char *));
+    if (!argv2)
+        exit_program(1);
+
+    for (int i = 0; i < argc; i++) {
+        int length = strlen(argv[i]) + 1;
+        argv2[i] = av_mallocz(length * sizeof(char *));
+        if (!argv2[i])
+            exit_program(1);
+        memcpy(argv2[i], argv[i], length - 1);
+    }
+    return argv2;
+}
+
+void free_pp(int argc, char **argv) {
+    for (int i = 0; i < argc; i++)
+        av_free(argv[i]);
+    av_free(argv);
+}
void uninit_opts(void)
{
    av_dict_free(&swr_opts);
@@ -215,13 +249,13 @@ static void prepare_app_arguments(int *argc_ptr, char 
***argv_ptr)
    if (win32_argv_utf8) {
        *argc_ptr = win32_argc;
        *argv_ptr = win32_argv_utf8;
-        return;
+        goto end;
    }

    win32_argc = 0;
    argv_w = CommandLineToArgvW(GetCommandLineW(), &win32_argc);
    if (win32_argc <= 0 || !argv_w)
-        return;
+        goto end;

    /* determine the UTF-8 buffer size (including NULL-termination symbols) */
    for (i = 0; i < win32_argc; i++)
@@ -232,7 +266,7 @@ static void prepare_app_arguments(int *argc_ptr, char 
***argv_ptr)
    argstr_flat     = (char *)win32_argv_utf8 + sizeof(char *) * (win32_argc + 
1);
    if (!win32_argv_utf8) {
        LocalFree(argv_w);
-        return;
+        goto end;
    }

    for (i = 0; i < win32_argc; i++) { @@ -243,9 +277,14 @@ static
void prepare_app_arguments(int *argc_ptr, char ***argv_ptr)
    }
    win32_argv_utf8[i] = NULL;
    LocalFree(argv_w);
-
    *argc_ptr = win32_argc;
    *argv_ptr = win32_argv_utf8;
+end:
+    if (*argc_ptr > 1 && !strcmp((*argv_ptr)[1], "-safe")) {
+        (*argv_ptr)[1] = (*argv_ptr)[0];
+        (*argc_ptr)--;
+        (*argv_ptr)++;
+    }
}
#else
static inline void prepare_app_arguments(int *argc_ptr, char
***argv_ptr) diff --git a/fftools/cmdutils.h b/fftools/cmdutils.h
index 4496221..ce4c1db 100644
--- a/fftools/cmdutils.h
+++ b/fftools/cmdutils.h
@@ -50,6 +50,21 @@ extern AVDictionary *format_opts, *codec_opts;
extern int hide_banner;

/**
+ * Using to masking sensitive info.
+ */
+void param_masking(int argc, char **argv);
+
+/**
+ * Using to copy ori argv.
+ */
+char **copy_argv(int argc, char **argv);
+
+/**
+ * Free **
+ */

+void free_pp(int argc, char **argv);

+

+/**
* Register a program-specific cleanup routine.
*/
void register_exit(void (*cb)(int ret)); diff --git
a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 881d6f0..f77e850 100644
--- a/fftools/ffmpeg.c
+++ b/fftools/ffmpeg.c
@@ -3865,9 +3865,9 @@ static int64_t getmaxrss(void)

int main(int argc, char **argv)
{
-    int ret;
+    int ret, safeFlag;
    BenchmarkTimeStamps ti;
-
+    char **argv2;
    init_dynload();

    register_exit(ffmpeg_cleanup);
@@ -3877,15 +3877,25 @@ int main(int argc, char **argv)
    av_log_set_flags(AV_LOG_SKIP_REPEATED);
    parse_loglevel(argc, argv, options);

+    safeFlag = 0;
+    if (argc > 1 && !strcmp(argv[1], "-safe")) {
+        argv[1] = argv[0];
+        safeFlag = 1;
+        argc--;
+        argv++;
+    }
#if CONFIG_AVDEVICE
    avdevice_register_all();
#endif
    avformat_network_init();

    show_banner(argc, argv, options);
+    argv2 = copy_argv(argc, argv);
+    if (safeFlag)
+        param_masking(argc, argv);

    /* parse options and open all input/output files */
-    ret = ffmpeg_parse_options(argc, argv);
+    ret = ffmpeg_parse_options(argc, argv2);
    if (ret < 0)
        exit_program(1);

diff --git a/fftools/ffplay.c b/fftools/ffplay.c index
fc7e1c2..f9e6c91 100644
--- a/fftools/ffplay.c
+++ b/fftools/ffplay.c
@@ -3663,10 +3663,18 @@ void show_help_default(const char *opt,
const char *arg)
/* Called from the main */
int main(int argc, char **argv)
{
-    int flags;
+    int flags, safeFlag;
+    char **argv2;
    VideoState *is;

    init_dynload();
+    safeFlag = 0;
+    if (argc > 1 && !strcmp(argv[1], "-safe")) {
+        argv[1] = argv[0];
+        safeFlag = 1;
+        argc--;
+        argv++;
+    }

    av_log_set_flags(AV_LOG_SKIP_REPEATED);
    parse_loglevel(argc, argv, options); @@ -3682,7 +3690,10 @@ int
main(int argc, char **argv)

    show_banner(argc, argv, options);

-    parse_options(NULL, argc, argv, options, opt_input_file);
+    argv2 = copy_argv(argc, argv);
+    parse_options(NULL, argc, argv2, options, opt_input_file);
+    if (safeFlag)
+        param_masking(argc, argv);

    if (!input_filename) {
        show_usage();
diff --git a/fftools/ffprobe.c b/fftools/ffprobe.c index
d2f126d..8d4d1e9 100644
--- a/fftools/ffprobe.c
+++ b/fftools/ffprobe.c
@@ -4035,9 +4035,16 @@ int main(int argc, char **argv)
    WriterContext *wctx;
    char *buf;
    char *w_name = NULL, *w_args = NULL;
-    int ret, input_ret, i;
-
+    int ret, input_ret, i, safeFlag;
+    char **argv2;
    init_dynload();
+    safeFlag = 0;
+    if (argc > 1 && !strcmp(argv[1], "-safe")) {
+        argv[1] = argv[0];
+        safeFlag = 1;
+        argc--;
+        argv++;
+    }

#if HAVE_THREADS
    ret = pthread_mutex_init(&log_mutex, NULL); @@ -4056,8 +4063,10
@@ int main(int argc, char **argv) #endif

    show_banner(argc, argv, options);
-    parse_options(NULL, argc, argv, options, opt_input_file);
-
+    argv2 = copy_argv(argc, argv);
+    parse_options(NULL, argc, argv2, options, opt_input_file);
+    if (safeFlag)
+        param_masking(argc, argv);
    if (do_show_log)
        av_log_set_callback(log_callback);

@@ -4173,6 +4182,7 @@ end:
    av_freep(&print_format);
    av_freep(&read_intervals);
    av_hash_freep(&hash);
+    free_pp(argc, argv2);

    uninit_opts();
    for (i = 0; i < FF_ARRAY_ELEMS(sections); i++)
--
2.7.4

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject 
"unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject 
"unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".






















					Reply via email to