Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-06 Thread Marton Balint
On Tue, 6 Jun 2017, Michael Niedermayer wrote: On Mon, Jun 05, 2017 at 05:33:29PM +0200, Nicolas George wrote: Le septidi 17 prairial, an CCXXV, Michael Niedermayer a écrit : [...] You dont need to convince me that the extension check or changes within just hls are not a complete solution. I

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-06 Thread wm4
On Tue, 6 Jun 2017 04:59:58 +0200 Michael Niedermayer wrote: > I disagree that the issue is minor and far fetched. > > The exploit that i have was successfully used against multiple > companies (it was a demonstration and AFAIK no harm was done). > That same attack works against all recent relea

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-05 Thread Hendrik Leppkes
On Tue, Jun 6, 2017 at 4:59 AM, Michael Niedermayer wrote: >> >> The issue is about subsets of the URL space. Files from one URL should >> be allowed to access data from URLs in the same relevant subset (same >> subdirectory or same web server maybe?), but not outside. > > What percentage of hls f

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-05 Thread Michael Niedermayer
On Mon, Jun 05, 2017 at 05:33:29PM +0200, Nicolas George wrote: > Le septidi 17 prairial, an CCXXV, Michael Niedermayer a écrit : [...] > > You dont need to convince me that the extension check or changes > > within just hls are not a complete solution. Iam quite well aware > > of this. This is int

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-05 Thread Nicolas George
Le septidi 17 prairial, an CCXXV, Michael Niedermayer a écrit : > thats "ad hominem" I am sorry, I did not realize it was, please forgive me and allow me to reformulate. The pattern is: someone is made aware of a minor security exploit in parts of the code not their direct responsibility. Nonethe

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-04 Thread Michael Niedermayer
Hi On Sun, Jun 04, 2017 at 12:46:18PM +0200, Nicolas George wrote: > Le quartidi 14 prairial, an CCXXV, Michael Niedermayer a écrit : > > > Notice a pattern? > > yes > > Security issues are found, i post a fix and people complain, > > No. The pattern is: you rush to produce a bad fix. thats "ad

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-04 Thread Nicolas George
Le quartidi 14 prairial, an CCXXV, Michael Niedermayer a écrit : > > Notice a pattern? > yes > Security issues are found, i post a fix and people complain, No. The pattern is: you rush to produce a bad fix. > If you knew a year and a half ago about a security issue and about a > great solution to

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-02 Thread Michael Niedermayer
On Fri, Jun 02, 2017 at 09:15:25AM +0200, Nicolas George wrote: > Le tridi 13 prairial, an CCXXV, Michael Niedermayer a écrit : > > This prevents an exploit leading to an information leak > > > > The existing exploit depends on a specific decoder as well. > > It does appear though that the exploit

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-02 Thread Nicolas George
Le tridi 13 prairial, an CCXXV, Michael Niedermayer a écrit : > This prevents an exploit leading to an information leak > > The existing exploit depends on a specific decoder as well. > It does appear though that the exploit should be possible with any decoder. > The problem is that as long as sen

Re: [FFmpeg-devel] [PATCH 3/3] avformat: set the default whitelist to disable hls

2017-06-01 Thread Tobias Rapp
On 01.06.2017 13:44, Michael Niedermayer wrote: This prevents an exploit leading to an information leak The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information get