
Protocol whitelist in ytdl_hook #5456

Closed
@atx

Description


The recent commits e6e6b0d, f8263e8 and ce42a96 fix an issue whereby mpv could be convinced to play a "non-safe" URL from a remote source.

Reproduction steps

An attacker convinces the victim to play an HTTP(S) URL.

$ mpv https://example.org/play.flv

The URL gets processed by the ytdl_hook script.

youtube-dl attempts to extract videos from the URL by contacting the HTTP server, which responds with something like (text/html MIME-typed):

<html>
  <head>
  </head>
  <body>
    <video>
      <source src="av://lavfi:ladspa=file=/home/user/Downloads/libevil.so"></source>
    </video>
  </body>
</html>

As youtube-dl does not perform any validation on the extracted URLs for <video> tags, the av://lavfi URL gets passed back to the hook script.

Note that there are likely many ways in which youtube-dl can return "bad" URLs.

The hook script then passes the extracted URL to mpv, which does not apply the usual safe-protocol only checks.

As shown in the example above, this URL can be, for instance, used to dlopen() arbitrary files on the filesystem using the ffmpeg lavfi ladspa plugin.
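The following is an added, stand-alone illustration of the check the issue title asks for; it is not mpv's ytdl_hook.lua (which is Lua) nor youtube-dl's extractor code. It simulates the pipeline described above: a minimal stand-in for the generic extractor pulls `src` attributes out of `<video>`/`<source>` tags in an attacker-served page, and a scheme whitelist then decides which of the returned URLs the hook may hand to the player. The whitelist contents, the extractor stand-in and the HTML sample are assumptions constructed for this example; the exact list used by the real fix is not shown on this page.

```python
import re
from html.parser import HTMLParser

# Assumed whitelist of URL schemes the hook is willing to pass on to the player.
# Anything not listed (av://, lavfi:, file:, scheme-less paths, ...) is rejected.
SAFE_PROTOS = {"http", "https", "ftp", "ftps",
               "rtmp", "rtmps", "rtmpt", "rtmpts", "rtmpe", "rtmpte"}


class VideoSourceExtractor(HTMLParser):
    """Stand-in for the extractor step: collect src= of <video> and <source> tags,
    performing no validation, just as the issue describes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("video", "source"):
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def extract_sources(html):
    parser = VideoSourceExtractor()
    parser.feed(html)
    return parser.urls


def url_scheme(url):
    """Return the URL scheme (lowercased) or None for scheme-less/relative URLs.
    A plain regex is used instead of urllib so that odd forms such as
    'av://lavfi:ladspa=...' or 'lavfi:...' are classified by their scheme only."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", url)
    return m.group(1).lower() if m else None


def is_safe_url(url):
    """The whitelist check: only a known, explicitly listed scheme is accepted.
    Scheme-less URLs are rejected too, since the player would otherwise guess."""
    scheme = url_scheme(url)
    return scheme is not None and scheme in SAFE_PROTOS


def filter_playable(urls):
    """Split extractor output into URLs the hook may pass on and URLs it must drop."""
    safe, rejected = [], []
    for url in urls:
        (safe if is_safe_url(url) else rejected).append(url)
    return safe, rejected


# Constructed sample response: the page's av://lavfi source plus one benign source.
ATTACKER_HTML = """<html><head></head><body>
<video>
  <source src="av://lavfi:ladspa=file=/home/user/Downloads/libevil.so"></source>
  <source src="https://cdn.example.org/play.mp4"></source>
</video>
</body></html>"""


def demo():
    """Run the full chain on the constructed page and return (safe, rejected)."""
    return filter_playable(extract_sources(ATTACKER_HTML))


if __name__ == "__main__":
    safe, rejected = demo()
    for u in safe:
        print("pass to player:", u)
    for u in rejected:
        print("rejected      :", u)
```

The design point is that the check is applied to what the extractor *returns*, not to the URL the user typed: the original `https://example.org/play.flv` passes any whitelist, but the URL that comes back from the remote page is attacker-controlled and must be re-checked before it reaches the player.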
