summaryrefslogtreecommitdiffstats
path: root/stream
diff options
context:
space:
mode:
authorwm4 <wm4@nowhere>2014-08-31 19:49:39 +0200
committerwm4 <wm4@nowhere>2014-08-31 19:49:39 +0200
commit866e0e1670f79653203a3da65096841ab37fc903 (patch)
tree2c01331832dc0be8d77954936f1e590a6d2728a4 /stream
parentfc0fa9a221882647da563acc2d22eac0f27b1120 (diff)
downloadmpv-866e0e1670f79653203a3da65096841ab37fc903.tar.bz2
mpv-866e0e1670f79653203a3da65096841ab37fc903.tar.xz
player: always load playlists
Until now, you had to use --load-unsafe-playlists or --playlist to get playlists loaded. Change this and always load playlists by default. This still attempts to reject unsafe URLs. For example, trying to invoke libavdevice pseudo-demuxer is explicitly prevented. Local paths and any http links (and some more) are always allowed.
Diffstat (limited to 'stream')
-rw-r--r--stream/stream.c16
-rw-r--r--stream/stream.h3
-rw-r--r--stream/stream_file.c1
-rw-r--r--stream/stream_lavf.c20
4 files changed, 37 insertions, 3 deletions
diff --git a/stream/stream.c b/stream/stream.c
index cfb3cb6c82..226626cf3c 100644
--- a/stream/stream.c
+++ b/stream/stream.c
@@ -61,6 +61,7 @@ extern const stream_info_t stream_info_null;
extern const stream_info_t stream_info_memory;
extern const stream_info_t stream_info_mf;
extern const stream_info_t stream_info_ffmpeg;
+extern const stream_info_t stream_info_ffmpeg_unsafe;
extern const stream_info_t stream_info_avdevice;
extern const stream_info_t stream_info_file;
extern const stream_info_t stream_info_ifo;
@@ -77,6 +78,7 @@ static const stream_info_t *const stream_list[] = {
&stream_info_cdda,
#endif
&stream_info_ffmpeg,
+ &stream_info_ffmpeg_unsafe,
&stream_info_avdevice,
#if HAVE_DVBIN
&stream_info_dvb,
@@ -257,6 +259,8 @@ static int open_internal(const stream_info_t *sinfo, struct stream *underlying,
return STREAM_NO_MATCH;
if (sinfo->stream_filter && (flags & STREAM_NO_FILTERS))
return STREAM_NO_MATCH;
+ if (!sinfo->is_safe && (flags & STREAM_SAFE_ONLY))
+ return STREAM_UNSAFE;
const char *path = NULL;
// Stream filters use the original URL, with no protocol matching at all.
@@ -335,18 +339,30 @@ struct stream *stream_create(const char *url, int flags, struct mpv_global *glob
assert(url);
// Open stream proper
+ bool unsafe = false;
for (int i = 0; stream_list[i]; i++) {
int r = open_internal(stream_list[i], NULL, url, flags, global, &s);
if (r == STREAM_OK)
break;
if (r == STREAM_NO_MATCH || r == STREAM_UNSUPPORTED)
continue;
+ if (r == STREAM_UNSAFE) {
+ unsafe = true;
+ continue;
+ }
if (r != STREAM_OK) {
mp_err(log, "Failed to open %s.\n", url);
goto done;
}
}
+ if (!s && unsafe) {
+ mp_err(log, "\nRefusing to load potentially unsafe URL from a playlist.\n"
+ "Use --playlist=file or the --load-unsafe-playlists option to "
+ "load it anyway.\n\n");
+ goto done;
+ }
+
if (!s) {
mp_err(log, "No stream found to handle url %s\n", url);
goto done;
diff --git a/stream/stream.h b/stream/stream.h
index a961267aac..94103962c9 100644
--- a/stream/stream.h
+++ b/stream/stream.h
@@ -55,7 +55,9 @@ enum streamtype {
// flags for stream_open_ext (this includes STREAM_READ and STREAM_WRITE)
#define STREAM_NO_FILTERS 2
+#define STREAM_SAFE_ONLY 4
+#define STREAM_UNSAFE -3
#define STREAM_NO_MATCH -2
#define STREAM_UNSUPPORTED -1
#define STREAM_ERROR 0
@@ -141,6 +143,7 @@ typedef struct stream_info_st {
const char *const *url_options;
bool stream_filter;
bool can_write;
+ bool is_safe;
} stream_info_t;
typedef struct stream {
diff --git a/stream/stream_file.c b/stream/stream_file.c
index 12bea3554c..6a10114832 100644
--- a/stream/stream_file.c
+++ b/stream/stream_file.c
@@ -281,4 +281,5 @@ const stream_info_t stream_info_file = {
.open = open_f,
.protocols = (const char*const[]){ "file", "", NULL },
.can_write = true,
+ .is_safe = true,
};
diff --git a/stream/stream_lavf.c b/stream/stream_lavf.c
index 37c6adc51c..2270831b88 100644
--- a/stream/stream_lavf.c
+++ b/stream/stream_lavf.c
@@ -322,10 +322,24 @@ const stream_info_t stream_info_ffmpeg = {
.name = "ffmpeg",
.open = open_f,
.protocols = (const char *const[]){
- "lavf", "ffmpeg", "rtmp", "rtsp", "http", "https", "mms", "mmst", "mmsh",
- "mmshttp", "udp", "ftp", "rtp", "httpproxy", "hls", "rtmpe", "rtmps",
- "rtmpt", "rtmpte", "rtmpts", "srtp", "tcp", "udp", "tls", "unix", "sftp",
+ "rtmp", "rtsp", "http", "https", "mms", "mmst", "mmsh", "mmshttp", "rtp",
+ "httpproxy", "hls", "rtmpe", "rtmps", "rtmpt", "rtmpte", "rtmpts", "srtp",
"md5",
NULL },
.can_write = true,
+ .is_safe = true,
};
+
+// Unlike above, this is not marked as safe, and can contain protocols which
+// may do insecure things. (Such as "ffmpeg", which can access the "lavfi"
+// pseudo-demuxer, which in turn gives access to filters that can access the
+// local filesystem.)
+const stream_info_t stream_info_ffmpeg_unsafe = {
+ .name = "ffmpeg",
+ .open = open_f,
+ .protocols = (const char *const[]){
+ "lavf", "ffmpeg", "udp", "ftp", "tcp", "tls", "unix", "sftp",
+ NULL },
+ .can_write = true,
+};
+