Changeset 658b4f830b832b19a6de708764f91e1398e501a1

Timestamp:
01/16/08 20:30:12 (8 months ago)
Author:
Damien Fouilleul <damienf@videolan.org>
git-committer:
Damien Fouilleul <damienf@videolan.org> 1200511812 +0000
git-parent:

[4f028428053d0342c55deb6ba8b8da114c6a0caa]

git-author:
Damien Fouilleul <damienf@videolan.org> 1200511812 +0000
Message:

vlc security: As i've seen very little improvement on that front, i've decided to check in my take on handling the problem of managing harmful options. I'm pretty sure this is going to be very controversial, but I think my approach is quite simple and yet very effective Anyway, my approach makes the following assumptions:

- most vlc options are considered safe, only a handful are particularily unsafe and need be declared as such in their definition (they mostly deal with writing to an output file or URL)
- unsafe options are only considered potentially harmful when used as an input option, ie. the ':option' format. Configuration options are always considered safe 'i.e --option'
- unsafe options are associated with a global security policy, which dictates how these are handled. At the moment, The policy can be either block, allow or prompt, and is set using the '--security-policy' option (which itself is considered unsafe ;)

The policy can be set by the user at the command line or in the preferences; it currently defaults to prompt, which is the desirable state for desktop use. However, it can be overridden depending on context: for example, the ActiveX and Mozilla plugins will force the security-policy to block regardless of preference settings.

the code is a bit rough at the moment, but i will optimize/clean it up if the dev community this approach is worth keeping.

try the following example, and you'll see quickly what i mean:

./vlc -vvv <a mrl> :sout=#transcode{vcodec=mp1v,vb=1024,acodec=mpga,ab=192}:standard{mux=ts,dst=vlc-output.ts,access=file}"

Enjoy,

Damien

Files:

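--- a/include/vlc_configuration.h
+++ b/include/vlc_configuration.h
@@ -192,5 +192,5 @@
     vlc_bool_t   b_unsaveable;                    /* Config should be saved */
 
-    vlc_bool_t   b_safe;
+    vlc_bool_t   b_unsafe;
 };
 
@@ -283,5 +283,5 @@
     /* former option name (args=const char *) */
 
-    VLC_CONFIG_SAFE,
+    VLC_CONFIG_UNSAFE,
     /* tag as modifiable by untrusted input item "sources" (args=none) */
 };
@@ -473,6 +473,6 @@
     vlc_config_set (p_config, VLC_CONFIG_VOLATILE)
 
-#define change_safe() \
-    vlc_config_set (p_config, VLC_CONFIG_SAFE)
+#define change_unsafe() \
+    vlc_config_set (p_config, VLC_CONFIG_UNSAFE)
 
 /****************************************************************************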
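Review bot: The comment kept under the renamed enumerator, `/* tag as modifiable by untrusted input item "sources" (args=none) */`, still describes the old VLC_CONFIG_SAFE meaning and now reads as the opposite of what VLC_CONFIG_UNSAFE marks. Suggest `/* tag as potentially harmful when set from an untrusted input item "source" (args=none) */`. The new b_unsafe field in the first hunk carries no comment while its neighbour b_unsaveable does; `/* Option may be harmful when supplied per-item; gated by security-policy */` would keep the struct self-describing. Both the struct and the enum start outside these hunks.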
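--- a/modules/access_filter/record.c
+++ b/modules/access_filter/record.c
@@ -58,4 +58,5 @@
     add_directory( "record-path", NULL, NULL,
                    RECORD_PATH_TXT, RECORD_PATH_LONGTXT, VLC_TRUE );
+        change_unsafe();
 
     set_callbacks( Open, Close );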
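--- a/modules/access_filter/timeshift.c
+++ b/modules/access_filter/timeshift.c
@@ -66,4 +66,5 @@
                  GRANULARITY_LONGTEXT, VLC_TRUE );
     add_directory( "timeshift-dir", 0, 0, DIR_TEXT, DIR_LONGTEXT, VLC_FALSE );
+        change_unsafe();
     add_bool( "timeshift-force", VLC_FALSE, NULL, FORCE_TEXT, FORCE_LONGTEXT,
               VLC_FALSE );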
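--- a/modules/audio_output/file.c
+++ b/modules/audio_output/file.c
@@ -117,4 +117,5 @@
     add_file( "audiofile-file", "audiofile.wav", NULL, FILE_TEXT,
               FILE_LONGTEXT, VLC_FALSE );
+        change_unsafe();
     add_bool( "audiofile-wav", 1, NULL, WAV_TEXT, WAV_LONGTEXT, VLC_TRUE );
 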
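--- a/modules/demux/demuxdump.c
+++ b/modules/demux/demuxdump.c
@@ -52,4 +52,5 @@
     add_file( "demuxdump-file", "stream-demux.dump", NULL, FILE_TEXT,
               FILE_LONGTEXT, VLC_FALSE );
+        change_unsafe();
     add_bool( "demuxdump-append", 0, NULL, APPEND_TEXT, APPEND_LONGTEXT,
               VLC_FALSE );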
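--- a/modules/demux/ts.c
+++ b/modules/demux/ts.c
@@ -149,4 +149,5 @@
 
     add_file( "ts-dump-file", NULL, NULL, TSDUMP_TEXT, TSDUMP_LONGTEXT, VLC_FALSE );
+        change_unsafe();
     add_bool( "ts-dump-append", 0, NULL, APPEND_TEXT, APPEND_LONGTEXT, VLC_FALSE );
     add_integer( "ts-dump-size", 16384, NULL, DUMPSIZE_TEXT,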
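--- a/modules/misc/logger.c
+++ b/modules/misc/logger.c
@@ -136,4 +136,5 @@
     add_file( "logfile", NULL, NULL,
              N_("Log filename"), N_("Specify the log filename."), VLC_FALSE );
+        change_unsafe();
     add_string( "logmode", "text", NULL, LOGMODE_TEXT, LOGMODE_LONGTEXT,
                 VLC_FALSE );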
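--- a/modules/stream_out/es.c
+++ b/modules/stream_out/es.c
@@ -94,8 +94,11 @@
     add_string( SOUT_CFG_PREFIX "dst", "", NULL, DEST_TEXT,
                 DEST_LONGTEXT, VLC_TRUE );
+        change_unsafe();
     add_string( SOUT_CFG_PREFIX "dst-audio", "", NULL, DESTA_TEXT,
                 DESTA_LONGTEXT, VLC_TRUE );
+        change_unsafe();
     add_string( SOUT_CFG_PREFIX "dst-video", "", NULL, DESTV_TEXT,
                 DESTV_LONGTEXT, VLC_TRUE );
+        change_unsafe();
 
     set_callbacks( Open, Close );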
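--- a/modules/stream_out/rtp.c
+++ b/modules/stream_out/rtp.c
@@ -148,4 +148,5 @@
     add_string( SOUT_CFG_PREFIX "dst", "", NULL, DST_TEXT,
                 DST_LONGTEXT, VLC_TRUE );
+        change_unsafe();
     add_string( SOUT_CFG_PREFIX "sdp", "", NULL, SDP_TEXT,
                 SDP_LONGTEXT, VLC_TRUE );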
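Review bot: Only `dst` is tagged here while the `sdp` option directly below it is left untagged; if, as its name suggests, it takes a URL the stream output publishes the SDP to and that URL may name a local file, it meets the commit's own criterion of "writing to an output file or URL" and should get the same `change_unsafe();` after its `SDP_LONGTEXT, VLC_TRUE );` line. The option's handler is not in this hunk, so confirm which destinations it accepts before deciding. The module descriptor continues outside the hunk.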
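--- a/modules/stream_out/standard.c
+++ b/modules/stream_out/standard.c
@@ -96,4 +96,5 @@
     add_string( SOUT_CFG_PREFIX "dst", "", NULL, DST_TEXT,
                 DST_LONGTEXT, VLC_FALSE );
+        change_unsafe();
 
     add_bool( SOUT_CFG_PREFIX "sap", VLC_FALSE, NULL, SAP_TEXT, SAP_LONGTEXT,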
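--- a/src/config/chain.c
+++ b/src/config/chain.c
@@ -31,4 +31,6 @@
 #include "libvlc.h"
 
+#include "vlc_interface.h"
+
 /*****************************************************************************
  * Local prototypes
@@ -315,4 +317,28 @@
                            name, psz_name );
             }
+            if( p_conf->b_unsafe )
+            {
+                int policy = config_GetInt( p_this, "security-policy" );
+                switch( policy )
+                {
+                    case 0: /* block */
+                        msg_Err( p_this, "option %s is unsafe and is blocked by security policy", psz_name );
+                        return;
+                    case 1: /* allow */
+                        break;
+                    case 2: /* prompt */
+                    {
+                        char description[256];
+                        snprintf(description, sizeof(description), _("playlist item is making use of the following unsafe option '%s', which may be harmful if used in a malicious way, authorize it ?"), psz_name);
+                        if( DIALOG_OK_YES != intf_UserYesNo( p_this, _("WARNING: Unsafe Playlist"), description, _("Yes"), _("No"), NULL) )
+                        {
+                            msg_Err( p_this, "option %s is unsafe and is blocked by security policy", psz_name );
+                            return;
+                        }
+                    }
+                    default:
+                        ;
+                }
+            }
         }
         /* </Check if the option is deprecated> */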
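Review bot: The `default: ;` arm at the bottom of the new switch means any `security-policy` value other than 0, 1 or 2 lets an unsafe option through, so a mistyped or corrupted preference fails open; the default arm should behave like `case 0` (`msg_Err( ... ); return;`) so that only `case 1` and an accepted prompt fall out of the switch. The `case 2` block also has no `break` and relies on the empty default doing nothing, which becomes wrong as soon as default starts blocking. The two `return;` statements leave the caller mid-way; the function begins and ends outside this hunk, so confirm nothing allocated earlier in it is still owned at that point. This block is duplicated verbatim in src/misc/variables.c; a single helper such as `static vlc_bool_t config_IsUnsafeOptionAllowed( vlc_object_t *, const char * )` would keep the two policy decisions from drifting apart.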
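--- a/src/libvlc-module.c
+++ b/src/libvlc-module.c
@@ -977,4 +977,12 @@
 #define MINIMIZE_THREADS_LONGTEXT N_( \
      "This option minimizes the number of threads needed to run VLC.")
+
+#define SECURITY_POLICY_TEXT N_("Policy for handling unsafe options.")
+#define SECURITY_POLICY_LONGTEXT N_( \
+     "This option dictates the default policy when processing options " \
+     "which may be harmful when used in a malicious way.")
+
+static int pi_secpolicy_values[] = { 0, 1, 2 };
+static const char *ppsz_secpolicy_descriptions[] = { N_("Block"), N_("Allow"), N_("Prompt") };
 
 #define PLUGIN_PATH_TEXT N_("Modules search path")
@@ -1482,4 +1490,5 @@
     add_directory( "snapshot-path", NULL, NULL, SNAP_PATH_TEXT,
                    SNAP_PATH_LONGTEXT, VLC_FALSE );
+        change_unsafe();
     add_string( "snapshot-prefix", "vlcsnap-", NULL, SNAP_PREFIX_TEXT,
                    SNAP_PREFIX_LONGTEXT, VLC_FALSE );
@@ -1787,8 +1796,16 @@
                    PLUGIN_PATH_LONGTEXT, VLC_TRUE );
         change_need_restart();
+        change_unsafe();
 
     set_section( N_("Performance options"), NULL );
     add_bool( "minimize-threads", 0, NULL, MINIMIZE_THREADS_TEXT,
               MINIMIZE_THREADS_LONGTEXT, VLC_TRUE );
+        change_need_restart();
+
+    set_section( N_("Security options"), NULL );
+    add_integer( "security-policy", 2, NULL, SECURITY_POLICY_TEXT,
+              SECURITY_POLICY_LONGTEXT, VLC_TRUE );
+        change_integer_list( pi_secpolicy_values, ppsz_secpolicy_descriptions, 0 );
+        change_unsafe();
         change_need_restart();
 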
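Review bot: The policy values only get their meaning from the positional pairing of `pi_secpolicy_values[] = { 0, 1, 2 }` with `ppsz_secpolicy_descriptions[]`, and the consumers in src/config/chain.c and src/misc/variables.c switch on the bare literals 0/1/2; an enum in include/vlc_configuration.h, e.g. `enum { VLC_SECURITY_BLOCK = 0, VLC_SECURITY_ALLOW = 1, VLC_SECURITY_PROMPT = 2 };`, used both here and in those switches, would stop the two from drifting. Since `add_integer` accepts any value, the consumers must also treat anything outside that set as block rather than allow. The default of 2 (prompt) presumes an interface that can service `intf_UserYesNo`; how a headless or interface-less run resolves that prompt is not visible here and is worth stating in SECURITY_POLICY_LONGTEXT. The option table starts and ends outside these hunks.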
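--- a/src/misc/variables.c
+++ b/src/misc/variables.c
@@ -30,4 +30,6 @@
 #include "libvlc.h"
 
+#include "vlc_interface.h"
+
 /*****************************************************************************
  * Private types
@@ -1091,4 +1093,33 @@
         ( !psz_value || !*psz_value ) ) goto cleanup; /* Invalid value */
 
+    /* check if option is unsafe */
+    {
+        module_config_t *p_config = config_FindConfig( p_obj, psz_name );
+        if( p_config->b_unsafe )
+        {
+            int policy = config_GetInt( p_obj, "security-policy" );
+            switch( policy )
+            {
+                case 0: /* block */
+                    msg_Err( p_obj, "option %s is unsafe and is blocked by security policy", psz_name );
+                    return;
+                case 1: /* allow */
+                    break;
+                case 2: /* prompt */
+                {
+                    char description[256];
+                    snprintf(description, sizeof(description), _("playlist item is making use of the following unsafe option '%s', which may be harmful if used in a malicious way, authorize it ?"), psz_name);
+                    if( DIALOG_OK_YES != intf_UserYesNo( p_obj, _("WARNING: Unsafe Playlist"), description, _("Yes"), _("No"), NULL) )
+                    {
+                        msg_Err( p_obj, "option %s is unsafe and is blocked by security policy", psz_name );
+                        return;
+                    }
+                }
+                default:
+                    ;
+            }
+        }
+    }
+
     /* Create the variable in the input object.
      * Children of the input object will be able to retreive this value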
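Review bot: `p_config` from `config_FindConfig( p_obj, psz_name )` is dereferenced at `if( p_config->b_unsafe )` without a NULL check, so an option name that resolves to no config item crashes here instead of being rejected; use `if( p_config && p_config->b_unsafe )`. The `default: ;` arm then lets any `security-policy` value outside 0..2 through as if it were allow, which fails open; make the default arm block like `case 0`. Both `return;` statements bypass the `cleanup` label that the invalid-value check two lines above jumps to, so whatever that label releases is presumably leaked on a blocked option; `goto cleanup;` is the consistent exit. This block is a verbatim copy of the one added to src/config/chain.c and should be factored into one shared helper. The function starts and ends outside this hunk.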
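--- a/src/modules/entry.c
+++ b/src/modules/entry.c
@@ -408,6 +408,6 @@
         }
 
-        case VLC_CONFIG_SAFE:
-            item->b_safe = VLC_TRUE;
+        case VLC_CONFIG_UNSAFE:
+            item->b_unsafe = VLC_TRUE;
             ret = 0;
             break;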