Protocol whitelist in ytdl_hook

[atx]

The recent commits e6e6b0d, f8263e8 and ce42a96 fix and issue whereby mpv could be convinced to play a "non-safe" URL from a remote source.

Reproduction steps

An attacker convinces has the victim play an HTTP(S) URL.

$ mpv https://example.org/play.flv

The URL gets processed by the ytdl_hook script.

youtube-dl attempts to extract videos from the URL by contacting the HTTP server, which
responds with something like (text/html mime typed) :

<html>
  <head>
  </head>
  <body>
    <video>
      <source src="av://lavfi:ladspa=file=/home/user/Downloads/libevil.so"></source>
    </video>
  </body>
</html>

As youtube-dl does not perform any validation on the extracted URLs for <video> tags, the av://lavfi URL gets passed back to the hook script.

Note that there are likely many ways in which youtube-dl can return "bad" URLs.

The hook script then passes the extracted URL to mpv, which does not apply the usual safe-protocol only checks.

As shown in the example above, this URL can be, for instance, used to dlopen() arbitrary files on the filesystem using the ffmpeg lavfi ladspa plugin.

[atx]

CVE-2018-6360 has been assigned to this issue

[jcowgill]

@atalax 2a0f9fc seems to depend on 7eb3427 (which would therefore needs adding to your list), but I am wondering if either of these commits are relevant to the security bug at all?

[CounterPillow]

I don't think 2a0f9fc is actually relevant to this CVE at all. The "whitelist" it mentions appears to be related to selecting a media stream from a manifest, and has no security whitelisting implications whatsoever.

[atx]

Hmm, 2a0f9fc really doesn't seem relevant. Ping @wiiaboo

[wiiaboo]

It's a bugfix to 7eb3427, yes, so not related to this issue.

[wiiaboo]

Correct string of commits needed is e6e6b0d (has merge conflicts with v0.27.0 due to a few changes since) + f8263e8 + ce42a96.

[lfam]

I noticed that Debian pushed a fix for this bug but excluded the first commit of the four specified by @wiiaboo, 828bd29.

This can be seen here.

Can you clarify if that commit is necessary to fix the problem?

[kevmitch]

I'll let @wiiaboo give the final word, but it looks like that commit just adds a property. It provides information about which demuxers are available. It is not used in the subsequent white-listing commits which fix the actual problem.

[wiiaboo]

Yeah, nevermind. Being able to use the native dash demuxer is not necessary for the security fixes.

[jcowgill]

FYI I screwed up the fix I applied to Debian's 0.27 and 0.23 and broke YouTube playlists so don't take the patch from there just yet. Hopefully it will be fixed within a day or so.