Avoid making unintended remote requests
A vulnerability (server-side request forgery) has been pointed out in Tumbler, in its GStreamer plugin. It was possible to cause HTTP requests by submitting a fake mp4 file. This was fixed by additionally checking the MIME type and rejecting the file when it does not match.
Do you think that a check of this or another type could be built into GStreamer, to avoid making unintended remote requests?
I noticed on this occasion that FFmpegthumbnailer (perhaps FFmpeg itself upstream) did not make such requests by default (and also did a mime type check), but perhaps such a restriction is not appropriate in the case of GStreamer:
```
[hls @ 0x7f6478002a00] Opening 'https://eofg1ooiwpn78ep.m.pipedream.net/xxx.mp4' for reading
[https @ 0x7f6478007180] Protocol 'https' not on whitelist 'file,crypto,data'!
[hls @ 0x7f6478002a00] Failed to open segment 0 of playlist 0
Format mov,mp4,m4a,3gp,3g2,mj2 detected only with low score of 1, misdetection possible!
```
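To make the mitigation concrete, here is an added example of the kind of content-based check a thumbnailer can run before handing a file to any media pipeline. It is not Tumbler's, FFmpegthumbnailer's or GStreamer's own code; the extension-to-type mapping, the list of ISO BMFF brands, and the `#EXTM3U` playlist detection are assumptions made for this example, and the sample inputs are constructed. The idea is the one in the fix above: derive the type from the bytes, compare it with what the file name claims, and refuse anything that is unknown, mismatched, or a playlist (the log above shows that following a playlist is exactly what produces the remote request).

```python
"""Content-based type check for a thumbnailer (example, not project code).

Refuses to pass a file to a media pipeline when its bytes do not match the
type claimed by the extension, so a playlist renamed to .mp4 never reaches a
demuxer that would follow its remote URLs. Sample inputs are constructed.
"""

import os
import struct
from typing import Optional, Tuple

# Major brands of the ISO Base Media File family (mp4/m4a/mov/3gp).
# Assumed, illustrative subset; a production check would use a fuller list.
_ISOBMFF_BRANDS = {b"isom", b"iso2", b"mp41", b"mp42", b"avc1", b"M4A ",
                   b"M4V ", b"qt  ", b"3gp4", b"3gp5"}

# What the file name claims, keyed by extension (assumed mapping for this demo;
# the mp4-family extensions are all treated as the same container type).
EXTENSION_TYPES = {
    ".mp4": "video/mp4",
    ".m4a": "video/mp4",
    ".3gp": "video/mp4",
    ".mov": "video/quicktime",
}

PLAYLIST_TYPE = "application/vnd.apple.mpegurl"
HEADER_BYTES = 64  # enough for the ftyp box or the first playlist tag


def sniff_mime(header: bytes) -> Optional[str]:
    """Derive a type from file content, never from the name.

    Returns None when the bytes match nothing this checker knows."""
    # HLS playlists are plain text starting with the #EXTM3U tag.
    if header.lstrip().startswith(b"#EXTM3U"):
        return PLAYLIST_TYPE
    # ISO BMFF: the first box is 'ftyp' (4-byte big-endian size, 'ftyp', brand).
    if len(header) >= 12 and header[4:8] == b"ftyp":
        (size,) = struct.unpack(">I", header[:4])
        brand = header[8:12]
        if size >= 16 and brand in _ISOBMFF_BRANDS:
            return "video/quicktime" if brand == b"qt  " else "video/mp4"
    return None


def check_candidate(filename: str, header: bytes) -> Tuple[bool, str]:
    """Decide whether a thumbnailer should pass this file to a media pipeline.

    Accept only when the sniffed type is known, is not a playlist, and agrees
    with the type the extension claims. Returns (accepted, reason_or_type)."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSION_TYPES.get(ext)
    if claimed is None:
        return False, f"unsupported extension {ext!r}"
    actual = sniff_mime(header)
    if actual is None:
        return False, f"content not recognised as {claimed}"
    if actual == PLAYLIST_TYPE:
        return False, "content is a playlist, which may reference remote media"
    if actual != claimed:
        return False, f"extension claims {claimed} but content is {actual}"
    return True, claimed


def check_file(path: str) -> Tuple[bool, str]:
    """Same check against a file on disk, reading only the leading bytes."""
    with open(path, "rb") as fh:
        return check_candidate(path, fh.read(HEADER_BYTES))


# Constructed samples: a genuine ftyp header, and an HLS playlist renamed to .mp4
# (the URL is a placeholder in the reserved .invalid domain).
GENUINE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2" + b"\x00" * 8
FAKE_MP4 = b"#EXTM3U\n#EXT-X-VERSION:3\n#EXTINF:10,\nhttps://example.invalid/seg.mp4\n"

if __name__ == "__main__":
    for name, data in (("clip.mp4", GENUINE_MP4), ("clip.mp4", FAKE_MP4)):
        print(name, check_candidate(name, data))
```

The check deliberately reads only the first few dozen bytes and never parses the rest of the file, so it cannot itself be tricked into network access; anything it does not positively recognise is rejected rather than passed on to typefinding.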
One last note: although this HTTP request seems to come from souphttpsrc, which is part of GStreamer Good Plug-ins, it seems that you have to install GStreamer Bad Plug-ins to reproduce the problem (this is true on Arch Linux and Debian anyway).