Baldomo / open-in-mpv

Simple web extension to open videos in mpv
GNU General Public License v3.0
118 stars 7 forks

Player can run arbitrary code through URLs #15

Closed Vendicated closed 1 year ago

Vendicated commented 1 year ago

As part of the install process, you register the mpv:// protocol to open URLs in mpv. Using this feature, any site can run arbitrary .so files on your system.

This can be done via mpv:///open?url=${URLENCODE(av://lavfi:ladspa=file=/some/evil/so/here.so)}

See also https://github.com/mpv-player/mpv/issues/7985

Here's a demonstration

https://user-images.githubusercontent.com/45497981/201778821-9330b6b4-5bac-4b2c-ab1c-e7c955bf2b01.mp4

Vendicated commented 1 year ago

I'm pretty sure this is fixed by validating URLs to make sure they're https. You should probably also remove the ability to pass custom flags or at least heavily restrict it.

Vendicated commented 1 year ago

related #13

Baldomo commented 1 year ago

First of all, sorry for getting back to this only after 1.5 months and thank you so much for this issue. This is a serious oversight on my part and I will address it as soon as I can. I think I'll experiment with the native messaging protocol (which could incorporate quite a bit of the backend's functionality) and test it in the coming days, thank you again.

Baldomo commented 1 year ago

After much testing and pondering, I opted for explicit configuration of which protocols/URI-schemes a player should handle (and strict validation), with the defaults being only HTTP and HTTPS. This should reduce damage as much as possible, but I still feel like such things are issues with the player more than the protocol. We can only mitigate abuse, and the player is ultimately still able to execute code like the example you provided. That said, I am always open for suggestions and debate about things like these, so thank you for the report.
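The mitigation discussed in this thread, validating that the target URL is HTTPS (or, as the maintainer settled on, a configured allowlist of schemes defaulting to HTTP and HTTPS), comes down to parsing the `mpv:///open?url=...` request, parsing the decoded target as a URL in its own right, and refusing anything whose scheme is not explicitly allowed. The following Go snippet is an added example written for this page; it is not code from open-in-mpv, and the function name `ExtractVideoURL`, the `DefaultAllowedSchemes` map and the sample inputs are assumptions. It rejects the `av://lavfi:...` request quoted above and a `file:` scheme, and accepts an ordinary HTTPS link.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DefaultAllowedSchemes is the hypothetical default allowlist: only HTTP and
// HTTPS are forwarded to the player unless the user configures more.
var DefaultAllowedSchemes = map[string]bool{"http": true, "https": true}

var (
	ErrMalformed        = errors.New("malformed handler request")
	ErrSchemeNotAllowed = errors.New("target url scheme not in allowlist")
)

// ExtractVideoURL takes the raw protocol-handler request (mpv:///open?url=<encoded target>)
// and returns the decoded target URL only if its scheme is in the allowlist.
// Anything else, including targets that cannot be parsed as a URL at all, is
// rejected before it could ever reach the player's command line.
func ExtractVideoURL(raw string, allowed map[string]bool) (string, error) {
	req, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	// The handler only serves the "open" action under the mpv scheme.
	if req.Scheme != "mpv" || strings.Trim(req.Path, "/") != "open" {
		return "", fmt.Errorf("%w: unexpected scheme or action", ErrMalformed)
	}
	// Query() percent-decodes the parameter for us.
	target := req.Query().Get("url")
	if target == "" {
		return "", fmt.Errorf("%w: missing url parameter", ErrMalformed)
	}
	// Parse the decoded target strictly as a URL. Player-specific pseudo-URLs
	// (such as the av://lavfi:... example) either fail here or carry a scheme
	// that is not on the allowlist.
	t, err := url.Parse(target)
	if err != nil {
		return "", fmt.Errorf("%w: target is not a valid url: %v", ErrMalformed, err)
	}
	scheme := strings.ToLower(t.Scheme)
	if !allowed[scheme] {
		return "", fmt.Errorf("%w: %q", ErrSchemeNotAllowed, scheme)
	}
	// An http(s) URL without a host is not something the player should receive.
	if t.Host == "" {
		return "", fmt.Errorf("%w: target has no host", ErrMalformed)
	}
	return t.String(), nil
}

func main() {
	// Constructed sample requests: a benign HTTPS link, the av:// request from
	// the report, and a file: URL.
	samples := []string{
		"mpv:///open?url=https%3A%2F%2Fexample.com%2Fvideo.mp4",
		"mpv:///open?url=av%3A%2F%2Flavfi%3Aladspa%3Dfile%3D%2Fsome%2Fevil%2Fso%2Fhere.so",
		"mpv:///open?url=file%3A%2F%2F%2Fetc%2Fhostname",
	}
	for _, s := range samples {
		got, err := ExtractVideoURL(s, DefaultAllowedSchemes)
		if err != nil {
			fmt.Printf("REJECT %s\n       %v\n", s, err)
			continue
		}
		fmt.Printf("ACCEPT %s\n       -> %s\n", s, got)
	}
}
```

The same allowlist approach applies to any extra parameters the handler forwards as player flags: accept only a fixed set of known-safe options rather than passing arbitrary strings through, which is the second point raised in the report.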