[vlc-commits] record: protect against arbitrary file overwrite

[Rémi Denis-Courmont]

vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sat Feb 25 16:38:44 2017 +0200| [0c166ad1b9798c00a0ce9bf52d561be598c4842c] | committer: Rémi Denis-Courmont

record: protect against arbitrary file overwrite

Setting the no-overwrite flag of the file access output ensures that
record will not indirectly trigger overwriting of an unintended file.

There are two occurences to this problem:

- While probing the muxer format, VLC uses the notoriously insecure and
  obsolescent (in POSIX.2008) tempnam() function. This leads to an
  arbitrary file overwrite vulnerability via symbolic links.
  However, the record plugin really should not need to create temporary
  files to probe a muxer format.

- While actually recording content to a permanent file, overwriting an
  existing file is not a good idea. This is presumably not a
  vulnerability insofar as the output directory belongs to the user.
  Regardless, the record plugin should ensure that the output filename
  does not already exists (e.g. by creating the file).

So basically, this is a stopgap measure.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=0c166ad1b9798c00a0ce9bf52d561be598c4842c
---

 modules/stream_out/record.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/stream_out/record.c b/modules/stream_out/record.c
index 4b3a84c..5dd0342 100644
--- a/modules/stream_out/record.c
+++ b/modules/stream_out/record.c
@@ -329,7 +329,8 @@ static int OutputNew( sout_stream_t *p_stream,
     }
     free( psz_tmp );
 
-    if( asprintf( &psz_output, "std{access=file{no-append,no-format},"
+    if( asprintf( &psz_output,
+                  "std{access=file{no-append,no-format,no-overwrite},"
                   "mux='%s',dst='%s'}", psz_muxer, psz_file ) < 0 )
     {
         psz_output = NULL;