Opened 11 months ago
#10940 new defect
FFmpeg headers and redirect issue
| Reported by: | Tolriq | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | undetermined |
| Version: | unspecified | Keywords: | |
| Cc: | Tolriq | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug: FFmpeg passes the headers down the redirects and probably should not.
How to reproduce:
```
ffprobe.exe -headers 'Authorization: Bearer xxxx' -v debug -i https://graph.microsoft.com/v1.0/me/drive/items/xxxx/content
ffprobe version 2023-09-07-git-9c9f48e7f2-full_build-www.gyan.dev Copyright (c) 2007-2023 the FFmpeg developers
  built with gcc 12.2.0 (Rev10, Built by MSYS2 project)
  configuration: --enable-gpl --enable-version3 --enable-static --disable-w32threads --disable-autodetect --enable-fontconfig --enable-iconv --enable-gnutls --enable-libxml2 --enable-gmp --enable-bzlib --enable-lzma --enable-libsnappy --enable-zlib --enable-librist --enable-libsrt --enable-libssh --enable-libzmq --enable-avisynth --enable-libbluray --enable-libcaca --enable-sdl2 --enable-libaribb24 --enable-libaribcaption --enable-libdav1d --enable-libdavs2 --enable-libuavs3d --enable-libzvbi --enable-librav1e --enable-libsvtav1 --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxavs2 --enable-libxvid --enable-libaom --enable-libjxl --enable-libopenjpeg --enable-libvpx --enable-mediafoundation --enable-libass --enable-frei0r --enable-libfreetype --enable-libfribidi --enable-libharfbuzz --enable-liblensfun --enable-libvidstab --enable-libvmaf --enable-libzimg --enable-amf --enable-cuda-llvm --enable-cuvid --enable-ffnvcodec --enable-nvdec --enable-nvenc --enable-dxva2 --enable-d3d11va --enable-libvpl --enable-libshaderc --enable-vulkan --enable-libplacebo --enable-opencl --enable-libcdio --enable-libgme --enable-libmodplug --enable-libopenmpt --enable-libopencore-amrwb --enable-libmp3lame --enable-libshine --enable-libtheora --enable-libtwolame --enable-libvo-amrwbenc --enable-libcodec2 --enable-libilbc --enable-libgsm --enable-libopencore-amrnb --enable-libopus --enable-libspeex --enable-libvorbis --enable-ladspa --enable-libbs2b --enable-libflite --enable-libmysofa --enable-librubberband --enable-libsoxr --enable-chromaprint
  libavutil 58. 19.100 / 58. 19.100
  libavcodec 60. 26.100 / 60. 26.100
  libavformat 60. 11.100 / 60. 11.100
  libavdevice 60. 2.101 / 60. 2.101
  libavfilter 9. 11.100 / 9. 11.100
  libswscale 7. 3.100 / 7. 3.100
  libswresample 4. 11.100 / 4. 11.100
  libpostproc 57. 2.100 / 57. 2.100
[AVFormatContext @ 0000023cf4b988c0] Opening 'https://graph.microsoft.com/v1.0/me/drive/items/xxxx/content' for reading
[https @ 0000023cf4bae3c0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[https @ 0000023cf4bae3c0] No trailing CRLF found in HTTP header. Adding it.
[tcp @ 0000023cf4baf1c0] Original list of addresses:
[tcp @ 0000023cf4baf1c0] Address 20.231.131.224 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.96 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.160 port 443
[tcp @ 0000023cf4baf1c0] Interleaved list of addresses:
[tcp @ 0000023cf4baf1c0] Address 20.231.131.224 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.96 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.160 port 443
[tcp @ 0000023cf4baf1c0] Starting connection attempt to 20.231.131.224 port 443
[tcp @ 0000023cf4baf1c0] Successfully connected to 20.231.131.224 port 443
[https @ 0000023cf4bae3c0] request: GET /v1.0/me/drive/items/xxxxxxx/content HTTP/1.1
User-Agent: Lavf/60.11.100
Accept: */*
Range: bytes=0-
Connection: close
Host: graph.microsoft.com
Icy-MetaData: 1
Authorization: Bearer xxxxxxx
[tcp @ 0000023cf4bae540] Original list of addresses:
[tcp @ 0000023cf4bae540] Address 13.107.137.11 port 443
[tcp @ 0000023cf4bae540] Address 13.107.139.11 port 443
[tcp @ 0000023cf4bae540] Interleaved list of addresses:
[tcp @ 0000023cf4bae540] Address 13.107.137.11 port 443
[tcp @ 0000023cf4bae540] Address 13.107.139.11 port 443
[tcp @ 0000023cf4bae540] Starting connection attempt to 13.107.137.11 port 443
[tcp @ 0000023cf4bae540] Successfully connected to 13.107.137.11 port 443
[https @ 0000023cf4bae3c0] request: GET /personal/xxxxx/_layouts/15/download.aspx?UniqueId=alongurlA&ApiVersion=2.0 HTTP/1.1
User-Agent: Lavf/60.11.100
Accept: */*
Range: bytes=0-
Connection: close
Host: my.microsoftpersonalcontent.com
Icy-MetaData: 1
Authorization: Bearer XXXXX
https://graph.microsoft.com/v1.0/me/drive/items/xxxxxx/content: Server returned 401 Unauthorized (authorization failed)
```
The bearer authorization is passed down to the redirected URL; OneDrive fails as the auth is not wanted there.
Calling ffprobe with the redirected url and without the header works properly.
From a quick search I was not able to find an RFC documenting the proper behavior, but it seems that the standard normal default is to not pass down the headers to the redirected URLs.
That's why I open this as a defect.
If that's not considered a defect then an option to disable this behavior would be more than welcome.
Same behavior for both ffmpeg and ffprobe.
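
A way to check a `-v debug` log for the behaviour reported in this ticket, as an added example that is not part of the original report or of FFmpeg: it parses the `request:` blocks and lists credential headers that reached a host other than the one addressed first. The function names, the header set and the sample log (constructed, with placeholder token and paths) are assumptions, as is the layout of one request header per log line.

```python
import re

# Headers that carry credentials and belong only to the host they were issued for.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REQUEST_START = re.compile(r"^\[https? @ [0-9a-fA-F]+\] request: (\w+) (\S+) HTTP/\d\.\d$")
HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def parse_requests(log_text):
    """Return one dict per HTTP request found in the debug output."""
    requests, current = [], None
    for line in log_text.splitlines():
        start = REQUEST_START.match(line)
        header = HEADER_LINE.match(line) if current else None
        if start:
            current = {"method": start.group(1), "path": start.group(2), "headers": {}}
            requests.append(current)
        elif header:
            current["headers"][header.group(1).lower()] = header.group(2)
        else:
            current = None  # any non-header line ends the request block
    return requests

def forwarded_credentials(log_text):
    """List (host, header) pairs where a credential header reached a host
    other than the one addressed by the first request."""
    requests = parse_requests(log_text)
    if not requests:
        return []
    first_host = requests[0]["headers"].get("host", "").lower()
    findings = []
    for req in requests[1:]:
        host = req["headers"].get("host", "").lower()
        if host != first_host:
            findings += [(host, name) for name in sorted(req["headers"])
                         if name in CREDENTIAL_HEADERS]
    return findings

# Constructed sample modelled on the ticket's log; token, ids and address are placeholders.
SAMPLE_LOG = """\
[https @ 0000000000000001] request: GET /v1.0/me/drive/items/ITEM/content HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer PLACEHOLDER
[tcp @ 0000000000000002] Starting connection attempt to 192.0.2.10 port 443
[https @ 0000000000000001] request: GET /download.aspx?UniqueId=ID HTTP/1.1
Host: my.microsoftpersonalcontent.com
Icy-MetaData: 1
Authorization: Bearer PLACEHOLDER
"""
```

An empty result means no credential header was seen on a request to a different host; the comparison uses the `Host` header only, since the request lines in the log carry no scheme or port.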