Opened 4 weeks ago

#10940 new defect

FFmpeg headers and redirect issue

Reported by: Tolriq
Owned by:
Priority: normal
Component: undetermined
Version: unspecified
Keywords:
Cc: Tolriq
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug: FFmpeg passes the headers down the redirects and probably should not.

How to reproduce:

ffprobe.exe -headers 'Authorization: Bearer xxxx' -v debug -i https://graph.microsoft.com/v1.0/me/drive/items/xxxx/content

ffprobe version 2023-09-07-git-9c9f48e7f2-full_build-www.gyan.dev Copyright (c) 2007-2023 the FFmpeg developers
  built with gcc 12.2.0 (Rev10, Built by MSYS2 project)
  configuration: --enable-gpl --enable-version3 --enable-static --disable-w32threads --disable-autodetect --enable-fontconfig --enable-iconv --enable-gnutls --enable-libxml2 --enable-gmp --enable-bzlib --enable-lzma --enable-libsnappy --enable-zlib --enable-librist --enable-libsrt --enable-libssh --enable-libzmq --enable-avisynth --enable-libbluray --enable-libcaca --enable-sdl2 --enable-libaribb24 --enable-libaribcaption --enable-libdav1d --enable-libdavs2 --enable-libuavs3d --enable-libzvbi --enable-librav1e --enable-libsvtav1 --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxavs2 --enable-libxvid --enable-libaom --enable-libjxl --enable-libopenjpeg --enable-libvpx --enable-mediafoundation --enable-libass --enable-frei0r --enable-libfreetype --enable-libfribidi --enable-libharfbuzz --enable-liblensfun --enable-libvidstab --enable-libvmaf --enable-libzimg --enable-amf --enable-cuda-llvm --enable-cuvid --enable-ffnvcodec --enable-nvdec --enable-nvenc --enable-dxva2 --enable-d3d11va --enable-libvpl --enable-libshaderc --enable-vulkan --enable-libplacebo --enable-opencl --enable-libcdio --enable-libgme --enable-libmodplug --enable-libopenmpt --enable-libopencore-amrwb --enable-libmp3lame --enable-libshine --enable-libtheora --enable-libtwolame --enable-libvo-amrwbenc --enable-libcodec2 --enable-libilbc --enable-libgsm --enable-libopencore-amrnb --enable-libopus --enable-libspeex --enable-libvorbis --enable-ladspa --enable-libbs2b --enable-libflite --enable-libmysofa --enable-librubberband --enable-libsoxr --enable-chromaprint
  libavutil      58. 19.100 / 58. 19.100
  libavcodec     60. 26.100 / 60. 26.100
  libavformat    60. 11.100 / 60. 11.100
  libavdevice    60.  2.101 / 60.  2.101
  libavfilter     9. 11.100 /  9. 11.100
  libswscale      7.  3.100 /  7.  3.100
  libswresample   4. 11.100 /  4. 11.100
  libpostproc    57.  2.100 / 57.  2.100
[AVFormatContext @ 0000023cf4b988c0] Opening 'https://graph.microsoft.com/v1.0/me/drive/items/xxxx/content' for reading
[https @ 0000023cf4bae3c0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[https @ 0000023cf4bae3c0] No trailing CRLF found in HTTP header. Adding it.
[tcp @ 0000023cf4baf1c0] Original list of addresses:
[tcp @ 0000023cf4baf1c0] Address 20.231.131.224 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.96 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.160 port 443
[tcp @ 0000023cf4baf1c0] Interleaved list of addresses:
[tcp @ 0000023cf4baf1c0] Address 20.231.131.224 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.96 port 443
[tcp @ 0000023cf4baf1c0] Address 20.20.35.160 port 443
[tcp @ 0000023cf4baf1c0] Starting connection attempt to 20.231.131.224 port 443
[tcp @ 0000023cf4baf1c0] Successfully connected to 20.231.131.224 port 443
[https @ 0000023cf4bae3c0] request: GET /v1.0/me/drive/items/xxxxxxx/content HTTP/1.1
User-Agent: Lavf/60.11.100
Accept: */*
Range: bytes=0-
Connection: close
Host: graph.microsoft.com
Icy-MetaData: 1
Authorization: Bearer xxxxxxx


[tcp @ 0000023cf4bae540] Original list of addresses:
[tcp @ 0000023cf4bae540] Address 13.107.137.11 port 443
[tcp @ 0000023cf4bae540] Address 13.107.139.11 port 443
[tcp @ 0000023cf4bae540] Interleaved list of addresses:
[tcp @ 0000023cf4bae540] Address 13.107.137.11 port 443
[tcp @ 0000023cf4bae540] Address 13.107.139.11 port 443
[tcp @ 0000023cf4bae540] Starting connection attempt to 13.107.137.11 port 443
[tcp @ 0000023cf4bae540] Successfully connected to 13.107.137.11 port 443
[https @ 0000023cf4bae3c0] request: GET /personal/xxxxx/_layouts/15/download.aspx?UniqueId=alongurlA&ApiVersion=2.0 HTTP/1.1
User-Agent: Lavf/60.11.100
Accept: */*
Range: bytes=0-
Connection: close
Host: my.microsoftpersonalcontent.com
Icy-MetaData: 1
Authorization: Bearer XXXXX

https://graph.microsoft.com/v1.0/me/drive/items/xxxxxx/content: Server returned 401 Unauthorized (authorization failed)

The bearer authorization is passed down to the redirected URL; OneDrive fails as the auth is not wanted there.

Calling ffprobe with the redirected URL and without the header works properly.

From a quick search I was not able to find an RFC documenting the proper behavior, but it seems that the standard normal default is to not pass down the headers to the redirected URLs.

That's why I open this as a defect.

If that's not considered a defect then an option to disable this behavior would be more than welcome.

Same behavior for both ffmpeg and ffprobe.

Change History (0)
