451938 - stealing frames from <video> via canvas

Status: RESOLVED FIXED

(Core :: Graphics: Canvas2D, defect, P1)

Description

[georgi - hopefully not receiving bugspam]

Attachment: canvim4 - stealing video pron

it is possible to steal frames from arbitrary videos that the luser can load via
canvas + drawImage or fillRect

as of now works directly - no need for http redirects

Comment 1

[georgi - hopefully not receiving bugspam]

this seems to works with "file:///" uris, basically allowing stealing homemade pron with known filename

Comment 2

[Jesse Ruderman]

<video> being able to refer to file:/// URLs might be a separate bug.

Comment 3

[georgi - hopefully not receiving bugspam]

> <video> being able to refer to file:/// URLs might be a separate bug.


sure, it allows checking for existence of local files. soon to file a new bug + testcase

Comment 4

[georgi - hopefully not receiving bugspam]

checking for file existence via <video> is Bug 451958

Comment 5

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Indeed, the wrong principal is being used here -- http://hg.mozilla.org/mozilla-central/index.cgi/file/tip/content/canvas/src/nsCanvasRenderingContext2D.cpp#l2826 .  How do I get the principal of the actual video stream, e.g. what happens at http://hg.mozilla.org/mozilla-central/index.cgi/file/tip/content/canvas/src/nsCanvasRenderingContext2D.cpp#l2854 ?

Comment 6

[cajbir (:cajbir)]

You can get the actual URI of the video being played (ie. the one that was selected from the multiple sources to play) with GetCurrentSrc on the media element.

Comment 7

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

I don't want the URI though, I want the principal -- or can I turn that URI into a principal?

Comment 8

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Attachment: pass the principal down the relay line...

Here's a fix -- this passes the principal down the chain so that canvas can get at it.

Comment 9

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 336699 [details] [diff] [review]
pass the principal down the relay line...

I wish -p -U 8 worked for these diffs....


>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>@@ -2823,7 +2823,8 @@
>+        video->GetCurrentPrincipal(prinOut);
>+

So... right now now callers of this method assume the principal is never null.  In particular, DoDrawImageSecurityCheck certainly does.  Your newly added code looks like it might return null sometimes.  So we either need to add null-checks in various places or make ThebesSurfaceFromElement throw on a null principal.  The latter is probably better.

The rest looks fine, though I'd just have the methods return nsIPrincipal* instead of doing the COM-like dance.

Comment 10

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Attachment: updated

Updated; note that this depends on bug 417836 which I'll land shortly.  I changed the interface to just return a nsIPrincipal*, and explicitly check for null (and throw an error in that case).

Comment 11

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 336933 [details] [diff] [review]
updated

>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>+        *prinOut = principal.forget().get();

  principal.forget(prinOut);

r+sr=bzbarsky with that.

Comment 12

[Vladimir Vukicevic [:vlad] [:vladv] (needinfo me, slow to respond)]

Fix checked in:

18910[tip]   ad53051ebd43   2008-09-06 16:47 -0700   vladimir
  b=451938; ensure correct principal is used in case of <video> and drawImage; r=bz

Comment 13

[georgi - hopefully not receiving bugspam]

seems fixed on trunk according to my tests.

tried fillRect and http redirects - both seem fixed

Comment 14

[georgi - hopefully not receiving bugspam]

do some svg filters or similar stuff alter images so they can be stolen?

some tests with filter feImage show the image yet when drawn to canvas the original image is drawn, i.e. no theft.