[FFmpeg-trac] #10940(undetermined:new): FFmpeg headers and redirect issue

FFmpeg trac at avcodec.org
Thu Mar 28 19:26:41 EET 2024


#10940: FFmpeg headers and redirect issue
-------------------------------------+-------------------------------------
             Reporter:  Tolriq       |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:               |                  Version:
  undetermined                       |  unspecified
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug: FFmpeg passes the headers down the redirects and
 probably should not.

 How to reproduce:
 {{{

 ffprobe.exe -headers 'Authorization: Bearer xxxx' -v debug -i
 https://graph.microsoft.com/v1.0/me/drive/items/xxxx/content

 ffprobe version 2023-09-07-git-9c9f48e7f2-full_build-www.gyan.dev
 Copyright (c) 2007-2023 the FFmpeg developers
   built with gcc 12.2.0 (Rev10, Built by MSYS2 project)
   configuration: --enable-gpl --enable-version3 --enable-static --disable-
 w32threads --disable-autodetect --enable-fontconfig --enable-iconv
 --enable-gnutls --enable-libxml2 --enable-gmp --enable-bzlib --enable-lzma
 --enable-libsnappy --enable-zlib --enable-librist --enable-libsrt
 --enable-libssh --enable-libzmq --enable-avisynth --enable-libbluray
 --enable-libcaca --enable-sdl2 --enable-libaribb24 --enable-libaribcaption
 --enable-libdav1d --enable-libdavs2 --enable-libuavs3d --enable-libzvbi
 --enable-librav1e --enable-libsvtav1 --enable-libwebp --enable-libx264
 --enable-libx265 --enable-libxavs2 --enable-libxvid --enable-libaom
 --enable-libjxl --enable-libopenjpeg --enable-libvpx --enable-
 mediafoundation --enable-libass --enable-frei0r --enable-libfreetype
 --enable-libfribidi --enable-libharfbuzz --enable-liblensfun --enable-
 libvidstab --enable-libvmaf --enable-libzimg --enable-amf --enable-cuda-
 llvm --enable-cuvid --enable-ffnvcodec --enable-nvdec --enable-nvenc
 --enable-dxva2 --enable-d3d11va --enable-libvpl --enable-libshaderc
 --enable-vulkan --enable-libplacebo --enable-opencl --enable-libcdio
 --enable-libgme --enable-libmodplug --enable-libopenmpt --enable-
 libopencore-amrwb --enable-libmp3lame --enable-libshine --enable-libtheora
 --enable-libtwolame --enable-libvo-amrwbenc --enable-libcodec2 --enable-
 libilbc --enable-libgsm --enable-libopencore-amrnb --enable-libopus
 --enable-libspeex --enable-libvorbis --enable-ladspa --enable-libbs2b
 --enable-libflite --enable-libmysofa --enable-librubberband --enable-
 libsoxr --enable-chromaprint
   libavutil      58. 19.100 / 58. 19.100
   libavcodec     60. 26.100 / 60. 26.100
   libavformat    60. 11.100 / 60. 11.100
   libavdevice    60.  2.101 / 60.  2.101
   libavfilter     9. 11.100 /  9. 11.100
   libswscale      7.  3.100 /  7.  3.100
   libswresample   4. 11.100 /  4. 11.100
   libpostproc    57.  2.100 / 57.  2.100
 [AVFormatContext @ 0000023cf4b988c0] Opening
 'https://graph.microsoft.com/v1.0/me/drive/items/xxxx/content' for reading
 [https @ 0000023cf4bae3c0] Setting default whitelist
 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
 [https @ 0000023cf4bae3c0] No trailing CRLF found in HTTP header. Adding
 it.
 [tcp @ 0000023cf4baf1c0] Original list of addresses:
 [tcp @ 0000023cf4baf1c0] Address 20.231.131.224 port 443
 [tcp @ 0000023cf4baf1c0] Address 20.20.35.96 port 443
 [tcp @ 0000023cf4baf1c0] Address 20.20.35.160 port 443
 [tcp @ 0000023cf4baf1c0] Interleaved list of addresses:
 [tcp @ 0000023cf4baf1c0] Address 20.231.131.224 port 443
 [tcp @ 0000023cf4baf1c0] Address 20.20.35.96 port 443
 [tcp @ 0000023cf4baf1c0] Address 20.20.35.160 port 443
 [tcp @ 0000023cf4baf1c0] Starting connection attempt to 20.231.131.224
 port 443
 [tcp @ 0000023cf4baf1c0] Successfully connected to 20.231.131.224 port 443
 [https @ 0000023cf4bae3c0] request: GET
 /v1.0/me/drive/items/xxxxxxx/content HTTP/1.1
 User-Agent: Lavf/60.11.100
 Accept: */*
 Range: bytes=0-
 Connection: close
 Host: graph.microsoft.com
 Icy-MetaData: 1
 Authorization: Bearer xxxxxxx


 [tcp @ 0000023cf4bae540] Original list of addresses:
 [tcp @ 0000023cf4bae540] Address 13.107.137.11 port 443
 [tcp @ 0000023cf4bae540] Address 13.107.139.11 port 443
 [tcp @ 0000023cf4bae540] Interleaved list of addresses:
 [tcp @ 0000023cf4bae540] Address 13.107.137.11 port 443
 [tcp @ 0000023cf4bae540] Address 13.107.139.11 port 443
 [tcp @ 0000023cf4bae540] Starting connection attempt to 13.107.137.11 port
 443
 [tcp @ 0000023cf4bae540] Successfully connected to 13.107.137.11 port 443
 [https @ 0000023cf4bae3c0] request: GET
 /personal/xxxxx/_layouts/15/download.aspx?UniqueId=alongurlA&ApiVersion=2.0
 HTTP/1.1
 User-Agent: Lavf/60.11.100
 Accept: */*
 Range: bytes=0-
 Connection: close
 Host: my.microsoftpersonalcontent.com
 Icy-MetaData: 1
 Authorization: Bearer XXXXX

 https://graph.microsoft.com/v1.0/me/drive/items/xxxxxx/content: Server
 returned 401 Unauthorized (authorization failed)

 }}}


 The bearer authorization is passed down to the redirected URL; OneDrive
 fails as the auth is not wanted there.

 Calling ffprobe with the redirected url and without the header works
 properly.

 From a quick search I was not able to find an RFC documenting the proper
 behavior but it seems that the standard normal default is to not pass down
 the headers to the redirected urls.

 That's why I open this as a defect.

 If that's not considered a defect then an option to disable this behavior
 would be more than welcome.

 Same behavior for both ffmpeg and ffprobe.
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/10940>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
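
A check for the behaviour reported above, as an added example that is not part of the ticket or of FFmpeg: it parses `-v debug` output and lists credential headers that were sent to a host other than the one the first request went to. The sample log is constructed from the ticket's output with the mail-wrapped lines rejoined, and the function names are hypothetical.

```python
import re

# Headers that carry credentials and belong only to the origin they were issued for.
SENSITIVE = {"authorization", "cookie", "proxy-authorization"}
REQUEST_RE = re.compile(r"^\[https? @ [0-9a-fA-F]+\] request: (\w+) (\S+)")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

# Constructed sample modelled on the ticket's log (unwrapped, placeholder token).
SAMPLE_LOG = """\
[https @ 0000023cf4bae3c0] request: GET /v1.0/me/drive/items/xxxx/content HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer xxxx

[tcp @ 0000023cf4bae540] Successfully connected to 13.107.137.11 port 443
[https @ 0000023cf4bae3c0] request: GET /personal/xxxxx/_layouts/15/download.aspx HTTP/1.1
Host: my.microsoftpersonalcontent.com
Authorization: Bearer xxxx
"""


def parse_requests(log_text):
    """Return one dict per HTTP request found in the debug output."""
    requests, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2), "headers": {}}
            requests.append(current)
        elif current is not None:
            h = HEADER_RE.match(line)
            if h:
                current["headers"][h.group(1).lower()] = h.group(2)
            else:
                current = None  # blank or non-header line ends the header block
    return requests


def forwarded_credentials(log_text):
    """Return (host, header) pairs where a credential header reached a host
    other than the one the first request was sent to."""
    reqs = parse_requests(log_text)
    origin = reqs[0]["headers"].get("host", "").lower() if reqs else ""
    findings = []
    for req in reqs[1:]:
        host = req["headers"].get("host", "").lower()
        if host != origin:
            findings += [(host, n) for n in sorted(SENSITIVE & req["headers"].keys())]
    return findings
```

Run over captured debug output, an empty result means no credential header followed a redirect to another host.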

