[pulseaudio-discuss] [oss-security] Re: Vulnerability in Webkit-GTK and PulseAudio volume handling
Alexander E. Patrakov
patrakov at gmail.com
Fri Oct 11 11:38:35 CEST 2013
Xabier Rodríguez Calvar wrote:
> For Colin to know, before touching anything in WebKitGtk+ the behavior
> was that the volume was ramping up to 100% with every website regardless
> their volume control.
>
> I met Slomo and Lennart at GUADEC and we thought that the best was
> letting the sink, pulsesink in this case, set the volume and we would
> just get that for the slider, regardless the volume model applied. This
> was supposed to be a good compromise for the different situations (using
> PA with or without flat volumes, using another sink) as volume wouldn't
> ramp up to 100% always.
>
> There are some other restrictions we have to observe, though:
>
> 1. We want to be agnostic of the GStreamer sink used and of course,
> to the volume model used by pulse, because we don't know it.
> 2. We want to allow audio passthrough when possible.
> 3. We want to be coherent with the rest of GNOME apps, and the
> volume model they are using.
> 4. We have to comply with the HTML5 W3C standard that says that
> volume will be 100% by default, though user agents can decide to
> restore former volume (perfect if we let pulse decide it).
>
> We would easily add a GStreamer volume element and solve what Alexander
> says, buy we would be breaking 2 and 3 rules and to fulfill 3 and 4, I
> actually tested that with the proposed fix, the volume could still ramp
> up to 100% because in our opinion, it is up to the web developer to
> sanitize their volume management or up to the user to change the volume
> model.
Well, my point is exactly that items (2) or (3) don't (and can't) make
any sense in the context of web apps (or rather, in _any_ context of
potentially untrusted non-native apps), even if a sane (non-flat) volume
model is implemented in PulseAudio. Please don't try to do the impossible.
My current viewpoint is that the root of the problem is not in flat
volumes (they are just an aggravating factor), but in the fact that
untrusted javascript volume is directly connected to a pavucontrol
slider, potentially making that slider disobey the user.
And this is not about sanitizing the volume management in non-malicious
web pages. As I already said, this is about deliberately-malicious
scripts whose (no matter absolute or relative) volume and mute status
cannot be overridden. Think of them as a sound equivalent of a "1000
popups" problem.
P.S. I am not currently registered for GStreamer conference - should I
do so in order to discuss the issue in person with you or with other
GStreamer developers, or is my current LinuxCon registration sufficient?
--
Alexander E. Patrakov
More information about the pulseaudio-discuss
mailing list