[FFmpeg-cvslog] r12241 - trunk/libavformat/mov.c
Wed Feb 27 15:44:52 CET 2008
On Wed, Feb 27, 2008 at 03:23:49PM +0100, Baptiste Coudurier wrote:
> Reimar D?ffinger wrote:
> >> This by no means is a guarantee to be safe within your URLProtocol code,
> >> if you used register_protocol, one user could still very well exploit
> >> your code with commandline, and API, giving deliberatly wrong args.
> > Uh. "exploit your code with commandline" sounds to me almost like
> > calling "rm -rf /" a bash-exploit (yes, not quite the same I admit).
> > But anyway, no in e.g. the case of the old MPlayer code this was not
> > possible since _no user data at all_ was _ever_ passed to libavformat
> > code.
> FFmpeg does at least. Mplayer is not the only application using libavformat.
FFmpeg does not use custom url handlers of the form I suggested, so
it's a non-issue. Use of the default internal url handlers and a
custom caller-stream-based one are basically orthogonal. I would never
expect a single app to use both together.
More information about the ffmpeg-cvslog