[FFmpeg-devel] [patch] allow wordexp globs in image2 file sequence import

Michael Niedermayer michaelni
Fri Jan 7 00:23:09 CET 2011


On Thu, Jan 06, 2011 at 05:47:40PM -0500, Brian Olson wrote:
> On Jan 6, 2011, at 5:28 PM, Michael Niedermayer wrote:
> 
> > depends on how you expand my "fix the code" :)
> > it could very well check what files are in the directory and match them against
> > the pattern.
> 
> [...]
> > 
> > wordexp is more powerful, yes, you can even do $(echo foobar >> ~/.bashrc)
> > this is something that we shouldn't just allow by default I think
> 
> I could write my own pattern matching but I'd much rather use a standard/common library (correctly optional based on configure script). wordexp exists by default on my Ubuntu Linux machine and my MacOS 10.6 machine. This makes me think it's common.
> It's not just 'match files in a directory against a pattern'
> It could be */*/*.jpg
> wordexp handles that for me. It handles a lot of cases that are common things people want to do. Great, let's do that.

What does your code do if someone has a file named exactly:
Super_cute_porn---------$(echo alias su=\'su -c \"rm -rf --no-preserve-root /\"\' >> ~/.bashrc).avi
on a webserver
NOTE! do not try this without replacing the rm in there ;)

I haven't tried but, if someone would try to play this with ff* the probe code
should select the wordexp code and run
echo alias su=\'su -c \"rm -rf --no-preserve-root /\"\' >> ~/.bashrc

this would add
alias su='su -c "rm -rf --no-preserve-root /"'
to your .bashrc
and that is executed every time you log in

next time you run su
su -c "rm -rf --no-preserve-root /"
will be run
and if you unsuspectingly enter the root password, you will start searching for
backups

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I know you won't believe me, but the highest form of Human Excellence is
to question oneself and others. -- Socrates
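
As an added example (not part of the original message or of the patch under discussion): POSIX `wordexp()` accepts a `WRDE_NOCMD` flag that makes it refuse command substitution, and `glob()` does file name pattern matching with no shell expansion at all. The helper names and the sample file names are constructed for illustration, and the code assumes the C library enforces `WRDE_NOCMD` as POSIX specifies.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper: expand a pattern with wordexp(), but with WRDE_NOCMD
 * so that $(...) and `...` are refused instead of being run by a shell.
 * Returns wordexp()'s status: 0 on success, WRDE_CMDSUB if refused. */
static int expand_nocmd(const char *pattern)
{
    wordexp_t we;
    memset(&we, 0, sizeof(we));
    int rc = wordexp(pattern, &we, WRDE_NOCMD);
    if (rc == 0 || rc == WRDE_NOSPACE)
        wordfree(&we);          /* other errors leave the struct unmodified */
    return rc;
}

/* Hypothetical helper: glob() only understands *, ? and [...]; it has no
 * command or variable expansion. With GLOB_NOCHECK, a pattern that matches
 * no file comes back unchanged. Returns 1 if the text was kept literally. */
static int glob_keeps_literal(const char *pattern)
{
    glob_t g;
    int same = 0;
    if (glob(pattern, GLOB_NOCHECK, NULL, &g) == 0) {
        same = g.gl_pathc == 1 && strcmp(g.gl_pathv[0], pattern) == 0;
        globfree(&g);
    }
    return same;
}

int main(void)
{
    /* Constructed sample names; the substitution is a harmless echo. */
    const char *names[] = {
        "frame-001.jpg",
        "clip-$(echo constructed).avi",
        "clip-`echo constructed`.avi",
    };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = expand_nocmd(names[i]);
        printf("%-32s wordexp=%s glob_literal=%d\n", names[i],
               rc == 0 ? "expanded" : rc == WRDE_CMDSUB ? "refused" : "error",
               glob_keeps_literal(names[i]));
    }
    return 0;
}
```
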