[FFmpeg-devel] [PATCH 3/4] avformat/concat: Add concat_enable option that is disable by default

Nicolas George george at nsup.org
Wed Jan 20 17:06:37 CET 2016


On Primidi, 1 Pluviôse, year CCXXIV, Michael Niedermayer wrote:
> From: Michael Niedermayer <michael at niedermayer.cc>
> 
> This should prevent the unintended use of concat

I am rather against this patch and the corresponding one for subfile: these
protocols are not harmful by themselves, they are dangerous if and only if
another protocol or format allows untrusted sources to provide arbitrary
URLs. This kind of preemptive blacklisting is bound to fail (new protocols
are added frequently, and they may be more dangerous than just concat or
subfile) and only mitigates a few of the possible attacks.

If people start to care about playlist-based security issues (Reimar used to
warn about it long ago), a cross-protocol solution needs to be found.

Regards,

-- 
  Nicolas George
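
An added example, not part of the original message or of FFmpeg's code: one way a cross-protocol check could look, as a single allowlist test applied wherever a nested URL is opened, so that a protocol added later is refused without needing its own enable flag. The function names and the comma-separated allowlist format are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: copy the scheme of url into out. A URL with no
 * "scheme:" or "scheme,options:" prefix is treated as a local file. */
static int url_scheme(const char *url, char *out, size_t outsz)
{
    size_t n = 0;
    while (isalnum((unsigned char)url[n]) || (url[n] && strchr("+-.", url[n])))
        n++;
    if (n == 0 || (url[n] != ':' && !(url[n] == ',' && strchr(url + n, ':')))) {
        url = "file";
        n = 4;
    }
    if (n >= outsz)
        return 0;               /* oversized scheme: fail closed */
    memcpy(out, url, n);
    out[n] = '\0';
    return 1;
}

/* Exact match of scheme against a comma-separated list. */
static int scheme_in_list(const char *list, const char *scheme)
{
    size_t len = strlen(scheme);
    while (*list) {
        size_t tok = strcspn(list, ",");
        if (tok == len && memcmp(list, scheme, len) == 0)
            return 1;
        list += tok;
        if (*list == ',')
            list++;
    }
    return 0;
}

/* Called wherever a format or protocol opens a URL it read from its input.
 * allowlist comes from the application that opened the top-level input. */
int nested_open_allowed(const char *allowlist, const char *url)
{
    char scheme[32];
    if (!allowlist || !url || !url_scheme(url, scheme, sizeof scheme))
        return 0;
    return scheme_in_list(allowlist, scheme);
}
```

Anything that parses as an unknown scheme, including a Windows drive letter such as `C:`, is refused unless the application lists it.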