[FFmpeg-devel] [PATCH 2/2] avformat: add protocol_whitelist

Nicolas George george at nsup.org
Sun Jan 24 13:56:51 CET 2016

Le quintidi 5 pluviôse, an CCXXIV, Clement Boesch a écrit :
> Why not an entry in the AVDictionary options?

That could be a short-term solution to avoid introducing a new API with
ad-hoc parameters, but AVDictionary is still based on strings exclusively,
that is very unpractical for applications. Furthermore, as I pointed out
earlier, just a whitelist at protocol level is not enough to fix all
security issues raised by playlists, especially all kind of cross-site
information leak. Furthermore, this AVGlobalSettings structure could be the
first step in getting rid of global state.

Still, you are probably right: people seem to be rushed about patching this
particularly visible instance of the issue, an entry in the AVDictionary
options is probably the simplest way of doing it right now without
introducing API changes that will need to be reverted after proper


  Nicolas George
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20160124/186ea580/attachment.sig>

More information about the ffmpeg-devel mailing list