[FFmpeg-devel] [RFC][PATCH] configure: Disable unsafe demuxers by default

Derek Buitenhuis derek.buitenhuis at gmail.com
Fri May 11 03:18:18 EEST 2018


On Fri, May 11, 2018 at 12:49 AM, James Darnley <james.darnley at gmail.com> wrote:
> I want to argue some more so here you go: it isn't "by default".

Strange definition of default, but OK.

> It gets rendered because you asked for it to be rendered.  You asked for
> /etc/passwd to be rendered so ffmpeg did that.  It produced a nice 4K
> video of the file with all your secrets clearly legible in it.  Why do
> you care?  Surely nobody will see it.  Surely you're not going to upload
> this file to the public Internet.

I think you might lack some imagination on how people use the API,
and how people use the FFmpeg cli. This for example, pre-HLS CVE patches,
let someone upload an m3u8 that pointed to e.g. /something/password.txt
and have it rendered. It's not an all-or-nothing sort of thing.

> I don't care that you do encode any random file that someone uploads to
> you.  I don't care that you do put the results on the public net.  I do
> care a little that ffmpeg understands playlist files but not in the same
> way you do.  I do care a little that ffmpeg does so much magic for you
> but not in the same way you do.

So basically you don't care at all about making ffmpeg less exploitable by
various users. Great.

Gotta say, this is one mighty poor attitude towards security. But OK.

> I haven't tried to stand in the way of other bad changes to ffmpeg (like
> the fact that the flac muxer will now mux video streams) and I won't try
> to stand in the way of this one.

Fine. Patch dropped. Have a good day/night. I don't have the mental
energy to deal with this endless infighting, feces-flinging, and insane
approach to safety/sanity. I'm not going to spend my spare time
smashing my head against a wall and being insulted.

This will be my last response in the thread.

- Derek
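For a service that accepts uploaded playlists and hands them to ffmpeg, the kind of pre-check the exchange above points at, as an added example that is not FFmpeg code: it rejects m3u8 entries (segment lines and tag `URI="..."` attributes) that are not remote http/https references, so a playlist line like /something/password.txt is refused before ffmpeg ever opens it. The http/https allow-list is an assumption about what legitimate input looks like.

```python
"""Pre-screen an HLS playlist before passing it to ffmpeg (added example, not FFmpeg code)."""
import re
from urllib.parse import urlsplit

# Assumption: legitimate segments are only ever fetched over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}

# Tag attributes that carry a URI, e.g. #EXT-X-KEY:METHOD=AES-128,URI="..."
TAG_URI = re.compile(r'URI="([^"]*)"')

# Constructed sample: one legitimate segment and one local-file reference.
SAMPLE_M3U8 = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXTINF:10.0,
https://cdn.example.com/seg0.ts
#EXTINF:10.0,
/something/password.txt
#EXT-X-ENDLIST
"""


def playlist_uris(text):
    """Every URI the playlist would make the demuxer open: segment lines plus URI="..." tag attributes."""
    uris = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            uris.extend(TAG_URI.findall(line))
        else:
            uris.append(line)
    return uris


def unsafe_uris(text, allowed=ALLOWED_SCHEMES):
    """URIs that fail the allow-list: bare paths (no scheme), file://, and any other protocol."""
    bad = []
    for uri in playlist_uris(text):
        parts = urlsplit(uri)
        if parts.scheme.lower() not in allowed or not parts.netloc:
            bad.append(uri)
    return bad


def is_safe_playlist(text):
    return not unsafe_uris(text)


if __name__ == "__main__":
    for uri in unsafe_uris(SAMPLE_M3U8):
        print("rejected:", uri)
```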

