[FFmpeg-devel] [RFC][PATCH] configure: Disable unsafe demuxers by default
james.darnley at gmail.com
Fri May 11 00:11:00 EEST 2018
On 2018-05-10 17:44, Derek Buitenhuis wrote:
> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, and only
> makes it easier for potential attackers to gain the contents of
> system files.
> Disable building these by default.
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> I'm not overly attached to implementation details like the option name
> or whether it's done at build time or runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
You web people already have options for the various annoying whitelists.
Is this not covered by one of them?