[FFmpeg-user] ffmpeg for a joomla video website

Reindl Harald h.reindl at thelounge.net
Mon Jul 21 21:27:20 CEST 2014



On 21.07.2014 21:20, Nicolas George wrote:
> On tridi 3 thermidor, year CCXXII, Tom Evans wrote:
>> Shell'ing to run ffprobe gets you the same data; using software with
>> known exploits is much more insecure than making sure you correctly
>> escape filenames.
> 
> And it is even better to make sure not to _need_ to escape filenames

that was not the question

the question is between using known insecure software
where *every* input file could lead to code execution
or escape filenames

using *knowingly insecure* software in environments
where users can submit input files is just stupid

you have two choices:

* update and find a solution for your needs
* don't offer a specific service if you can't do it securely
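
The two filename-handling routes argued over in this thread, shown side by side as an added example that is not part of the original message or of FFmpeg: passing ffprobe an argument vector so that no shell parses the name, and quoting the same call for a shell. The upload directory, the function names and the chosen ffprobe output options are assumptions.

```python
import os
import shlex
import subprocess

UPLOAD_DIR = "/srv/uploads"  # assumption: where the site stores submitted files


def ffprobe_argv(filename, upload_dir=UPLOAD_DIR):
    """Build an argument vector for ffprobe; no shell ever parses the name."""
    # Keep only the last path component so "../" cannot leave upload_dir.
    name = os.path.basename(filename)
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("unusable filename")
    path = os.path.join(upload_dir, name)
    # "file:" pins the input to the local file protocol, so a name such as
    # "concat:a|b" is not read as another protocol, and the argument can
    # never begin with "-" and be taken for an option.
    return ["ffprobe", "-v", "error", "-print_format", "json",
            "-show_format", "-show_streams", "-i", "file:" + path]


def ffprobe_shell_command(filename, upload_dir=UPLOAD_DIR):
    """The escaping route: the same call as one quoted string for /bin/sh."""
    return " ".join(shlex.quote(a) for a in ffprobe_argv(filename, upload_dir))


def probe(filename):
    """Run ffprobe without a shell (a list argv means shell=False)."""
    return subprocess.run(ffprobe_argv(filename), capture_output=True,
                          text=True, timeout=30, check=True).stdout


if __name__ == "__main__":
    # Constructed awkward names, for illustration only.
    for sample in ["holiday.mp4", "it's a clip; x.mp4", "-version",
                   "../../etc/passwd"]:
        print(ffprobe_argv(sample)[-1], "|", ffprobe_shell_command(sample))
```

Neither route does anything about decoder bugs in an outdated ffmpeg build, which is the other half of the argument in this message.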


