[FFmpeg-devel] [RFC] av_tempfile()

Michael Niedermayer michaelni at gmx.at
Sun Oct 16 22:09:24 CEST 2011


On Sun, Oct 16, 2011 at 09:30:10PM +0200, Reimar Döffinger wrote:
> On Sun, Oct 16, 2011 at 09:27:12PM +0200, Reimar Döffinger wrote:
> > > > "Features over security" IMO is not an acceptable behaviour, especially
> > > > if it's not possible to disable it.
> > > 
> > > > Then force the user to specify a file name. That also works far better
> > > > if you want the "download while watching" to work sanely.
> > > 
> > > I did that but that is exploitable
> > > More precisely cache:~/.bashrc,http://attacker as clickable link
> > > or something along these lines as reference within another file
> > > thus as a result of this i decided to use a temporary file, which is
> > > what i committed.
> > 
> > Whether allowing anyone to create files with arbitrary content (even if
> > only in /tmp) is that great is questionable enough.

we could add a file header before the user data, that way an attacker
could not write his own


> 
> Note: if they were to somehow block /tmp it even allows creating files
> with arbitrary content in the current directory.
> Which is one step closer to allowing it to be executed (can't think of
> a way right now, Windows likes executing stuff in "." but does not like
> things without the proper extensions, Linux wants execute flag and
> usually does not look in ".", but still...)

anything i should change in the code?

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Observe your enemies, for they first find out your faults. -- Antisthenes
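
The two mitigations raised in this message, a temporary file instead of a caller-chosen name and a fixed header ahead of the downloaded data, shown together as an added example. This is not FFmpeg's av_tempfile() or its cache code: cache_open, cache_append, cache_read, cache_check and the TMPCACHE1 header are hypothetical names, and POSIX mkstemp() is assumed.

```c
#define _POSIX_C_SOURCE 200809L          /* mkstemp(), pread() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical fixed header, not a format FFmpeg defines. */
static const char cache_magic[] = "TMPCACHE1\n";
#define MAGIC_LEN (sizeof(cache_magic) - 1)

/* Create the cache file in dir: random name, O_EXCL, mode 0600, unlinked at
 * once so no path refers to it. The header is written before any other byte. */
int cache_open(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof(path), "%s/cache.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof(path)) return -1;
    int fd = mkstemp(path);              /* fails rather than reuse a name */
    if (fd < 0) return -1;
    unlink(path);                        /* the open fd keeps the data alive */
    if (write(fd, cache_magic, MAGIC_LEN) != (ssize_t)MAGIC_LEN) { close(fd); return -1; }
    return fd;
}

/* Append untrusted (downloaded) bytes after whatever is already stored. */
int cache_append(int fd, const void *buf, size_t len)
{
    if (lseek(fd, 0, SEEK_END) < 0) return -1;
    return write(fd, buf, len) == (ssize_t)len ? 0 : -1;
}

/* Read payload at logical offset pos; the header is skipped transparently. */
ssize_t cache_read(int fd, off_t pos, void *buf, size_t len)
{
    return pread(fd, buf, len, pos + (off_t)MAGIC_LEN);
}

/* 1 if fd is a nameless regular file, owner-only, that starts with our header. */
int cache_check(int fd)
{
    struct stat st;
    char head[MAGIC_LEN];
    return fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
           (st.st_mode & 077) == 0 && st.st_nlink == 0 &&
           pread(fd, head, MAGIC_LEN, 0) == (ssize_t)MAGIC_LEN &&
           memcmp(head, cache_magic, MAGIC_LEN) == 0;
}
```

Because the file is unlinked before any downloaded byte is written, there is no name in /tmp or "." for anything else to open, and the first bytes on disk are always the fixed header rather than remote content.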