[FFmpeg-devel] [PATCH]Auto-detection for concat demuxer

Nicolas George nicolas.george at normalesup.org
Sun Feb 3 11:05:46 CET 2013


On quintidi 15 Pluviôse, year CCXXI, Carl Eugen Hoyos wrote:
> Sorry, but I both fail to understand how your version 
> is less security-risky than mine and how misdetection 
> is possible with my version.

Security: a script containing "file /path/to/sensible/data" would be
rejected if it was automatically probed, it would only be accepted if the
user specifies options, either "-safe 0" or explicitly "-f concat".

Misdetection: file is a very common word in English, especially when
talking about computing. A lot of text files can have the word
file in them, including at the beginning of lines. The string "ffconcat
version 1.0", on the other hand, is not very common, the only reason a
file would have it as its very first line would be that it is actually a
file meant for the concat demuxer.

(Note: this very mail has thrice the "file " string at the beginning of
lines, which would have it detected as an ffconcat script by your patch. The
same is true for doc/muxers.texi.)

> I actually think that it is much easier to edit a real 
> file that is currently correctly detected by FFmpeg to 
> a file that is misdetected by your version than to make 
> it a file that is misdetected with my patch.

I do not get your point here.

Regards,

-- 
  Nicolas George
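
Added example, not part of the original mail and not FFmpeg's code: the two detection rules discussed above, run side by side on constructed text. The function names and sample inputs are assumptions, and the "file " rule follows the mail's description only, since the patch under discussion is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: number of lines that begin with "file ". */
static int count_file_lines(const char *buf)
{
    int count = 0;
    for (const char *line = buf; line && *line; ) {
        if (strncmp(line, "file ", 5) == 0)
            count++;
        line = strchr(line, '\n');   /* jump to the next line, if any */
        if (line)
            line++;
    }
    return count;
}

/* Hypothetical helper: 1 only if the first line is exactly the signature. */
static int has_signature(const char *buf)
{
    static const char sig[] = "ffconcat version 1.0";
    size_t n = sizeof(sig) - 1;
    if (strncmp(buf, sig, n) != 0)
        return 0;
    return buf[n] == '\n' || buf[n] == '\r' || buf[n] == '\0';
}

/* Constructed sample inputs. */
static const char prose[] =
    "Notes on the build\n"
    "file names are listed in the Makefile and each\n"
    "file is compiled separately.\n";
static const char unsigned_script[] = "file /path/to/data\n";
static const char signed_script[] =
    "ffconcat version 1.0\n"
    "file part1.mkv\n"
    "file part2.mkv\n";

int main(void)
{
    const char *names[] = { "prose", "unsigned script", "signed script" };
    const char *bufs[]  = { prose, unsigned_script, signed_script };
    for (int i = 0; i < 3; i++)
        printf("%-16s file-lines=%d signature=%d\n", names[i],
               count_file_lines(bufs[i]), has_signature(bufs[i]));
    return 0;
}
```

The prose sample trips the "file " rule without being a script, while the unsigned script fails the signature rule and so would only be read when the format is requested explicitly.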