[FFmpeg-devel] [PATCH 3/9] lavf/file: implement EXCL flag.

wm4 nfxjfg at googlemail.com
Sat Apr 19 13:14:29 CEST 2014

On Sat, 19 Apr 2014 10:49:02 +0200
Nicolas George <george at nsup.org> wrote:

> I can explain why I wrote that series now: I intend to write an
> "attachments" muxer that would dump each attachment into a file, based on
> the attachment name. For example:
> 	ffmpeg -i fansub.mkv -f attachments -map 0:t fonts/
> to extract all attachments in a Matroska file into a directory.
> Such an option would be severely dangerous, because a crafted file could
> have an attachment named ../../.ssh/authorized_keys for example. I intend to
> document it as such with prominent warnings in the documentation, but an
> extra safety is a good thing.

Uh, that sounds severely misdirected. You shouldn't use any relative
paths for extracting such attachments, and trying to make sure no files
get overwritten during extraction just seems like a very weak way to
limit the potential damage such a very unsafe mechanism could cause. I
don't think it's very secure if an attacker can create arbitrary files
on your filesystem, even if it can't _overwrite_ existing files.

Why extract all attachments at once? What's the possible use case (I
see none)? You could just extract individual attachments, reporting
their name in ffprobe and making the user provide a destination
filename, like mkvextract does. In fact, why not just leave this to

More information about the ffmpeg-devel mailing list