[FFmpeg-devel] [PATCH 3/3] avformat: add youtube-dl based demuxer

Reimar Döffinger Reimar.Doeffinger at gmx.de
Fri Apr 10 08:31:59 CEST 2015


On 08.04.2015, at 19:51, Gilles Chanteperdrix <gilles.chanteperdrix at xenomai.org> wrote:
> On Wed, Apr 08, 2015 at 07:44:13PM +0200, wm4 wrote:
>> On Wed, 8 Apr 2015 19:39:00 +0200
>> Gilles Chanteperdrix <gilles.chanteperdrix at xenomai.org> wrote:
>> 
>>> On Wed, Apr 08, 2015 at 07:24:27PM +0200, wm4 wrote:
>>>>> +    snprintf(buffer, sizeof(buffer), "youtube-dl -f %s -g '%s'", 
>>>>> +        yc->format, s->filename);
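Review bot: In the format string on these two lines, the %s for yc->format is unquoted and s->filename is protected only by a pair of single quotes, so a single quote inside s->filename ends the quoting and the remainder is parsed as shell syntax once this buffer is handed to a shell. Adding quotes inside the string does not close this; pass "youtube-dl", "-f", yc->format, "-g" and s->filename as separate argv elements to an exec-style call (fork plus execvp, or posix_spawnp) so that no shell ever parses them. The snprintf() return value is also discarded in this statement, so an over-long s->filename silently truncates the command; compare it against sizeof(buffer) and fail on overflow.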
>>> 
>>> Ok, missing single quotes here around the format.
>>> 
>> 
>> Doesn't help. You can't fix it. You need to use something other than
>> system() if you want it to be secure.
> 
> You can fix it, you can escape the quotes in the string or refuse a
> string that contains single quotes, but as I said, this starts being
> cumbersome.

Strictly speaking system() does not specify which shell is used, so you can't know for sure which escaping it even supports, and thus you cannot escape the string correctly...
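
Added example (not part of the original message or of the patch): one way to run a helper without system(), handing the untrusted string over as its own argv element through posix_spawnp() so that no shell parses it and no escaping is needed. printf(1) stands in for youtube-dl so the block runs offline; in the demuxer the vector would be "youtube-dl", "-f", format, "-g", filename. spawn_capture and echo_arg are hypothetical names and the sample string is constructed.

```c
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Spawn argv[0] via PATH with no shell, copy its stdout into out; returns exit status or -1. */
static int spawn_capture(char *const argv[], char *out, size_t outsz)
{
    int fds[2], status, err;
    pid_t pid;
    size_t len = 0;
    ssize_t n;
    posix_spawn_file_actions_t fa;

    if (outsz == 0 || pipe(fds) != 0)
        return -1;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO); /* child stdout -> pipe */
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    posix_spawn_file_actions_addclose(&fa, fds[1]);
    err = posix_spawnp(&pid, argv[0], &fa, NULL, argv, environ);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    while (err == 0 && len < outsz - 1 && (n = read(fds[0], out + len, outsz - 1 - len)) > 0)
        len += (size_t)n;
    out[len] = '\0';
    close(fds[0]);
    if (err != 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Stand-in for the youtube-dl call (assumption): printf(1) echoes its one argument back. */
static int echo_arg(const char *untrusted, char *out, size_t outsz)
{
    char *const argv[] = { "printf", "%s", (char *)untrusted, NULL };
    return spawn_capture(argv, out, outsz);
}

int main(void)
{
    char out[128];
    /* Constructed input full of shell metacharacters; it must come back byte for byte. */
    int rc = echo_arg("a'b; echo SHOULD_NOT_RUN `c` $(d)", out, sizeof out);
    printf("rc=%d arg=[%s]\n", rc, out);
    return rc != 0;
}
```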
