[FFmpeg-devel] [PATCH] lavf/img2dec: change the default pattern to none
Marton Balint
cus at passwd.hu
Sun Jan 17 20:28:32 CET 2016
On Sun, 17 Jan 2016, Carl Eugen Hoyos wrote:
> Marton Balint <cus <at> passwd.hu> writes:
>
>> The current default pattern type, glob_sequence is
>> deprecated for almost 3.5 years,
>
> Sorry if I misunderstand: When was it deprecated?
>
In commit 3a06ea84 on 2012-08-06 by Stefano.
>> before removing it, we need a new, sensible pattern
>> default. I suggest "none" which turns off pattern
>> matching, because using the filename as a pattern
>> can be a security risk exposing other files in the
>> source directory,
>
> Is the current default a security risk or would
> another default be?
The current pattern matching is a risk; any pattern matching by default
can be a risk, which is why I proposed "none".
Think about a web application putting user-uploaded content into a
directory, then the web application transcodes it with ffmpeg. If a
malicious user uploads a file with a crafted name which is interpreted as a
pattern, then the output of the transcoding can contain some or all of the
existing files in the source folder, leaking other users' data.
>> and can also cause problems for file names which
>> are patterns by themselves.
Have you tried transcoding an image with a percent sign in the file name?
It won't work because % is interpreted as a pattern, so you have to use
god knows what escaping... But you only have to do that for file names
which are handled by the image2 demuxer...
> I apparently don't understand why this patch is
> necessary but it certainly will make many users
> unhappy.
You and wm4 are right about that. It does break compatibility, but to fix
this issue, I think it is inevitable sooner or later.
When is a good time to break compatibility? The next release will be a
new major ffmpeg version, IMHO we should do this before that.
Regards,
Marton
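As an added defensive example (not part of the patch or this thread), a Python helper for the web-application scenario Marton describes: it flags upload names that the image2 demuxer could read as a pattern and always passes `-pattern_type none` explicitly, so the protection does not depend on the demuxer's default. `-f image2` and `-pattern_type none` are real ffmpeg options; the helper names, the assumption that uploads are single still images, and the sample file names are constructed.

```python
import shlex

# Characters the image2 demuxer treats specially when it is allowed to
# interpret the input name as a pattern: '%' starts a printf-style sequence
# pattern (img%03d.png), and '*', '?', '[' are glob metacharacters under the
# glob and glob_sequence pattern types. (Constructed list for this example.)
PATTERN_CHARS = frozenset("%*?[")


def looks_like_image2_pattern(filename: str) -> bool:
    """True if image2, left to pattern-match, could expand this name.

    A hit does not mean the upload is malicious (a legitimate
    'sales 100%.png' also hits); it means the name must never reach
    ffmpeg with pattern matching enabled.
    """
    return any(ch in PATTERN_CHARS for ch in filename)


def build_transcode_argv(src: str, dst: str) -> list[str]:
    """argv for transcoding one uploaded still image.

    Forcing '-f image2' pins the demuxer, and '-pattern_type none' turns
    pattern expansion off regardless of the build's default, so the
    filename is opened literally and cannot pull in neighbouring files.
    """
    return [
        "ffmpeg", "-nostdin", "-y",
        "-f", "image2", "-pattern_type", "none",
        "-i", src,
        "-frames:v", "1",
        dst,
    ]


def transcode_command(src: str, dst: str) -> str:
    """Shell-quoted form of the argv, for logging or a job queue."""
    return shlex.join(build_transcode_argv(src, dst))


if __name__ == "__main__":
    # Constructed upload names: one ordinary, two that image2 would
    # otherwise read as patterns.
    for name in ("cat.jpg", "sales 100%.png", "*.jpg"):
        flag = "pattern-like" if looks_like_image2_pattern(name) else "plain"
        print(f"{name!r}: {flag}")
        print("  ", transcode_command(f"/srv/uploads/{name}", "/srv/out/cat.webp"))
```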