[FFmpeg-devel] [FFmpeg-cvslog] fftools/graphprint: Now, make it a Killer-Feature!
Rémi Denis-Courmont
remi at remlab.net
Sat May 24 18:54:51 EEST 2025
Le perjantaina 16. toukokuuta 2025, 1.19.15 Itä-Euroopan kesäaika softworkz .
a écrit :
> of course I understand that.
> But it isn't constructed from untrusted input.
You're being ridiculous. `system()` has a long history of causign bugs, many
of them security related, and many not fixable.
If you were implementing a command line interface that needs to process
trusted input like the shell would, you would want to use `wordexp()`.
As you merely need to spawn a child process, use the `posix_spawn`*`()` where
available, and `fork()` then `exec`*`()` elsewhere. We don't want to spawn a
shell just to start a well-known executable (other than the shell itself).
--
德尼-库尔蒙‧雷米
Tapio's place new town, former Finnish Republic of Uusimaa
More information about the ffmpeg-devel
mailing list