[FFmpeg-user] ffmpeg for a joomla video website
Reindl Harald
h.reindl at thelounge.net
Mon Jul 21 21:27:20 CEST 2014
On 21.07.2014 21:20, Nicolas George wrote:
> On tridi 3 Thermidor, year CCXXII, Tom Evans wrote:
>> Shell'ing to run ffprobe gets you the same data; using software with
>> known exploits is much more insecure than making sure you correctly
>> escape filenames.
>
> And it is even better to make sure not to _need_ to escape filenames

that was not the question

the question is between using known insecure software
where *every* input file could lead to code execution
or escape filenames

using *knowingly insecure* software in environments
where users can submit input files is just stupid

you have two choices:

* update and find a solution for your needs
* don't offer a specific service if you can't do it securely