[FFmpeg-devel] [patch] allow wordexp globs in image2 file sequence import
Brian Olson icic
Fri Jan 7 17:39:03 CET 2011
- possible wide ranging new feature proposal below
On Jan 6, 2011, at 6:23 PM, Michael Niedermayer wrote:
> What does your code do if someone has a file named exactly: Supercuteporn---------$(echo alias su='su -c "rm -rf --no-preserve-root /"' >> ~/.bashrc).avi on a webserver
Huh, I guess web sites where you upload image sequences (my change only applies to image sequences) to a server that runs ffmpeg should be careful about sanitizing their inputs.
web sites ... should be careful about sanitizing their inputs
Not to trivialize the problem too much, okay, yes, this could be a weird unexpected attack vector. To resume trivializing the problem, if someone types in on the command line: ffmpeg -i 'foo$(evil command line).jpg' I uphold their right to shoot themselves in the foot.
- Possible solution:
Keep '-i filename' doing flat names and trivial %d patterns. Introduce a new option for smarter patterns. '--input-pattern' or something. This second way could even hook in system wide, emulating multiple -i arguments, for any input type not just image file sequences.
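
Added example, not part of the original message or of the patch under discussion: the file name quoted above only matters if the expansion step performs command substitution. The C code below shows two ways to keep pattern support without it, wordexp() with WRDE_NOCMD and plain glob(); the function names and sample patterns are constructed for illustration.

```c
/* Added example (not from the patch): expand an image-sequence pattern
 * without letting any part of the file name be run as a command. */
#include <glob.h>
#include <stdio.h>
#include <wordexp.h>

/* Expand with wordexp() but refuse command substitution.
 * Returns 0 on success or a WRDE_* error code. WRDE_CMDSUB means the
 * pattern contained $(...) or backticks and nothing was executed. */
int expand_nocmd(const char *pattern)
{
    wordexp_t we;
    int rc = wordexp(pattern, &we, WRDE_NOCMD);
    if (rc == 0)
        wordfree(&we);
    return rc;
}

/* Pathname-only matching: glob() understands *, ?, [...] and backslash
 * escapes, so "$(" and backticks are ordinary characters to it.
 * Results are sorted, which suits numbered frames.
 * Returns the number of matches, or -1 on a read or memory error. */
long glob_count(const char *pattern)
{
    glob_t g;
    long n = -1;
    int rc = glob(pattern, 0, NULL, &g);
    if (rc == 0)
        n = (long)g.gl_pathc;
    else if (rc == GLOB_NOMATCH)
        n = 0;
    globfree(&g);
    return n;
}

int main(void)
{
    /* Constructed sample names; the command text is a harmless placeholder. */
    const char *samples[] = { "frame*.jpg", "frame$(echo constructed).jpg" };
    for (int i = 0; i < 2; i++)
        printf("%-30s wordexp(WRDE_NOCMD)=%d glob matches=%ld\n",
               samples[i], expand_nocmd(samples[i]), glob_count(samples[i]));
    return 0;
}
```

With WRDE_NOCMD, wordexp() still performs tilde and variable expansion, so a name containing $HOME is rewritten; glob() does pathname matching only.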