[FFmpeg-devel] [PATCH 1/2] Avoid using the term "file" and prefer "url" in some docs and comments
wm4
nfxjfg at googlemail.com
Fri Dec 9 10:55:52 EET 2016
On Fri, 9 Dec 2016 03:48:39 +0100
Michael Niedermayer <michael at niedermayer.cc> wrote:
> On Thu, Dec 08, 2016 at 11:13:16AM -0900, Lou Logan wrote:
> > On Mon, 5 Dec 2016 13:52:50 +0100, Michael Niedermayer wrote:
> >
> > > This should make it less ambiguous that these are URLs
> > >
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > > doc/ffmpeg.texi | 18 +++++++++---------
> > > doc/ffplay.texi | 6 +++---
> > > doc/ffprobe.texi | 10 +++++-----
> > > ffmpeg_opt.c | 4 ++--
> > > 4 files changed, 19 insertions(+), 19 deletions(-)
> >
> > Although this is a trivial patch, approximately 7 hours between sending
> > a patch and applying without feedback isn't enough time. At least 24
> > hours would be preferable.
>
> there were open and fully public security bugs, the use of untrusted
> filenames which look like urls aka files as in
> "http://someserver.com"
> would allow potential remote code execution
I guess "security bugs" now justify any kind of change?
It's clear that a user has to prefix filenames with file: or so, since
it will interpret various strings as not-files (like an option or a
URL). Thus it's not a security bug, just a user error.
> I applied this quickly as it seemed important to me to clarify that
> the command line arguments are not just normal file names
> in addition to fixing the bug which depended on such files
>
> can you help me clarify and improve this further ?
> I suspect you can reword this quicker yourself than with me messing
> around further
>
> The really important point is that one cannot safely put a random
> untrusted string or filename in place of these arguments.
> untrusted filenames need "file:" prefix at least
>
> Thanks and sorry for having applied this so quickly
>
> [...]
>
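The handling both posters describe, prefixing untrusted filenames with "file:" before they reach the command line, as an added example that is not part of the thread or of FFmpeg's code. The helper names and the scheme regex are assumptions of this sketch (the regex only approximates which strings get read as URLs), and the sample names other than "http://someserver.com" are constructed.

```python
import re

# Approximation (assumption): anything that starts like "scheme:" may be
# taken as a URL rather than a local file. Not FFmpeg's actual parser.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def classify(name):
    """Report how a bare command-line argument could be interpreted."""
    if name.startswith("-"):
        return "option"   # would be parsed as a switch, not a file
    if _SCHEME.match(name):
        return "url"      # would be handed to a protocol handler
    return "plain"


def as_file_url(name):
    """Force an untrusted filename to be opened as a local file."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Always prefix, even if the name already starts with "file:":
    # the goal is that the *whole* untrusted string is the path.
    return "file:" + name


def build_argv(untrusted_in, untrusted_out):
    """argv list for subprocess.run(argv); no shell is involved."""
    return ["ffmpeg", "-i", as_file_url(untrusted_in),
            as_file_url(untrusted_out)]


if __name__ == "__main__":
    # Constructed sample names, plus the one quoted in the thread.
    for n in ["clip.mp4", "http://someserver.com", "-report.mkv"]:
        print(f"{n!r:28} bare: {classify(n):6} -> {as_file_url(n)!r}")
```
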