[FFmpeg-devel] [PATCH] fftools/ffmpeg_ffplay_ffprobe_cmdutils: add -mask_url to replace the protocol address in the command with the asterisk (*)

"zhilizhao(赵志立)" quinkblack at foxmail.com
Mon Dec 19 16:51:21 EET 2022 


> On Dec 19, 2022, at 21:40, Marvin Scholz <epirat07 at gmail.com> wrote:
> 
> 
> On 19 Dec 2022, at 14:37, Nicolas George wrote:
> 
>> Marvin Scholz (12022-12-19):
>>> IIUC this means the `-mask_url` option has to be the first option passed,
>>> which seems a bit of an unfortunate requirement and is not documented at
>>> all, as far as I can see. So at least this should be clearly documented
>>> to prevent users being confused why the get an unrecognised option error
>>> when they do not pass it as the first option.
>> 
>> Indeed. And I see no reason to have this option processed specially like
>> that; it requires at least an explanation.
>> 
>>> I am a bit confused how this helps for the issue it tries to solve, as
>>> for some amount of time, until this is done, it would expose the full
>>> plaintext URL still, no?
>> 
>> This is unavoidable. Still, having sensitive information visible for a
>> fraction of a second is better than having sensitive information visible
>> for the length of a playback or transcoding process.
> 
> I agree, but then the docs should probably mention that to not give a false
> sense of absolute security here. And maybe note that it might
> be a better option to pass the password via stdin or hide the process
> from other users to completely avoid leaking the password.

We have options like ‘-password', ‘-key’, ‘-cryptokey' and so on. I prefer 
hide the entire argument lists if we accept this solution. I don’t know about
system administration, hidepid looks like a neat solution.
https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/

> 
>> 
>> Regards,
>> 
>> -- 
>>  Nicolas George
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel at ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> 
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".

More information about the ffmpeg-devel mailing list