[FFmpeg-devel] [FFmpeg-cvslog] fftools/graphprint: Now, make it a Killer-Feature!
softworkz .
softworkz at hotmail.com
Fri May 16 03:19:58 EEST 2025
> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces at ffmpeg.org> On Behalf Of Ramiro Polla
> Sent: Freitag, 16. Mai 2025 01:30
> To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
> Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] fftools/graphprint: Now, make it a
> Killer-Feature!
>
> On Fri, May 16, 2025 at 1:04 AM softworkz .
> <softworkz-at-hotmail.com at ffmpeg.org> wrote:
> > > From: ffmpeg-devel <ffmpeg-devel-bounces at ffmpeg.org> On Behalf Of Ramiro Polla
> > > Sent: Freitag, 16. Mai 2025 00:49
> [...]
> > > What about the user parsing the output from the cli, looking for a
> > > specific string (such as "graph file saved to [...]"), and opening
> > > that?
> >
> > How many users will do that? 0.00001%? And that's not necessary anyway,
> > you can already do
> >
> > ffmpeg -print_graphs -print_graphs_format mermaidhtml -print_graphs_file x.html
> >
> > But when you need that, you don't remember what exactly you need to
> > specify, and look it up and change the file name on each run and
> > launch the browser manually, etc.
> >
> > The reason for the title of this commit is because of adding a highly useful
> > method to get insights into what ffmpeg is doing which everybody can
> > remember and quickly add to a command line without needing to jump through
> > any hoops.
>
> I understand that very few users will remember the proper invocation
> off the top of their heads.
>
> <ChatGPT>
> But at the same time, a malicious user crafting a script, wrapper, or
> even just pasting shell commands into a terminal can absolutely be
> expected to find and exploit any flaw we introduce, especially if it's
> a call to system() with file paths involved. So while the feature is
> aimed at convenience for a large group of users, it also creates a
> non-trivial risk vector that a very small number of malicious users
> could exploit in subtle and damaging ways. And historically, these are
> exactly the kind of paths that get targeted over time.
> </ChatGPT>
This is just bla bla.
Please explain how you believe this could be exploited.
Thanks
sw