#5991: Design issue affecting security ------------------------------------+---------------------------------- Reporter: paulch | Owner: Type: defect | Status: new Priority: critical | Component: ffmpeg Version: git-master | Resolution: Keywords: | Blocked By: Blocking: | Reproduced by developer: 0 Analyzed by developer: 0 | ------------------------------------+---------------------------------- Comment (by michael): URLs for accessing files start with "file:" not with "http:" thus to open a local file with the name "http:localhost:1337.mov" would be done by {{{ ffmpeg -i "file:http:localhost:1337.mov" output.mov }}} This is documented in libavformat/avformat.h {{{ ... * URL strings in libavformat are made of a scheme/protocol, a ':', and a * scheme specific string. URLs without a scheme and ':' used for local files * are supported but deprecated. "file:" should be used for local files. * * It is important that the scheme string is not taken from untrusted * sources without checks. ... }}} I think the issue you describe depends on incorrect use of the APIs or command line tools. Also security issues should be discussed on ffmpeg-security@ffmpeg.org not on the public bug tracker. -- Ticket URL: <https://trac.ffmpeg.org/ticket/5991#comment:1> FFmpeg <https://ffmpeg.org> FFmpeg issue tracker