[FFmpeg-devel] [PATCH]Auto-detection for concat demuxer

Carl Eugen Hoyos cehoyos at ag.or.at
Sun Feb 3 13:02:35 CET 2013


Nicolas George <nicolas.george <at> normalesup.org> writes:

> On quintidi 15 Pluviôse, year CCXXI, Carl Eugen Hoyos wrote:
> > Sorry, but I both fail to understand how your version 
> > is less security-risky than mine and how misdetection 
> > is possible with my version.
> 
> Security: a script containing "file /path/to/sensible/data" would be
> rejected if it was automatically probed, it would only be accepted if the
> user specifies options, either "-safe 0" or explicitly "-f concat".

But this is only / mostly due to other patches, it is 
not related to 3/3 allow probing, or am I wrong?

> Misdetection: file is a very common word in English, especially when
> talking about computing. A lot of text files can have the word
> file in them, including at the beginning of lines. The string "ffconcat
> version 1.0", on the other hand, is not very common, the only reason a
> file would have it as its very first line would be that it is actually a
> file meant for the concat demuxer.

I believe you missed that my patch will not detect 
(all) files that start with "file " but only files 
that (start with "file " and) actually look like 
concat scripts.

> (Note: this very mail has thrice the "file " string at the beginning of
> lines, which would have it detected as a ffconcat script by your patch. The
> same is true for doc/muxers.texi.)

I don't think my patch would detect your mail.

> > I actually think that it is much easier to edit a real 
> > file that is currently correctly detected by FFmpeg to 
> > a file that is misdetected by your version than to make 
> > it a file that is misdetected with my patch.
> 
> I do not get your point here.

My point is that if misdetection plays any role here (I 
did not claim that) my patch has a significantly lower 
chance of leading to a misdetection than yours.
Or in other words: It is trivial to edit a valid file 
so it is still working with current FFmpeg and FFmpeg 
with my patch, but not with your patch, I don't think 
this is as easy for my patch (it is definitely possible 
but I have not yet found a file for which it actually 
does a misdetection).

I am not opposed to your patches, I just want to 
point out that I believe my probe patch has 
advantages.

Carl Eugen
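
Added example (not part of this mail, and not code from either patch or from FFmpeg): a C sketch of the two ideas argued above, a first-line signature probe next to a bare "file " keyword test, plus the rule that an auto-probed script is only accepted when its entries are conservative relative paths. The function names, the exact path rule and the sample inputs are assumptions made for illustration; the keyword test is deliberately naive and is not the probe from the patch discussed here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAGIC "ffconcat version 1.0"

/* Constructed sample inputs. */
static const char SCRIPT[] = "ffconcat version 1.0\nfile part1.mkv\nfile part2.mkv\n";
static const char PROSE[]  = "Notes on probing.\nfile is a very common word in English.\n";

/* Signature probe: the very first line must be exactly the magic string. */
int probe_magic(const char *buf) {
    size_t n = strlen(MAGIC);
    if (strncmp(buf, MAGIC, n) != 0) return 0;
    return buf[n] == '\n' || buf[n] == '\r' || buf[n] == '\0';
}

/* Naive keyword probe: true if any line starts with "file ". */
int probe_file_keyword(const char *buf) {
    const char *p = buf;
    while (p && *p) {
        if (strncmp(p, "file ", 5) == 0) return 1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* Assumed rule: relative path, [A-Za-z0-9_.-] only, no component starting with '.'. */
int path_is_safe(const char *path) {
    int start = 1; /* at the start of a path component */
    for (; *path; path++) {
        if (*path == '/') { if (start) return 0; start = 1; continue; }
        if (start && *path == '.') return 0;
        if (!isalnum((unsigned char)*path) && !strchr("_-.", *path)) return 0;
        start = 0;
    }
    return !start; /* rejects empty paths and trailing '/' */
}

/* Policy from the thread: explicit "-f concat" or "-safe 0" bypasses the check. */
int accept_entry(int auto_probed, int safe_off, const char *path) {
    if (!auto_probed || safe_off) return 1;
    return path_is_safe(path);
}

int main(void) {
    printf("magic: %d/%d keyword on prose: %d\n", probe_magic(SCRIPT), probe_magic(PROSE), probe_file_keyword(PROSE));
    return 0;
}
```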


