[FFmpeg-devel] [RFC][PATCH] configure: Disable unsafe demuxers by default

James Darnley james.darnley at gmail.com
Fri May 11 00:11:00 EEST 2018

On 2018-05-10 17:44, Derek Buitenhuis wrote:
> These demuxers have probes that mainly probe based on file extension,
> and map to codec IDs that render text as video. The result is that
> ffmpeg will, by default, happily render, for example, .txt files
> as images. This is not exactly a good security practice, and only
> makes it easier for potential attackers to gain the contents of
> system files.
> Disable building these by default.
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
> ---
> I've been hard disabling these at $dayjob for a long time, after some
> "interesting" upload attempts, but it should probably be done for
> everyone.
> I'm not overly attached to implementation details like the option name
> or whether it's done at build time or runtime, but I think the concept
> of "don't render arbitrary system text files" is an important one.
> ---

You web people already have options for the various annoying whitelists.
Is this not covered by one of them?

