[FFmpeg-devel] [PATCH] avfilter/image2: Add source file path and basename to each packet side data.

Alexandre Heitor Schmidt alexandre.schmidt at gmail.com
Thu Dec 26 16:11:43 EET 2019

 > About security
 > The file path can reveal a wide range of information like
 > The platform used,
 > The username,
 > A potentially writable location
 > And a lot more depending on how the directories are laid out
 > About privacy
 > The username is commonly related to the user's real name, that's
 > sensitive information
 > And a lot more depending on how the directories are laid out
 > consider a doctor's office might have directories which use the
 > patients' social security numbers in the path
 > The problem here is this is new metadata, the input never contained
 > this sensitive data but depending on what is done downstream with
 > it the output might contain this sensitive metadata
 > converting inputfile to outputfile shouldn't result in outputfile
 > containing sensitive information that wasn't in the input and that
 > the user did not explicitly ask to be added
 > To show why for example there's a privacy concern here, a slightly
 > unfunny hypothetical example:
 > A girl gets stalked by some guy online, she takes a screenshot of
 > the message the guy sent her on Facebook. And uploads that picture.
 > Sadly the picture contains her name, phone number and GPS coordinates
 > without her knowing.

I see your point. I just think that, if the user is generating an 
output, he has access to the input files and path. If he wants to use 
the input information, he can. If he doesn't want to use that 
information, he can just ignore it. Maybe I'm not able to see the 
whole picture.

 > About "That it won't be applied?"
 > I think the feature makes sense but it must be ensured that sensitive
 > data isn't added or leaking somewhere without the user's knowledge and
 > consent

The 'consent' here, in my opinion, is the freedom the user has to either 
use or not use the metadata. Or are you referring to cases where the 
input and output are not processed by the same person, such as in 
broadcast, streaming, etc.?

Anyway, if an extra flag for image2, to make it export or not export the 
path-related metadata, is necessary, it can be implemented.

