[FFmpeg-trac] #5991(ffmpeg:new): Design issue affecting security
FFmpeg trac at avcodec.org
Mon Dec 5 05:30:07 EET 2016
#5991: Design issue affecting security
------------------------------------+----------------------------------
Reporter: paulch | Owner:
Type: defect | Status: new
Priority: critical | Component: ffmpeg
Version: git-master | Resolution:
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
------------------------------------+----------------------------------
Comment (by michael):
URLs for accessing files start with "file:" not with "http:" thus to open
a local file with the name "http:localhost:1337.mov" would be done by
{{{
ffmpeg -i "file:http:localhost:1337.mov" output.mov
}}}
This is documented in libavformat/avformat.h
{{{
...
* URL strings in libavformat are made of a scheme/protocol, a ':', and a
* scheme specific string. URLs without a scheme and ':' used for local files
* are supported but deprecated. "file:" should be used for local files.
*
* It is important that the scheme string is not taken from untrusted
* sources without checks.
...
}}}
I think the issue you describe depends on incorrect use of the APIs or
command line tools.
Also security issues should be discussed on ffmpeg-security at ffmpeg.org not
on the public bug tracker.
--
Ticket URL: <https://trac.ffmpeg.org/ticket/5991#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
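
Added example, not part of the original message and not FFmpeg code: a Python wrapper that applies the "file:" rule from the comment above to untrusted local filenames before they reach the ffmpeg command line. The scheme regex is an approximation assumed for illustration, not libavformat's parser, and the function names and sample filenames are constructed.

```python
import re

# Assumption: a leading run of scheme characters followed by ':' is read
# as a scheme. This approximates, and is not, libavformat's own parsing.
_SCHEME = re.compile(r"^([A-Za-z0-9+.-]+):")


def parsed_scheme(arg):
    """Return the scheme a URL-aware tool would see in arg, or None."""
    m = _SCHEME.match(arg)
    return m.group(1).lower() if m else None


def local_file_url(name):
    """Turn an untrusted local filename into an explicit file: URL."""
    if not name or "\x00" in name:
        raise ValueError("unusable filename")
    # Always prefix, even when the name has no ':' today; the scheme is
    # then chosen by this code and never by the untrusted string.
    return "file:" + name


def build_argv(src, dst):
    """argv list for subprocess.run (no shell); both paths forced to file:."""
    return ["ffmpeg", "-i", local_file_url(src), local_file_url(dst)]


def audit(names):
    """Map raw names to the non-file scheme they would carry if unprefixed."""
    found = {}
    for n in names:
        scheme = parsed_scheme(n)
        if scheme not in (None, "file"):
            found[n] = scheme
    return found


# Constructed sample names; the second one is the name used in the ticket.
SAMPLES = ["holiday.mov", "http:localhost:1337.mov",
           "notes: final cut.mov", "-y.mov"]

if __name__ == "__main__":
    for name, scheme in audit(SAMPLES).items():
        print(f"{name!r} would be read with scheme {scheme!r} if unprefixed")
    print(build_argv("http:localhost:1337.mov", "output.mov"))
```
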