Re: [FFmpeg-devel] [PATCH] fftools/ffmpeg_ffplay_ffprobe_cmdutils: add -mask_url to replace the protocol address in the command with the asterisk (*)

Thu, 22 Dec 2022 15:14:24 -0800 


On Mon, 19 Dec 2022, "zhilizhao(赵志立)" wrote:





On Dec 19, 2022, at 21:40, Marvin Scholz <epira...@gmail.com> wrote:


On 19 Dec 2022, at 14:37, Nicolas George wrote:


Marvin Scholz (12022-12-19):

IIUC this means the `-mask_url` option has to be the first option passed,
which seems a bit of an unfortunate requirement and is not documented at
all, as far as I can see. So at least this should be clearly documented
to prevent users being confused why the get an unrecognised option error
when they do not pass it as the first option.


Indeed. And I see no reason to have this option processed specially like
that; it requires at least an explanation.


I am a bit confused how this helps for the issue it tries to solve, as
for some amount of time, until this is done, it would expose the full
plaintext URL still, no?


This is unavoidable. Still, having sensitive information visible for a
fraction of a second is better than having sensitive information visible
for the length of a playback or transcoding process.


I agree, but then the docs should probably mention that to not give a false
sense of absolute security here. And maybe note that it might
be a better option to pass the password via stdin or hide the process
from other users to completely avoid leaking the password.



We have options like ‘-password', ‘-key’, ‘-cryptokey' and so on. I prefer 
hide the entire argument lists if we accept this solution. I don’t know about

system administration, hidepid looks like a neat solution.
https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/



I am not a fan of this masking, because the false sense of security, docs 
or not. Does wget or curl mask its command line?



But I agree, if such "feature" is added, it should remove the whole 
command line. And the docs should point to real solutions, like hidepid.


Regards,
Marton
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".























					Reply via email to