On Sun, May 7, 2023 at 12:18 PM Michael Niedermayer <mich...@niedermayer.cc> wrote:
>
> On Sat, May 06, 2023 at 11:01:20AM -0700, Pierre-Anthony Lemieux wrote:
> > On Sat, May 6, 2023 at 6:25 AM Michael Niedermayer
> > <mich...@niedermayer.cc> wrote:
> > >
> > > It's unexpected that a .avi or other "standard" file turns into a playlist.
> > > The goal of this patch is to avoid this unexpected behavior and possible
> > > privacy or security differences.
> >
> > Per the IMF specification, a CPL can have any extension or, in fact,
> > no extension. The latter is routinely used.
>
> is there a restriction on the URL/URIs used in it?
> that is in practice, can they be restricted to the same server,
> child directories, or some other restriction?

Below is a brief overview of the linkage between the various components of an IMF composition:

- the Composition Playlist (CPL) is the file that is passed to FFMPEG as input (-i)
- the CPL is an XML document and defines a playlist
- each of the components that make up the playlist is identified by a UUID, i.e. the CPL does not contain file paths/URLs.
- the mapping between UUIDs and URLs is done through separate XML files called Asset Maps. Paths to Asset Maps can be provided explicitly through the "-assetmaps" argument, otherwise FFMPEG looks for a file called "ASSETMAP.xml" in the same directory as the CPL file.
- according to the standard, all URLs in each Asset Map are relative to the location of the Asset Map, and thus the CPL and the Asset Map have the same origin
- some applications have relaxed this constraint and allowed absolute URLs in the Asset Map

What is the threat scenario? Is the concern that a malicious actor provides a CPL and Asset Map from origin A that makes malicious requests to a different origin B?

>
> thx
>
> [...]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
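
A check for the constraint described in the message above (every Asset Map URL relative to the Asset Map's own location), as an added example that is not FFmpeg's code and not part of the thread. The element names are assumed from the SMPTE ST 429-9 Asset Map schema, the function names are hypothetical, and the sample document is constructed.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed sample Asset Map; UUIDs, hosts and paths are invented for illustration.
SAMPLE_ASSETMAP = """\
<AssetMap xmlns="http://www.smpte-ra.org/schemas/429-9/2007/AM">
  <AssetList>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000001</Id>
      <ChunkList><Chunk><Path>video/track1.mxf</Path></Chunk></ChunkList></Asset>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000002</Id>
      <ChunkList><Chunk><Path>http://origin-b.example/audio.mxf</Path></Chunk></ChunkList></Asset>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000003</Id>
      <ChunkList><Chunk><Path>sub/%2e%2e/../subs.mxf</Path></Chunk></ChunkList></Asset>
    <Asset><Id>urn:uuid:00000000-0000-4000-8000-000000000004</Id>
      <ChunkList><Chunk><Path>/srv/media/extra.mxf</Path></Chunk></ChunkList></Asset>
  </AssetList>
</AssetMap>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def classify_path(path):
    """Return 'relative' if the path stays under the Asset Map directory, else the reason."""
    parts = urlsplit(path.strip())
    if parts.scheme or parts.netloc:          # http://..., file://..., //host/...
        return "absolute-url"
    decoded = unquote(parts.path)             # catch percent-encoded dot segments
    if decoded.startswith("/"):
        return "absolute-path"
    norm = posixpath.normpath(decoded)        # collapse a/../.. style traversal
    if norm == ".." or norm.startswith("../"):
        return "escapes-directory"
    return "relative"

def audit_assetmap(xml_text):
    """List (asset id, path, reason) for every chunk Path that is not plainly relative."""
    findings = []
    for asset in ET.fromstring(xml_text).iter():
        if local(asset.tag) != "Asset":
            continue
        uuid = next(((e.text or "").strip() for e in asset if local(e.tag) == "Id"), "?")
        for e in asset.iter():
            if local(e.tag) == "Path":
                reason = classify_path(e.text or "")
                if reason != "relative":
                    findings.append((uuid, (e.text or "").strip(), reason))
    return findings
```

Running `audit_assetmap` over an Asset Map before handing the CPL to a player shows which entries rely on the relaxed behaviour (absolute URLs) rather than the same-origin layout the standard describes.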