On 31.05.2017 15:42, wm4 wrote:
> On Wed, 31 May 2017 14:49:19 +0200
> Michael Niedermayer <mich...@niedermayer.cc> wrote:
>
>> [...]
>>
>> Security fixes should be as simple as possible.
>
> Well, your fix isn't simple. It adds yet another exception with
> questionable effect. It makes it more complex and harder to predict
> what will actually happen, not simpler.
>
>> If people want, I can limit the local file check to the case where
>> the io_open callback is not set?
>> That way user applications which do their own sanitation would not be
>> affected by the check or error message and stay in full control of
>> what access is allowed.
>
> That would have little value and would make it more complex too.
>
> I'd say a good way to make this secure would be disabling the hls
> protocol in builds which are security sensitive.

We already have "protocol_whitelist", --disable-protocol and application sandboxing as supported and generic options. I agree with wm4 that some special-case handling here just adds complexity.

> In general there doesn't seem to be a good way. Feel free to prove me
> wrong. (I tried something similar, but in addition to the security vs.
> convenience tradeoff, it just didn't work.)

Regards,
Tobias

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
