On Tue, Dec 14, 2021 at 2:31 AM Anton Khirnov <an...@khirnov.net> wrote:
>
> Quoting p...@sandflow.com (2021-12-13 06:43:35)
> > From: Pierre-Anthony Lemieux <p...@palemieux.com>
> >
> > Signed-off-by: Pierre-Anthony Lemieux <p...@palemieux.com>
> > ---
> >
> > Notes:
> >     The IMF demuxer accepts as input an IMF CPL. The assets referenced by the CPL can be
> >     contained in multiple deliveries, each defined by an ASSETMAP file:
> >
> >     ffmpeg -assetmaps <path of ASSETMAP1>,<path of ASSETMAP>,... -i <path of CPL>
> >
> >     If -assetmaps is not specified, FFMPEG looks for a file called ASSETMAP.xml in the same directory as the CPL.
> >
> >     EXAMPLE:
> >         ffmpeg -i http://ffmpeg-imf-samples-public.s3-website-us-west-1.amazonaws.com/countdown/CPL_f5095caa-f204-4e1c-8a84-7af48c7ae16b.xml out.mp4
> >
> >     The Interoperable Master Format (IMF) is a file-based media format for the
> >     delivery and storage of professional audio-visual masters.
> >     An IMF Composition consists of an XML playlist (the Composition Playlist)
> >     and a collection of MXF files (the Track Files). The Composition Playlist (CPL)
>
> As far as I can tell, nothing enforces that the files opened are
> actually MXF. Perhaps that should be done. Otherwise I can imagine at
> least the danger of recursion.

Addressed by v11 of the patchset.

Track Files are now constrained to "mxf".

>
> More generally, I am somewhat concerned about the security implications
> of all this. From a brief glance at the patch, the demuxer just opens
> whatever arbitrary URLs it finds in the asset maps. Have you considered
> what undesirable effects (like information leaks) this might have?

The ASSETMAP file, where the demuxer finds the URLs of the Track
Files, is an integral part of an IMF delivery and is assumed to be
trusted. This is typically achieved by retrieving the ASSETMAP over a
trusted channel, e.g. HTTPS to a trusted server or on a trusted local
drive, etc.

>
> --
> Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
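
For a deployment that cannot assume a trusted ASSETMAP, the concern raised in the thread (the demuxer opening whatever URLs the asset map lists) can be narrowed by checking each asset location before it is opened. The following is an added example, not code from the patchset or from FFmpeg; `check_asset_uri` and its policy (relative references only, no parent-directory segments) are hypothetical, and the input is assumed to be already percent-decoded.

```c
#include <ctype.h>
#include <string.h>

enum uri_verdict {
    URI_OK = 0, URI_EMPTY, URI_HAS_SCHEME, URI_ABSOLUTE_PATH, URI_TRAVERSAL
};

/* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" */
static int has_scheme(const char *s)
{
    if (!isalpha((unsigned char)*s))
        return 0;
    while (isalnum((unsigned char)*s) || *s == '+' || *s == '-' || *s == '.')
        s++;
    return *s == ':';
}

/*
 * Hypothetical policy: accept only references that resolve underneath the
 * directory holding the ASSETMAP. Assumes uri is already percent-decoded.
 */
enum uri_verdict check_asset_uri(const char *uri)
{
    const char *seg = uri;

    if (!uri || !*uri)
        return URI_EMPTY;
    if (has_scheme(uri))              /* http:, file:, urn:, "C:\..." */
        return URI_HAS_SCHEME;
    if (uri[0] == '/' || uri[0] == '\\')
        return URI_ABSOLUTE_PATH;     /* also covers "//host/path" */

    /* Walk the path segments and refuse any ".." (conservative: a "..")
     * that would stay inside the directory is refused as well). */
    while (*seg) {
        size_t len = strcspn(seg, "/\\");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return URI_TRAVERSAL;
        seg += len;
        if (*seg)
            seg++;                    /* skip the separator */
    }
    return URI_OK;
}
```

A caller would run this on every asset location before resolving it against the ASSETMAP's base and skip or fail on any verdict other than `URI_OK`.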