Quoting Michael Niedermayer (2023-05-02 23:15:46)
> the problem with default-disabled is that the user needs to know
> 1. that the option exists
> 2. what the option does
> 3. what an attacker can do with such urls
> 4. that it's not enabled by default
>
> OTOH if it's enabled by default, the worst it can do is fail with an error
> the user can look up the error and disable the option
>
> but I may be missing something here, also comments both from people
> who regularly work with hls and anything else containing urls in files
> and also people who dealt with any related attacks are welcome.
>
> The goal is that this actually does something useful in reality.

This changes behavior in an incompatible way, so IMO this should happen
on a major bump. There should also be a note in the changelog.

Perhaps there could be a special 'auto' value that would initially
default to no effect, but would print a warning if a URL would stop
working after the bump.

-- 
Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".