On Thu, 23 Jan 2025, 00:11 Michael Niedermayer, <mich...@niedermayer.cc> wrote:
> Hi Kieran
>
> On Wed, Jan 22, 2025 at 10:47:52PM +0000, Kieran Kunhya via ffmpeg-devel wrote:
> > On Wed, 22 Jan 2025, 20:36 Michael Niedermayer, <mich...@niedermayer.cc> wrote:
> >
> > > This blocks disallowed extensions from probing
> > > It also requires all available segments to have matching extensions to the format
> > > mpegts is treated independent of the extension
> >
> > Potentially this is a stupid question but what stops an attacker from
> > faking the extension?
>
> How would he fake the extension?
>
> The attacker generally wants to access a sensitive file, maybe one in
> /etc or maybe .ssh with something like the tty demuxer / ansi decoder
>
> Let's pick /etc/passwd as a specific example

Is there no control character they can use to fake the extension potentially?

As an aside, why is this CVE from 2023 being fixed now?

Kieran