On 5/10/18, Derek Buitenhuis <derek.buitenh...@gmail.com> wrote: > These demuxers have probes that mainly probe based on file extension, > and map to codec IDs that render text as video. The result is that > ffmpeg will, by default, happily render, for example, .txt files > as images. This is not exactly a good security practice, an only > makes it easier for potential attackers to gain the contents of > system files. > > Disable building these by default. > > Signed-off-by: Derek Buitenhuis <derek.buitenh...@gmail.com> > --- > I've been hard disabling these at $dayjob for a long time, after some > "interesting" upload attempts, but it should probably be done for > everyone. > > I'm not overly attached implementaion details like the option name > or whether it's done at build time ot runtime, but I think the concept > of "don't render arbitrary system text files" is an important one. > --- > Changelog | 1 + > configure | 7 +++++++ > tests/fate.sh | 1 + > 3 files changed, 9 insertions(+) > > diff --git a/Changelog b/Changelog > index d442ced..e3f8e83 100644 > --- a/Changelog > +++ b/Changelog > @@ -6,6 +6,7 @@ version <next>: > - tmix filter > - amplify filter > - fftdnoiz filter > +- unsafe demuxers that render text files now disabled by default >
Against. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
