On Tue, Sep 11, 2018 at 11:31:23PM +0200, Carl Eugen Hoyos wrote: > 2018-05-12 18:33 GMT+02:00, Michael Niedermayer <mich...@niedermayer.cc>: > > Iam not sure if this is a good idea or not but it may make some > > attacks harder. So throwing this out for discussions ... > > I am definitely not objecting but I doubt that this patch can make > any attack harder.
files ending with the .txt extension which are not multimedia files contain some other posibly sensitive data. If an attacker can control the input path for ffmpeg and nothing else then being able to read txt files allows leaking the content to the attacker generally. We had bugs that allowed the attacker to control the input path in some cases. So this pre-requesite has evidence for past occurance. We surely can leave txt in the list if people prefer. This is not a clear case of what is better. Its not a true "its buggy and this fixes it" case rather a "this is a steping stone an attacker might find useful in some case of unknown propability" > The main "advantage" of the patch imo is that it stops FFmpeg > from decoding txt files. > > Carl Eugen > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No snowflake in an avalanche ever feels responsible. -- Voltaire
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
