On 21.07.2014 21:20, Nicolas George wrote:
> On tridi 3 thermidor, year CCXXII, Tom Evans wrote:
>> Shell'ing to run ffprobe gets you the same data; using software with
>> known exploits is much more insecure than making sure you correctly
>> escape filenames.
>
> And it is even better to make sure not to _need_ to escape filenames

that was not the question

the question is between using known insecure software where *every* input file could lead to code execution or escaping filenames

using *knowingly insecure* software in environments where users can submit input files is just stupid

you have two choices:

* update and find a solution for your needs
* don't offer a specific service if you can't do it securely
_______________________________________________
ffmpeg-user mailing list
[email protected]
http://ffmpeg.org/mailman/listinfo/ffmpeg-user
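The two options contrasted in the quoted text, escaping file names for a shell versus not needing to escape them, shown as an added example that is not part of the original thread. The helper names (`ffprobe_argv`, `probe`, `roundtrip`, `shell_command`) and the sample file name are assumptions made for illustration; `roundtrip` uses a harmless Python child process instead of ffprobe so the argument handling can be checked without ffprobe installed.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample: an uploaded file name carrying shell metacharacters.
HOSTILE = 'clip; echo injected $(id) "x".mp4'

def ffprobe_argv(path):
    """Build the argument vector for ffprobe (hypothetical helper).

    The "file:" prefix forces the file protocol, so a name that starts
    with "-" or contains ":" is not read as an option or a protocol.
    """
    return ["ffprobe", "-v", "error", "-print_format", "json",
            "-show_format", "-show_streams", "-i", "file:" + path]

def probe(path, timeout=30):
    """Run ffprobe without a shell and return its parsed JSON output."""
    done = subprocess.run(ffprobe_argv(path), capture_output=True,
                          text=True, check=True, timeout=timeout)
    return json.loads(done.stdout)

def roundtrip(name):
    """Pass name to a harmless child process the same way probe() would,
    and return what the child saw as its argument."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", name]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return done.stdout

def shell_command(path):
    """The escaping alternative from the thread: one quoted command string."""
    return " ".join(shlex.quote(arg) for arg in ffprobe_argv(path))

if __name__ == "__main__":
    # No shell parses the argument list, so the name arrives byte for byte.
    print(roundtrip(HOSTILE) == HOSTILE)
    # Only needed when a shell is unavoidable; every argument must be quoted.
    print(shell_command(HOSTILE))
```

Neither variant addresses the other half of the thread: an ffprobe build with known exploits still parses the file contents, so the argument handling only removes the injection path through the file name.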
