Quoting p...@sandflow.com (2021-12-13 06:43:35)
> From: Pierre-Anthony Lemieux <p...@palemieux.com>
> 
> Signed-off-by: Pierre-Anthony Lemieux <p...@palemieux.com>
> ---
> 
> Notes:
>     The IMF demuxer accepts as input an IMF CPL. The assets referenced by the CPL can be
>     contained in multiple deliveries, each defined by an ASSETMAP file:
>     
>     ffmpeg -assetmaps <path of ASSETMAP1>,<path of ASSETMAP>,... -i <path of CPL>
>     
>     If -assetmaps is not specified, FFMPEG looks for a file called ASSETMAP.xml in the same directory as the CPL.
>     
>     EXAMPLE:
>         ffmpeg -i http://ffmpeg-imf-samples-public.s3-website-us-west-1.amazonaws.com/countdown/CPL_f5095caa-f204-4e1c-8a84-7af48c7ae16b.xml out.mp4
>     
>     The Interoperable Master Format (IMF) is a file-based media format for the
>     delivery and storage of professional audio-visual masters.
>     An IMF Composition consists of an XML playlist (the Composition Playlist)
>     and a collection of MXF files (the Track Files). The Composition Playlist (CPL)

As far as I can tell, nothing enforces that the files opened are
actually MXF. Perhaps that should be done. Otherwise I can imagine at
least the danger of recursion.

More generally, I am somewhat concerned about the security implications
of all this. From a brief glance at the patch, the demuxer just opens
whatever arbitrary URLs it finds in the asset maps. Have you considered
what undesirable effects (like information leaks) this might have?

-- 
Anton Khirnov
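
The two checks raised in the reply above, sketched as an added example (not code from the patch or from FFmpeg): confine asset paths taken from an ASSETMAP to relative paths below its directory, and require the MXF header partition pack key before handing a file to a demuxer, so a CPL or other non-MXF file listed as an asset is refused. The function names and the confinement policy are hypothetical, and the path is assumed to be percent-decoded already.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* First 14 bytes of the SMPTE 377 header partition pack key (KLV). */
static const uint8_t mxf_header_key[14] = {
    0x06, 0x0e, 0x2b, 0x34, 0x02, 0x05, 0x01, 0x01,
    0x0d, 0x01, 0x02, 0x01, 0x01, 0x02
};

/* Hypothetical policy: an asset path from an ASSETMAP is accepted only if it
 * is a relative path that stays below the ASSETMAP's own directory.
 * Returns 1 if accepted, 0 if rejected. */
int asset_uri_is_confined(const char *uri)
{
    const char *p = uri;

    if (!uri || !*uri || uri[0] == '/' || uri[0] == '\\')
        return 0;                       /* empty or absolute path */
    /* A ':' before the first '/' means a scheme (http:, file:, concat:)
     * or a drive letter; neither is a plain relative path. */
    for (; *p && *p != '/'; p++)
        if (*p == ':')
            return 0;
    /* Reject every ".." path component; '\\' counts as a separator too. */
    for (p = uri; *p; ) {
        size_t n = strcspn(p, "/\\");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
        if (*p)
            p++;
    }
    return 1;
}

/* Returns 1 if the header partition pack key occurs in the first len bytes.
 * The scan allows for the optional run-in that may precede the key. */
int buffer_looks_like_mxf(const uint8_t *buf, size_t len)
{
    size_t i;

    for (i = 0; i + sizeof(mxf_header_key) <= len; i++)
        if (!memcmp(buf + i, mxf_header_key, sizeof(mxf_header_key)))
            return 1;
    return 0;
}
```

A caller would run the path check on every asset entry before opening anything, then read the first bytes of the opened file and apply the signature check before selecting a demuxer.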