On Tue, May 09, 2023 at 09:35:09AM +0200, Tobias Rapp wrote: > On 09/05/2023 08:19, Anton Khirnov wrote: > > > Quoting Michael Niedermayer (2023-05-09 00:35:08) > > > On Mon, May 08, 2023 at 04:05:40PM +0200, Tobias Rapp wrote: > > > > [...] > > > > DASH is usually transferred over HTTP where file extensions are of minor > > > > interest, the relevant type information is in the Mime-Type header. > > > would anyone be opposed to return 0 from dash_probe() when > > > both the mime_type and the extension are wrong ? > > I would. > > > > probe() is for probing, not implementing security policies. IMO trying > > to fix security issues at the wrong layer will only lead to more > > confusion, more complexity, and LESS security. > > I agree that probing should be unrelated to the actual format selection > policy. >
> > > example: a crafted image.jpeg uploaded somewhere is played as dash. > > > or am i missing something that would stop that ? > The player application could exclude the dash format (and other playlist > formats) from the format_whitelist I guess? That would push the problem down to every application which is really not a very good solution Its even worse because every player than needs to also know which format is a playlist format. Including all future ones and then also if the user minds them being disabled completely thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB "You are 36 times more likely to die in a bathtub than at the hands of a terrorist. Also, you are 2.5 times more likely to become a president and 2 times more likely to become an astronaut, than to die in a terrorist attack." -- Thoughty2
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
