On Wednesday 13 January 2016 19:29:40 Luca Barbato wrote: > On 13/01/16 18:46, Rémi Denis-Courmont wrote: > > How and to whom? I fail to see a bug. > > In a moderately convoluted way one can upload a m3u8 that references to > the concatenation of a playlist and the file you want to leak
That "leaks" the file to the local user that has read access to it. In other words, it does not leak anything. Or if you want to call that a leak, then a playlist can also "leak" any local file using a file URI, so long as avformat recognizes the file format. Or an Intranet resource using http/https/ftp/ftpes/ftps URI. Etc. So you need to blacklist all protocols (or almost). -- Rémi Denis-Courmont http://www.remlab.net/ _______________________________________________ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel
