[libav-devel] [PATCH] hls: Add a blacklist option

Rémi Denis-Courmont remi at remlab.net
Sat Jan 16 15:32:34 CET 2016


On Wednesday 13 January 2016 18:14:16 Luca Barbato wrote:
> concat can be abused to leak local file contents as a URL parameter.

I have now managed to reproduce the problem, and can indeed confirm that there
is a real problem. However, this patch does not fix it because the issue is not
specific to HLS.

I would suggest either:
1) removing concat completely, or
2) ignoring the concat locator string, and passing the list of concatenated 
URIs through AV options (similarly to what VLC does).

-- 
Rémi Denis-Courmont
http://www.remlab.net/


