[libav-devel] [PATCH] hls: Add a blacklist option
remi at remlab.net
Sat Jan 16 15:32:34 CET 2016
On Wednesday 13 January 2016 18:14:16 Luca Barbato wrote:
> concat can be abused to leak local file contents as url parameter.

I now managed to reproduce the problem, and indeed confirm that there is a
real problem. However, this patch does not fix it because the issue is not
specific to HLS.

I would suggest either:
1) removing concat completely, or
2) ignoring the concat locator string, and passing the list of concatenated
URIs through AV options (similarly to what VLC does).