Comment by LeoPanthera

2 years ago

…by sending your request to the ChatGPT API and then executing the result.

What could possibly go wrong?

But it has "security"

    assert(ffmpeg_command.startswith("ffmpeg"))
    assert(";" not in ffmpeg_command)
    assert("|" not in ffmpeg_command)

:D

Surely there's no way to avoid those checks... /s

  • > assert(";" not in ffmpeg_command)

    Well that just made it considerably less useful given that ; is the delimiter in ffmpeg filtergraphs.

    Also it doesn't defend against && || \n etc.

    Invoking an untrusted string with sh (through os.system()) is kind of a facepalm when you can easily shlex and posix_spawn it.
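Added example, not written by any commenter in this thread or by the project under discussion: the three quoted checks next to the argv-based approach the last reply suggests, with `subprocess.run` on a list standing in for `posix_spawn`. The function names and sample strings are constructed for illustration.

```python
import shlex
import subprocess

def page_checks(cmd: str) -> bool:
    """The three asserts quoted in the thread, expressed as one boolean."""
    return cmd.startswith("ffmpeg") and ";" not in cmd and "|" not in cmd

def to_argv(cmd: str) -> list:
    """Split with POSIX quoting rules only; no shell ever interprets the text."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "ffmpeg":
        raise ValueError("refusing to run: program is not exactly 'ffmpeg'")
    return argv

def run(cmd: str, dry_run: bool = True):
    """Return the argv (dry run) or execute it directly, without sh."""
    argv = to_argv(cmd)
    if dry_run:
        return argv
    # A list argv with the default shell=False is handed straight to exec,
    # so "&&", ";" and newlines are plain argument bytes, not operators.
    return subprocess.run(argv, check=False)

# Constructed sample strings (hypothetical model output).
SAMPLES = [
    "ffmpeg -i in.mp4 out.webm",
    "ffmpeg -i in.mp4 -filter_complex '[0:v]split[a][b];[a][b]hstack' out.mp4",
    "ffmpeg -i in.mp4 out.mp4 && echo chained",
    "ffmpeg -i in.mp4 out.mp4\necho second-line",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"checks pass: {page_checks(s)!s:5}  argv: {run(s)}")
```

With argv execution the filtergraph containing `;` is usable again, while the chained and multi-line samples collapse into extra literal arguments to a single `ffmpeg` process.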