Comment by ajsnigrutin
2 years ago
But it has "security"
assert(ffmpeg_command.startswith("ffmpeg"))
assert(";" not in ffmpeg_command)
assert("|" not in ffmpeg_command)
:D
Surely there's no way to avoid those checks... /s
> assert(";" not in ffmpeg_command)
Well that just made it considerably less useful given that ; is the delimiter in ffmpeg filtergraphs.
Also it doesn't defend against && || \n etc.
Invoking an untrusted string with sh (through os.system()) is kind of a facepalm when you can easily shlex and posix_spawn it.
So what kind of scenario do you have in mind?
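
The approach the reply above describes (split with shlex, then spawn without a shell), as an added example that is not part of the thread. It uses `subprocess.run` with an argument list in place of `os.posix_spawn`; the function names and the sample command are constructed for illustration.

```python
from __future__ import annotations

import shlex
import subprocess


def build_ffmpeg_argv(ffmpeg_command: str) -> list[str]:
    """Split a command string into argv without ever involving a shell."""
    argv = shlex.split(ffmpeg_command)  # POSIX quoting rules, no expansion
    # Exact match on the program name instead of a string-prefix test.
    if not argv or argv[0] != "ffmpeg":
        raise ValueError("command must invoke ffmpeg")
    return argv


def run_ffmpeg(ffmpeg_command: str, timeout: float = 600.0) -> subprocess.CompletedProcess:
    """Execute ffmpeg directly; with a list argv no shell parses the string."""
    argv = build_ffmpeg_argv(ffmpeg_command)
    return subprocess.run(argv, shell=False, capture_output=True,
                          timeout=timeout, check=False)


# Constructed sample: a filtergraph that legitimately uses ';' as its delimiter.
SAMPLE = ('ffmpeg -i in.mp4 -filter_complex '
          '"[0:v]split[a][b];[a]hflip[c];[b][c]hstack" out.mp4')

if __name__ == "__main__":
    for arg in build_ffmpeg_argv(SAMPLE):
        print(repr(arg))
    # Shell operators are not special here: they arrive as plain argument strings.
    print(build_ffmpeg_argv("ffmpeg -i in.mp4 out.mp4 && echo done"))
```

This removes shell interpretation only; which files and protocols ffmpeg opens is still decided by the arguments themselves.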