From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTPS id B9DE64CDDC for ; Wed, 28 May 2025 15:25:00 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 5C7F268D94B; Wed, 28 May 2025 18:24:51 +0300 (EEST) Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10olkn2043.outbound.protection.outlook.com [40.92.40.43]) by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 7BA8B68D903 for ; Wed, 28 May 2025 18:24:49 +0300 (EEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ykXmMVCUc+jE8msuat0dKNZBqHCVB8pGuzBos6+XTNMeEEFRH2VkRy+2TTeOL3W+FTxsIQLKGwTSsjFFtdqCKtPdkxqhc947JCswL25nqVw9AGbOZdL49poy6Ge12hMHgV1lMc2ExBVGdDMyr+P7V32uB0fh4nNdUy5s764LY9r2sRp+cp++RdUAg8Su1OMh4aUaIj+4ZopVrNc32C6tocgFw/CgX732tbQcQZXmHsnlKVSgN3nNXcVasXR4jURUdRV7PGxvP95M0oTDihxVbVhMxqoJMXPXQDFwTKrd0Wn16G+i7w6pxX7vv5+zn6km1g7SDIF3JtElWu7rTUwSxQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kSubmEIrn7PE8jCaSF+tEl5BQtELqodrAdQ2OBHkuVA=; b=Wag9ka7ALL8SRIWrtOl2n4xYV8NyAMNdZ8U0m10h+olcpxlx5EckETutrpltYw3r8x0NHzroRB9H/DEam44QKgYLVSA4nSZlIODehR5HlQnF4XvDCSLmrGTlyqvGmo9PCvp/M9LOUrnEX3Qjr0zG/VFbF0Y1YT8Iqu49AsVAIsh1XouecuJQ29dmF6t4/BwlGeOab4S0s6Q57vnSStMqvuaA+kjGLxR/DlSVlZa59woRb6OOdH0QEGQnRz99EfZ9vzwkmS+xEYFpjRTyvq6c7RQ4hX6VgZyM+CjTDZY5oZkVNqIzEcJfULZan4pGPV7L5D+scznvH8kcArVreGzilg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kSubmEIrn7PE8jCaSF+tEl5BQtELqodrAdQ2OBHkuVA=; b=hXgUedVcYhI3kbIugDMnYAEv1QlhCZPxSFjw7W4Gn0ECEVYQAqLjiHyRNmPZRpKe3vqQzzc0PK8H7GtC2oOyZ8s5o+9GZSCGan4V7D13zTN5HmS8TpUmrcRty0V+u7MBD54uFZ6ryMcrW2neWiVJrkfyzngIPyfAd9tQk7vu5/AG7gpgQLQKLfIgbYi9gUJ9brj6yNdEeLNAp53pyymK90yghXG7V7Pb/1T+afrqTkAzHxauBpuXT0iYRfou5WY802EUIXNOvdg8xlRbBA3lIPolAROcmvVo5sj0AUoi266oy2PFsRb/RFyo6ECnxzXMb6vuzp1hDIXWcCe4nJQNVA== Received: from DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM (2603:10b6:8:b::20) by DS7P223MB0408.NAMP223.PROD.OUTLOOK.COM (2603:10b6:8:84::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8769.29; Wed, 28 May 2025 15:24:46 +0000 Received: from DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM ([fe80::bf09:8e9:b07f:98a7]) by DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM ([fe80::bf09:8e9:b07f:98a7%4]) with mapi id 15.20.8769.025; Wed, 28 May 2025 15:24:46 +0000 From: "softworkz ." To: FFmpeg development discussions and patches Thread-Topic: The "bad" Patch Thread-Index: AdvP5A/caz+BEOrrT3qQ8MYT/a5IsA== Date: Wed, 28 May 2025 15:24:46 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-publictraffictype: Email x-ms-traffictypediagnostic: DM8P223MB0365:EE_|DS7P223MB0408:EE_ x-ms-office365-filtering-correlation-id: 94387a9a-3b16-4e3f-9c62-08dd9dfbc75b x-ms-exchange-slblob-mailprops: q6Zzr5Fg03FXVRqeIIRcm724TWS4ubSwYfkuTx9ZiSSS3VCgjlunGZm5Qrix4wjWgtN/0pcd24vw2yRMQ0UFsYUAkv66cQJOkTxuTcsn/W5iNaIkU8NUrOiDvTEW3+EGwdEO4Kyk5flLRcGJlK7U9cOrhs0gK4KFrat/qrxaMOkvxKc+MvTo9/nWQe9dXVxAfHXkhFFUZWwb7gDEm2jGE1niJ2GYdl5oeW0JMPjeOnnDVc4Fdan92bpTWMu6h+tzLv4kvkRTNZLEIS5F6/o0sJDVjQbBemiSeNcAD7V/VdVO5m+RRWrqxwldJCgC6YLZyn1LOTlxvg6tFzI5xJ8RdsCVlVOwKaeRpmfJSK7r7IAjCDMOkoXbjPwb/03JKKiwFNjEEqLZwX9Faf06xnGTfZmy0StrIRVkLhi1mLfw/4pP+IeS8Ya/Mz1jBIa4t+IE2kL/oJPj+N6irDb4f23w61n7myhLkOTB2VXqYpcYeSyhtCznScGE1sxwsRlsDEIAGuw4jF+yzH5xYA9vWlLIbGR6auRC+iFwEjuo1rYPOwZJ18uQqPgmOXXCNOWR8q29tHwj/YF0ULl9L9IXXVYaM13J6Vl0xw+VglBllJgEjH8AasecF0Grx+8bTvhngkDAeTo1ovpFWDjmJo9AVJmWek7JBzf2KsNIHCGWfqjN6hDcDwZEJ3PpoZuWd3S0bT1v x-microsoft-antispam: BCL:0; ARA:14566002|41001999006|8060799009|8062599006|19110799006|15080799009|7092599006|461199028|3412199025|440099028|18061999006|30101999003|102099032; x-microsoft-antispam-message-info: =?us-ascii?Q?uq2gIHJmcYhlRP5YmpxXIMg6ZYFK2BImPsYFSJiVIUajLoeTtoC4tgvsf0ar?= =?us-ascii?Q?knY0ZBSASU9B7oE/vyFGFZEX9cLDoVlxALTg79gtLtKni54Gtv3aq/GP24u9?= =?us-ascii?Q?yoDcVzjprpDPnLCs+iXGVjkupWmQ/nN3yEtFhai+gE7kd9YSYpfzKJQMyEsF?= =?us-ascii?Q?mkbFIu9E45IImhCueDKP4XMlh1FYgQGPrb86nyv0FIVe4j8P1Ed08k6ZtfdM?= =?us-ascii?Q?t1XgLrQp6VqOjwleMVkZyl6V9ZrukHg4FaleL/v0hHC1Pq6CAuGaVDCIk+0h?= =?us-ascii?Q?w5cP1t79P2r/K520P09SGKoXMNwCYPotYtQna955Gkg4kedzSKb+n+fsiEXU?= =?us-ascii?Q?OWGPhO4ToUhJ9A/YH8viJCDE0bYCk8d6vIWFZIogqw4Vzsdd7aIuLQDi70Kc?= =?us-ascii?Q?HP8Xy9+ThlCfoedycfNZ4guCP/ok+YTnayarqLtHRJ4S+S6/P88Om83wLnbL?= =?us-ascii?Q?aUjkjJQzHpyvucZwVdEz3unxRF/Uy26OdKRv3HMsc77o0W/fqXLaZcGxfJz3?= =?us-ascii?Q?S29kf+bWFjDwlF2Pchpy1wONJFSc7EoBqxNpbSaSRS20ZWVzZGm0kun4wmmh?= =?us-ascii?Q?6WyilPh4mYLz675tr/n4bUwbEGDDRiN5/QKFWbk7kpF5/zPj0EsOXmzOb8+w?= =?us-ascii?Q?QAVXhaROLEmx6bqOsgnEOt9KTpt9/jzu7koXSP7oBsJMUeQamEsWqefAwRd+?= =?us-ascii?Q?QAEronS3rYDwcYh8GqZlHOfnEtRpGznp8HnUwQlh56iZ5sgXdkJRq2LCsVXq?= =?us-ascii?Q?zESOOrTEsa85rdpzfy1O8y1d8ZodiP+f3Z8c8qQTFZIjLR+4HYtEYo7ZrSPe?= =?us-ascii?Q?trwWAkKbASzKLetmGv//lOgTUlvSWopHmvRdlJw9SSfmpUy/7U8iOvGcN+AK?= =?us-ascii?Q?BNlm1SOO5holxblbtsnYcx2ojqCmtyDmJ2tzGNaOu0LxwiwkINtHEV0UH2VL?= =?us-ascii?Q?3FrGAAOL/cgAAHYy7tilAYhMj1BTm75IGSCk9NtWdMX+8llVQHeuTB1iw0YP?= =?us-ascii?Q?pLSe7eMOdMcs/CsB2CdmLdDSoN9iBGPty9+pvqrX9XfoW3lp8MNsXsFweKJZ?= =?us-ascii?Q?yPxPWMeRhmnRBlJ+1+eaVKuqb6aVa3Ln1npcQcioqLhqzL5YyY0DGBnVM2CA?= =?us-ascii?Q?veOy71wrEFCXKTO7EizeI5/58htuB4xZNWwNGzFsvtxPknEXMuHriSJLJEk0?= =?us-ascii?Q?4qWq8EhtN1GU1sGIbi/Twceb68NT5TEMzYb3TA=3D=3D?= x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?/QEp5+2q2A50IqzvrF+J3ue+I84uOYNouIAJKGeKwb0lVra1MBslXza6caz3?= =?us-ascii?Q?L+YxJ1fqPO9QsngaUo+7ert/TEGW5BbJyXK/wXdvXnhBRKwljcTtaLMbbKV2?= =?us-ascii?Q?eYumzZOgBwFH5s9rmijHWMPjhkvTFQY7YmOVB0Ndiuvffh9V0GrHGDax5pii?= =?us-ascii?Q?/p2BnPd1vEULqDQqtaO7EUS4Ep/lbtM6fjk9HXeVuISigJp04UQNbj2GOuXi?= =?us-ascii?Q?K/B28+BPFJa3eRhQMQdjInq3gTUfIXB+fRxzpjJkZw3WXpDdM18e8uUAjI1O?= =?us-ascii?Q?LaAxWhwrtKoUcHDc2fgCJrBvFxBhtfFM6IYjxj1Lu02hjKmHc5/9jFxJ8MQk?= =?us-ascii?Q?CqpvjVhIkyPEiWAfI5chconbCbSrIoifFvaJUaaM755PL0/+0uiquM/VE4u3?= =?us-ascii?Q?Vh5tuFVDXTy7sOIh5Gf4RwVX5IldlboQFrvWZtFevO8WMd5bNSa337I04zDY?= =?us-ascii?Q?Dh8BjIdJXLSWkkS0iWkWAzOnAd+CyeCY/jYsbOIUgxSuHbsJIkFlVX+CBuB7?= =?us-ascii?Q?IEr+WDm2NEAoSGMxE7rg5dz2ptqavAqEQmFHnpsczx5q4QJW43nxe1iFjoSz?= =?us-ascii?Q?i9IFCfvSbJFmvlt0QMqXNgTDpI6wWbxqjBOf2X6DvvSgKbGI/Uj16asrSSQz?= =?us-ascii?Q?6ibvBMBUjlBI5C9qu5EVGcYSyfkm/Fg+uPd8VmlL3crGlgr81+BTI1B7x42R?= =?us-ascii?Q?VlO1QLTeiIQ7q6Pk4L8D0sOOBLqrDst4XCp5MeQd6IiqT0zucjN//rgUCg8B?= =?us-ascii?Q?9mdFtQTACCpWGh7cCWptz8d5AO01vKBG+8hhoUws4tlWG46bfTws3lo82Xcg?= =?us-ascii?Q?wks7oQ64Z7HCuq2vWmmH2izw3eTgU/dxly4ZpYMOsR28QFmqwNypI3xfDfTD?= =?us-ascii?Q?0RIYOfS/Whbos5sdyGLzoQa+Me20gRO3WvuqcZSHzVrqduY5XpW+Jx4vejIB?= =?us-ascii?Q?FvveOxWeijzaDIwbJ1dLdiBIjE1SrXQ0BLhHLPNVjL9y1v/8cBNGKtkhuQ//?= =?us-ascii?Q?Ka74XzHSVgLgWic3DpHcymGwMWbVftYIom4Z+k10Fs+9rJpu27gh1A3Mk83J?= =?us-ascii?Q?roJI0c3JyvcwSAc0eHmXHQlg45gAmkI4w/PN1GxtB/KEpnATRgaX8JdR7Pwj?= =?us-ascii?Q?ls5BQO3yDkXv9SMEv5H0A+RtwL8Mi/G1Ls7E9LSfh5MTu/qlETQ975ZJixIr?= =?us-ascii?Q?G5gm2dpCBGHXs2YyQkQ+gtsAUqKfChyeP8lxohJYEOUgbSsgwGEfQzxbfaU?= =?us-ascii?Q?=3D?= MIME-Version: 1.0 X-OriginatorOrg: sct-15-20-8534-20-msonline-outlook-c7cf3.templateTenant X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-CrossTenant-Network-Message-Id: 94387a9a-3b16-4e3f-9c62-08dd9dfbc75b X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2025 15:24:46.2974 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7P223MB0408 Subject: [FFmpeg-devel] The "bad" Patch X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: Hello everybody, it's about 14 days ago, on Thursday, 2025-05-15, when I had applied my "Execution Graph Printing" patchset after 12 revisions and 3 reminder e-mails sent to the ML. The patch 15/15 had a controversial reception from other FFmpeg developers, ranging from friendly concerns up to aggressive blown-up comments, some with elements of defamation, false accusations which were blindly repeated even after I had rectified them. It has been difficult to navigate for me, as there were very different kinds of arguments, and not all of them were of a type that would have justified immediate reversion. Also, I cannot consider people as trustworthy while they are going crazy. I had hoped for entering a discussion to explain the details, but once the mob had formed and I had realized that a reasonable discussion is not possible, I chose to revert that patch. All-in-all, what remains from that situation is a very wrong picture, that I cannot leave unresolved. I had only decided to wait those 14 days, in order to allow for some cooldown. But now it's really time for clearing a few things up. I had noticed a number of misunderstandings about the patch (many don't even seem to have looked at it). I don't mean to say that everybody misunderstood everything, it was rather mixed and there has also been one very valid comment regarding the way how the temp folder was determined. Misunderstanding 1: What is being launched? =========================================== It appears that many had only read the headlines and assumed the code would launch the executable of a browser in a new process. Those who said that system() is not the right way to launch such a process, are absolutely right. But that's not what's happening. What's really happening: It is invoking a common shell script/command (named xdg-open) which is handling the request and opens the configured application when required, or when already running, it causes it to open the provided file or url. xdg-open does that for many file types, it's not just for opening urls and is a de-facto standard on Linux, similar to ShellExecute() on Windows. Misunderstanding 2: Opening URLs is a big issue and taboo for CLI tools ======================================================================= In fact, so many applications are doing it, that it's almost pointless to name any. Almost all GUI applications are showing URLs somewhere on which you can click to open in the browser, if not part of the actual functionality, then at least in some Help>About dialog. Many text editors are detecting URLs and allow launching them in the browser in some way. The same applies to text in terminal application windows quite often. All these are launching the URLs through xdg-open. It's not a big thing and in no way special. Neither is it unusual for Linux CLI tools to launch URLs in a browser, some prominent examples are docker (Docker), aws (Amazon) or gh (GitHub). Some had reacted as if a CLI that would do browser-launching would be so toxic and unacceptable that they would never use it. Well - think again, because then you'd need to stop using: Git Even Git does it - and you're all using it. Misunderstanding 3: I would not be knowing what I'm doing ========================================================= Some had alluded that I would not be knowing about possible dangers when invoking a shell, like injection attacks. But that's really far from the truth. One of the first things I did when I started working with FFmpeg more than a decade ago was creating a huge .net lib, partially auto-created with about 2k classes, precisely reflecting ffmpeg's codecs, muxers, filters, protocols, etc - with all their options replicated in detail with proper types, value constraints and enums. That lib has a single purpose only: Building valid and safe FFmpeg command lines on all platforms. A simple shell escape is not the only form of injection attacks and - without giving any recipes - FFmpeg command lines are an attractive target for such attacks. Bottom line: No matter how you are launching something - via shell or by starting a process - it is always important to make sure the parameters that you are passing anywhere are valid and sane. "Bad" API? ========== As far as I'm seeing it, an API can hardly be intrinsically bad. It depends on the case and the parameters that are passed. With the wrong parameters, bad things can happen with many APIs. So, let's take a look at the command string that is actually run: xdg-open '...path...' /dev/null 2>&1 & The path is built from two parts combined, temp path and generated file name, e.g. /tmp/ffmpeg_graph_2025-05-28_06-53-23_550.html There's nothing in the resulting command that is depending on user input and could be manipulated in some way. So, what's actually bad about this invocation? Where's the risk? While searching for an answer, I've seen many uses of system() in Linux tools (less, Vim, linuxmint; Python's os.system() maps directly to glibc's system() and is used everywhere) - and I've seen even more which are doing the exact same things as glibc does internally (launching sh). I fully understand that care needs to be taken when invoking a shell. It should raise a flag - absolutely. But the next step must be careful evaluation rather than going crazy. I really don't see why it should be categorized as "forbidden", especially not for a very clear and narrow case like here. So far, the system() API in glibc has only been talked about as a black box - a "bad" black box. Making claims about something unknown is always easy - but not useful for discussion, and hence I've moved that out of the way: I have updated and reposted the "bad" patch, alongside a second patch which substitutes the system() call with the actual source code from glibc 2.31 that is used on Linux systems. Now, it's no longer a black box. And so, here's my question to all those who had told me how forbidden, unacceptable and 'no-no' the use of the system() API would be: Could you please explain to me in detail what exactly is bad about using that API in THIS WAY and in THIS CONTEXT? Which bad things can happen and how exactly? Thanks sw Please note: I have no intentions towards getting this merged. It's a valid opinion when you think that "ffmpeg shouldn't launch a browser" or similar - but that's not the topic. This is merely a technical question. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".