From: Mark Thompson <sw@jkqxz.net>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] fftools/graphprint: Now, make it a Killer-Feature!
Date: Thu, 15 May 2025 23:34:46 +0100
Message-ID: <d6325a47-9c76-40b0-aefa-74ac3e98782a@jkqxz.net> (raw)
In-Reply-To: <DM8P223MB036529DA4B7A33A2EA9D2E47BA90A@DM8P223MB0365.NAMP223.PROD.OUTLOOK.COM>
On 15/05/2025 23:19, softworkz . wrote:
>
>
>> -----Original Message-----
>> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of Ramiro Polla
>> Sent: Freitag, 16. Mai 2025 00:13
>> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
>> Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] fftools/graphprint: Now, make it a
>> Killer-Feature!
>>
>> On Fri, May 16, 2025 at 12:00 AM softworkz .
>> <softworkz-at-hotmail.com@ffmpeg.org> wrote:
>>>> On Thu, May 15, 2025 at 11:11 PM softworkz <git@videolan.org> wrote:
>>>> [...]
>>>>> diff --git a/fftools/graph/filelauncher.c b/fftools/graph/filelauncher.c
>>>>> new file mode 100644
>>>>> index 0000000000..45514ca599
>>>>> --- /dev/null
>>>>> +++ b/fftools/graph/filelauncher.c
>>>> [...]
>>>>> +int ff_open_html_in_browser(const char *html_path)
>>>>> +{
>>>>> + if (!html_path || !*html_path)
>>>>> + return -1;
>>>>> +
>>>>> +#if defined(_WIN32)
>>>>> +
>>>>> + // --- Windows ---------------------------------
>>>>> + {
>>>>> + HINSTANCE rc = ShellExecuteA(NULL, "open", html_path, NULL,
>> NULL,
>>>> SW_SHOWNORMAL);
>>>>> + if ((UINT_PTR)rc <= 32) {
>>>>> + // Fallback: system("start ...")
>>>>> + char cmd[1024];
>>>>> + _snprintf_s(cmd, sizeof(cmd), _TRUNCATE, "start \"\"
>> \"%s\"",
>>>> html_path);
>>>>> + if (system(cmd) != 0)
>>>>> + return -1;
>>>>> + }
>>>>> + return 0;
>>>>> + }
>>>>> +
>>>>> +#elif defined(__APPLE__)
>>>>> +
>>>>> + // --- macOS -----------------------------------
>>>>> + {
>>>>> + // "open" is the macOS command to open a file/URL with the
>> default
>>>> application
>>>>> + char cmd[1024];
>>>>> + snprintf(cmd, sizeof(cmd), "open '%s' 1>/dev/null 2>&1 &",
>>>> html_path);
>>>>> + if (system(cmd) != 0)
>>>>> + return -1;
>>>>> + return 0;
>>>>> + }
>>>>> +
>>>>> +#else
>>>>> +
>>>>> + // --- Linux / Unix-like -----------------------
>>>>> + // We'll try xdg-open, then gnome-open, then kfmclient
>>>>> + {
>>>>> + // Helper macro to try one browser command
>>>>> + // Returns 0 on success, -1 on failure
>>>>> + #define TRY_CMD(prog) do { \
>>>>> + char buf[1024]; \
>>>>> + snprintf(buf, sizeof(buf), "%s '%s' 1>/dev/null 2>&1 &", \
>>>>> + (prog), html_path); \
>>>>> + int ret = system(buf); \
>>>>> + /* On Unix: system() returns -1 if the shell can't run. */\
>>>>> + /* Otherwise, check exit code in lower 8 bits.
>> */\
>>>>> + if (ret != -1 && WIFEXITED(ret) && WEXITSTATUS(ret) == 0) \
>>>>> + return 0; \
>>>>> + } while (0)
>>>>> +
>>>>> + TRY_CMD("xdg-open");
>>>>> + TRY_CMD("gnome-open");
>>>>> + TRY_CMD("kfmclient exec");
>>>>> +
>>>>> + fprintf(stderr, "Could not open '%s' in a browser.\n",
>> html_path);
>>>>> + return -1;
>>>>> + }
>>>>> +
>>>>> +#endif
>>>>> +}
>>>> [...]
>>>>
>>>> Sorry I didn't have a closer look at the patchset while it was under
>>>> review, but system(cmd) is a big no-no. We could create a file with an
>>>> explicit path passed by the user, but then it's up to the user to open
>>>> it.
>>>
>>> What's bad about opening a file in the browser when that's the documented
>>> behavior of the cli parameter?
>>
>> Straight out of ChatGPT:
>> I understand the motivation — making the feature more user-friendly by
>> launching the result directly is a nice touch. The concern isn't with
>> the feature itself, but rather with the way it's implemented.
>> Using system() to launch a browser introduces potential security
>> risks, especially if the file path is ever constructed from untrusted
>> input (e.g. future scripting, API wrapping, or unexpected shell
>> expansion). It's generally discouraged in projects like FFmpeg, where
>> robustness and security are critical.
>
> Hi,
>
> of course I understand that.
> But it isn't constructed from untrusted input.
>
> Best regards
> sw
$ export TMPDIR="'; rm -rf / ;'\\\\"
$ ./ffmpeg_g -sg -i /dev/null -f null -
Calls to system are just not a good idea in general. Suggest printing the file name and let the user open the file however they choose to.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2025-05-15 22:35 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20250515211148.6C91C4128B8@natalya.videolan.org>
2025-05-15 21:50 ` Ramiro Polla
2025-05-15 21:59 ` softworkz .
2025-05-15 22:13 ` Ramiro Polla
2025-05-15 22:19 ` softworkz .
2025-05-15 22:33 ` softworkz .
2025-05-15 22:34 ` Mark Thompson [this message]
2025-05-15 22:43 ` softworkz .
2025-05-15 22:49 ` Ramiro Polla
2025-05-15 23:04 ` softworkz .
2025-05-15 23:29 ` Ramiro Polla
2025-05-16 0:19 ` softworkz .
2025-05-15 22:49 ` softworkz .
2025-05-24 15:54 ` Rémi Denis-Courmont
2025-05-25 10:50 ` softworkz .
2025-05-16 0:00 ` Marton Balint
2025-05-16 0:17 ` softworkz .
2025-05-16 0:27 ` James Almer
2025-05-16 0:32 ` softworkz .
2025-05-16 0:36 ` softworkz .
2025-05-16 0:39 ` James Almer
2025-05-16 0:45 ` Lynne
2025-05-16 0:59 ` softworkz .
2025-05-16 0:54 ` Michael Niedermayer
2025-05-16 1:26 ` softworkz .
2025-05-16 8:43 ` softworkz .
2025-05-16 9:41 ` softworkz .
2025-05-16 9:50 ` Nicolas George
2025-05-16 10:10 ` softworkz .
2025-05-16 11:10 ` Nicolas George
2025-05-16 11:49 ` Michael Niedermayer
2025-05-16 12:03 ` Nicolas George
2025-05-31 21:38 ` softworkz .
2025-05-16 13:42 ` softworkz .
2025-05-16 13:45 ` Nicolas George
2025-05-16 3:39 ` Romain Beauxis
2025-05-16 4:15 ` softworkz .
2025-05-16 5:06 ` softworkz .
2025-05-16 8:11 ` Marton Balint
2025-05-24 16:01 ` Rémi Denis-Courmont
2025-05-25 11:04 ` softworkz .
2025-05-15 21:53 ` James Almer
2025-05-15 21:58 ` softworkz .
2025-05-15 22:00 ` James Almer
2025-05-15 22:02 ` softworkz .
2025-05-16 2:06 ` softworkz .
2025-05-31 21:38 ` softworkz .
2025-05-16 6:22 ` Martin Storsjö
2025-05-16 6:40 ` softworkz .
2025-05-16 7:50 ` softworkz .
2025-05-16 8:13 ` Gyan Doshi
2025-05-16 8:19 ` softworkz .
2025-05-16 8:19 ` Martin Storsjö
2025-05-16 8:25 ` softworkz .
2025-05-16 8:50 ` Martin Storsjö
2025-05-16 8:55 ` softworkz .
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6325a47-9c76-40b0-aefa-74ac3e98782a@jkqxz.net \
--to=sw@jkqxz.net \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git