Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion. Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules. |
20th June 2018, 13:01 | #21 | Link | |
Registered User
Join Date: Feb 2016
Posts: 5
|
Quote:
|
|
3rd July 2018, 04:10 | #23 | Link |
Registered User
Join Date: Sep 2010
Location: Ukraine, Bohuslav
Posts: 377
|
I still have it: https://pastebin.com/Ls1LmTyj
|
5th July 2018, 21:10 | #25 | Link |
Soul Architect
Join Date: Apr 2014
Posts: 2,559
|
Wait a second. VapourSynth directly executes any Python script (without any restrictions?), so it's like opening Word documents without any macro restrictions?
That means that if you have vpy files associated with a program and you click on a vpy script someone sends you via email, it could execute anything directly on your computer? I don't like this design decision... Are there at least restrictions on what the script can do? |
5th July 2018, 21:42 | #27 | Link | |
Professional Code Monkey
Join Date: Jun 2003
Location: Kinnarps Chair
Posts: 2,555
|
Quote:
__________________
VapourSynth - proving that scripting languages and video processing isn't dead yet |
|
6th July 2018, 02:53 | #28 | Link |
Soul Architect
Join Date: Apr 2014
Posts: 2,559
|
There are indeed risks with downloading DLLs from unknown sources. However, one needs to do special work to run code in a DLL, it won't happen automatically, and most viruses within DLLs will be auto-detected by a good anti-virus.
Running a Python script by double-clicking on a file (for users who may not even know what VapourSynth is), however, can seriously limit the adaptation of VapourSynth. If that's the reason FFMPEG hasn't added native support for it, then I fully understand. In a business or production environment, you have to be *VERY* careful where the scripts are coming from and where they are running. I don't think many people realize that. I also don't think Kaspersky will scan the Python raw script for malicious code. I would say that this, combined with the lack of audio support, are the 2 things most limiting the adaptation of VapourSynth. |
6th July 2018, 03:18 | #29 | Link | |
Registered User
Join Date: Oct 2009
Location: crow-land
Posts: 540
|
OK, any recommendations or hints (other than yes you should do this) on sandboxing under Win10x64?
My preference is to always use portable versions of things, if that helps with advice. Quote:
Last edited by hydra3333; 6th July 2018 at 03:22. |
|
6th July 2018, 03:59 | #30 | Link | ||
Soul Architect
Join Date: Apr 2014
Posts: 2,559
|
Quote:
Quote:
|
||
6th July 2018, 09:01 | #31 | Link |
Registered User
Join Date: Mar 2015
Posts: 775
|
How is this an FFMpeg problem? It does not create file associations.
__________________
VirtualDub2 |
6th July 2018, 09:33 | #32 | Link | |
Registered User
Join Date: Dec 2005
Location: Germany
Posts: 1,795
|
Quote:
Edit: If your vpy is associated with an editor, why would this be a bad thing? It is only executed if you run it.
__________________
AVSRepoGUI // VSRepoGUI - Package Manager for AviSynth // VapourSynth VapourSynth Portable FATPACK || VapourSynth Database Last edited by ChaosKing; 6th July 2018 at 09:46. |
|
6th July 2018, 10:01 | #33 | Link |
Registered User
Join Date: Oct 2009
Location: crow-land
Posts: 540
|
afaik vpy is not associated in a portable vapoursynth install? Would (portable) ffmpeg not create any associations?
An untested assumption is to pop ffmpeg into the same folder as portable vapoursynth and then run ffmpeg with the correct commandline to open a vpy that the user specifies? (Assuming that one has a static vapoursynth enabled build of ffmpeg which works) |
6th July 2018, 10:31 | #34 | Link |
Registered User
Join Date: Dec 2005
Location: Germany
Posts: 1,795
|
I have the install version of VS and there is no auto association of vpy files.
__________________
AVSRepoGUI // VSRepoGUI - Package Manager for AviSynth // VapourSynth VapourSynth Portable FATPACK || VapourSynth Database Last edited by ChaosKing; 6th July 2018 at 10:34. |
6th July 2018, 15:22 | #35 | Link | |
Soul Architect
Join Date: Apr 2014
Posts: 2,559
|
FFMPEG doesn't create any file association. However, in a business environment, the scripts may be running in one environment while production material is being fed from employees on the network. If, for example, the server is designed to automatically batch-process all scripts in a folder, and someone manages to push a script in there, he can run anything he wants on the server. Perhaps the admins don't even know about VapourSynth and just try to read every video file in that folder thinking they are harmless.
There are lots of scenarios where we don't care about security -- but in cases where it's important, we're at a bad start. Quote:
I'll also note that this isn't an issue in Avisynth. In .NET, at least, there are sandboxing options where the code can run with limited privilege, which allows for Silverlight that could run within a browser (but then browsers dropped support for Silverlight anyway).
Indeed VapourSynth doesn't create any file association by default -- but I associated them with a program to preview the files, not knowing the risks that go with it. Of course it's not much of a personal issue on my laptop where I'm in control of everything, but in a business network, things aren't so simple.
Just to put things into perspective, FFMPEG is being used by all kinds of corporations. Many of them have batch-processing servers (and aren't even using VapourSynth). Adding native support for VapourSynth in FFMPEG would put all of these batch-processing servers and businesses at risk, as anyone who can push a file into the batch-processing could run anything on the server. The only way around that would be for the server admin to explicitly forbid VapourSynth extensions -- essentially disabling FFMPEG's VapourSynth support. It certainly cannot be turned on by default.
__________________
FrameRateConverter | AvisynthShader | AvsFilterNet | Natural Grounding Player with Yin Media Encoder, 432hz Player, Powerliminals Player and Audio Video Muxer Last edited by MysteryX; 6th July 2018 at 15:49. |
|
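Added example, not part of the thread and not code from FFMPEG or VapourSynth: one way a batch-processing drop folder could apply the "forbid script extensions" restriction discussed in the post above, by accepting only allowlisted containers whose leading bytes match their extension. The allowlist, the verdict strings and the sample file names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Frameserver scripts are programs, not media: never hand them to the encoder.
SCRIPT_EXTS = {".vpy", ".avs", ".py"}

# Allowlisted containers and a check on their leading bytes (assumed policy).
MAGIC = {
    ".mkv": lambda h: h[:4] == b"\x1a\x45\xdf\xa3",           # EBML header
    ".webm": lambda h: h[:4] == b"\x1a\x45\xdf\xa3",
    ".mp4": lambda h: h[4:8] == b"ftyp",                       # ISO BMFF brand box
    ".avi": lambda h: h[:4] == b"RIFF" and h[8:12] == b"AVI ",
}

def classify(path: Path) -> str:
    """Return a verdict for one entry dropped into the batch folder."""
    if path.is_symlink() or not path.is_file():
        return "reject-not-regular-file"
    ext = path.suffix.lower()
    if ext in SCRIPT_EXTS:
        return "reject-script"
    check = MAGIC.get(ext)
    if check is None:
        return "reject-unknown-type"
    with path.open("rb") as f:
        head = f.read(16)
    return "accept" if check(head) else "reject-content-mismatch"

def triage(folder) -> dict:
    """Map every entry in the folder to its verdict; only 'accept' is encoded."""
    return {p.name: classify(p) for p in sorted(Path(folder).iterdir())}

if __name__ == "__main__":
    # Constructed sample files, not real media.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clip.mkv").write_bytes(b"\x1a\x45\xdf\xa3" + bytes(12))
        (root / "job.vpy").write_text("import vapoursynth as vs\n")
        (root / "renamed.mp4").write_text("import vapoursynth as vs\n")
        for name, verdict in triage(root).items():
            print(f"{name}: {verdict}")
```

Such a gate only decides what reaches the encoder; the encoding job itself should still run under a low-privilege account with no write access outside its output folder.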
6th July 2018, 21:59 | #36 | Link | |
Guest
Posts: n/a
|
Quote:
|
|
7th July 2018, 00:20 | #38 | Link |
Guest
Posts: n/a
|
Even if it was, it not being enabled by default has nothing to do with your FUD about Vapoursynth being a potential malware vector. Plenty of ffmpeg features are optional and disabled by default. For example, Avisynth support is also disabled by default.
|
7th July 2018, 00:50 | #39 | Link |
Guest
Posts: n/a
|
Also a malicious Avisynth plugin can be written to delete everything off your hard drive, download malware, etc. What you're talking about is what any piece of malicious arbitrary-code can do. Avisynth also has no sandboxing to prevent this. So you're really no more safe with Avisynth.
And if you use autoload, a malware-ridden plugin could have its init function called and do malicious things without you even needing to ever explicitly call it. |
7th July 2018, 03:29 | #40 | Link | ||
Soul Architect
Join Date: Apr 2014
Posts: 2,559
|
What about this? I haven't made anything up, but I understand their decision.
Quote:
|
||