Old 20th June 2018, 13:01   #21  |  Link
ca18
Registered User
 
Join Date: Feb 2016
Posts: 5
Quote:
Originally Posted by HolyWu
By the way the patch on FFmpeg mailing list seems buggy, it gives an error when trying to open vpy file. But Stephen's patch works fine for me.
Hi HolyWu, what is "Stephen's patch" and where can we find it? Thanks!
ca18 is offline   Reply With Quote
Old 3rd July 2018, 00:18   #22  |  Link
hydra3333
Registered User
 
Join Date: Oct 2009
Location: crow-land
Posts: 540
Quote:
Originally Posted by ca18 View Post
Hi HolyWu, what is "Stephen's patch" and where can we find it? Thanks!
bump ?
hydra3333 is offline   Reply With Quote
Old 3rd July 2018, 04:10   #23  |  Link
DJATOM
Registered User
 
DJATOM's Avatar
 
Join Date: Sep 2010
Location: Ukraine, Bohuslav
Posts: 377
I still have it: https://pastebin.com/Ls1LmTyj
__________________
Me on GitHub
PC Specs: Ryzen 5950X, 64 GB RAM, RTX 2070
DJATOM is offline   Reply With Quote
Old 3rd July 2018, 23:25   #24  |  Link
ca18
Registered User
 
Join Date: Feb 2016
Posts: 5
Thank you for digging that up so it can be compared now to the "official" nonworking patch.
ca18 is offline   Reply With Quote
Old 5th July 2018, 21:10   #25  |  Link
MysteryX
Soul Architect
 
MysteryX's Avatar
 
Join Date: Apr 2014
Posts: 2,559
Wait a second. VapourSynth directly executes any Python script (without any restrictions?), so it's like opening Word documents without any macro restrictions?

That means that if you have vpy files associated with a program and you click on a vpy script someone sends you via email, it could execute anything directly on your computer?

I don't like this design decision... Are there at least restrictions on what the script can do?
MysteryX is offline   Reply With Quote
Old 5th July 2018, 21:37   #26  |  Link
DJATOM
Registered User
 
DJATOM's Avatar
 
Join Date: Sep 2010
Location: Ukraine, Bohuslav
Posts: 377
It can't do anything admin-related until you allow it (start with admin privileges).
__________________
Me on GitHub
PC Specs: Ryzen 5950X, 64 GB RAM, RTX 2070
DJATOM is offline   Reply With Quote
Old 5th July 2018, 21:42   #27  |  Link
Myrsloik
Professional Code Monkey
 
Myrsloik's Avatar
 
Join Date: Jun 2003
Location: Kinnarps Chair
Posts: 2,547
Quote:
Originally Posted by MysteryX View Post
Wait a second. VapourSynth directly executes any Python script (without any restrictions?), so it's like opening Word documents without any macro restrictions?

That means that if you have vpy files associated with a program and you click on a vpy script someone sends you via email, it could execute anything directly on your computer?

I don't like this design decision... Are there at least restrictions on what the script can do?
I didn't see you complaining when you loaded dll files from strangers you found on the interwebs. Same thing. If you don't check or sandbox things it's your own fault.
__________________
VapourSynth - proving that scripting languages and video processing isn't dead yet
Myrsloik is offline   Reply With Quote
Old 6th July 2018, 02:53   #28  |  Link
MysteryX
Soul Architect
 
MysteryX's Avatar
 
Join Date: Apr 2014
Posts: 2,559
There are indeed risks with downloading DLLs from unknown sources. However, one needs to do special work to run code in a DLL, it won't happen automatically, and most viruses within DLLs will be auto-detected by a good anti-virus.

Running a Python script by double-clicking on a file (for users who may not even know what VapourSynth is), however, can seriously limit the adaptation of VapourSynth. If that's the reason FFMPEG hasn't added native support for it, then I fully understand. In a business or production environment, one has to be *VERY* careful where the scripts are coming from and where they are running. I don't think many people realize that. I also don't think Kaspersky will scan the Python raw script for malicious code.

I would say that this, combined with the lack of audio support, are the 2 things most limiting the adaptation of VapourSynth.
MysteryX is offline   Reply With Quote
Old 6th July 2018, 03:18   #29  |  Link
hydra3333
Registered User
 
Join Date: Oct 2009
Location: crow-land
Posts: 540
OK, any recommendations or hints (other than yes you should do this) on sandboxing under Win10x64 ?

My preference is to always use portable version of things, if that helps with advice.
Quote:
If you don't check or sandbox things it's your own fault
Audio support may seem to be a bit problematic if video/audio delays are involved - at one point I had to process them separately each into a separate .mp4 container to preserve a delay, although it may have changed since then and/or I was doing something wrong ... tinkered until a process worked.

Last edited by hydra3333; 6th July 2018 at 03:22.
hydra3333 is offline   Reply With Quote
Old 6th July 2018, 03:59   #30  |  Link
MysteryX
Soul Architect
 
MysteryX's Avatar
 
Join Date: Apr 2014
Posts: 2,559
Quote:
Originally Posted by hydra3333 View Post
My preference is to always use portable version of things, if that helps with advice.
Running a portable version won't change anything in regards to security. The script can still execute or do anything that doesn't require admin privilege.

Quote:
Audio support may seem to be a bit problematic if video/audio delays are involved - at one point I had to process them separately each into a separate .mp4 container to preserve a delay, although it may have changed since then and/or I was doing something wrong ... tinkered until a process worked.
That's for holding audio (associating it with the video track). AFAIK there's nothing in regards to audio processing.
MysteryX is offline   Reply With Quote
Old 6th July 2018, 09:01   #31  |  Link
shekh
Registered User
 
Join Date: Mar 2015
Posts: 775
Quote:
Originally Posted by MysteryX View Post
...If that's the reason FFMPEG hasn't added native support for it, then I fully understand.
How is this an FFMpeg problem? It does not create file associations.
__________________
VirtualDub2
shekh is offline   Reply With Quote
Old 6th July 2018, 09:33   #32  |  Link
ChaosKing
Registered User
 
Join Date: Dec 2005
Location: Germany
Posts: 1,795
Quote:
Originally Posted by MysteryX View Post
Wait a second. VapourSynth directly executes any Python script (without any restrictions?), so it's like opening Word documents without any macro restrictions?

That means that if you have vpy files associated with a program and you click on a vpy script someone sends you via email, it could execute anything directly on your computer?

I don't like this design decision... Are there at least restrictions on what the script can do?
The same applies to py files (blame python installer). What about bat or exe files? They have the same "power of potential destruction", I don't see why this is suddenly a problem now. Or do you click on every exe file sent by email to you?

Edit:
If your vpy is associated with an editor, why would this be a bad thing? It is executed only if you run it.
__________________
AVSRepoGUI // VSRepoGUI - Package Manager for AviSynth // VapourSynth
VapourSynth Portable FATPACK || VapourSynth Database

Last edited by ChaosKing; 6th July 2018 at 09:46.
ChaosKing is offline   Reply With Quote
Old 6th July 2018, 10:01   #33  |  Link
hydra3333
Registered User
 
Join Date: Oct 2009
Location: crow-land
Posts: 540
afaik vpy is not associated in a portable vapoursynth install ? would (portable) ffmpeg not create any associations ?
An untested assumption is to pop ffmpeg into the same folder as portable vapoursynth and then run ffmpeg with the correct commandline to open a vpy that the user specifies ?
( Assuming that one has a static vapoursynth enabled build of ffmpeg which works )
hydra3333 is offline   Reply With Quote
Old 6th July 2018, 10:31   #34  |  Link
ChaosKing
Registered User
 
Join Date: Dec 2005
Location: Germany
Posts: 1,795
I have the install version of VS and there is no auto association of vpy files.
__________________
AVSRepoGUI // VSRepoGUI - Package Manager for AviSynth // VapourSynth
VapourSynth Portable FATPACK || VapourSynth Database

Last edited by ChaosKing; 6th July 2018 at 10:34.
ChaosKing is offline   Reply With Quote
Old 6th July 2018, 15:22   #35  |  Link
MysteryX
Soul Architect
 
MysteryX's Avatar
 
Join Date: Apr 2014
Posts: 2,559
FFMPEG doesn't create any file association. However, in a business environment, the scripts may be running in one environment while production material is being fed from employees on the network. If, for example, the server is designed to automatically batch-process all scripts in a folder, and someone manages to push a script in there, he can run anything he wants on the server. Perhaps the admins don't even know about VapourSynth and just try to read every video file in that folder thinking they are harmless.

There are lots of scenarios where we don't care about security -- but in cases where it's important, we're at a bad start.

Quote:
Originally Posted by ChaosKing View Post
What about bat or exe files? They have the same "power of potential destruction", I don't see why this is suddenly a problem now.
The danger of EXE and BAT files is very well known, and many steps have been taken to limit their damage. Browsers will give you strong warnings, EXE/BAT files are flagged as coming from the Internet and will ask you for confirmation to run them, and anti-viruses will scan them. The danger of Word files was also very well-known, prompting Microsoft to disable macros by default, and give strong warnings before executing any macro.

I'll also note that this isn't an issue in Avisynth.

In .NET, at least, there are sandboxing options where the code can run with limited privilege, which allows for Silverlight that could run within a browser (but then browsers dropped support for Silverlight anyway).

Indeed VapourSynth doesn't create any file association by default -- but I associated them with a program to preview the files, not knowing the risks that go with it. Of course it's not much of a personal issue on my laptop where I'm in control of everything, but in a business network, things aren't so simple.

Just to put things into perspective, FFMPEG is being used by all kinds of corporations. Many of them have batch-processing servers (and aren't even using VapourSynth). Adding native support for VapourSynth in FFMPEG would put all of these batch-processing servers and businesses at risk, as anyone who can push a file into the batch-processing could run anything on the server. The only way around that would be for server admin to explicitly forbid VapourSynth extensions -- essentially disabling FFMPEG's VapourSynth support. It certainly cannot be turned on by default.

Last edited by MysteryX; 6th July 2018 at 15:49.
MysteryX is offline   Reply With Quote
Old 6th July 2018, 21:59   #36  |  Link
amichaelt
Guest
 
Posts: n/a
Quote:
Just to put things into perspective, FFMPEG is being used by all kinds of corporations. Many of them have batch-processing servers (and aren't even using VapourSynth). Adding native support for VapourSynth in FFMPEG would put all of these batch-processing servers and businesses at risk, as anyone who can push a file into the batch-processing could run anything on the server. The only way around that would be for server admin to explicitly forbid VapourSynth extensions -- essentially disabling FFMPEG's VapourSynth support. It certainly cannot be turned on by default.
Interesting FUD and all, but as linked to above, native Vapoursynth script support was committed to the ffmpeg git repository back in April and it's still there today.
  Reply With Quote
Old 6th July 2018, 23:18   #37  |  Link
MysteryX
Soul Architect
 
MysteryX's Avatar
 
Join Date: Apr 2014
Posts: 2,559
Isn't this whole conversation because it isn't enabled by default?
MysteryX is offline   Reply With Quote
Old 7th July 2018, 00:20   #38  |  Link
amichaelt
Guest
 
Posts: n/a
Quote:
Originally Posted by MysteryX View Post
Isn't this whole conversation because it isn't enabled by default?
Even if it was, it not being enabled by default has nothing to do with your FUD about Vapoursynth being a potential malware vector. Plenty of ffmpeg features are optional and disabled by default. For example, Avisynth support is also disabled by default.
  Reply With Quote
Old 7th July 2018, 00:50   #39  |  Link
amichaelt
Guest
 
Posts: n/a
Also a malicious Avisynth plugin can be written to delete everything off your hard drive, download malware, etc. What you're talking about is what any piece of malicious arbitrary-code can do. Avisynth also has no sandboxing to prevent this. So you're really no more safe with Avisynth.

And if you use autoload, a malware-ridden plugin could have its init function called and do malicious things without you even needing to ever explicitly call it.
  Reply With Quote
Old 7th July 2018, 03:29   #40  |  Link
MysteryX
Soul Architect
 
MysteryX's Avatar
 
Join Date: Apr 2014
Posts: 2,559
What about this? I haven't made anything up, but I understand their decision.
Quote:
Originally Posted by hydra3333 View Post
Here's the ffmpeg commit
https://git.ffmpeg.org/gitweb/ffmpeg...182aa0b3778b79
Quote:
avformat: add vapoursynth wrapper

This can "demux" .vpy files. Autodetection of .vpy scripts is
intentionally not done, because it would be a major security issue. You
need to force the format, for example with "-f vapoursynth" for the
FFmpeg CLI tools.

Some minor code copied from other LGPL parts of FFmpeg.

I did not find a good way to test a few of the more obscure VS features,
like VFR nodes, compat pixel formats, or nodes with dynamic size/format
changes. These can be easily implemented on demand.

--enable-vapoursynth in the ffmpeg configure
MysteryX is offline   Reply With Quote
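The batch-server scenario raised in post #35 and the forced-format rule in the commit message quoted in post #40, as an added example that is not part of the thread or of FFmpeg's code: a job wrapper that never lets a dropped file or a job-supplied format select a script demuxer. The function names, the allowlist and the directory layout are hypothetical; `-f vapoursynth` comes from the quoted commit message, and `-format_whitelist` and `-nostdin` are existing ffmpeg options.

```python
from pathlib import Path

# Demuxers that run a script instead of parsing passive media.
SCRIPT_DEMUXERS = {"vapoursynth", "avisynth"}
SCRIPT_EXTS = {".vpy", ".avs", ".py"}
# Constructed allowlist for a hypothetical ingest pipeline.
MEDIA_DEMUXERS = ("mov", "matroska", "mpegts")


def build_ffmpeg_args(src, out, trusted_script_dir=None, requested_format=None):
    """Return the ffmpeg argv for one job, or raise ValueError if refused."""
    src = Path(src).resolve()  # collapses ".." and symlinks before any check
    ext = src.suffix.lower()
    if ext in SCRIPT_EXTS or requested_format in SCRIPT_DEMUXERS:
        # Script jobs run arbitrary code: accept them only from a directory
        # that operators control, never from the shared drop folder.
        if trusted_script_dir is None:
            raise ValueError(f"script input refused: {src.name}")
        if Path(trusted_script_dir).resolve() not in src.parents:
            raise ValueError(f"script outside trusted directory: {src}")
        if ext != ".vpy":
            raise ValueError(f"unsupported script type: {src.name}")
        # The format is forced by the wrapper, not taken from the job.
        return ["ffmpeg", "-nostdin", "-f", "vapoursynth", "-i", str(src), str(out)]
    if requested_format is not None and requested_format not in MEDIA_DEMUXERS:
        raise ValueError(f"format not allowed: {requested_format}")
    # Passive media: probing is limited to the allowlisted demuxers.
    args = ["ffmpeg", "-nostdin", "-format_whitelist", ",".join(MEDIA_DEMUXERS)]
    if requested_format:
        args += ["-f", requested_format]
    return args + ["-i", str(src), str(out)]


def refused(*a, **kw):
    """True if the policy rejects the job."""
    try:
        build_ffmpeg_args(*a, **kw)
    except ValueError:
        return True
    return False
```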