Liquidsoap specific metadata tags could be set by file #3813
Comments
That's a good point, thanks for reporting. I think we should prefix/namespace our internal tags so that they are clearly identifiable.
Hi @toots,
I don't think that GitHub supports that. I'll set up a private repository when I get back home and will add you to it.
The fix is on its way. I could consider taking this offline but I'm not sure how sensitive the issue really is. If an attacker has control over the files sent to the playout system, there's a lot more damage they could do before getting to override the root metadata. Do you have a specific scenario in mind?
I think
Yes absolutely and that is why I have prioritized the fix. However, anyone sending files to the system should be considered either a trusted user or else the system should be protected by security measures such as running the script inside a container. We also provide support for sandboxing external processes in such cases: https://www.liquidsoap.info/doc-2.2.4/settings.html#sandboxing-for-external-processes.
Don’t forget that we want to tag our files to have the So lengthy calculations like I know many who prefer keeping "data together where it belongs", i.e. cue points belong in the audio file. Talking about possibly security-relevant tags I agree: These should be kept out, if possible.
Hi @toots, [ string * string ].{
initial_uri: string,
filename: string,
temporary: bool,
rid: int,
on_air: string,
on_air_timestamp: int,
kind: string,
}
Describe the bug
If the file has metadata tags with the same names as the internal tags of Liquidsoap, the internal tags will be suppressed.
To Reproduce
Expected behavior
[string*string].
Version details
Install method
savonet/liquidsoap:v2.2.4
Common issues
#3782 (reply in thread)
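A small model of the collision reported in this issue and of the prefix/namespace approach suggested in the first comment, added here as an illustration in Python; it is not Liquidsoap's code or its actual fix. The reserved names come from the record type quoted in the thread; the merge order, the first-match lookup, the case-insensitive check and the `file:` prefix are assumptions.

```python
# Internal tag names, taken from the record type quoted in the thread.
RESERVED = frozenset({
    "initial_uri", "filename", "temporary", "rid",
    "on_air", "on_air_timestamp", "kind",
})

# Hypothetical namespace for file tags that collide with internal names.
FILE_PREFIX = "file:"

# Constructed sample data: tags read from an untrusted file, and the
# tags the playout system sets itself.
FILE_TAGS = [("title", "Example"), ("rid", "9999"),
             ("on_air", "1970/01/01 00:00:00")]
INTERNAL_TAGS = [("rid", "42"), ("filename", "/srv/media/example.mp3")]


def lookup(metadata, key):
    """First-match lookup over a list of (key, value) pairs."""
    for k, v in metadata:
        if k == key:
            return v
    return None


def merge_naive(file_tags, internal_tags):
    """Model of the reported behaviour (assumed ordering): file tags come
    first, so a colliding file tag shadows the internal one on lookup."""
    return list(file_tags) + list(internal_tags)


def merge_hardened(file_tags, internal_tags):
    """Internal tags always win; colliding file tags are kept under a prefix.
    Returns (merged, collisions) so the caller can log what was renamed."""
    merged = list(internal_tags)
    collisions = []
    for k, v in file_tags:
        # Assumption: compare case-insensitively, since tag casing varies
        # between container formats.
        if k.lower() in RESERVED:
            collisions.append(k)
            merged.append((FILE_PREFIX + k, v))
        else:
            merged.append((k, v))
    return merged, collisions
```

Logging the returned `collisions` list gives operators a signal that an ingested file carried tags using internal names.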