pdjstone / cloudpets-web-bluetooth

Demo of CloudPets toy functionality using Web Bluetooth
MIT License

CSRF #2

Closed Javantea closed 7 years ago

Javantea commented 7 years ago

The exploit is vulnerable to Cross-site Request Forgery (CSRF). This is a common issue with Flask websites and can be fixed by using flask-wtf. While there aren't many interesting things an attacker can do using CSRF against this application (send an arbitrary file to ffmpeg with the hope of code execution), it seems worthwhile to fix it.

pdjstone commented 7 years ago

Allowing arbitrary data to be uploaded to ffmpeg is a much bigger risk than CSRF, but this is only a PoC demo. The code is intended to be as simple as possible. Ideally I would get rid of all the server-side bits and do the audio encoding/decoding in the browser (via emscripten/WebAssembly).