[MPlayer-cvslog] r32731 - in trunk: path.c path.h

Clément Bœsch ubitux at gmail.com
Tue Dec 28 17:35:18 CET 2010


On Wed, Dec 29, 2010 at 12:57:37AM +0900, KO Myung-Hun wrote:
[...]
> > Security-wise this is a very, very dangerous way to define it, if someone can trick you into changing the current directory (which btw. the file open dialog will do), \something will suddenly be a completely different location than it was just before.
> > Maybe it makes most sense in the end, but not without a _huge_ warning note in the documentation and reviewing what this means for how the code behaves.
> > For subtitles this is less critical, but for example if it was used for config files getting this wrong might mean reading them from a public network drive, which would be trivial to exploit.
> 
> Yes, but you should consider the case that people append a relative path
> to a current path.
> 
> \something and c: generate an incorrect path.
> 
> I agree absolutely with you that this code should be reviewed
> thoroughly for security.
> 
> And it would be better to provide a function to compose an absolute
> path from a relative path.
> 
> This can reduce errors on OSes using DOSish paths.
> 

True. I'll work on a replacement function to concatenate paths, which is
what I need in the subdirs patch. It will also lighten this patch, which
may be "too big" :)

-- 
Clément B.
Not sent from a jesusPhone.
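
Added example, not code from MPlayer's path.c or from this thread: it classifies DOS-style paths and resolves them against a base directory the caller captured once, so that `\something` takes its drive from that base instead of from the live current directory. The names `dos_classify` and `dos_resolve`, and the policy of refusing `C:file` and UNC forms, are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not MPlayer's path.c API. */
enum dos_path_kind {
    DOS_ABSOLUTE,       /* C:\dir\file   drive and root both given        */
    DOS_ROOTED_NODRIVE, /* \dir\file     root given, drive = current one  */
    DOS_DRIVE_RELATIVE, /* C:file        drive given, dir = cwd on C:     */
    DOS_UNC,            /* \\host\share  network location                 */
    DOS_RELATIVE        /* dir\file      relative to cwd                  */
};

static int is_sep(char c) { return c == '\\' || c == '/'; }

enum dos_path_kind dos_classify(const char *p)
{
    if (is_sep(p[0]) && is_sep(p[1]))
        return DOS_UNC;
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return is_sep(p[2]) ? DOS_ABSOLUTE : DOS_DRIVE_RELATIVE;
    return is_sep(p[0]) ? DOS_ROOTED_NODRIVE : DOS_RELATIVE;
}

/* Resolve path against base, an absolute directory the caller captured once
 * (assumption: at startup), never against the live current directory.
 * Returns 0 on success, -1 if the form is refused or out is too small.
 * ".." components are not normalised here. */
int dos_resolve(const char *base, const char *path, char *out, size_t n)
{
    int len;
    if (dos_classify(base) != DOS_ABSOLUTE)
        return -1;
    switch (dos_classify(path)) {
    case DOS_ABSOLUTE:
        len = snprintf(out, n, "%s", path);
        break;
    case DOS_ROOTED_NODRIVE: /* drive comes from base, not from cwd */
        len = snprintf(out, n, "%c:%s", base[0], path);
        break;
    case DOS_RELATIVE:
        len = snprintf(out, n, "%s%s%s", base,
                       is_sep(base[strlen(base) - 1]) ? "" : "\\", path);
        break;
    default: /* C:file and \\host\share: refused by this example's policy */
        return -1;
    }
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}
```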

