[MPlayer-cvslog] r32731 - in trunk: path.c path.h
ubitux at gmail.com
Tue Dec 28 17:35:18 CET 2010
On Wed, Dec 29, 2010 at 12:57:37AM +0900, KO Myung-Hun wrote:
> > Security-wise this is a very, very dangerous way to define it, if someone can trick you into changing the current directory (which btw. the file open dialog will do), \something will suddenly be a completely different location than it was just before.
> > Maybe it makes most sense in the end, but not without a _huge_ warning note in the documentation and reviewing what this means for how the code behaves.
> > For subtitles this is less critical, but for example if it was used for config files getting this wrong might mean reading them from a public network drive, which would be trivial to exploit.
> Yes, but you should consider the case that people append a relative path
> to a current path.
> \something and c: generate an incorrect path.
> I agree absolutely with you that this code should be reviewed
> thoroughly for security.
> And it would be better to provide a function to composite an absolute
> path from a relative path.
> This can reduce the errors on OSes using DOSish paths.
True. I'll work on a function replacement to concatenate paths which is
what I need in the subdirs patch. It will also lighten this patch which
may be "too big" :)
Not sent from a jesusPhone.
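
The following is an added example, not part of the original message and not code from MPlayer's path.c. It shows why `\something` is only safe once it is resolved against an explicit, fully qualified base instead of whatever the current directory happens to be, and it goes slightly beyond the thread by also classifying the `c:file` form. The names `dos_classify` and `dos_resolve` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum dos_path_kind {
    DOS_FULL,       /* c:\dir\file or \\server\share: location is fixed */
    DOS_ROOTED,     /* \something: drive is taken from the current directory */
    DOS_DRIVE_REL,  /* c:file: directory is taken from drive c:'s current dir */
    DOS_RELATIVE    /* dir\file: fully relative to the current directory */
};

static int is_sep(char c) { return c == '\\' || c == '/'; }

enum dos_path_kind dos_classify(const char *p)
{
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return is_sep(p[2]) ? DOS_FULL : DOS_DRIVE_REL;
    if (is_sep(p[0]))
        return is_sep(p[1]) ? DOS_FULL : DOS_ROOTED;
    return DOS_RELATIVE;
}

/* Resolve path against an explicit base such as "c:\\mplayer" (assumed to be
 * captured once at startup). Returns 0 on success, -1 if the result would be
 * ambiguous or would not fit in out. */
int dos_resolve(const char *base, const char *path, char *out, size_t size)
{
    int n;
    if (dos_classify(base) != DOS_FULL || !isalpha((unsigned char)base[0]))
        return -1;                 /* base must carry its own drive letter */
    switch (dos_classify(path)) {
    case DOS_FULL:
        n = snprintf(out, size, "%s", path);
        break;
    case DOS_ROOTED:               /* keep only the base's drive: "c:" + path */
        n = snprintf(out, size, "%.2s%s", base, path);
        break;
    case DOS_RELATIVE:
        n = snprintf(out, size, "%s%s%s", base,
                     is_sep(base[strlen(base) - 1]) ? "" : "\\", path);
        break;
    default:                       /* c:file needs per-drive state we lack */
        return -1;
    }
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}
```

With the constructed bases `c:\mplayer` and `z:\public`, the same input `\something` resolves to `c:\something` and `z:\something` respectively, which is the location change the thread warns about when the current directory is used as the implicit base.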