[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available

Rich Felker dalias at aerifal.cx
Fri Dec 14 04:40:11 CET 2007


On Thu, Dec 13, 2007 at 10:39:45AM +0100, Reimar Döffinger wrote:
> Hello,
> On Thu, Dec 13, 2007 at 12:40:44AM -0500, Rich Felker wrote:
> > On Wed, Dec 12, 2007 at 12:32:14PM -0600, Stuart Levy wrote:
> > > Also, would cmd_escape_append() be more palatable if it
> > > simply rejected all but a limited set of safe characters, like
> > > letters, digits, blanks, -+=&,.:_/\[](){}?
> > 
> > No, this would simply be buggy since real filenames can and will
> > contain arbitrary characters.
> 
> The idea is that buggy is better than exploitable, since it seems
> unclear if non-exploitable is possible without getting the Windows
> source code (and of all versions we support in addition), since even
> the official documentation seems contradictory.

As soon as the bullshit about cmd.exe is removed and CreateProcess[Ex]
is used directly, there is no possibility of any shell quoting
vulnerability. It's possible that bugs will lead unrar.exe to
misinterpret its commandline, and these possibilities should be
checked for vulns, but the overall situation is much safer...

Rich
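
Added example, not part of the original message or of MPlayer's code: when the child is started with CreateProcess directly, there is no cmd.exe to interpret `&`, `|` or `%`, so the only quoting left is the one that lets the child split the command-line string back into argv. The sketch below assumes the child uses the Microsoft C runtime argv rules (not verified here for unrar.exe, which is the remaining risk the message points at); the function names and the sample filename are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Quote one argument so a child using the Microsoft C runtime argv rules
 * sees it as exactly one argv entry. Returns bytes written (excluding NUL),
 * or 0 if out is smaller than the conservative worst case. */
size_t win_quote_arg(const char *arg, char *out, size_t outsz)
{
    size_t o = 0, bs = 0;
    if (outsz < 2 * strlen(arg) + 3)    /* every byte doubled + 2 quotes + NUL */
        return 0;
    out[o++] = '"';
    for (; *arg; arg++) {
        if (*arg == '\\') {             /* defer: meaning depends on what follows */
            bs++;
            continue;
        }
        /* n backslashes before a quote become 2n+1; otherwise they stay n */
        size_t emit = (*arg == '"') ? 2 * bs + 1 : bs;
        while (emit--) out[o++] = '\\';
        bs = 0;
        out[o++] = *arg;
    }
    /* trailing backslashes are doubled so they cannot escape the closing quote */
    for (size_t i = 0; i < 2 * bs; i++) out[o++] = '\\';
    out[o++] = '"';
    out[o] = '\0';
    return o;
}

/* Join a NULL-terminated argv into the single string CreateProcess takes.
 * Returns 0 on success, -1 if out is too small. */
int win_build_cmdline(const char *const *argv, char *out, size_t outsz)
{
    size_t o = 0;
    if (!outsz) return -1;
    out[0] = '\0';
    for (size_t i = 0; argv[i]; i++) {
        if (i) {
            if (o + 1 >= outsz) return -1;
            out[o++] = ' ';
        }
        size_t n = win_quote_arg(argv[i], out + o, outsz - o);
        if (!n) return -1;
        o += n;
    }
    return 0;
}
```

Characters such as `&` pass through unchanged because nothing on this path treats them as special; only `"` and the backslashes adjacent to it need escaping.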


