[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Fri Dec 14 09:24:14 CET 2007


Hello,
On Thu, Dec 13, 2007 at 10:40:11PM -0500, Rich Felker wrote:
> On Thu, Dec 13, 2007 at 10:39:45AM +0100, Reimar Döffinger wrote:
> > On Thu, Dec 13, 2007 at 12:40:44AM -0500, Rich Felker wrote:
> > > On Wed, Dec 12, 2007 at 12:32:14PM -0600, Stuart Levy wrote:
> > > > Also, would cmd_escape_append() be more palatable if it
> > > > simply rejected all but a limited set of safe characters, like
> > > > letters, digits, blanks, -+=&,.:_/\[](){}?
> > > 
> > > No, this would simply be buggy since real filenames can and will
> > > contain arbitrary characters.
> > 
> > The idea is that buggy is better than exploitable, since it seems
> > unclear if non-exploitable is possible without getting the Windows
> > source code (and of all versions we support in addition), since even
> > the official documentation seems contradictory.
> 
> As soon as the bullshit about cmd.exe is removed and CreateProcess[Ex]
> is used directly, there is no possibility of any shell quoting
> vulnerability. It's possible that bugs will lead unrar.exe to
> misinterpret its commandline, and these possibilities should be
> checked for vulns, but the overall situation is much safer...

Did you actually read the CreateProcess documentation? I'd really like
to know why you think this will help?

Greetings,
Reimar Döffinger
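
Added example, not part of the original message or of MPlayer's code: CreateProcess hands the child one command-line string, so a file name still has to be quoted for whatever parser the child uses, even with cmd.exe out of the picture. The sketch below quotes one argument under the assumption that the child splits its command line with the Microsoft C runtime rules; whether unrar.exe does so is not confirmed by this thread, and quote_arg_msvcrt is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>

/* Quote one argument for the single command-line string CreateProcess
 * passes to the child. Assumption: the child splits that string with the
 * Microsoft C runtime rules (backslashes are literal unless they precede
 * a double quote). Returns the length written, or 0 if out is too small. */
size_t quote_arg_msvcrt(const char *arg, char *out, size_t cap)
{
    size_t n = 0, i, bs;
#define PUT(c) do { if (n + 1 >= cap) return 0; out[n++] = (c); } while (0)
    if (*arg && !strpbrk(arg, " \t\n\v\"")) {
        while (*arg) PUT(*arg++);       /* nothing to quote */
        out[n] = '\0';
        return n;
    }
    PUT('"');
    for (;;) {
        for (bs = 0; *arg == '\\'; arg++) bs++;
        if (*arg == '\0') {
            /* trailing backslashes would escape our closing quote: double them */
            for (i = 0; i < 2 * bs; i++) PUT('\\');
            break;
        }
        /* before a quote: double the backslashes, add one to escape the quote */
        if (*arg == '"') bs = 2 * bs + 1;
        for (i = 0; i < bs; i++) PUT('\\');
        PUT(*arg++);
    }
    PUT('"');
    out[n] = '\0';
    return n;
#undef PUT
}

int main(void)
{
    /* constructed sample file names */
    const char *names[] = { "sub.rar", "my subs.rar", "dir name\\", "a\"b.rar" };
    char buf[128];
    for (size_t k = 0; k < sizeof names / sizeof *names; k++)
        if (quote_arg_msvcrt(names[k], buf, sizeof buf))
            printf("%s\n", buf);
    return 0;
}
```

This covers only the argv-splitting layer; cmd.exe metacharacters are a separate layer that applies only when the command line is run through cmd.exe.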
