[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available
ods15 at ods15.dyndns.org
Sat Nov 24 09:08:51 CET 2007
On Sat, Nov 24, 2007 at 04:00:44PM +0800, Ulion wrote:
> 2007/11/24, Rich Felker <dalias at aerifal.cx>:
> > On Sat, Nov 24, 2007 at 02:50:59PM +0800, Ulion wrote:
> > > + if (libpassword && strlen(libpassword))
> > > + sprintf(pwd, "'-p%s'", libpassword);
> > > + else
> > > + pwd[0] = '\0';
> > > +
> > > + sprintf(cmdline, "'%s' p -inul %s '%s' '%s'", cmd, pwd, rarfile, filename);
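Review bot: both sprintf calls in this hunk write attacker-influenced strings (libpassword, rarfile, filename) into the fixed buffers pwd and cmdline with no length check, and the single quotes around '-p%s', '%s' and '%s' do not neutralise a ' inside any of those strings, so a value containing ' closes the quoted word and everything after it is parsed by the shell as further commands. Prefer dropping the shell entirely and running the helper with fork/execvp and an argv array, where no character is special; if the command line must stay, use snprintf, treat a truncated result as an error rather than running it, and rewrite every ' in each argument as '\'' before wrapping the argument in single quotes.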
> >
> > Vulnerable overflows and much worse. Consider for example if filename
> > or rarfile happened to be:
> > ....' & rm -rf ~ & '....
>
> After a little test, I found only ' can break the '', so for
> filename and rarfile I reject them if they contain '.
> For cmd, it's ours, obtained from get_path, so it should be ok. And for
> the password, I changed to use "" to quote it and escape \ and " by
> prepending \ to make it safe.
>
> Now, if you still think there is any chance of a security problem,
> please give me a note.
Using a shell in general for this is a bad idea. But the correct way to
quote a string for a shell is to replace all ' with '\'' and put '' around
the string. Using "" is a bad idea because it can still use `` and $().
- ods15
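Both of ods15's points above, shown in C as an added example that is not code from MPlayer or from the patch under discussion: shell_quote applies the '\'' rule and wraps the result in single quotes, build_unrar_cmdline rebuilds the patch's command line with every argument quoted and the write bounded, and run_argv is the no-shell alternative (fork/execvp with an argv array). The function names are invented here, and the inputs in main are constructed, using the shape Rich Felker gave in the thread.

```c
/* Added example, not MPlayer's code: two safe ways to hand untrusted strings
 * (rar file, vobsub name, password) to an external unrar.  All names invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Quote s for a POSIX shell: wrap it in '...' and replace each embedded '
 * with '\'' (close quote, escaped quote, reopen quote).  Inside single quotes
 * the shell expands nothing, so $(), ``, $HOME, & and ; all stay literal. */
char *shell_quote(const char *s)
{
    size_t n = 2;                            /* the surrounding quotes */
    const char *p;
    char *out, *o;
    for (p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    if (!(out = malloc(n + 1)))
        return NULL;                         /* caller frees the result */
    o = out;
    *o++ = '\'';
    for (p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* The line the patch builds ("cmd p -inul [-pPASS] rar file"), with every
 * argument quoted and the write bounded.  Returns 0 on success, -1 on
 * allocation failure or when buf is too small (a truncated line is never run). */
int build_unrar_cmdline(char *buf, size_t bufsize, const char *cmd,
                        const char *password, const char *rarfile,
                        const char *filename)
{
    char *qcmd = shell_quote(cmd), *qrar = shell_quote(rarfile);
    char *qfile = shell_quote(filename), *qpwd = NULL;
    int ret = -1, len;
    if (!qcmd || !qrar || !qfile) goto out;
    if (password && *password) {
        /* "-p" and the password are one argument: quote them together */
        size_t n = strlen(password) + 3;
        char *raw = malloc(n);
        if (!raw) goto out;
        snprintf(raw, n, "-p%s", password);
        qpwd = shell_quote(raw);
        free(raw);
        if (!qpwd) goto out;
    }
    if (qpwd)
        len = snprintf(buf, bufsize, "%s p -inul %s %s %s", qcmd, qpwd, qrar, qfile);
    else
        len = snprintf(buf, bufsize, "%s p -inul %s %s", qcmd, qrar, qfile);
    if (len >= 0 && (size_t)len < bufsize)
        ret = 0;
out:
    free(qcmd); free(qrar); free(qfile); free(qpwd);
    return ret;
}

/* Convenience wrapper: static (non-reentrant) buffer, NULL on failure. */
const char *unrar_cmdline(const char *cmd, const char *password,
                          const char *rarfile, const char *filename)
{
    static char line[512];
    return build_unrar_cmdline(line, sizeof line, cmd, password, rarfile, filename) == 0 ? line : NULL;
}

/* What ods15 actually recommends: no shell.  fork/execvp passes each string
 * as its own argv entry, so no character in it is special to anything.
 * Returns the child's exit status (127 if exec failed) or -1. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char evil[] = "movie' & rm -rf ~ & '.idx";   /* constructed, Rich's shape */
    /* 'true' stands in for unrar so the demo runs on any POSIX system */
    char *const argv[] = { "true", "p", "-inul", "movie.rar", evil, NULL };
    const char *line = unrar_cmdline("unrar", "", "movie.rar", evil);
    printf("shell form: %s\n", line ? line : "(too long)");
    printf("exec form exited with %d\n", run_argv(argv));
    return 0;
}
```

The single-quote rule works because a POSIX shell performs no expansion at all inside '...', so the only character that needs handling is ' itself, and '\'' closes the word, appends a backslash-escaped quote, and reopens it. Double quotes are the wrong tool for exactly the reason ods15 gives: $(...), backticks and $var are still expanded inside "...", so escaping only \ and " leaves the injection open. run_argv sidesteps the whole question, which is why it is the form to prefer when the helper is a local binary rather than a shell pipeline.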