[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available

ods15 at ods15.dyndns.org ods15 at ods15.dyndns.org
Sat Nov 24 09:08:51 CET 2007


On Sat, Nov 24, 2007 at 04:00:44PM +0800, Ulion wrote:
> 2007/11/24, Rich Felker <dalias at aerifal.cx>:
> > On Sat, Nov 24, 2007 at 02:50:59PM +0800, Ulion wrote:
> > > +    if (libpassword && strlen(libpassword))
> > > +        sprintf(pwd, "'-p%s'", libpassword);
> > > +    else
> > > +        pwd[0] = '\0';
> > > +
> > > +    sprintf(cmdline, "'%s' p -inul %s '%s' '%s'", cmd, pwd, rarfile, filename);
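Review bot: both `sprintf` calls write into fixed buffers (`pwd`, `cmdline`) with no length check, so an over-long `libpassword`, `rarfile` or `filename` overruns them; and surrounding each value with `'...'` does nothing against an embedded `'`, which closes the quoted argument and hands the remainder to the shell as syntax. Switch to `snprintf` with the buffer sizes, and either rewrite every `'` in the untrusted strings as `'\''` before quoting, or drop the shell and pass `cmd`, `p`, `-inul`, the `-p` argument, `rarfile` and `filename` as separate argv entries to `execvp`.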
> >
> > Vulnerable overflows and much worse. Consider for example if filename
> > or rarfile happened to be:
> > ....' & rm -rf ~ & '....
> 
> After a little test, I found only ' can break the '', so for
> filename and rarfile I reject them if they contain '.
> For cmd, it's defined by us and obtained from get_path, so it should be ok. And for
> the password, I changed to use "" to quote it and escape \ and " by
> prepending a \ to make it safe.
> 
> Now, if you still think there is any chance of a security problem,
> please give me a note.

Using a shell in general for this is a bad idea. But the correct way to 
quote a string for a shell is to replace all ' with '\'' and put '' around 
the string. Using "" is a bad idea because it can still use `` and $().

- ods15
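The quoting rule ods15 gives above, together with the shell-free alternative he recommends, as an added C example that is not part of this thread or of MPlayer's code: `shell_single_quote` applies the '\'' rule with an explicit bounds check, `build_unrar_cmdline` assembles the same command line as the patch but with every field quoted and `snprintf` in place of `sprintf`, and `build_unrar_argv` builds an argv for `execvp` so no shell ever parses the filenames. All function names, buffer sizes and sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Quote `in` for a POSIX shell the way ods15 describes: wrap the string in
 * single quotes and replace every embedded ' with '\'' (close the quotes,
 * emit a backslash-escaped quote, reopen the quotes).  Nothing else is
 * special inside single quotes, so $(), `` and \ are all inert.
 * Returns the length written (excluding the NUL), or -1 if `out` is too
 * small; the caller's buffer is never overrun. */
long shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t need = 2;                    /* opening and closing quote */
    for (const char *p = in; *p; p++)
        need += (*p == '\'') ? 4 : 1;
    if (outlen < need + 1)              /* +1 for the NUL */
        return -1;

    char *o = out;
    *o++ = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return (long)need;
}

/* Bounded replacement for the sprintf() calls in the patch: every field
 * goes through shell_single_quote() and the line is assembled with
 * snprintf().  Returns 0 on success, -1 if anything did not fit. */
int build_unrar_cmdline(const char *cmd, const char *password,
                        const char *rarfile, const char *filename,
                        char *out, size_t outlen)
{
    char qcmd[512], qpwd[512], qrar[1024], qfile[1024];
    char pwarg[256] = "";               /* "-p<password>" or empty */

    if (password && *password &&
        snprintf(pwarg, sizeof pwarg, "-p%s", password) >= (int)sizeof pwarg)
        return -1;
    if (shell_single_quote(cmd, qcmd, sizeof qcmd) < 0 ||
        shell_single_quote(pwarg, qpwd, sizeof qpwd) < 0 ||
        shell_single_quote(rarfile, qrar, sizeof qrar) < 0 ||
        shell_single_quote(filename, qfile, sizeof qfile) < 0)
        return -1;

    /* Omit the password argument entirely when there is none, as the patch does. */
    const char *pw_part = *pwarg ? qpwd : "";
    const char *pw_sep  = *pwarg ? " " : "";
    int n = snprintf(out, outlen, "%s p -inul %s%s%s %s",
                     qcmd, pw_part, pw_sep, qrar, qfile);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The approach ods15 prefers: no shell at all.  Fill an argv for execvp()
 * so each string is exactly one argument and no character in a filename
 * can become shell syntax.  `argv` needs room for 7 pointers; `pwarg`
 * must stay valid until exec.  Returns the argument count, or -1. */
int build_unrar_argv(const char *cmd, const char *password,
                     const char *rarfile, const char *filename,
                     const char *argv[7], char *pwarg, size_t pwlen)
{
    int i = 0;
    argv[i++] = cmd;
    argv[i++] = "p";
    argv[i++] = "-inul";
    if (password && *password) {
        if (snprintf(pwarg, pwlen, "-p%s", password) >= (int)pwlen)
            return -1;
        argv[i++] = pwarg;
    }
    argv[i++] = rarfile;
    argv[i++] = filename;
    argv[i] = NULL;
    return i;
}

int main(void)
{
    /* Constructed sample: a filename with an embedded quote stays one argument. */
    char line[512];
    if (build_unrar_cmdline("unrar", "s3cret", "it's.rar", "it's.sub",
                            line, sizeof line) == 0)
        printf("%s\n", line);
    return 0;
}
```

In the argv form the password still lands in `/proc/<pid>/cmdline` of the child, exactly as it would on a shell command line; the example only removes the parsing problem, not that exposure.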
