[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available

Ulion ulion2002 at gmail.com
Sat Nov 24 09:36:09 CET 2007


2007/11/24, ods15 at ods15.dyndns.org <ods15 at ods15.dyndns.org>:
> On Sat, Nov 24, 2007 at 04:00:44PM +0800, Ulion wrote:
> > 2007/11/24, Rich Felker <dalias at aerifal.cx>:
> > > On Sat, Nov 24, 2007 at 02:50:59PM +0800, Ulion wrote:
> > > > +    if (libpassword && strlen(libpassword))
> > > > +        sprintf(pwd, "'-p%s'", libpassword);
> > > > +    else
> > > > +        pwd[0] = '\0';
> > > > +
> > > > +    sprintf(cmdline, "'%s' p -inul %s '%s' '%s'", cmd, pwd, rarfile, filename);
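Review bot: The sprintf() that builds cmdline places rarfile, filename and (through pwd) libpassword inside single-quoted shell words without escaping them, so a ' in any of the three closes the quote and the remainder is parsed by the shell. Both sprintf() calls are also unbounded, and the sizes of pwd and cmdline are not visible in this hunk. Suggest snprintf() with the destination size and a check of the return value, and preferably passing cmd, "p", "-inul", the -p option, rarfile and filename as separate argv entries to an exec-family call so that no shell parses them at all.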
> > >
> > > Vulnerable overflows and much worse. Consider for example if filename
> > > or rarfile happened to be:
> > > ....' & rm -rf ~ & '....
> >
> > After a little test, I found only ' can break the '', so for
> > filename and rarfile I reject them if they contain '.
> > For cmd, it's our defined for get from get_path, should be ok. And for
> > the password, I changed to use "" to quote it and escape \ and " by
> > prepending a \ to make it safe.
> >
> > Now, if you still think there is any chance of a security problem,
> > please give me a note.
>
> Using a shell in general for this is a bad idea. But the correct way to
> quote a string for a shell is to replace all ' with '\'', and put '' around
> the string. Using "" is a bad idea because it can still use `` and $().
>

I tried in shell but '\'' is not valid since within '', \ is just a
normal char, cannot escape anything.
So the only way to quote both ' and " is to quote them within ". But you
notified me; since I missed skipping $, I fixed it.


-- 
Ulion
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unrarlib_use_bin_unrar3.diff
Type: text/x-diff
Size: 4524 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20071124/cf32fb91/attachment.diff>
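
The quoting rule ods15 describes in the thread (replace every ' with '\'' and wrap the string in ''), written out as an added C example that is not part of the patch or of MPlayer. The names shell_quote and shell_roundtrip_ok are hypothetical, the sample strings are constructed, and a POSIX /bin/sh is assumed.

```c
#define _POSIX_C_SOURCE 200809L  /* for popen()/pclose() */
#include <stdio.h>
#include <string.h>

/* Quote src for POSIX sh: wrap in '...' and rewrite each ' as '\''.
 * Returns the length written, or -1 if dst (size dstsz) is too small. */
static int shell_quote(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz < 3) return -1;                /* room for '' and NUL */
    dst[n++] = '\'';
    for (; *src; src++) {
        size_t need = (*src == '\'') ? 4 : 1;
        if (n + need + 2 > dstsz) return -1; /* keep room for closing ' and NUL */
        if (*src == '\'') {
            memcpy(dst + n, "'\\''", 4);     /* close quote, escaped ', reopen */
            n += 4;
        } else {
            dst[n++] = *src;
        }
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return (int)n;
}

/* Hand the quoted word to /bin/sh via popen() and read back what the
 * shell actually passed to printf. Returns 1 if it equals the input. */
static int shell_roundtrip_ok(const char *s)
{
    char q[512], cmd[600], out[512];
    FILE *p; size_t got;
    if (shell_quote(q, sizeof q, s) < 0) return 0;
    if (snprintf(cmd, sizeof cmd, "printf %%s %s", q) >= (int)sizeof cmd) return 0;
    if (!(p = popen(cmd, "r"))) return 0;
    got = fread(out, 1, sizeof out - 1, p);
    out[got] = '\0';
    pclose(p);
    return strcmp(out, s) == 0;
}

int main(void)
{
    /* Constructed sample names containing shell metacharacters. */
    const char *samples[] = { "plain.rar", "it's.rar", "a\"b`c`$(d)$e\\f.idx" };
    for (size_t i = 0; i < 3; i++)
        printf("%-24s -> %s\n", samples[i], shell_roundtrip_ok(samples[i]) ? "intact" : "MANGLED");
    return 0;
}
```

Quoting is only needed when a shell is in the path; running the helper through an exec-family call with an argv array, as the first reply's "using a shell in general for this is a bad idea" implies, removes the need for it.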