[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available
ods15 at ods15.dyndns.org
Sat Nov 24 13:41:27 CET 2007
On Sat, Nov 24, 2007 at 04:36:09PM +0800, Ulion wrote:
> 2007/11/24, ods15 at ods15.dyndns.org <ods15 at ods15.dyndns.org>:
> > On Sat, Nov 24, 2007 at 04:00:44PM +0800, Ulion wrote:
> > > 2007/11/24, Rich Felker <dalias at aerifal.cx>:
> > > > On Sat, Nov 24, 2007 at 02:50:59PM +0800, Ulion wrote:
> > > > > + if (libpassword && strlen(libpassword))
> > > > > + sprintf(pwd, "'-p%s'", libpassword);
> > > > > + else
> > > > > + pwd[0] = '\0';
> > > > > +
> > > > > + sprintf(cmdline, "'%s' p -inul %s '%s' '%s'", cmd, pwd, rarfile, filename);
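Review bot: both sprintf calls write into pwd and cmdline with no length limit, and libpassword, rarfile and filename are placed between single quotes with no escaping, so an over-long value overruns the buffer and a value containing ' ends the quoting and leaves the rest to be parsed by the shell. Use snprintf with the destination size and treat truncation as an error, and either replace each ' with '\'' before wrapping the value in single quotes or drop the shell and pass the arguments as an argv array to an exec call.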
> > > >
> > > > Vulnerable overflows and much worse. Consider for example if filename
> > > > or rarfile happened to be:
> > > > ....' & rm -rf ~ & '....
> > >
> > > After a little test, I found only ' can break the '', so for
> > > filename and rarfile I reject them if they contain '.
> > > for cmd, it's our defined for get from get_path, should be ok. And for
> > > the password, I change to use "" to quote it and escape \ and " by a
> > > prepending \ to make it safe.
> > >
> > > Now, if you still think there is any chance have security problem,
> > > please give me a note.
> >
> > Using a shell in general for this is a bad idea. But the correct way to
> > quote a string for a shell is to replace all ' with '\'', and put '' around
> > the string. Using "" is a bad idea because it can still use `` and $()
> >
>
> I tried in shell but '\'' is not valid since within '', \ is just a
> normal char, can not escape anything.
> So only way can quote both ' and " is quote them within ". But you
> notified me, since I miss to skip $, I fixed it.
you misunderstood me
suppose you want the password "some'pass"
then you have to eventually run this command in shell:
unrar -p 'some'\''pass'
EACH single char ' in the original password/string has to be replaced with
the 4 letter string '\''. afterwards, the string has to be wrapped with '
- ods15
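
The quoting rule described in the message above, written out in C as an added example (it is not code from the thread or from MPlayer). The helper build_cmdline and all buffer sizes are hypothetical and chosen only for illustration; every length is checked, so input that does not fit is rejected instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

/* Quote `in` for a POSIX shell: wrap it in single quotes and replace each
 * embedded ' with the four characters '\'' (close quote, escaped quote,
 * reopen quote). Returns the quoted length, or -1 if `out` is too small. */
int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz < 3)                        /* room for '' and the NUL */
        return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (n + need + 2 > outsz)         /* keep room for closing ' and NUL */
            return -1;
        if (*in == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *in;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical helper (not MPlayer code): build the unrar command line from
 * quoted parts and fail, rather than overflow, when something does not fit. */
int build_cmdline(char *dst, size_t dstsz, const char *cmd, const char *pass,
                  const char *rarfile, const char *filename)
{
    char qcmd[256], qpass[256], qrar[512], qfile[512], popt[260] = "";
    int r;

    if (shell_quote(cmd, qcmd, sizeof qcmd) < 0 ||
        shell_quote(rarfile, qrar, sizeof qrar) < 0 ||
        shell_quote(filename, qfile, sizeof qfile) < 0)
        return -1;
    if (pass && *pass) {
        if (shell_quote(pass, qpass, sizeof qpass) < 0)
            return -1;
        snprintf(popt, sizeof popt, "-p%s", qpass);
    }
    r = snprintf(dst, dstsz, "%s p -inul %s %s %s", qcmd, popt, qrar, qfile);
    return (r < 0 || (size_t)r >= dstsz) ? -1 : r;
}
```

Passing the arguments as an argv array to an exec-family call removes the need for quoting altogether, which matches the remark earlier in the thread that using a shell for this is a bad idea.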