[MPlayer-dev-eng] [PATCH] Use unrar for open vobsubs if available

Ulion ulion2002 at gmail.com
Sat Nov 24 15:03:40 CET 2007


2007/11/24, ods15 at ods15.dyndns.org <ods15 at ods15.dyndns.org>:
> On Sat, Nov 24, 2007 at 04:36:09PM +0800, Ulion wrote:
> > 2007/11/24, ods15 at ods15.dyndns.org <ods15 at ods15.dyndns.org>:
> > > On Sat, Nov 24, 2007 at 04:00:44PM +0800, Ulion wrote:
> > > > 2007/11/24, Rich Felker <dalias at aerifal.cx>:
> > > > > On Sat, Nov 24, 2007 at 02:50:59PM +0800, Ulion wrote:
> > > > > > +    if (libpassword && strlen(libpassword))
> > > > > > +        sprintf(pwd, "'-p%s'", libpassword);
> > > > > > +    else
> > > > > > +        pwd[0] = '\0';
> > > > > > +
> > > > > > +    sprintf(cmdline, "'%s' p -inul %s '%s' '%s'", cmd, pwd, rarfile, filename);
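
Review bot: both sprintf calls in this hunk copy caller-supplied strings (libpassword into pwd, then pwd, rarfile and filename into cmdline) with no length limit, and the '%s' wrapping does nothing about a ' embedded in those values. Use snprintf with the destination size and treat truncation as an error, and either replace each ' with '\'' before wrapping or, better, pass the arguments as an argv array to an exec-style call so that no shell parses them.
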
> > > > >
> > > > > Vulnerable overflows and much worse. Consider for example if filename
> > > > > or rarfile happened to be:
> > > > > ....' & rm -rf ~ & '....
> > > >
> > > > After a little test, I found only ' can break the '', so for
> > > > filename and rarfile I reject them if they contain '.
> > > > For cmd, it's defined by us, got from get_path, so it should be ok. And for
> > > > the password, I changed to use "" to quote it and escape \ and " by
> > > > prepending \ to make it safe.
> > > >
> > > > Now, if you still think there is any chance of a security problem,
> > > > please give me a note.
> > >
> > > Using a shell in general for this is a bad idea. But the correct way to
> > > quote a string for a shell is to replace all ' with '\'', and put '' around
> > > the string. Using "" is a bad idea because it can still use `` and $()
> > >
> >
> > I tried in shell but '\'' is not valid since within '', \ is just a
> > normal char and can not escape anything.
> > So the only way to quote both ' and " is to quote them within ". But you
> > notified me that I missed skipping $; I fixed it.
>
> you misunderstood me
>
> suppose you want the password "some'pass"
>
> then you have to eventually run this command in shell:
>
> unrar -p 'some'\''pass'
>
> EACH single char ' in the original password/string has to be replaced with
> the 4 letter string '\''. Afterwards, the string has to be wrapped with '

Oh, that's it. But now, to make it work on win32 as well, I changed to use
" to quote parameters. So please recheck my " quoting code to see
whether it's safe enough.

The attached patch was also tested to work on a MinGW build of mplayer.

-- 
Ulion
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unrarlib_use_bin_unrar4.diff
Type: text/x-diff
Size: 4989 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20071124/ef6ae159/attachment.diff>
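
The single-quote rule described in the thread above (each ' becomes '\'', then the whole string is wrapped in '), as an added example that is not part of the attached patch or of MPlayer's code. The function names and buffer sizes are assumptions made for illustration, and the quoting is valid for POSIX sh only, not for the win32 command interpreter.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quote `in` for a POSIX sh command line: wrap it in '...' and replace each
 * ' with the four characters '\''. Returns bytes written, -1 if out is too small. */
int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3) return -1;                 /* room for '' and NUL */
    out[n++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (n + need + 2 > outsz) return -1;  /* keep room for closing ' and NUL */
        if (*in == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else out[n++] = *in;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: builds the same command shape as the quoted patch,
 * with every variable part quoted and every copy bounded.
 * The 512/256-byte scratch sizes are arbitrary choices for this example. */
int build_unrar_cmd(char *cmdline, size_t sz, const char *cmd,
                    const char *password, const char *rarfile,
                    const char *filename)
{
    char qcmd[512], qpwd[512] = "", qrar[512], qfile[512], parg[256];
    int r;
    if (password && *password) {
        r = snprintf(parg, sizeof parg, "-p%s", password);
        if (r < 0 || (size_t)r >= sizeof parg) return -1;
        if (shell_quote(parg, qpwd, sizeof qpwd) < 0) return -1;
    }
    if (shell_quote(cmd, qcmd, sizeof qcmd) < 0 ||
        shell_quote(rarfile, qrar, sizeof qrar) < 0 ||
        shell_quote(filename, qfile, sizeof qfile) < 0)
        return -1;
    r = snprintf(cmdline, sz, "%s p -inul %s %s %s", qcmd, qpwd, qrar, qfile);
    return (r < 0 || (size_t)r >= sz) ? -1 : r;
}
```

Both functions return -1 instead of truncating, so a caller can refuse to run a command line that did not fit.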

