[MPlayer-dev-eng] running a program with a keystroke - passing playing filename to it
compn
tempn at twmi.rr.com
Tue Dec 21 22:36:00 CET 2010
On Tue, 21 Dec 2010 14:19:19 -0700, Kevin DeKorte wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 12/21/2010 12:00 PM, Elias Gabriel Amaral da Silva wrote:
>> 2010/12/21 Clément Bœsch <ubitux at gmail.com>:
>>
>>>> [...]
>>>> diff --git a/DOCS/tech/slave.txt b/DOCS/tech/slave.txt
>>>> index e31a9f4..5bcf074 100644
>>>> --- a/DOCS/tech/slave.txt
>>>> +++ b/DOCS/tech/slave.txt
>>>> @@ -508,6 +508,11 @@ run <value>
>>>> Run <value> as shell command. In OSD menu console mode stdout and stdin
>>>> are through the video output driver.
>>>>
>>>> + It expands properties inside the command. Due to an unfortunate
>>>> + syntax clash, it *looks* like those properties are shell variables,
>>>> + but then aren't. (for example, in run "echo ${filename}",
>>> ^^^^
>>> they?
>>
>> oh yes, that was a typo, thanks
>
>I'm a little concerned that this patch allows mplayer to execute pretty
>much any command available at the OS level. I know it is not running as
>root, but it still concerns me a bit.
you are a few years too late to voice that concern. mplayer has had the
'run' parameter since 2003 (or earlier). this patch just creates a
variable to pass the current filename to 'run'. :)
now you should wonder how many boxes have been rooted using mplayer's
run command, or why mplayer devels would add a backdoor like this.
-compn
More information about the MPlayer-dev-eng
mailing list