[MPlayer-dev-eng] running a program with a keystroke - passing playing filename to it

Mon Jan 3 19:47:09 CET 2011

On Tue, Dec 21, 2010 at 04:36:00PM -0500, compn wrote:
> On Tue, 21 Dec 2010 14:19:19 -0700, Kevin DeKorte wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On 12/21/2010 12:00 PM, Elias Gabriel Amaral da Silva wrote:
> >> 2010/12/21 Clément Bœsch <ubitux at gmail.com>:
> >> 
> >>>> [...]
> >>>> diff --git a/DOCS/tech/slave.txt b/DOCS/tech/slave.txt
> >>>> index e31a9f4..5bcf074 100644
> >>>> --- a/DOCS/tech/slave.txt
> >>>> +++ b/DOCS/tech/slave.txt
> >>>> @@ -508,6 +508,11 @@ run <value>
> >>>>      Run <value> as shell command. In OSD menu console mode stdout and stdin
> >>>>      are through the video output driver.
> >>>>
> >>>> +    It expands properties inside the command. Due to an unfortunate
> >>>> +    syntax clash, it *looks* like those properties are shell variables,
> >>>> +    but then aren't. (for example, in run "echo ${filename}",
> >>>           ^^^^
> >>>           they?
> >> 
> >> oh yes, that was a typo, thanks
> >
> >I'm a little concerned that this patch allows mplayer to execute pretty
> >much any command available at the OS level. I know it is not running as
> >root, but it still concerns me a bit.
> 
> you are a few years too late to voice that concern. mplayer has had the
> 'run' parameter since 2003 (or earlier). this patch just creates a
> variable to pass the current filename to 'run'. :)
> 
> now you should wonder how many boxes have been rooted using mplayer's
> run command, or why mplayer devels would add a backdoor like this.
> 

Shall we apply this then? It's a pity a lot of interesting patches get
lost like this, and more importantly, potential contributors…

-- 
Clément B.
Not sent from a jesusPhone.