[rtmpdump] [PATCH] Add quotes to -o value

NhJm nhjm449 at gmail.com
Mon May 21 06:08:25 CEST 2012


Holy shit, man. I wasn't trying to insult or criticize your patch. Your
patch is a *good thing*. I was just pointing out that the existing
ServeInvoke implementation has flaws that could allow arbitrary code
execution. Your patch simply inspired me to investigate the existing code.
I perhaps should've made that clearer in the first reply.

And yes, replying to your patch was appropriate because I was essentially
trying to say: this patch is good, but more work should be done relating to
this section of the code. Again, I perhaps should've made that clearer.

And yes, it is very true that I don't currently have the motivation to
actually write a patch to fix the issue, but the solution is fairly
obvious: drop all the surrounding quotes and add backslashes before any
unacceptable characters. (Or keep the quotes and add backslashes before
unacceptable characters such as other double quotes. Both methods have
their downsides.)

On Sun, May 20, 2012 at 10:10 PM, Steven Penny <svnpenn at gmail.com> wrote:

> NhJm wrote:
> > Never said that -o wasn't worthy of quotation. Just saying that the problem
> > (with the way *all* of the parameters are created) is that they're not
> > properly being escaped. Sending a double quote to the server in *any* of the
> > connect/play parameters will cause issues (such as the ability to execute
> > arbitrary commands).
>
> The purpose of my patch was not to create a platform for you to grandstand about
> the intricacies of the Bash interpreter. Please take that to the forums, or
> better yet, nowhere.
>
> My patch fixes an existing problem with YouTube RTMPE videos. If you have an
> alternate or better solution, please provide it; otherwise go away.
> _______________________________________________
> rtmpdump mailing list
> rtmpdump at mplayerhq.hu
> https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump
>
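
The two escaping approaches named in the message above, sketched as an added example: this is not code from rtmpdump or from either poster, and the helper names `put`, `esc_unquoted` and `esc_dquoted` and the sample value are hypothetical. It assumes the generated command line is read by a POSIX shell.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helpers, not rtmpdump code. Each writes a shell-safe form of
 * `in` to `out` (capacity `cap`) and returns its length, or -1 on failure. */
static int put(char *out, size_t cap, size_t *n, char c)
{
    if (*n + 1 >= cap) return -1;   /* always leave room for the NUL */
    out[(*n)++] = c;
    return 0;
}

/* Method 1: no surrounding quotes; backslash every byte outside a safe set. */
static int esc_unquoted(const char *in, char *out, size_t cap)
{
    static const char safe[] = "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_./:=,+@%-";
    size_t n = 0;
    if (*in == '\0') return -1;     /* an empty word would vanish unquoted */
    for (; *in; in++) {
        if (*in == '\n') return -1; /* backslash-newline is a continuation */
        if (!strchr(safe, *in) && put(out, cap, &n, '\\')) return -1;
        if (put(out, cap, &n, *in)) return -1;
    }
    out[n] = '\0';
    return (int)n;
}

/* Method 2: keep the double quotes; escape the four bytes still special inside them: " \ $ ` */
static int esc_dquoted(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (put(out, cap, &n, '"')) return -1;
    for (; *in; in++) {
        if (strchr("\"\\$`", *in) && put(out, cap, &n, '\\')) return -1;
        if (put(out, cap, &n, *in)) return -1;
    }
    if (put(out, cap, &n, '"')) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    const char *v = "clip \"a\" $HOME";   /* constructed sample value */
    char buf[128];
    if (esc_unquoted(v, buf, sizeof buf) >= 0) printf("-o %s\n", buf);
    if (esc_dquoted(v, buf, sizeof buf) >= 0) printf("-o %s\n", buf);
    return 0;
}
```

The unquoted form cannot carry a newline or an empty value, and the quoted form depends on the list of escaped bytes matching the shell that reads the line.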