[vlc-devel] Re: [RFC] sanitize MRL format
Rémi Denis-Courmont
rdenis at simphalempin.com
Fri Jun 15 13:19:38 CEST 2007
On Fri, 15 Jun 2007 12:52:30 +0200, Laurent Aimar <fenrir at via.ecp.fr>
wrote:
> All we need would be a little check with stat() in InputSourceInit before
> calling MRLSplit (and prepend file:// when needed)
> What do you think ?
I think there is a security problem. If you get a HTTP redirect, it MUST
NEVER be allowed to end up being a file on your local system, for instance.
What if I have a "http:" directory in the current path? Similarly, if you
give a filename, it must not end up trying to open the network, even if the
file cannot be stat'd for any reason (including being unexpectedly
missing).
--
Rémi Denis-Courmont
http://www.remlab.net/
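
The constraint raised in this message, as an added example that is not part of the original post and is not VLC code: the string is classified from its syntax and its origin alone, so a stat() result can never turn a redirect into a local file or a filename into a network access. The names `classify_mrl`, `mrl_origin` and `mrl_kind` are hypothetical, and accepting only http/https as network schemes is a simplification for the example.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for this example; they are not VLC identifiers. */
enum mrl_origin { ORIGIN_USER, ORIGIN_HTTP_REDIRECT };
enum mrl_kind { MRL_REJECT, MRL_LOCAL_FILE, MRL_NETWORK };

/* Length of the scheme in a leading "scheme://", or 0 if there is none. */
static size_t scheme_len(const char *s)
{
    const char *sep = strstr(s, "://");
    if (sep == NULL || !isalpha((unsigned char)s[0]))
        return 0;
    for (const char *p = s; p < sep; p++) {
        int c = (unsigned char)*p;
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;   /* e.g. "./http://x": '/' is not a scheme character */
    }
    return (size_t)(sep - s);
}

static int scheme_is(const char *s, size_t n, const char *name)
{
    return strlen(name) == n && strncasecmp(s, name, n) == 0;
}

/* The filesystem is never consulted: a missing file or a directory named
 * "http:" in the current path cannot change the answer. */
enum mrl_kind classify_mrl(const char *s, enum mrl_origin origin)
{
    size_t n = scheme_len(s);
    int net = n && (scheme_is(s, n, "http") || scheme_is(s, n, "https"));

    if (origin == ORIGIN_HTTP_REDIRECT)
        return net ? MRL_NETWORK : MRL_REJECT;  /* never a local file */
    if (n == 0)
        return MRL_LOCAL_FILE;                  /* never the network */
    if (scheme_is(s, n, "file"))
        return MRL_LOCAL_FILE;
    return net ? MRL_NETWORK : MRL_REJECT;
}
```

With this rule a user who really has a directory called "http:" reaches it as `http:/dir/file` or `./http://...`, both of which stay local because they do not parse as a scheme.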