[vlc-devel] Re: [RFC] sanitize MRL format

Laurent Aimar fenrir at via.ecp.fr
Fri Jun 15 13:58:56 CEST 2007


On Fri, Jun 15, 2007, Rémi Denis-Courmont wrote:
> 
> On Fri, 15 Jun 2007 12:52:30 +0200, Laurent Aimar <fenrir at via.ecp.fr> wrote:
> >  All we need would be a little check with stat() in InputSourceInit before
> > calling MRLSplit (and prepend file:// when needed)
> >  What do you think?
> 
> I think there is a security problem. If you get an HTTP redirect, it MUST
> NEVER be allowed to end up being a file on your local system, for instance.
 If our access http always redirects using http:// (and not http: or http:/), we
will not probe for a file, so it is not a problem. (I want to test for a local file
only if the URL does not use ://)

> What if I have a "http:" directory in the current path? Similarly, if you
> give a filename, it must not end up trying to open the network, even if the
> file cannot be stat'd for any reason (including being unexpectedly
> missing).
 In any case you are doomed here. We cannot guess in the input whether the user wants
to open the file or the URL. So it is up to the GUI to prepend file://
when it knows the user wants a file and to produce a good URL otherwise.

-- 
fenrir
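
The rule discussed in this thread, written out as an added example (not code from the original message or from VLC): a string containing "://" is never probed as a file, a string without it is never sent to the network, and a redirect target can never become a local file. The names classify_mrl, mrl_origin and mrl_kind are hypothetical, accepting https:// for redirects is an assumption, and the sketch decides on syntax and origin alone instead of calling stat().

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for illustration, not VLC's API. */
enum mrl_origin { FROM_USER, FROM_HTTP_REDIRECT };
enum mrl_kind   { MRL_REJECTED, MRL_URL, MRL_LOCAL_PATH };

/* True only for "<scheme>://...", scheme = ALPHA *( ALNUM / "+" / "-" / "." ).
 * "http:" and "http:/x" are not schemes here, so a directory named "http:"
 * stays a path. */
static bool has_scheme(const char *s)
{
    const char *sep = strstr(s, "://");
    if (sep == NULL || !isalpha((unsigned char)s[0]))
        return false;
    for (const char *p = s; p < sep; p++)
        if (!isalnum((unsigned char)*p) && strchr("+-.", *p) == NULL)
            return false;
    return true;
}

enum mrl_kind classify_mrl(const char *in, enum mrl_origin origin)
{
    if (origin == FROM_HTTP_REDIRECT) {
        /* Redirect targets stay on the network: no stat(), no file://.
         * Allowing https:// as well as http:// is an assumption. */
        if (strncasecmp(in, "http://", 7) == 0 ||
            strncasecmp(in, "https://", 8) == 0)
            return MRL_URL;
        return MRL_REJECTED;
    }
    /* User input: an explicit scheme is never probed as a file, and a string
     * without "://" never reaches the network, whether or not it exists. */
    return has_scheme(in) ? MRL_URL : MRL_LOCAL_PATH;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const struct { const char *mrl; enum mrl_origin o; } t[] = {
        { "http://example.org/a.ts", FROM_HTTP_REDIRECT },
        { "file:///etc/passwd",      FROM_HTTP_REDIRECT },
        { "/etc/passwd",             FROM_HTTP_REDIRECT },
        { "http:/clip.avi",          FROM_USER },
        { "rtsp://example.org/live", FROM_USER },
    };
    static const char *name[] = { "rejected", "url", "local path" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-26s -> %s\n", t[i].mrl, name[classify_mrl(t[i].mrl, t[i].o)]);
    return 0;
}
```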
