[vlc-devel] [PATCH 2/3] Save album art to id3 tag.
Francois Cartegnie
fcvlcdev at free.fr
Fri Aug 10 13:43:28 CEST 2012
Le 10/08/2012 12:47, Rémi Denis-Courmont a écrit :
>> Could you provide a sample URL that fails?
>> Passing crap to make_path() always seems to return NULL for me.
>
> Yes my mistake, nevermind.
>
Nah. Make path doesn't check scheme < path.
This example produces crap and then allows deleting an arbitrary file
when the user uploads his own [1]:
"file/truc:///../../../../../../home/user/.login"
Assuming a lua script can inject a such crafted art url.
[1] See [PATCH 3/3] Add file dialogue to manually set album art.
Francois
More information about the vlc-devel
mailing list