[vlc-devel] [PATCH 2/3] Save album art to id3 tag.
Angelo Haller
vlc-devel at szanni.org
Fri Aug 10 17:17:32 CEST 2012
On 08/10/2012 01:43 PM, Francois Cartegnie wrote:
> Le 10/08/2012 12:47, Rémi Denis-Courmont a écrit :
>>> Could you provide a sample URL that fails?
>>> Passing crap to make_path() always seems to return NULL for me.
>> Yes my mistake, nevermind.
>>
> Nah. Make path doesn't check scheme < path.
> This example produces crap and then allows deleting an arbitrary file
> when the user uploads his own [1]:
>
> "file/truc:///../../../../../../home/user/.login"
>
> Assuming a lua script can inject a such crafted art url.
>
>
> [1] See [PATCH 3/3] Add file dialogue to manually set album art.
Oh, I'm not aware on how the lua scripts work internally.
One of them is responsible for fetching the artwork from the net,
if I'm not mistaken.
So a response could be a maliciously crafted url, correct?
This would impose two threats:
1. Delete arbitary system files [P 3/3]
2. Save file contents (e.g. /etc/shadow) in the meta data of media
files. [P 2/3]
I would suggest using something like realpath (posix) to strip the ../ and
make sure to resolve possible symlinks. Should I incorporate
that in make_path? Or just include the headers in the two files and call
realpath directly?
Would this actually work in all cases? Does realpath behave correctly when
applied to a utf-8 encoded string? I couldn't find a reference regarding
encodings.
Best regards
More information about the vlc-devel
mailing list