[mythtv] mythvideo DB enhancement

Daniel Kristjansson danielk at cuymedia.net
Wed Jan 9 21:06:42 UTC 2008


On Wed, 2008-01-09 at 15:46 -0500, Chris Pinkham wrote:

> I don't remember, but think that the current filetransfer code would
> probably allow grabbing a file from a subdirectory if you issue the
> filetransfer request in subdirectory/filename.png format.  I don't
> think I put any particular code in the StorageGroup's FindRecording*()
> methods that would prohibit it, and I don't remember any in MainServer's
> filetransfer code.  I think the issue we had was with allowing the
> filetransfer code to transfer _any_ readable file.  If a user points
> a SG at /etc/ and allows someone to snag their /etc/passwd and
> /etc/shadow files because they are running mythbackend as root, then
> that is their problem. :)  I don't see any reason to not let the
> filetransfer stuff send files in the subdirectory/filename format.

You would have to check for "//", "..", and symlinks in the path. You
can't realistically check for hardlinks; but neither MythTV, nor any
of the contrib scripts, create hardlinks.

-- Daniel
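
The three path checks listed in the reply above ("//", "..", and symlinks), as an added example that is not part of the original message and is not MythTV code. The names `safeResolve` and `makeDemoTree` are hypothetical, the directory tree is constructed for the demo, and rejecting absolute requests is an assumption beyond what the post lists.

```cpp
// Added example, not MythTV code; safeResolve and makeDemoTree are hypothetical names.
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Full path for a "subdirectory/filename" request under root, or "" if rejected.
std::string safeResolve(const std::string &root, const std::string &rel)
{
    // Assumption beyond the post: absolute requests are rejected as well.
    if (rel.empty() || rel[0] == '/' || rel.find("//") != std::string::npos)
        return "";
    std::string cur = root, part;
    std::istringstream parts(rel);
    struct stat st = {};
    while (std::getline(parts, part, '/'))
    {
        if (part.empty() || part == "..")
            return "";
        cur += "/" + part;
        // lstat() does not follow links, so a symlink is seen as S_ISLNK.
        if (lstat(cur.c_str(), &st) != 0 || S_ISLNK(st.st_mode))
            return "";
    }
    return S_ISREG(st.st_mode) ? cur : std::string(); // only plain files are served
}

// Constructed sample tree: a file in a subdirectory and a symlink leaving the root.
std::string makeDemoTree()
{
    char tmpl[] = "/tmp/sgdemoXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return "";
    std::string root(dir);
    if (mkdir((root + "/sub").c_str(), 0700) != 0 || symlink("/etc", (root + "/link").c_str()) != 0)
        return "";
    std::ofstream(root + "/sub/cover.png") << "constructed";
    return root;
}

int main()
{
    std::string root = makeDemoTree();
    for (const char *req : {"sub/cover.png", "sub//cover.png", "../etc/passwd", "link/passwd"})
        std::printf("%-16s -> %s\n", req, safeResolve(root, req).empty() ? "rejected" : "ok");
}
```

Checking with `lstat()` and opening the file afterwards leaves a window in which a component can be swapped for a symlink; opening each component with `openat()` and `O_NOFOLLOW` closes it. Hardlinks pass this check, as the reply notes.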


