[mythtv] mythvideo DB enhancement
Chris Pinkham
cpinkham at bc2va.org
Wed Jan 9 22:43:55 UTC 2008
* On Wed Jan 09, 2008 at 04:06:42PM -0500, Daniel Kristjansson wrote:
> > I don't remember, but think that the current filetransfer code would
> > probably allow grabbing a file from a subdirectory if you issue the
> You would have to check for "//", "..", and symlinks in the path. You
> can't realistically check for hardlinks; but neither MythTV, nor any
> of the contrib scripts, create hardlinks.
That was the reason... Parts of IRC conversations gone by are resurfacing
in my head.
I just checked to verify there wasn't a hole. MainServer::LocalFilePath()
is used to find files for the file transfer code. LocalFilePath has the
following code to prevent this:
lpath = lpath.section('/', -1);
So, we chop off any directory names before we even go looking for the file.
It wouldn't take much code for someone to implement the above checks that
you describe though.
--
Chris
More information about the mythtv-dev
mailing list