[mythtv] mythvideo DB enhancement

Stuart Auchterlonie stuarta at squashedfrog.net
Wed Jan 9 23:02:20 UTC 2008


Chris Pinkham wrote:
> * On Wed Jan 09, 2008 at 04:06:42PM -0500, Daniel Kristjansson wrote:
>>> I don't remember, but think that the current filetransfer code would
>>> probably allow grabbing a file from a subdirectory if you issue the
> 
>> You would have to check for "//", "..", and symlinks in the path. You
>> can't realistically check for hardlinks; but neither MythTV, nor any
>> of the contrib scripts, create hardlinks.
> 
> That was the reason...  Parts of IRC conversations gone by are resurfacing
> in my head.
> 
> I just checked to verify there wasn't a hole.  MainServer::LocalFilePath()
> is used to find files for the file transfer code.  LocalFilePath has the
> following code to prevent this:
> 
>     lpath = lpath.section('/', -1);
> 
> So, we chop off any directory names before we even go looking for the file.
> 
> It wouldn't take much code for someone to implement the above checks that
> you describe though.
> 

However, starting to allow / directory delimiters at this point
will reduce the portability of the SG code, especially given that
a few things have been going on in the win32 arena.

I'd be inclined to leave the SG code as is, and implement a SG
for the thumbnails.


Stuart


More information about the mythtv-dev mailing list