[mythtv] mythvideo DB enhancement
Stuart Auchterlonie
stuarta at squashedfrog.net
Wed Jan 9 23:02:20 UTC 2008
Chris Pinkham wrote:
> * On Wed Jan 09, 2008 at 04:06:42PM -0500, Daniel Kristjansson wrote:
>>> I don't remember, but think that the current filetransfer code would
>>> probably allow grabbing a file from a subdirectory if you issue the
>
>> You would have to check for "//", "..", and symlinks in the path. You
>> can't realistically check for hardlinks; but neither MythTV, nor any
>> of the contrib scripts, create hardlinks.
>
> That was the reason... Parts of IRC conversations gone by are resurfacing
> in my head.
>
> I just checked to verify there wasn't a hole. MainServer::LocalFilePath()
> is used to find files for the file transfer code. LocalFilePath has the
> following code to prevent this:
>
> lpath = lpath.section('/', -1);
>
> So, we chop off any directory names before we even go looking for the file.
>
> It wouldn't take much code for someone to implement the above checks that
> you describe though.
>
However, starting to allow / directory delimiters at this point
will reduce the portability of the SG code, especially given that
a few things have been going on in the win32 arena.
I'd be inclined to leave the SG code as is, and implement a SG
for the thumbnails.
Stuart
More information about the mythtv-dev
mailing list