[mythtv] mythvideo DB enhancement
Peter Schachte
schachte at csse.unimelb.edu.au
Fri Jan 11 00:45:45 UTC 2008
Stuart Auchterlonie wrote:
> Firstly I'll say it's theoretical and unlikely, but the general theory
> with these goes along the lines of the following.
>
> Say your SG directory is /myth/rec/
>
> if the code allows / then the attacker would request the file called
>
> ../../etc/passwd
>
> which when you string it together becomes
>
> /myth/rec/../../etc/passwd = /etc/passwd

How about not allowing '..' rather than not allowing '/'? Then you could
use subdirectories within SGs without danger.

--
Peter Schachte
schachte at cs.mu.OZ.AU
www.cs.mu.oz.au/~schachte/
Phone: +61 3 8344 1338

I worry that 10 or 15 years from now, [my child] will come to me and say
'Daddy, where were you when they took freedom of the press away from
the Internet?' -- Mike Godwin
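
Added example (not part of the original message and not MythTV code): a component-wise check in C++ that refuses '..' while still permitting subdirectories, using the /myth/rec/ directory from the thread. The function name joinInsideStorageGroup and the sample file names are assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical helper (not MythTV code): join a client-supplied relative
// name onto a storage-group directory, allowing subdirectories but nothing
// that could leave it. Returns true and fills `out`, or false on rejection.
bool joinInsideStorageGroup(const std::string &sgDir,
                            const std::string &requested, std::string &out)
{
    // Absolute names are not relative to the storage group at all, and an
    // embedded NUL can truncate the name once it reaches a C file API.
    if (requested.empty() || requested[0] == '/' ||
        requested.find('\0') != std::string::npos)
        return false;

    std::string clean, part;
    std::istringstream parts(requested);
    while (std::getline(parts, part, '/')) {
        if (part.empty() || part == ".") continue;  // "a//b", "a/./b"
        if (part == "..")            // whole component only, so a file
            return false;            // named "show..mpg" is still accepted
        if (!clean.empty()) clean += '/';
        clean += part;
    }
    if (clean.empty()) return false;                // e.g. "." or "./"

    out = sgDir;
    if (out.empty() || out[out.size() - 1] != '/') out += '/';
    out += clean;
    return true;
}

int main()
{
    // Constructed sample requests; /myth/rec/ is the directory from the thread.
    const char *samples[] = {"1001_2008.mpg", "movies/show..mpg",
                             "../../etc/passwd", "movies/../../etc/passwd",
                             "/etc/passwd"};
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        std::string full;
        bool ok = joinInsideStorageGroup("/myth/rec/", samples[i], full);
        std::cout << samples[i] << " -> " << (ok ? full : "REJECTED") << "\n";
    }
    return 0;
}
```

The check is purely lexical: a symlink inside the storage group that points elsewhere still needs a canonical-path comparison (for example with realpath()) before the file is opened.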