On Fri, Jul 10, 2015 at 8:12 PM, Luca Barbato <[email protected]> wrote: > On 10/07/15 19:46, Vittorio Giovara wrote: >> This reverts commit 9286de045968ad456d4e752651eec22de5e89060. >> The change broke support for legit absolute file paths. >> >> Reported-by: Maksym Veremeyenko <[email protected]>. >> --- >> It looks like there are more samples that reference absolute path files >> than samples referencing files from the same directory. >> I proposed to just revert the change for now, and think on a solution when >> the number of samples of the second kind increases. >> >> Vittorio >> >> libavformat/mov.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/libavformat/mov.c b/libavformat/mov.c >> index d075645..eb42bf5 100644 >> --- a/libavformat/mov.c >> +++ b/libavformat/mov.c >> @@ -2394,7 +2394,7 @@ static int mov_open_dref(AVIOContext **pb, char *src, >> MOVDref *ref, >> { >> /* try relative path, we do not try the absolute because it can leak >> information about our >> system to an attacker */ >> - if (ref->nlvl_to > 0 && ref->nlvl_from > 0 && ref->path[0] != '/') { >> + if (ref->nlvl_to > 0 && ref->nlvl_from > 0) { >> char filename[1024]; >> char *src_path; >> int i, l; >> > > I'd rather provide a switch in the shape of -fflags savepath or such.
Probably a good idea, but this needs further study, so for the time being I think it ought to be reverted.
--
Vittorio
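Review bot: the context comment at the top of the hunk still reads "we do not try the absolute because it can leak information about our system to an attacker", but with `ref->path[0] != '/'` dropped from the `if`, a `ref->path` beginning with '/' is no longer rejected by this condition, so the comment and the code now disagree. Either reword the comment to describe what the branch does after the revert, or keep the check and skip it only when the caller opts in, along the lines of the switch suggested in the reply, so that the restriction stays on by default for files from untrusted sources. The commit message should also say that the information-leak concern named in that comment is knowingly reopened until such an option exists.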
