On Sun, 20 Mar 2005, Isaac Richards wrote: > On Sunday 20 March 2005 01:17 am, Jonathan T Wang wrote: > > Hi, > > > > I believe I've found a security hole in Myth - in > > MainServer::LocalFilePath, MythTV does not check whether the QUrl passed > > in by the client in MainServer::HandleAnnounce contains any instances > > of "../" > > > > This means that an attacker could cause MythTV to send him any file on the > > system readable by the mythtv user. > > Read the code again.
Ah, got it. Sorry about that. Jonathan
_______________________________________________ mythtv-dev mailing list [email protected] http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-dev
