[SCM] libav/experimental: Do not attempt to open references through absolute paths. This would allow an attacker to test remotely if a local file exists.

siretart at users.alioth.debian.org
Sun Jun 30 17:00:43 UTC 2013


The following commit has been merged in the experimental branch:
commit 6a2459059e469fdb835ff4abcbc3bae9781116b3
Author: Michael Niedermayer <michaelni at gmx.at>
Date:   Sat Feb 20 22:48:09 2010 +0000

    Do not attempt to open references through absolute paths.
    This would allow an attacker to test remotely if a local file exists.
    
    Originally committed as revision 21925 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/mov.c b/libavformat/mov.c
index c5e3ec0..8cc1287 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1556,11 +1556,8 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
 
 static int mov_open_dref(ByteIOContext **pb, char *src, MOVDref *ref)
 {
-    /* try absolute path */
-    if (!url_fopen(pb, ref->path, URL_RDONLY))
-        return 0;
-
-    /* try relative path */
+    /* try relative path, we do not try the absolute because it can leak information about our
+       system to an attacker */
     if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
         char filename[1024];
         char *src_path;
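
Review bot: In mov_open_dref(), the surviving relative branch is still gated only on `ref->nlvl_to > 0 && ref->nlvl_from > 0`, and both counts come from the same reference data as the removed `ref->path`. Please confirm that the name assembled in `filename[1024]` cannot step above the directory of `src` by more levels than intended, since otherwise a relative reference could still be used as the file-existence test the commit message describes. It is also worth checking that the assembly into the fixed 1024-byte buffer is bounded. The new comment could state the concrete risk (a remote party learning whether a local file exists) rather than "leak information about our system", so the reason survives later refactoring.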

-- 
Libav/FFmpeg packaging


