reopen 525078
thanks
On Mon, Jun 15, 2009, Steffen Joeris wrote:
> The code snippet is upstream's security fix. Testing it now and preparing DSA.
Unfortunately it doesn't work properly. It looks like upstream didn't
even bother to test the fix.
Quick (and harmless) way to simulate an attack and reproduce the bug:
- run amule from the command line
- set video player to "vlc" in the preferences
- start downloading a file (use the search tool to find a small
txt file)
- pause download using right click -> Pause
- rename file to '-vvvv.avi (with a leading tick) using right
click -> Show File Details
- resume download, wait for completion
- double click on the file
- you should see VLC's very verbose debug messages in amule's console,
indicating that it has been called with -vvvv.avi as an extra
argument, increasing its verbosity
The following fix works, though (tested with 2.2.5):
rawFileName.Replace(QUOTE, wxT("\\") QUOTE);
--
Sam.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
