Diffstat (limited to 'HISTORY')
| -rw-r--r-- | HISTORY | 16 | 
1 files changed, 15 insertions, 1 deletions
| @@ -3963,7 +3963,7 @@ Video Disk Recorder Revision History    commands may now be executed at any time, and the message will be displayed    (no more "pending message"). -2005-12-29: Version 1.3.38 +2005-12-30: Version 1.3.38  - Fixed handling second audio and Dolby Digital PIDs for encrypted channels    (was broken in version 1.3.37). @@ -4023,3 +4023,17 @@ Video Disk Recorder Revision History    (encoded in base64) if the given file name consists of only the file    extension (".jpg", ".jpeg" or ".pnm"), or if only "-" is given as file    name (based on a suggestion from Darren Salt). +- The new command line option '-g' must be given if the SVDRP command GRAB +  shall be allowed to write image files to disk. The parameter to this option +  must be the full path name of an existing directory, without any "..", double +  '/' or symlinks. By default, or if "-g- is given, grabbing to files is +  not allowed any more because of potential security risks. +- Modified the way the SVDRP command GRAB writes the grabbed image to a file +  to avoid a security hole (CAN-2005-0071, reported by Javier Fernández-Sanguino +  Peña): +  + The file handle is now opened in a way that it won't follow symbolic links +    (suggested by Darren Salt). +  + The given file name is now canonicalized, so that it won't contain any +    ".." or symlinks (suggested by Darren Salt). +  + Grabbing to files is limited to the directory given in the the command +    line option '-g'. By default grabbing to files is not allowed any more. | 
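Review bot: The new '-g' entry in the second hunk (@@ -4023,3 +4023,17 @@) lists what the directory argument must look like (full path of an existing directory, no "..", no double '/', no symlinks) but does not say what happens when the argument fails those rules. Please state whether the option is rejected at startup or whether grabbing to files is silently left disabled, since an administrator reading this needs to know whether a mistyped path fails open or closed. Two wording fixes in the same hunk: in `By default, or if "-g- is given` the opening double quote is never closed, and `given in the the command` has a duplicated "the". The final sub-item of the CAN-2005-0071 entry also repeats the "not allowed any more" default already stated in the '-g' entry; one of the two could refer to the other.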
