This would allow an attacker to test remotely if a local file exists.
Originally committed as revision 21925 to svn://svn.ffmpeg.org/ffmpeg/trunk
static int mov_open_dref(ByteIOContext **pb, char *src, MOVDref *ref)
{
- /* try absolute path */
- if (!url_fopen(pb, ref->path, URL_RDONLY))
- return 0;
-
- /* try relative path */
+ /* try relative path, we do not try the absolute because it can leak information about our
+ system to an attacker */
if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
char filename[1024];
char *src_path;