pythonBits

Better scene detection

Open plotski opened this issue 4 years ago • 7 comments

See pm on bb.

Jun 09 '20 13:06 plotski

I'm sorry, but I really don't see the attack vector. We don't pickle arbitrary stuff from the API, we pickle requests.Response objects that we already trust.

If the attacker controls the API, they would have to find a vulnerability in requests.Response. And if they can do that, it doesn't matter if malicious objects are pickled or not.

Jun 13 '20 13:06 plotski

@plotski you as the committer can still hide almost arbitrary code in there, which will get executed if you run tests. It's like a proprietary software blob. This is what I disagree with.

Jun 13 '20 13:06 mueslo

Oh, right. Good point. I didn't think of that.

I'll work something out without pickles.

Jun 13 '20 13:06 plotski

API responses are now stored as plain text files. Are we good on the other points you raised?

Jun 14 '20 16:06 plotski
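
An added illustration of the concern about committed pickles settled above (not code from pythonBits or from either commenter): a pickle fixture can be reviewed without loading it by listing the globals its opcode stream would import. `pickle_imports` and the sample pickles are constructed for this example.

```python
import pickle
import pickletools
from collections import Counter, OrderedDict

MARK = pickletools.markobject
PUTS = ("PUT", "BINPUT", "LONG_BINPUT")
GETS = ("GET", "BINGET", "LONG_BINGET")

def pickle_imports(data):
    """List the (module, name) globals a pickle would import, without loading it.

    Only the opcode stream is read (pickletools.genops); nothing is imported or
    called. Just enough stack and memo state is tracked to resolve STACK_GLOBAL;
    a name that cannot be resolved is reported as None, and a malformed stream
    raises instead of returning a partial list.
    """
    stack, memo, found = [], {}, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MEMOIZE":             # protocol 4+: remember top of stack
            memo[len(memo)] = stack[-1]
            continue
        if op.name in PUTS:                  # older protocols: explicit memo index
            memo[arg] = stack[-1]
            continue
        if op.name in GETS:                  # re-push a memoized value
            stack.append(memo.get(arg))
            continue
        if op.name in ("GLOBAL", "INST"):    # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # names are the top two stack items
            found.append((stack[-2], stack[-1]))
        before = op.stack_before
        if MARK in before:                   # variable-length pop down to the mark
            while stack.pop() is not MARK:
                pass
            before = before[:before.index(MARK)]
        if before:
            del stack[-len(before):]
        for kind in op.stack_after:          # keep string values, drop the rest
            is_str = kind is pickletools.pyunicode
            stack.append(MARK if kind is MARK else arg if is_str else None)
    return found

# Constructed samples: a plain-data fixture and one holding stdlib objects.
PLAIN = pickle.dumps({"status": 200, "text": "{}"})
OBJECTS = [pickle.dumps([OrderedDict(), Counter()], protocol=p) for p in (2, 4)]

if __name__ == "__main__":
    print(pickle_imports(PLAIN))
    for blob in OBJECTS:
        print(pickle_imports(blob))
```

A fixture that yields an empty list holds only plain data; anything else names code that would be imported when the tests load it.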

os.path.splitext(os.path.basename("The.Title.2000.x265-GRP"))[0] ('The.Title.2000', '.x265-GRP')

Jun 21 '20 12:06 plotski

A scene file in a directory with the wrong folder name yields "scene: False". This is another regression; while it would be possible to detect that this is basically equivalent to a renamed scene release, previously it at least queried the user.

Jun 21 '20 13:06 mueslo

Can you provide an example?

Jun 21 '20 14:06 plotski