VirtualRPC oops

I’ve just discovered that *.// displays the parent of the current directory… even if the current directory is $. Naturally Filer_OpenDir //.//.// is also valid.

Not having a VirtualRPC to try this on, I’ll take your word for it. I might investigate what it does on a Pi, or do I risk terminal confusion?

Nah it’s a HostFS thing specific to emulators. VirtualRPC accidentally allows you to ‘parent’ out of your mounted sandbox by using Windows syntax within a RISC OS filename. D’oh.

Did you get the tokens of my esteem that I entrusted to the same organisation that sent your parcel a motorway trip away?

Yup, yesterday when I arrived home from trip to Scotland, thanks – I emailed you yesterday!

My copy of VRPC Adj allows me to access C:/VirtualAcorn (by Filer_openDir //.//) but not C:/ – this seems to be a security loophole?

RedSquirrel (0.6) also has this issue.

Filer_OpenDir //.//.// will take you back to Program Files, but it appears that you cannot directly access the root, but you can traverse it – //.//.//.//.Windows.System32.ntoskrnl.exe is a valid filename.

Jeez.

*Info //.//.//.//.Windows.System32.NTOSKRNL/EXE
NTOSKRNL/EXE WR/WR   Text       14:00:00 24-Feb-2009 2253 Kbytes

Chris joked

this seems to be a security loophole?

Considering one can *HostFS:Mount RootyTootToot C:\ I wouldn’t bother mentioning the S word.

this seems to be a security loophole?

More likely somebody forgetting that “.” is self and “..” is parent, and thus treating them as valid objects instead of filtering them out. Oops.

Wait – you can mount any arbitrary host path from within the emulator?

Oh yes indeed. VirtualRPC is as ‘secure’ as a Command Window. ;-)

And it has CallWin32 as well, of course.

And it has CallWin32 as well, of course.

So a NET USE to some arbitrary shared resource and then mount in RO should be relatively easy.

Indeed. VirtualRPC already exposes all the Windows printers as HostFS devices. But yes, anything mapped to a drive letter can be accessed.