Several security issue abot h323plus about h323plus HOT 2 CLOSED

The code you reference is only executed inside the H.263 and H.264 plugin which are shared libraries themselves and don't have and provision for any config settings.

I fixed the one strcpy() and added a security note that if one uses these plugins the environment needs to be secured which probably isn't very difficult in most server installations.

If you see a way to use the plugins without any trusted environment variables, please provide a patch.

from h323plus.

Oh yes. It's a shared library for developers, and have no any other config settings.
In that way, I think that using current module path may be another optional way to locate the plugin path.

I think the developers could put the plugins and other shared libraries into the same directory with their executable file, which can be wrote to the tutorial document. In this way, GetModuleName could be used to get current executable module path in Windows platform. And in linux, readlink( "/proc/self/exe", path, PATH_MAX) can get current executable module path.

// Windows
TCHAR szPath[MAX_PATH];
GetModuleFileName(NULL, szPath, MAX_PATH));

// Linux
char path[MAX_PATH];
readlink("/proc/self/exe", path, MAX_PATH);

Hardcoded path could be always a second option way as you use in your code:

// Windows
InternalOpen("C:\\H323plus\plugin", name);  // just an example path for windows

// Linux
InternalOpen("/usr/local/lib", name);

Anyway, what I mentioned above is just my advice for that. Environment variable is still widily used, and it's ok if only developers make sure that the environment variable is unable to be modified by others.

However the buffer overflow issue is nessussary to be fixed by using strcpy_s\strcat_s instead.

from h323plus.