At least need an escape for quote… I really need to RTFM and see what has to be escaped in quotes.
popen doesn’t sanitize anything, so a filename with a quote in it could be exploited to execute an arbitrary executable as the “runas” user. I just need to see what else has to be escaped.
P.S. there are a couple reasons for wavstreamer — one is that it reads and writes in large blocks, which helps performance a lot. The other is that a lot of programs don’t write proper wav headers when they stream to stdout — they don’t know the length of the file before they decode it, so they send wav headers with zero length. iTunes doesn’t like that, so wavstreamer dummies up the wav headers with the appropriate song length based on what was scanned from the tags.
That’s what wavstreamer is about.
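An added example, not part of the original post or the project's code: one way to make a filename safe to place in a `popen` command line is to wrap it in single quotes, where POSIX sh treats every byte literally and only the single quote itself needs rewriting. The names `shell_quote` and `survives_shell` and the sample filenames are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* for popen/pclose */
#include <stdio.h>
#include <string.h>

/* Wrap src in single quotes for /bin/sh. Inside single quotes the shell
 * treats every byte literally, so only ' itself needs handling: close the
 * quote, emit \', reopen. Returns length written, or -1 if dst is too small. */
int shell_quote(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    if (dstlen < 3) return -1;                  /* need at least '' and NUL */
    dst[o++] = '\'';
    for (; *src; src++) {
        size_t need = (*src == '\'') ? 4 : 1;
        if (o + need + 2 > dstlen) return -1;   /* +2: closing ' and NUL */
        if (*src == '\'') { memcpy(dst + o, "'\\''", 4); o += 4; }
        else dst[o++] = *src;
    }
    dst[o++] = '\'';
    dst[o] = '\0';
    return (int)o;
}

/* Pass name through the shell as one argument to printf and read it back.
 * Returns 1 if the shell delivered exactly the original bytes. */
int survives_shell(const char *name) {
    char quoted[1024], cmd[1100], out[1024];
    size_t n;
    FILE *p;
    if (shell_quote(name, quoted, sizeof quoted) < 0) return 0;
    snprintf(cmd, sizeof cmd, "printf %%s %s", quoted);
    if ((p = popen(cmd, "r")) == NULL) return 0;
    n = fread(out, 1, sizeof out - 1, p);
    out[n] = '\0';
    pclose(p);
    return strcmp(out, name) == 0;
}

int main(void) {
    /* Constructed filenames containing shell metacharacters. */
    const char *names[] = { "plain.mp3", "Rock'n'Roll.mp3",
                            "a\"b $(echo x) `echo y`; echo z \\.mp3" };
    char q[256];
    for (size_t i = 0; i < 3; i++) {
        shell_quote(names[i], q, sizeof q);
        printf("%-40s -> %s  roundtrip=%d\n", names[i], q, survives_shell(names[i]));
    }
    return 0;
}
```

Running the decoder with `fork` and `execv` instead of `popen` removes the shell from the path entirely, so no quoting is needed at all.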