[vlc-devel] Playlist item options security et al

Pierre d'Herbemont pdherbemont at free.fr
Mon Dec 24 20:16:01 CET 2007

On Dec 24, 2007, at 7:01 PM, Rémi Denis-Courmont wrote:

> Le lundi 24 décembre 2007, Pierre d'Herbemont a écrit :
>> On Dec 24, 2007, at 6:35 PM, Pierre d'Herbemont wrote:
>>> What about simply lowering the m3u-extvlcopt  Error message to a
>>> Dbg message? The freebox module is fine without extvlcopt, and
>>> extvlcopt doesn't add much...
>> hum... Apparently they need:
>> #EXTVLCOPT:ts-es-id-pid
>> #EXTVLCOPT:no-video
>> #EXTVLCOPT:audio-track-id=1001
>> We could simply allow certain 'safe' options, such as those, when
>> parsing m3u.
> That's what I already stated several times. Indeed, the ASX parser
> already does uses some playlist item options in a similar way. That
> however would NOT work if certain insecure options (such as sout or
> demux-dump) were needed. In this later case, a new
> dedicated "restricted" sout option/plugin seems like the only safe
> solution.

Yes. I have a dummy patch for that, what do you think? My concern is  
that it is a bit silly to consider to keep a list of all the safe  
options in core, whereas those are defined in the modules... Also I  
have a few concern on options parsing. But that could be a nice way to  
work around those issues.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: secure_m3u.diff.txt
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071224/f60454e7/attachment.txt>
-------------- next part --------------

> As with JB's _amazing_ work on the Qt4 plugin and as with human beings
> in general, the unhappy ones are much more noisy (or then nobody likes
> me trying to fix VLC security issues). That won't make me change my
> mind, I've long since grown used to doing ungrateful tasks (cleaning  
> up
> the API and the build system being another ones)

And I strongly thank you for that!

> While I'm on it, thanks for those keeping the forums alive, and taking
> care of the servers, ML moderation and builds. Some very much needed
> and ungrateful stuff that I don't do.



More information about the vlc-devel mailing list