[vlc-devel] vlc: svn commit r23880 (courmisch)
Damien Fouilleul
damien.fouilleul at laposte.net
Thu Dec 27 18:00:52 CET 2007
well, if you mark :demux-dump-file as unsafe, and then block it by
forcing to its default (which is ""), then i don't see where the
problems is.
moreover, what combinations are you talking about which do not involve
inputing file names (or URLs) that could be unsafe, i don't see any ?
Damien
On 27 Dec 2007, at 16:47, Rémi Denis-Courmont wrote:
> Le jeudi 27 décembre 2007, Damien Fouilleul a écrit :
>> i'm glad you implemented that option as i think this is the best way
>> to solve that security problem with options, however i think you
>> should have inverted that option, basically using VLC_CONFIG_UNSAFE,
>
> And who's going to validate every single of the hundreds of options
> that
> we have? And worst yet, the explosive possibilites when combining
> options.
>
>> as i believe most options are safe to use, all we need to do is mark
>> the configuration options that are actually unsafe (basically all
>> options dealing with files and/or URLs in general)
>
> That's pretty much impossible. The demux option is clearly harmful as
> well, yet it does not deal with URL.
>
> --
> Rémi Denis-Courmont
> http://www.remlab.net/
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> http://mailman.videolan.org/listinfo/vlc-devel
More information about the vlc-devel
mailing list