[vlc-devel] Re: vlc: svn commit r19511 (pdherbemont)
Pierre d'Herbemont
pdherbemont at free.fr
Wed Mar 28 19:34:09 CEST 2007
On 28 March 07, at 16:55, Rémi Denis-Courmont wrote:
> On Wednesday 28 March 2007 15:41, Damien Fouilleul wrote:
>> As far as I know an absolute URL starting with / is invalid, and even
>> assuming that it corresponds to a UNIX path is also against the
>> purpose of URL which strives to be system agnostic.
>
> Yes.
>
>> I would agree with Pierre's implementation in that case, which assumes
>> that a Location URL starting with / must be relative, and therefore
>> replaces the current absolute URL path with that one (even though it
>> can contradict the specification). This approach is better than just
>> ignoring the URL, one must be pragmatic and not dogmatic when
>> dealing with network protocols.
>
> No, this approach completely sucks.
>
> 1/ There is a reason why the spec says that (and I do not pretend to be
> more intelligent than the ones who wrote it).

Safari, Firefox, and even curl don't follow this item of the specs. I
agree that we ought to follow the specs, but in this case a work
around should really be considered, as a majority doesn't follow the
spec.

> 2/ This bug-to-bug fix is assuming VLC is using http://, so for
> instance, there now is a security bug if TLS was used. That's precisely
> the kind of reasons why quick-and-dirty bug-to-bug fixes suck.

Right, this is not right. Thanks, fixed. But if my change introduced
a security exploit when using TLS, it means that there still is one.
(send Location: http://ddd.ccc/etc from a TLS server). The code
should then be reviewed.

Pierre.
--
This is the vlc-devel mailing-list, see http://www.videolan.org/vlc/
To unsubscribe, please read http://developers.videolan.org/lists.html
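
Added example, not part of the original thread and not VLC's code: a redirect resolver that treats a Location starting with / as relative to the requested URL, inheriting its scheme, host and port instead of assuming http://. The function name resolve_location, the sample hosts, and the policy of refusing an https-to-http redirect are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not VLC's API): resolve a redirect Location against
 * the URL that was requested. Returns 0 and fills `out`, or -1 when the
 * redirect is refused or not handled. */
int resolve_location(const char *cur, const char *loc, char *out, size_t n)
{
    const char *sep = strstr(cur, "://");
    if (sep == NULL || sep == cur)
        return -1;
    size_t scheme_len = (size_t)(sep - cur);
    /* scheme://authority ends at the first '/', '?' or '#' after "://" */
    size_t origin_len = scheme_len + 3 + strcspn(sep + 3, "/?#");
    int cur_tls = scheme_len == 5 && strncasecmp(cur, "https", 5) == 0;
    int len;

    if (loc[0] == '/' && loc[1] == '/') {
        /* "//host/path": new authority, scheme inherited from the request */
        len = snprintf(out, n, "%.*s:%s", (int)scheme_len, cur, loc);
    } else if (loc[0] == '/') {
        /* "/path": scheme, host and port are inherited, never rebuilt
         * from a hard-coded "http://" */
        len = snprintf(out, n, "%.*s%s", (int)origin_len, cur, loc);
    } else if (strncasecmp(loc, "https://", 8) == 0) {
        len = snprintf(out, n, "%s", loc);
    } else if (strncasecmp(loc, "http://", 7) == 0) {
        /* Assumed policy: a response received over TLS may not send the
         * client to cleartext HTTP */
        if (cur_tls)
            return -1;
        len = snprintf(out, n, "%s", loc);
    } else {
        return -1; /* other schemes and relative forms: out of scope */
    }
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample URLs */
    if (resolve_location("https://example.test:8443/a/b", "/c/d", buf, sizeof buf) == 0)
        puts(buf);
    if (resolve_location("https://example.test/a", "http://other.test/etc", buf, sizeof buf) != 0)
        puts("refused: https -> http");
    return 0;
}
```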