[vlc-devel] Re: vlc: svn commit r19511 (pdherbemont)

Pierre d'Herbemont pdherbemont at free.fr
Wed Mar 28 19:34:09 CEST 2007

On 28 mars 07, at 16:55, Rémi Denis-Courmont wrote:

> Le mercredi 28 mars 2007 15:41, Damien Fouilleul a écrit :
>> As far as i know an absolute URL starting with / is invalid, and even
>> assuming that it corresponds to a UNIX path is also against the
>> purpose of URL which strives to be system agnostic.
> Yes.
>> I would agree with pierre's implementation in that case, which  
>> assumes
>> that an Location URL starting with / must be relative, and therefore
>> replaces the current absolute URL path with that one (even though it
>> can contradict the specification). This approach is better than just
>> ignoring the URL, one must be pragamatic and not dogmatic when
>> dealing with network protocols.
> No, this approach completely sucks.
> 1/ There is a reason why the spec says that (and I do not pretend  
> to be
> more intelligent than the ones who wrote it).

Safari, Firefox, and even curl don't follow this item of the specs. I  
agree that we ought to follow the specs, but in this case a work  
around should really be considered, as a majority doesn't follow the  

> 2/ This bug-to-bug fix is assuming VLC is using http://, so far
> instance, there now is a security bug if TLS was used. That's  
> precisely
> the kind of reasons why quick-and-dirty bug-to-bug fixes suck.

Right, this is not right. Thanks, fixed. But if my change introduced  
a security exploit when using TLS, it means that there still is one.  
(send Location: http://ddd.ccc/etc from a TLS server). The code  
should then be reviewed.

This is the vlc-devel mailing-list, see http://www.videolan.org/vlc/
To unsubscribe, please read http://developers.videolan.org/lists.html

More information about the vlc-devel mailing list