[vlc-devel] vlc: svn commit r24342 (funman)

Rémi Denis-Courmont rdenis at simphalempin.com
Wed Jan 16 19:45:01 CET 2008 

Le Wednesday 16 January 2008 20:18:01 Rafaël Carré, vous avez écrit :
> > I don't want hackers to:
> > - up the volume and explode my ears or otherwise change my audio HW
> > settings,
>
> I hope you don't run flash.

So Flash does it, lets do it too. Come on, this is not a primary school 
backyard.

> > - change the CDDB server so they can learn what CDDA I am playing,
>
> But they know already, since they control VLC, no ?

Maybe there is a Javascript API that I haven't heard of, which can access the 
CD drive, but for some reason, I doubt it.

> > - change the record filter path!!! (arbitrary file overwrite anyone?),
>
>         if( asprintf( &p_sys->psz_file, "%s %d-%d-%d
> %.2dh%.2dm%.2ds.%s", ( psz_name != NULL ) ? psz_name : "Unknown",
>                       l.tm_mday, l.tm_mon+1, l.tm_year+1900,
>                       l.tm_hour, l.tm_min, l.tm_sec,
>                       p_sys->psz_ext ) == -1 )
>
> Oh my god it can overwrite such named files !

Should the thing be allowed to store large files anywhere (as in, on any 
partition, inside any directory)? Plus having a restrictive filename does not 
mean the problem is not there, won't be published on bugtraq, and won't give 
VLC its (deserved) reputation as one of the least secure media player.

> > - change the TLS settings (nevermind it was supposed to be secure),
>
> again, they do control VLC

If this is the starting hypothesis, I wonder why I bothered implementing the 
safe flag at all, and why you bothered committing this crap. If you don't 
know or understand the x509/TLS trust model, it's not my fault. But it all 
comes down to this very simple issue: why flag options you obviously don't 
understand as safe? And why claim you did review them also?

> > Every second setting seems wrong to me.
>
> Thanks you so much for respecting my work, you lazy bastard.

Thank you so much for ensuring that VLC gets kicked out of every open-source 
operating system distributions.

And for the record, I may be a bastard, but that is not a topic for a public 
mailing opensource list. As for being lazy, considering the amount of 
ungrateful clean up work that I have done for this project, I would disagree.

-- 
Rémi Denis-Courmont
http://www.remlab.net/

More information about the vlc-devel mailing list