[vlc-devel] vlc: svn commit r24342 (funman)
rdenis at simphalempin.com
Wed Jan 16 19:45:01 CET 2008
Le Wednesday 16 January 2008 20:18:01 Rafaël Carré, vous avez écrit :
> > I don't want hackers to:
> > - up the volume and explode my ears or otherwise change my audio HW
> > settings,
> I hope you don't run flash.
So Flash does it, lets do it too. Come on, this is not a primary school
> > - change the CDDB server so they can learn what CDDA I am playing,
> But they know already, since they control VLC, no ?
CD drive, but for some reason, I doubt it.
> > - change the record filter path!!! (arbitrary file overwrite anyone?),
> if( asprintf( &p_sys->psz_file, "%s %d-%d-%d
> %.2dh%.2dm%.2ds.%s", ( psz_name != NULL ) ? psz_name : "Unknown",
> l.tm_mday, l.tm_mon+1, l.tm_year+1900,
> l.tm_hour, l.tm_min, l.tm_sec,
> p_sys->psz_ext ) == -1 )
> Oh my god it can overwrite such named files !
Should the thing be allowed to store large files anywhere (as in, on any
partition, inside any directory)? Plus having a restrictive filename does not
mean the problem is not there, won't be published on bugtraq, and won't give
VLC its (deserved) reputation as one of the least secure media player.
> > - change the TLS settings (nevermind it was supposed to be secure),
> again, they do control VLC
If this is the starting hypothesis, I wonder why I bothered implementing the
safe flag at all, and why you bothered committing this crap. If you don't
know or understand the x509/TLS trust model, it's not my fault. But it all
comes down to this very simple issue: why flag options you obviously don't
understand as safe? And why claim you did review them also?
> > Every second setting seems wrong to me.
> Thanks you so much for respecting my work, you lazy bastard.
Thank you so much for ensuring that VLC gets kicked out of every open-source
operating system distributions.
And for the record, I may be a bastard, but that is not a topic for a public
mailing opensource list. As for being lazy, considering the amount of
ungrateful clean up work that I have done for this project, I would disagree.
More information about the vlc-devel