[vlc-devel] vlc: svn commit r24345 (damienf)
Rémi Denis-Courmont
rdenis at simphalempin.com
Wed Jan 16 20:47:35 CET 2008
Le Wednesday 16 January 2008 21:30:14 Subversion daemon, vous avez écrit :
> - most vlc options are considered safe, only a handful are particularily
> unsafe and need be declared as such in their definition (they mostly deal
> with writing to an output file or URL)
A huge range of options are either arguably bad, or just non-sense (because
any sane value can't be known by a web server). All of the people who gave
their opinion, besides yourself, wanted to go for whitelisting, not
blacklisting.
With blacklisting, we are 99,9% sure that someone will find yet another
harmful combination after then next release, especially as we start adding
new options and forget thinking about their security implications.
I'd rather ban harmless option (that probably nobody uses) until the next
release than allow harmful ones.
--
Rémi Denis-Courmont
http://www.remlab.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20080116/6773fde2/attachment.sig>
More information about the vlc-devel
mailing list