[vlc-devel] vlc: svn commit r24345 (damienf)

Rémi Denis-Courmont rdenis at simphalempin.com
Wed Jan 16 20:47:35 CET 2008


On Wednesday 16 January 2008 21:30:14, Subversion daemon wrote:
> - most vlc options are considered safe, only a handful are particularly
> unsafe and need be declared as such in their definition (they mostly deal
> with writing to an output file or URL)

A huge range of options are either arguably bad, or just nonsense (because 
any sane value can't be known by a web server). All of the people who gave 
their opinion, besides yourself, wanted to go for whitelisting, not 
blacklisting.

With blacklisting, we are 99,9% sure that someone will find yet another 
harmful combination after the next release, especially as we start adding 
new options and forget to think about their security implications.

I'd rather ban harmless options (that probably nobody uses) until the next 
release than allow harmful ones.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
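
The difference between the two policies discussed in this message, as an added example that is not part of the original e-mail or of VLC's code: an option that was added later and never annotated is accepted under blacklisting and refused under whitelisting. The option names, the `review` field and both functions are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed table: option names are hypothetical, not VLC's real ones. */
enum review { UNREVIEWED = 0, MARKED_SAFE, MARKED_UNSAFE };
struct option { const char *name; enum review review; };

static const struct option options[] = {
    { "example-volume",      MARKED_SAFE   },
    { "example-output-file", MARKED_UNSAFE },   /* writes to a file or URL */
    { "example-new-feature", UNREVIEWED    },   /* added later, never annotated */
};

/* Look up the option named in an untrusted "name=value" string. */
static const struct option *lookup(const char *arg)
{
    size_t len = strcspn(arg, "=");
    for (size_t i = 0; i < sizeof(options) / sizeof(options[0]); i++)
        if (strlen(options[i].name) == len &&
            memcmp(options[i].name, arg, len) == 0)
            return &options[i];
    return NULL;                                 /* unknown option */
}

/* Blacklisting: accept anything that was not explicitly marked unsafe. */
bool blacklist_allows(const char *arg)
{
    const struct option *o = lookup(arg);
    return o != NULL && o->review != MARKED_UNSAFE;
}

/* Whitelisting: accept only what was explicitly marked safe. */
bool whitelist_allows(const char *arg)
{
    const struct option *o = lookup(arg);
    return o != NULL && o->review == MARKED_SAFE;
}

int main(void)
{
    /* Constructed input, as an untrusted source might supply it. */
    const char *args[] = { "example-volume=50", "example-output-file=/tmp/x",
                           "example-new-feature=1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s blacklist=%d whitelist=%d\n", args[i],
               blacklist_allows(args[i]), whitelist_allows(args[i]));
    return 0;
}
```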