[vlc-devel] commit: Default enable http forward cookies (Antoine Cellerier )
rem at videolan.org
Sat Sep 13 10:38:04 CEST 2008
On Friday 12 September 2008 19:30:49, Antoine Cellerier wrote:
> On Fri, Sep 12, 2008, Rémi Denis-Courmont wrote:
> > Never mind that it is a known and well-documented security hole.
> How is it a security hole? I mean, we only forward cookies through a
> redirection and never store them anywhere on the computer (nor have ways
> to write stuff such as passwords or credit card numbers to them).
While supporting neither persistent cookies nor scripting makes the cookie
problems much simpler, it does not fix them automatically. This has already
been discussed in the Trac feature ticket, on the ML when the feature was
added, and in some terse FIXME comment in the code.
The exposure is (very) low, and so is the temptation to exploit. Nevertheless,
the 0.8.6h->0.8.6i fiasco shows that we simply cannot afford to have known
unpatched security issues, due to vulnerability scanners (and to not piss off
Linux distros as well).