[vlc-devel] commit: Default enable http forward cookies (Antoine Cellerier )

Rémi Denis-Courmont rem at videolan.org
Sat Sep 13 10:38:04 CEST 2008


On Friday 12 September 2008 19:30:49, Antoine Cellerier, you wrote:
> On Fri, Sep 12, 2008, Rémi Denis-Courmont wrote:
> > Nevermind that it is a known and well-documented security hole.
>
> How is it a security hole? I mean, we only forward cookies through a
> redirection and never store them anywhere on the computer (nor have ways
> to write stuff such as passwords or credit card numbers to them).

While supporting neither persistent cookies nor scripting makes the cookie
problems much simpler, it does not fix them automatically. This has already
been discussed in the Trac feature ticket, on the ML when the feature was
added, and in some terse FIXME comment in the code.

The exposure is (very) low, and so is the temptation to exploit. Nevertheless,
the 0.8.6h->0.8.6i fiasco shows that we simply cannot afford to have known
unpatched security issues, due to vulnerability scanners (and to not piss off
Linux distros as well).

-- 
Rémi Denis-Courmont
http://git.remlab.net/cgi-bin/gitweb.cgi?p=vlc-courmisch.git;a=summary
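The thread argues over whether forwarding cookies through an HTTP redirect is a problem even without persistence or scripting. The classic documented issue is scope: a cookie set by one host must not be sent to a different host (or over plain HTTP when it was marked Secure) just because a Location header pointed there. The following is an added illustration, not VLC code and not the patch under discussion; it assumes a throwaway in-memory jar that lives for one request chain only, applies the RFC 6265 domain-match, path-match and Secure rules, and compares that against an unscoped "forward everything" policy on a constructed redirect chain. Public-suffix and IP-literal handling are deliberately omitted.

```python
"""Cookie forwarding across redirects: unscoped vs. scope-checked.

Added example (hypothetical helper code, not VLC's http access module).
The jar below is in-memory only, for one request chain, matching the
"no persistent cookies, no scripting" constraint from the thread.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # lowercase, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: directory of the request path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0] or "/"


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 (simplified: no IP-literal or public-suffix checks)."""
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Parse one Set-Cookie header relative to the URL whose response set it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    u = urlsplit(request_url)
    host = u.hostname.lower()
    domain, host_only, path, secure = host, True, default_path(u.path or "/"), False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            cand = val.lower().lstrip(".")
            # Only accept a Domain that the setting host actually belongs to.
            if domain_match(host, cand):
                domain, host_only = cand, False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
    return Cookie(name, value, domain, host_only, path, secure)


def cookies_for(jar, url: str, forward_all: bool = False) -> str:
    """Build the Cookie header for `url`.

    forward_all=True is the unscoped policy: every cookie collected so far
    goes to whatever host the redirect lands on. forward_all=False applies
    the host/domain, path and Secure checks before attaching each cookie.
    """
    u = urlsplit(url)
    host = u.hostname.lower()
    out = []
    for c in jar:
        if not forward_all:
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_match(host, c.domain):
                continue
            if not path_match(u.path or "/", c.path):
                continue
            if c.secure and u.scheme != "https":
                continue
        out.append(f"{c.name}={c.value}")
    return "; ".join(out)


# Constructed sample: the first hop sets a Secure session cookie and then
# redirects to an unrelated host (a CDN, a mirror, whatever Location says).
SAMPLE_REQUEST = "https://media.example.org/stream/live.m3u8"
SAMPLE_SET_COOKIE = "session=abc123; Path=/; Secure"
SAMPLE_LOCATION = "http://cdn.example-other.net/live.m3u8"


def simulate(request_url=SAMPLE_REQUEST, set_cookie=SAMPLE_SET_COOKIE,
             location=SAMPLE_LOCATION) -> dict:
    """Return the Cookie header each policy would send to the redirect target."""
    jar = [parse_set_cookie(set_cookie, request_url)]
    return {
        "unscoped": cookies_for(jar, location, forward_all=True),
        "scoped": cookies_for(jar, location),
    }


if __name__ == "__main__":
    for policy, header in simulate().items():
        print(f"{policy:9s} Cookie: {header!r}")
```

The unscoped policy hands the session cookie to `cdn.example-other.net` over plain HTTP; the scoped one sends nothing there, while still attaching the cookie to a same-host HTTPS redirect target. That distinction is the part a redirect-following client has to get right even when it never writes cookies to disk.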