[vlc-devel] [PATCH] Mark some options as safe

Frederik Kriewitz frederik at kriewitz.eu
Wed Mar 11 16:03:34 CET 2009


unsafe option "filter" has been ignored for security reasons


On Wed, Mar 11, 2009 at 1:53 PM, Rémi Denis-Courmont <remi at remlab.net> wrote:
> I am not confident that caching values are safe, if using inadequately
> large or small values. RTP misorder and dropout values are in a similar
> situation. I could be too pessimistic here.

I tried "vlc --rtp-caching=65535 --rtp-max-src=255
--rtp-max-dropout=32767 --rtp-max-misorder=32767" with a 6 Mbit stream;
memory usage was growing slowly (over the 65 seconds) to 100 MB. I
guess there are easier ways to reserve a lot of memory via
Java(Script), Flash or something else.
I can't see a problem with too small values. Any other issues I missed?

> http-reconnect is a horrible hack in the first place. I believe making this
> option safe would enable DDoS attacks through the VLC client.

Ok, I agree. I think I'll add an extra HTTP header to allow reconnecting.

> I suspect vout-filter can be used as a proxy for any random setting (e.g.
> "filter{opt1=val1,opt2=val2}"). If this is true, it's a non-starter.

I'm not familiar with the option parsing core.
I tried these:
vlc '--vout-filter=deinterlace' --deinterlace-mode=blend // deinterlace module loaded, mode set to blend (working as expected)
vlc '--vout-filter=deinterlace{mode=blend}' // deinterlace module loaded, mode=blend has no effect
vlc '--vout-filter=deinterlace{deinterlace-mode=blend}' // deinterlace module loaded, deinterlace-mode=blend has no effect
vlc '--vout-filter=deinterlace{fullscreen}' // deinterlace module loaded, fullscreen has no effect
vlc --vout-filter={fullscreen} // "no video filter module matched "any"", fullscreen has no effect

Seems to work for me.
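
Added example, not part of the original message and not VLC's own parser: a sketch of the check the "filter{opt1=val1,opt2=val2}" concern calls for, where every option embedded in a chain string is tested against a safe list before the string is accepted from untrusted input. The function names, the one-entry allowlist ("mode") and the simplified grammar (no quoting, no nested braces) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of embedded options accepted from untrusted input. */
static const char *const SAFE_OPTS[] = { "mode", NULL };

static int is_safe(const char *name, size_t len)
{
    for (size_t i = 0; SAFE_OPTS[i] != NULL; i++)
        if (strlen(SAFE_OPTS[i]) == len && strncmp(SAFE_OPTS[i], name, len) == 0)
            return 1;
    return 0;
}

/* Walk "module{opt1=val1,opt2,...}" and count embedded options that are not
 * on the allowlist. Returns 0 when all are safe (or there are none) and -1 on
 * malformed input: missing '}', empty option name, or bytes after '}'. */
int chain_unsafe_count(const char *chain)
{
    const char *p = strchr(chain, '{');
    if (p == NULL)
        return 0;                          /* bare module name */
    int unsafe = 0;
    p++;
    for (;;) {
        size_t item = strcspn(p, ",}");    /* one "opt[=val]" item */
        size_t name = strcspn(p, "=,}");   /* option name part of it */
        if (p[item] == '\0' || name == 0)
            return -1;                     /* fail closed on bad syntax */
        if (!is_safe(p, name))
            unsafe++;
        p += item;
        if (*p == '}')
            return p[1] == '\0' ? unsafe : -1;
        p++;                               /* skip ',' */
    }
}

int main(void)
{
    /* Constructed inputs modelled on the strings tried in the message. */
    const char *samples[] = { "deinterlace", "deinterlace{mode=blend}",
                              "deinterlace{fullscreen}", "{fullscreen}",
                              "filter{opt1=val1,opt2=val2}" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s unsafe=%d\n", samples[i], chain_unsafe_count(samples[i]));
    return 0;
}
```

A caller handling untrusted input would refuse the whole chain string whenever the result is non-zero, rather than applying the safe subset.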


