[vlc-devel] [PATCH] This patch adds an --http-add-head-string (additional header string) option to vlc

Rémi Denis-Courmont remi at remlab.net
Mon Aug 2 10:51:50 CEST 2010 

On Mon, 02 Aug 2010 09:38:38 +0200, Maximilian Podany <m.podany at art-est.at>
wrote:
> On Mon, 2010-08-02 at 09:15 +0200, Rémi Denis-Courmont wrote:
>> On Sun, 01 Aug 2010 20:57:04 +0200, Maximilian Podany
> <m.podany at art-est.at>
>> wrote:
>> > You could use it to add an arbitrary string to the
>> > HTTP-GET-request-header. For example a referer string like "Referer:
>> > http://www.example.com".
>> 
>> If you really want to fix that, you need to get the referer from the
>> browser (I don't know how that's done), and pass it. I am not convinced
>> that yet another obscure command line option solves the problem.
>> 
>> >  I noticed that if I use a vlc-firefox-plugin to play divx-streams it
>> > doesn't work on some servers.
>> >  After some research (wireshark and telnet ;-) I noticed that the
>> > divx-webplayer sends an referer string in the HTTP-GET-request-header
>> > and without the referer the server responds with "Moved Permanently".
>> >  So with this option you could use vlc to spoof a divx-webplayer (with
>> > user-agent changes).
>> >  But because you can define the whole header-line with this option,
> you
>> > could add every string you like.
>> 
>> Anything you like strikes me as a particularly bad idea. You can break
> the
>> HTTP protocol in so many ways. If you want to pass a referer, then pass
> a
>> referer, not an arbitrary string.
>> 
> 
> Ok. Then what do you think about an --http-referer option?

If it is _validated_ properly, then it might work from the security point
of view. However...

> Would it also be "another obscure command line option" ?

It comes down to, how do you expect the user to make use of this? This
might work for you and a few power users who care to ask on our IRC
channel. But it won't solve the problem for the outstanding majority. I am
not a GNOME integrist, but I think VLC has too many configurations switches
rather than to few.

> I also don't know how to get the referer from the browser,

Neither do I, I'm afraid. 

> but if vlc has an referer option it can't be very difficult.

If you find out how to extract the referer from the browser, it would be
easy, sure.

-- 
Rémi Denis-Courmont
http://www.remlab.net
http://fi.linkedin.com/in/remidenis

More information about the vlc-devel mailing list