[vlc-devel] Lua extension and vlc.misc

Rémi Denis-Courmont remi at remlab.net
Tue Feb 28 20:03:19 CET 2012

Le mardi 28 février 2012 20:31:13 Kaarlo Räihä, vous avez écrit :
> 28. helmikuuta 2012 20.13 Jean-Baptiste Kempf <jb at videolan.org> kirjoitti:
> > Hello,
> > 
> > Since 52d4b4bb1c, vlc.misc.* are not available outside of lua
> > interfaces, notably for extensions and sds.
> > It seems indeed that vlc.misc was over-exposing things, like should_die
> > or quit.
> > 
> > However, some things were useful, like version() or copyright() or
> > cachedir().
> > 
> > Therefore, I suggest to allow back some of those things for other lua
> > modules, and keep the other ones only for intf. I will do the work of
> > splitting, but I would need feedback.
> > 
> > Here is the list of things:
> > 
> > Those seems safe to explose:
> > "version"
> > "copyright"
> > "license"

version is safe if we assume that Lua extensions are trusted. version is a 
very nice way to detect security bugs though...

copyright and license are useless. They were clearly meant for Lua 
_interfaces_ to provide "About" functionality. An extension will have its own 
copyrights and will not need these.

> > "datadir"
> > "userdatadir"
> > "homedir"
> > "configdir"
> > "cachedir"
> > "datadir_list"
> Do these contain full paths? (e.g. /home/myname or c:\users\peter.jackson)

Yes, of course.

> Because some people might complain about privacy violations, like they did
> with automatic album art downloads.

Indeed. Since we do not expose general purpose functions to extensions, 
extensions cannot access the file system regularly. So there is not much 
practical use for VLC directories other than to invade the user privacy.

> Best solution for LUA would be permission based model, but I don't know if
> anyone wants code that.

Eh, I pointed out the security problems inherent to Lua extensions before they 
were merged. But I was completely ignored. And now any new restriction gets 
faulted for breaking backward compatibility...

Rémi Denis-Courmont

More information about the vlc-devel mailing list