[vlc-devel] Lua extension and vlc.misc
Jean-Baptiste Kempf
jb at videolan.org
Tue Feb 28 21:07:04 CET 2012
On Tue, Feb 28, 2012 at 10:00:23PM +0200, Kaarlo Räihä wrote :
> On 28 February 2012 at 21:41, Jean-Baptiste Kempf <jb at videolan.org> wrote:
>
> > On Tue, Feb 28, 2012 at 08:31:13PM +0200, Kaarlo Räihä wrote :
> > > Do these contain full paths? (e.g. /home/myname or c:\users\peter.jackson)
> > > Because some people might complain about privacy violations, like they did
> > > with automatic album art downloads.
> >
> > This statement about privacy of folders is even more ridiculous, that any
> > .dll plugin of VLC has access to all of those.
> > And plugins can be automatically loaded, with the right score. While, by
> > default extensions are not loaded.
> > And we do not sign .dlls.
> >
> > Compiling a VLC plugin.dll is quite simple and the audit of C code is
> > harder than a lua one.
> >
>
> http://addons.videolan.org/
> If there is an official site where people can download LUA script, then
> someone can abuse that. And yes, LUA has been abused before
> http://securityresponse.symantec.com/norton/antivirus-gaming/articles/details.jsp?aid=article_13
>
> Most people don't know what LUA can do (or what it can't do). In forums
> people have downloaded YouTube scripts made by someone, and I am sure most
> of them don't know even what those scripts do.
addons.videolan.org can also take .dlls.
Any website can host dlls that are VLC plugins and that can do way more
than exposing a username in a cache path.
And we are not going to check all extensions/plugins.
Adding a warning on the website, sure. Else, I do not see the reason.
--
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device