[vlc-devel] Lua extension and vlc.misc

Jean-Baptiste Kempf jb at videolan.org
Tue Feb 28 21:07:04 CET 2012


On Tue, Feb 28, 2012 at 10:00:23PM +0200, Kaarlo Räihä wrote :
> On 28 February 2012 at 21:41, Jean-Baptiste Kempf <jb at videolan.org> wrote:
> 
> > On Tue, Feb 28, 2012 at 08:31:13PM +0200, Kaarlo Räihä wrote :
> > > Do these contain full paths? (e.g. /home/myname or c:\users\peter.jackson)
> > > Because some people might complain about privacy violations, like they did
> > > with automatic album art downloads.
> >
> > This statement about privacy of folders is even more ridiculous, that any
> > .dll plugin of VLC has access to all of those.
> > And plugins can be automatically loaded, with the right score. While, by
> > default extensions are not loaded.
> > And we do not sign .dlls.
> >
> > Compiling a VLC plugin.dll is quite simple and the audit of C code is
> > harder than a lua one.
> >
> 
> http://addons.videolan.org/
> If there is an official site where people can download LUA scripts, then
> someone can abuse that. And yes, LUA has been abused before
> http://securityresponse.symantec.com/norton/antivirus-gaming/articles/details.jsp?aid=article_13
> 
> Most people don't know what LUA can do (or what it can't do). In forums
> people have downloaded YouTube scripts made by someone, and I am sure most
> of them don't even know what those scripts do.

addons.videolan.org can also take .dlls.

Any website can host dlls that are VLC plugins and that can do way more
than exposing a username in a cache path.

And we are not going to check all extensions/plugins.

Adding a warning on the website, sure. Else, I do not see the reason.

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device


