[vlc-devel] libvlc_media_option_trusted and security

Shane Phelan streamey at gmail.com
Tue Sep 18 21:19:46 CEST 2012

On Tue, Sep 18, 2012 at 12:12 PM, Rémi Denis-Courmont <remi at remlab.net>wrote:

> Le mardi 18 septembre 2012 19:02:40, Shane Phelan a écrit :
> > Are there changes that could be made that would satisfy the security
> > concerns?
> Everything is possible if someone cares to write the code.
> > I'm want to explore creating UI so that the user has to select the file
> > path themselves where the plugin could write the file.  It would also
> > disallowed the file record via playlist options and if it's possible set
> > the libvlc_media_option_trusted only at runtime when a record button was
> > pressed so that someone couldn't run rogue javascript without the user
> > knowing?
> Telling the user that his/her computer might be hacked is not acceptable.
> The computer shall not be hacked and that is all.

Every time you use a web browser out on the internet your computer "might"
be hacked, so I think that is a bit unfair.  I don't disagree with what I
assume your intent is that VLC can't be released with known security
vulnerabilities.  I'm simply trying to understand the scope of the issue.
J-B's response was that the problem is that windows dlls can be
overwritten.  If the user has to select the path through the plugin itself
and not javascript then it should be possible to make that a non-issue.
 What other issues have to be solved then?

> --
> Rémi Denis-Courmont
> http://www.remlab.net/
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> http://mailman.videolan.org/listinfo/vlc-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20120918/5c77bed1/attachment.html>

More information about the vlc-devel mailing list