[vlc-devel] [PATCH] Revert "Input options inheritance for playlists"

Rémi Denis-Courmont remi at remlab.net
Sun Mar 31 09:56:51 CEST 2019


Blindly inheriting options from a playlist to the playlist items leads
to several variants of the same vulnerability, whereby an option
intended solely for the playlist is wrongly given to the items:

1) Unsafe options.
2) Options conveying private data such as credentials.

As an example, consider the case of a playlist served over HTTP and
protected by username/password. The HTTP credentials must not be passed
to playlist items, which may well be in a different HTTP domain.
(Instead, the VLC key store should be used and do the right thing.)

This reverts commit 4db1802cf69e67756798b50c54b4030d11de11ee.
---
 modules/demux/playlist/m3u.c | 2 --
 modules/demux/playlist/pls.c | 2 --
 2 files changed, 4 deletions(-)

diff --git a/modules/demux/playlist/m3u.c b/modules/demux/playlist/m3u.c
index f4da7d93bd..a0a407ad23 100644
--- a/modules/demux/playlist/m3u.c
+++ b/modules/demux/playlist/m3u.c
@@ -311,8 +311,6 @@ static int ReadDir( stream_t *p_demux, input_item_node_t *p_subitems )
             if( !p_input )
                 goto error;
             input_item_AddOptions( p_input, i_options, ppsz_options, 0 );
-            if ( p_current_input )
-                input_item_CopyOptions( p_input, p_current_input );
 
             if( !EMPTY_STR(psz_artist) )
                 input_item_SetArtist( p_input, psz_artist );
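Review bot: Missing documentation at the surviving `input_item_AddOptions( p_input, i_options, ppsz_options, 0 );` call: nothing there says that the parent playlist's options are deliberately not copied to the item. Because this reverts a feature, a short comment at that call naming the reasons given in the commit message (unsafe options, credentials reaching an item in a different HTTP domain) would help keep the `input_item_CopyOptions` call from being reintroduced later.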
diff --git a/modules/demux/playlist/pls.c b/modules/demux/playlist/pls.c
index 6d71461779..833dae4c70 100644
--- a/modules/demux/playlist/pls.c
+++ b/modules/demux/playlist/pls.c
@@ -144,7 +144,6 @@ static int ReadDir( stream_t *p_demux, input_item_node_t *p_subitems )
             if( psz_mrl )
             {
                 p_input = input_item_New( psz_mrl, psz_name );
-                input_item_CopyOptions( p_input, p_current_input );
                 input_item_node_AppendItem( p_subitems, p_input );
                 input_item_Release( p_input );
                 free( psz_mrl_orig );
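Review bot: Missing check in the context right after the removed line: `p_input` returned by `input_item_New( psz_mrl, psz_name )` goes straight to `input_item_node_AppendItem` and `input_item_Release` with no NULL test, whereas the m3u.c hunk has `if( !p_input ) goto error;`. This is not introduced by the revert, but a matching check here would be a reasonable follow-up.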
@@ -189,7 +188,6 @@ static int ReadDir( stream_t *p_demux, input_item_node_t *p_subitems )
     if( psz_mrl )
     {
         p_input = input_item_New( psz_mrl, psz_name );
-        input_item_CopyOptions( p_input, p_current_input );
         input_item_node_AppendItem( p_subitems, p_input );
         input_item_Release( p_input );
         free( psz_mrl_orig );
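Review bot: Possible leftover in pls.c: the diffstat shows only the two `input_item_CopyOptions` lines removed from this file, so whatever declares and assigns `p_current_input` stays in place. If these two calls were its only uses in `ReadDir`, drop the variable in the same patch to avoid an unused-variable warning; the same check applies to `p_current_input` in m3u.c.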
-- 
2.20.1


