[vlc-devel] [PATCH 2/2] cli: also mark --cli-host as deprecated

Pierre Ynard linkfanel at yahoo.fr
Sun Nov 22 13:43:25 CET 2020


> TCP mode as it stands cannot be kept because it's a trivial RCE (or
> local escalation on loopback) regardless of the RC implementation.
> There are only two options, replace it or remove it.

That's a false dichotomy. There are plenty of other options, some of
which I've already brought up: just deprecating it in the configuration
and documentation while recommending an alternative, printing big fat
warnings about unsecured use, actually securing it with access control,
leaving it to the administrators to use it only on trusted networks or
secure it using external tools such as firewalling, or even mitigation
such as restricting it to localhost.

But you know that since you say "TCP mode as it stands".

-- 
Pierre Ynard
"A soul in a body is like a drawing on a sheet of paper."

