[vlc-devel] [PATCH 14/14] upnp_server: add the upnp server module

Rémi Denis-Courmont remi at remlab.net
Tue Mar 23 11:42:10 UTC 2021


On Monday, 22 March 2021, 20.09.47 EET Alaric Senat wrote:
> > Should the ML component possibly have security restrictions to prevent
> > other modules in VLC from querying it when really they shouldn't?

> There's no such protection for the moment. I actually thought the
> medialib instance was only queryable by an interface module like the main
> playlist but it's currently not the case.

Some security policy is not optional here. You can't make it even more 
insecure than the HTTP control interface or a Chromecast dongle.

In particular, you obviously can't just expose the content of the playlist to 
the network without strong authentication.

Privacy, data protection and all that.

> But in the case of the main playlist for example, this is only a matter
> of guiding the module implementers and telling them that they shouldn't
> access the main playlist if they are not working on an interface module.

> Truly denying modules access to certain parts of the core would require
> isolating modules in separate processes

Not at all. It's not about preventing the UPnP code within the same VLC 
instance from accessing the playlist. It's about restricting remote access to 
the playlist through the UPnP code. The UPnP code can very well restrict 
itself what of the playlist it exposes, without any process isolation.

> and that's not where we are now.

We need process isolation to isolate untrusted code, or to protect separate 
components from crashing one another. There is no untrusted code involved in 
this particular case though (or so I hope).

Isolation is necessary here *only* because of the high risk that the UPnP 
pipelines will crash or otherwise mess with the main VLC GUI and playlist 
pipeline. But that's a matter of robustness, not security or privacy.

-- 
雷米‧德尼-库尔蒙
http://www.remlab.net/




