[vlc-devel] [PATCH 14/14] upnp_server: add the upnp server module
remi at remlab.net
Tue Mar 23 11:42:10 UTC 2021
On Monday, 22 March 2021, 20:09:47 EET, Alaric Senat wrote:
> > Should the ML component possibly have security restrictions to prevent
> > other modules in VLC from querying it when really they shouldn't?
> There's no such protection for the moment. I actually thought the
> medialib instance was only queryable by an interface module like the main
> playlist but it's currently not the case.
Some security policy is not optional here. You can't make it even more
insecure than the HTTP control interface or a Chromecast dongle.
In particular, you obviously can't just expose the content of the playlist to
the network without strong authentication.
Privacy, data protection and all that.
> But in the case of the main playlist for example, this is only a matter
> of guiding the
> module implementers and telling them that they shouldn't access the main
> if they are not working on an interface module.
> Truly denying modules access to certain parts of the core would require
> isolating modules in separate processes
Not at all. It's not about preventing the UPnP code within the same VLC
instance from accessing the playlist. It's about restricting remote access to
the playlist through the UPnP code. The UPnP code can very well restrict
itself what of the playlist it exposes, without any process isolation.
> and that's not where we are now.
We need process isolation to isolate untrusted code, or to protect separate
components from crashing one another. There is no untrusted code involved in
this particular case though (or so I hope).
Isolation is necessary here *only* because of the high risk that the UPnP
pipelines will crash or otherwise mess with the main VLC GUI and playlist
pipeline. But that's a matter of robustness, not security or privacy.