[vlc] unsafe option "sout" has been ignored for security reaso ns

Remi Denis-Courmont rdenis at simphalempin.com
Sun Apr 6 13:06:18 CEST 2008 

--sout is one of the most obviously dangerous options. No way it's going to be considered safe. Not only is it too open-ended option, but it does allow file overwrite.

Remi Denis

-- message original --
Sujet:	Re: [vlc] unsafe option "sout" has been ignored for security reasons
De:	Rafaël Carré <funman at videolan.org>
Date:		06.04.2008 10:48

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Le Sun, 30 Mar 2008 23:01:02 +0200,
Richard Musil <richard.musil at bigfoot.com> a écrit :

> I am having some issues on latest 0.9 version (built on gentoo with
> ~x86). I have been using vlc on my router (running gentoo) to pass
> streaming from external network to my home lan using M3U list and
> HTTP interface to control which channel is going to be streamed.
> 
> I had used M3U file like this (which I guess I created on windows):
> 
> > #EXTM3U
> > #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
> > udp://@239.2.3.100:2314
> > #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
> > udp://@239.2.3.101:2314
> > #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
> > udp://@239.2.3.111:2314
> > #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
> > udp://@239.2.3.102:2314
> > #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
> > udp://@239.2.3.121:2314
> > #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
> > udp://@239.2.3.103:2314
> 
> and then run vlc with:
> vlc -vv --extraintf http channels.m3u
> 
> Now, I got "unsafe option "sout" has been ignored for security
> reasons", in log and although it seems I can switch channels in HTTP
> interface, nothing is apparently streamed.
> 
> I wonder, how I am supposed to configure vlc to get the former 
> functionality and which security measures are actually violated in my 
> scenario.

It's in no way configurable, besides modifying the source yourself to
disable options checking.
We disable options based on whitelisting, because they may be used by
potentially offensive m3u / websites to overwrite files on your system.
Since it's based on a whitelisting, and nobody in our team started
whitelisting, all options are deemed "insecure".

If you can send a patch which enables some options (the one you use for
example) it would be welcome.

- -- 
Rafaël Carré
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.8 (FreeBSD)

iEYEARECAAYFAkf4qoAACgkQYWCeGMCv8Q/WVQCfXKXywSy8qZ8qIWr0sFsurmSm
VqYAoILnVFjLBpd2Nv4uu1CwVQBb3Zjd
=6d4h
-----END PGP SIGNATURE-----
______________________________________________________
vlc mailing list
To unsubscribe or modify your subscription options:
http://mailman.videolan.org/listinfo/vlc

More information about the vlc mailing list