[vlc] unsafe option "sout" has been ignored for security reasons

Remi Denis-Courmont rdenis at simphalempin.com
Fri Apr 11 12:56:37 CEST 2008


In my home country, there is a saying that only stupid people never change their mind. Extended M3U options were a bad idea, from a security perspective AND from a design perspective (a playlist is a playlist is a playlist, not a stream output list).


I am very much against "shoot oneself in the foot" options, especially m3u-extvlcopt. Most people (probably including those who want the option back) do not understand the security implications.

Use vlm-conf or set options from the command line.

regards,

Remi Denis

-- original message --
Subject:	Re: [vlc] unsafe option "sout" has been ignored for security reasons
From:	Richard Musil <richard.musil at bigfoot.com>
Date:		08.04.2008 21:59

On 6.4.2008 12:48, Rafaël Carré wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sun, 30 Mar 2008 23:01:02 +0200,
> Richard Musil <richard.musil at bigfoot.com> wrote:
> 
>> I am having some issues on latest 0.9 version (built on gentoo with
>> ~x86). I have been using vlc on my router (running gentoo) to pass
>> streaming from external network to my home lan using M3U list and
>> HTTP interface to control which channel is going to be streamed.
>>
>> I had used M3U file like this (which I guess I created on windows):
>>
>>> #EXTM3U
>>> #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
>>> udp://@239.2.3.100:2314
>>> #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
>>> udp://@239.2.3.101:2314
>>> #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
>>> udp://@239.2.3.111:2314
>>> #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
>>> udp://@239.2.3.102:2314
>>> #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
>>> udp://@239.2.3.121:2314
>>> #EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}
>>> udp://@239.2.3.103:2314
>> and then run vlc with:
>> vlc -vv --extraintf http channels.m3u
>>
>> Now, I got "unsafe option "sout" has been ignored for security
>> reasons", in log and although it seems I can switch channels in HTTP
>> interface, nothing is apparently streamed.
>>
>> I wonder, how I am supposed to configure vlc to get the former 
>> functionality and which security measures are actually violated in my 
>> scenario.
> 
> It's in no way configurable, besides modifying the source yourself to
> disable options checking.
> We disable options based on whitelisting, because they may be used by
> potentially offensive m3u / websites to overwrite files on your system.
> Since it's based on a whitelisting, and nobody in our team started
> whitelisting, all options are deemed "insecure".
> 
> If you can send a patch which enables some options (the one you use for
> example) it would be welcome.

I am not sure I want to send a patch. I was just pointing out that you 
have probably removed functionality which was perfectly justified and 
now I cannot find another way to get it.

Meanwhile I have reverted back to vlc 0.8.6e (because I simply could not 
use 0.9), which also complained about security and suggested using 
option "--m3u-extvlcopt", and which, with this option used, worked the 
expected way. I would say, if you put back this option in 0.9, it would 
be all I need.

Richard
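
The allowlist behaviour discussed in this thread, as an added example that is not VLC's code and not part of the original messages: a small scanner that walks an M3U buffer and accepts a per-item `#EXTVLCOPT` option only when its name is on an allowlist, ignoring everything else by default. The allowlist contents, the sample playlist and the names `opt_is_safe` and `scan_playlist` are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumed allowlist for this example only; it is not VLC's actual list. */
static const char *const SAFE_OPTS[] = { "start-time", "stop-time" };

/* Constructed playlist: the thread's sout line plus two made-up options. */
static const char SAMPLE[] =
    "#EXTM3U\r\n"
    "#EXTVLCOPT:sout=#std{access=udp,dst=225.1.1.1:1234}\r\n"
    "udp://@239.2.3.100:2314\r\n"
    "#EXTVLCOPT:start-time=30\r\n"
    "#EXTVLCOPT:start-time2=5\r\n"   /* shares a prefix with a safe name */
    "udp://@239.2.3.101:2314\r\n";
struct result { int applied, ignored, items; };

/* Exact match on the name before '='; anything unknown counts as unsafe. */
static int opt_is_safe(const char *opt, size_t n) {
    for (size_t i = 0; i < sizeof SAFE_OPTS / sizeof *SAFE_OPTS; i++)
        if (strlen(SAFE_OPTS[i]) == n && memcmp(opt, SAFE_OPTS[i], n) == 0)
            return 1;
    return 0;
}

/* Walk the playlist line by line, counting applied and ignored options. */
struct result scan_playlist(const char *m3u) {
    static const char tag[] = "#EXTVLCOPT:";
    struct result r = { 0, 0, 0 };
    for (const char *line = m3u; *line; ) {
        size_t len = strcspn(line, "\n");
        if (strncmp(line, tag, sizeof tag - 1) == 0) {
            const char *opt = line + sizeof tag - 1;
            size_t n = strcspn(opt, "=\r\n");   /* option name length */
            if (opt_is_safe(opt, n)) {
                r.applied++;
            } else {
                r.ignored++;
                fprintf(stderr, "unsafe option \"%.*s\" has been ignored\n", (int)n, opt);
            }
        } else if (len > 0 && line[0] != '#' && line[0] != '\r') {
            r.items++;                          /* a playlist entry */
        }
        line += len + (line[len] == '\n');      /* step past the newline */
    }
    return r;
}

int main(void) {
    struct result r = scan_playlist(SAMPLE);
    return printf("items=%d applied=%d ignored=%d\n", r.items, r.applied, r.ignored) < 0;
}
```

Because the match is on the whole option name, `start-time2` is ignored even though it begins with an allowed name, and with an empty allowlist every option is ignored, which is the situation described in the thread.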

