[vlc] Suggestion for security feature

Markus markus at eserver.homelinux.org
Tue Jan 24 21:10:12 CET 2012


Hello VLC developers!

I have a suggestion for a security feature:

When you open a .mpg file with vlc, it doesn't mean that there is
actually mpeg inside it. File extensions are useless. But users normally
open mpg files directly with vlc without checking the real content. It
doesn't matter if the file contains mpg, mp4, flv, or whatever.

But what if the real content is a playlist file? (pls-file)

An attacker is able to create a pls file which links to a
"streaming"-server which collects IP addresses. The attacker can now
rename his pls file to wikileaks.mpg, extend the file to a normal file
size and drop the file somewhere... -> massive privacy problem!

In my opinion, vlc should really ask the user for permission to connect
to the internet:
Maybe in first-start dialog: "allow every time", "ask every time"

Thank you for your great player!
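
Added example, not part of the original post and not VLC code: a defender-side check that flags a file with a media extension whose content is really a PLS playlist pointing at network locations, even when it has been padded to a normal size. The extension list, the 64 KiB read limit, the function name and the sample bytes are assumptions made for illustration.

```python
import re
from pathlib import PurePath

# Extensions a user would expect to hold local audio/video (assumed list).
MEDIA_EXTS = {".mpg", ".mpeg", ".mp4", ".flv", ".avi", ".mkv", ".mp3"}
# PLS entries look like "File1=<location>"; NUL padding must not join the value.
PLS_ENTRY = re.compile(r"^File\d+\s*=\s*([^\s\x00]+)", re.IGNORECASE)
# Any scheme://... location except file:// counts as a network fetch.
REMOTE = re.compile(r"^(?!file:)[a-z][a-z0-9+.-]*://", re.IGNORECASE)
HEAD_BYTES = 64 * 1024  # only the head is parsed; trailing padding is ignored


def remote_entries_in_disguised_pls(filename: str, data: bytes) -> list[str]:
    """Return network URLs if a media-named file is actually a PLS playlist."""
    if PurePath(filename).suffix.lower() not in MEDIA_EXTS:
        return []  # a file named .pls is expected to contain locations
    if data.startswith(b"\xef\xbb\xbf"):  # skip a UTF-8 byte order mark
        data = data[3:]
    text = data[:HEAD_BYTES].decode("latin-1")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumption: a PLS playlist is recognised by a leading "[playlist]" line.
    if not lines or lines[0].lower() != "[playlist]":
        return []
    urls = []
    for ln in lines[1:]:
        m = PLS_ENTRY.match(ln)
        if m and REMOTE.match(m.group(1)):
            urls.append(m.group(1))
    return urls


# Constructed sample: a small playlist padded with NUL bytes to about 1 MB.
SAMPLE = (
    b"[playlist]\n"
    b"File1=http://stream.example.invalid:8000/live\n"
    b"NumberOfEntries=1\nVersion=2\n" + b"\x00" * 1_000_000
)

if __name__ == "__main__":
    hits = remote_entries_in_disguised_pls("holiday.mpg", SAMPLE)
    if hits:
        print("media extension, playlist content, would contact:", hits)
```
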



