Ticket #1371 (closed defect: fixed)

Opened 6 months ago

Last modified 1 week ago

Security issue: browser plugins input

Reported by: courmisch
Assigned to:
Priority: highest
Milestone: 0.8.6-bugfix
Component: Mozilla plugin
Version:
Severity: critical
Keywords:
Cc:
Platform(s): all
Difficulty: unknown
Work status: Not started

Description

As pointed out by Quovodis, browser plugins must not be allowed to specify arbitrary input item options. In particular, controlling stream output is a big no-no (writing to arbitrary files or to the network from web pages).

As far as I can tell, the simplest solution is to not allow items that start with a colon when initializing libvlc. However, it remains questionable whether even specifying arbitrary inputs should be allowed.
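
Added example, not code from this ticket or from VLC: a deny-by-default filter for items a web page hands to the plugin, where anything starting with a colon is treated as an option and forwarded only if its name is on an allowlist. The function names and the allowlist contents are assumptions made for illustration, and non-option items (inputs) are passed through unchanged.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of option names a web page may set.
 * Constructed for illustration; it is not VLC's actual list. */
static const char *const safe_options[] = { "start-time", "stop-time", "audio" };

/* Return 1 if item (":name", ":name=value" or ":no-name") is allowlisted. */
static int option_is_safe(const char *item)
{
    const char *name = item + 1;                    /* skip the leading ':' */
    size_t len = strcspn(name, "=");                /* name ends at '=' or NUL */
    if (len > 3 && strncmp(name, "no-", 3) == 0) {  /* ":no-x" negates boolean x */
        name += 3; len -= 3;
    }
    for (size_t i = 0; i < sizeof safe_options / sizeof safe_options[0]; i++)
        if (strlen(safe_options[i]) == len && strncmp(safe_options[i], name, len) == 0)
            return 1;
    return 0;   /* unknown option: deny by default */
}

/* Copy into out only the items that may be forwarded to the player.
 * Returns the number kept; *rejected receives the number dropped. */
size_t filter_plugin_items(const char *const *in, size_t n,
                           const char **out, size_t *rejected)
{
    size_t kept = 0;
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        /* Decide on the item with leading blanks removed; NULL counts as empty. */
        const char *p = in[i] ? in[i] + strspn(in[i], " \t") : "";
        if (*p != '\0' && (*p != ':' || option_is_safe(p)))
            out[kept++] = p;
        else
            (*rejected)++;
    }
    return kept;
}

int main(void)
{
    /* Constructed sample input, as a page might pass it to the plugin. */
    const char *in[] = { "http://example.invalid/clip.ogg", ":start-time=30",
                         ":sout=#constructed-chain", ":no-audio" };
    const char *out[4];
    size_t rejected;
    size_t kept = filter_plugin_items(in, 4, out, &rejected);
    printf("kept=%zu rejected=%zu\n", kept, rejected);
    return 0;
}
```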

Change History

01/06/08 15:12:49 changed by fkuehne

  • milestone changed from 0.9.0 features freeze to 0.8.6-bugfix.

01/16/08 18:36:14 changed by funman

(In [24342]) input options whitelisting, step 2 (refs #1371)

05/08/08 22:41:28 changed by courmisch

  • status changed from new to closed.
  • resolution set to fixed.