Opened 8 years ago

Closed 7 years ago

#1371 closed defect (fixed)

Security issue: browser plugins input

Reported by: courmisch
Owned by:
Priority: highest
Milestone: 0.8.6 maintenance
Component: Web plugin: Mozilla
Version:
Severity: critical
Keywords:
Cc:
Difficulty: unknown
Platform(s): all
Work status: Not started

Description

As pointed out by Quovodis, browser plugins must not be allowed to specify arbitrary input item options. In particular, controlling stream output is a big no-no (writing to arbitrary files or to the network from web pages).

As far as I can tell, the simplest solution is to not allow items that start with a colon when initializing libvlc. However, it remains questionable whether even specifying arbitrary inputs should be allowed.
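
A sketch of the two filtering policies this ticket discusses, added here as an example and not taken from VLC's code: strict mode drops every item that starts with a colon, while allowlist mode keeps a colon option only when its name is explicitly permitted. The function names, the allowlist entries and the sample items are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative allowlist: an assumption for this example, not VLC's real list. */
static const char *const allowed_opts[] = { "loop", "repeat", "volume" };

/* item starts with ':'; match the name before any '=' against the allowlist. */
static int option_allowed(const char *item) {
    const char *name = item + 1;
    size_t len = strcspn(name, "=");
    for (size_t i = 0; i < sizeof allowed_opts / sizeof *allowed_opts; i++)
        if (strlen(allowed_opts[i]) == len && !memcmp(allowed_opts[i], name, len))
            return 1;
    return 0;
}

/* Copy acceptable items from in[] to out[]; return how many were kept.
 * strict != 0: drop every item starting with ':' (the ticket's simplest fix).
 * strict == 0: keep a ':' option only if its name is on the allowlist. */
size_t filter_items(const char *const *in, size_t n, const char **out, int strict) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == NULL)
            continue;
        /* Test the first non-blank byte so " :opt" is also treated as an option. */
        const char *p = in[i] + strspn(in[i], " \t");
        if (*p == ':' && (strict || !option_allowed(p)))
            continue; /* page-supplied option rejected */
        out[kept++] = in[i];
    }
    return kept;
}

/* Constructed sample of items a web page might hand to the plugin. */
static const char *const sample[] = {
    "http://media.example/clip.ogg", ":sout=CONSTRUCTED-VALUE",
    " :sout=CONSTRUCTED-VALUE", ":volume=50", ":loop",
};
const char *kept_items[5]; /* filled by sample_kept() */

size_t sample_kept(int strict) {
    return filter_items(sample, sizeof sample / sizeof *sample, kept_items, strict);
}

int main(void) {
    printf("strict kept %zu, allowlist kept %zu\n", sample_kept(1), sample_kept(0));
    return 0;
}
```

The allowlist compares the whole option name, so a name that merely begins with a permitted one is still rejected.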

Change History (3)

comment:1 Changed 7 years ago by fkuehne

  • Milestone changed from 0.9.0 features freeze to 0.8.6-bugfix

comment:2 Changed 7 years ago by funman

(In [24342]) input options whitelisting, step 2 (refs #1371)

comment:3 Changed 7 years ago by courmisch

  • Resolution set to fixed
  • Status changed from new to closed