Security issue: browser plugins input
|Reported by:||courmisch||Owned by:|
|Component:||Web plugin: Mozilla||Version:|
|Platform(s):||all||Work status:||Not started|
As pointed out by Quovodis, browsers plugins must not be allowed to specify arbitrary input item options. In particular, controlling stream output is a big no no (writting to arbitrary files or to the network from web pages).
As far as I can tell, the simplest solution is to not allow items that start with a colon when initializing libvlc. However, it remains questionable whether even specifying arbitrary inputs should be allowed.