From: Frantisek D. <va...@us...> - 2003-10-24 10:43:14
|
Hi Michael, On =C4=8Ct, 2003-10-23 at 16:32, Michael Roitzsch wrote: > taking this over to xine-devel >=20 > short summary for those who are new to this thread: > The #save: feature introduced with the latest release poses a security > threat when files can be saved to arbitrary positions just by the MRL. > This is fixed in current cvs by a config entry which tells xine-lib a > directory for all saved files. Now we need to ensure that this config > entry cannot be changed by a remote attacker. > Problem: xine-ui has a feature to change config entries with a > cfg:/ pseudo-MRL. >=20 > Hi Daniel, >=20 > > > Agreed, but I think this should better be done inside xine-lib with > > > a MRL. Maybe we should write a none input plugin, so that something > > > like "none:#<config_entry>:<value>" would work. This would allow > > > xine-lib to enforce all security policies on config entries. > > > > In fact, originally (read: many many months ago), the xine-lib > > supported such thing. But it was decided to remove such "hacky" > > thing. Then, few months later, i decided to introduce such feature in > > xine-ui, since it was better than push such things in the lib. >=20 > I remember that, but I think a none-input plugin would be the correct=20 > way to do this. Plus: This will work with all frontends. > Any comments from others? >=20 I think we don't need new virtual input plugin for it, it's only MRL parsing. And for users can be better retain 'cfg:/', what says better, what it does. What just move 'cfg:/' from xine-ui to xine-lib? I don't know the old thread about it. > Michael >=20 > --=20 > "This vulnerability is completely theoretical!" > -Microsoft >=20 Microsoft would help us. :-) Cheers, Frantisek |