[MPlayer-dev-eng] Playlist recognition
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Sun Jun 5 14:16:42 CEST 2011
On Sun, Jun 05, 2011 at 02:02:18PM +0200, Ingo Brückl wrote:
> Is there a special reason for commenting
>
> // { "pls", DEMUXER_TYPE_PLAYLIST },
> // { "m3u", DEMUXER_TYPE_PLAYLIST },
>
> in libmpdemux\extension.c?
Yes, playlists can be used for all kinds of mischief ("pinging" a
certain website for user tracking, trying to play certain /dev
things and combining with that to detect what kind of hardware
is installed in a PC, if there is a DVD in the driver, maybe even
other things - anything that can be triggered by reading/trying to play
an arbitrary file and being able to time that) and thus should not
be enable without user consent, at least when the playlist comes
from an untrusted source.
There is also the issue of some playlist parser not having
appropriate code quality, so putting restrictions on running them
reduces the risk of successful exploits.
No doubt it's not a particularly good solution but I don't feel
just enabling that feature isn't an improvement really.
More information about the MPlayer-dev-eng
mailing list