[Playlist] First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc
lucas at gonze.com
Wed Oct 15 17:41:17 UTC 2008
Though it's worth pointing out that there is an error in the
understanding of XSPF: "The identifier attribute is a numeric value that
indicates the position of the track in the tracklist." They're
thinking of the trackNum element, which indicates the position of a
recording from an album in the original album sequence.
So I wonder if there are two more bugs in VLC -- using identifier as
trackNum, and having the same vulnerability in the trackNum code.
Sebastian Pipping wrote:
> What I find especially interesting here is that
> <identifier> is specified to hold a URI. A number
> is just a very special case of a relative URI...
> Also I really hope this
> is not what VLC was/is producing.
> Robert, thanks for letting us know.
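An added example, not part of the original thread and not VLC's code: a Python reader that handles the two fields as the messages above describe them, keeping <identifier> as an opaque URI string and parsing <trackNum> as a bounded integer, with playlist position taken only from document order. The sample playlist, the function names and the MAX_TRACKNUM cap are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSPF_NS = {"x": "http://xspf.org/ns/0/"}
MAX_TRACKNUM = 9999  # assumed sanity cap for this example, not an XSPF rule

# Constructed sample: one ordinary track and two with hostile-looking values.
SAMPLE = """<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><identifier>urn:example:track-a</identifier><trackNum>3</trackNum></track>
    <track><identifier>7</identifier><trackNum>99999999999</trackNum></track>
    <track><identifier>-1</identifier><trackNum>-5</trackNum></track>
  </trackList>
</playlist>"""


def parse_identifier(text):
    """Return the identifier as an opaque URI string, never as a number."""
    text = (text or "").strip()
    if not text:
        return None
    try:
        urlsplit(text)  # "7" parses too: a number is just a relative URI
    except ValueError:
        return None
    return text


def parse_track_num(text):
    """Return trackNum as an int, or None if it is not a sane decimal value."""
    text = (text or "").strip()
    if not (text.isascii() and text.isdigit()) or len(text) > 6:
        return None  # rejects signs, empty strings and oversized numbers
    value = int(text)
    return value if value <= MAX_TRACKNUM else None


def load_tracks(xml_text):
    """Parse tracks; neither field is ever used to index the track list."""
    root = ET.fromstring(xml_text)
    tracks = []
    for position, track in enumerate(root.findall("x:trackList/x:track", XSPF_NS)):
        tracks.append({
            "position": position,  # playlist order comes from document order
            "identifier": parse_identifier(
                track.findtext("x:identifier", namespaces=XSPF_NS)),
            "track_num": parse_track_num(
                track.findtext("x:trackNum", namespaces=XSPF_NS)),
        })
    return tracks
```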