[Playlist] First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc
lucas at gonze.com
Wed Oct 15 19:01:31 UTC 2008
So the href correlates with track identifier? That's fascinating.
As a point of security, then, this is an issue with a proprietary
extension rather than with XSPF as a whole, and doesn't affect anyone
who doesn't use that extension.
Sebastian Pipping wrote:
> Lucas Gonze wrote:
>> Though it's worth pointing out that there is an error in the
>> understanding of XSPF: "The identifier attribute is a numeric value that
>> indicates the position of the track in the tracklist. " They're
>> thinking of the trackNum element, which indicates the position of a
>> recording from an album in the original album sequence.
> I don't think they mixed it up with <trackNum> as they are referencing
> the identifiers in a playlist extension:
> <playlist ...>
> <extension application="http://www.videolan.org/vlc/playlist/0">
> <item href="0" />
> <item href="1" />
> If I remember correctly this extension is VLC's way to put
> several ("virtual") playlists into a single XSPF document.
> Playlist mailing list
> Playlist at lists.musicbrainz.org
More information about the Playlist