[Playlist] First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc
Lucas Gonze
lucas at gonze.com
Wed Oct 15 19:01:31 UTC 2008

So the href correlates with track identifier? That's fascinating.
As a point of security, then, this is an issue with a proprietary
extension rather than with XSPF as a whole, and doesn't affect anyone
who doesn't use that extension.

Sebastian Pipping wrote:
> Lucas Gonze wrote:
>> Though it's worth pointing out that there is an error in the
>> understanding of XSPF: "The identifier attribute is a numeric value that
>> indicates the position of the track in the tracklist. " They're
>> thinking of the trackNum element, which indicates the position of a
>> recording from an album in the original album sequence.
>
> I don't think they mixed it up with <trackNum> as they are referencing
> the identifiers in a playlist extension:
>
> <playlist ...>
>   ...
>   <trackList>
>     <track>
>       <identifier>0</identifier>
>       ...
>     </track>
>     <track>
>       <identifier>1</identifier>
>       ...
>     </track>
>     ...
>   </trackList>
>   <extension application="http://www.videolan.org/vlc/playlist/0">
>     <item href="0" />
>     <item href="1" />
>     ...
>   </extension>
> </playlist>
>
> If I remember correctly this extension is VLC's way to put
> several ("virtual") playlists into a single XSPF document.
>
>
>
> Sebastian
>
> _______________________________________________
> Playlist mailing list
> Playlist at lists.musicbrainz.org
> http://lists.musicbrainz.org/mailman/listinfo/playlist
>
>
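
The relationship discussed in this thread, as an added example that is not part of the original messages or of VLC's code: a consumer of this extension can check that every `item` `href` is a plain decimal number naming a track `identifier` actually declared in the `trackList` before using it. The sample playlist is constructed, the function names are hypothetical, and matching elements by local name is an assumption made because the quoted snippet shows no namespace prefixes.

```python
import xml.etree.ElementTree as ET

# Application URI of the extension, as quoted in the thread.
VLC_APP = "http://www.videolan.org/vlc/playlist/0"

# Constructed sample: two declared tracks, plus two references that
# do not resolve ("7" is undeclared, "-1" is not a plain number).
SAMPLE = """<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><identifier>0</identifier></track>
    <track><identifier>1</identifier></track>
  </trackList>
  <extension application="http://www.videolan.org/vlc/playlist/0">
    <item href="0" />
    <item href="1" />
    <item href="7" />
    <item href="-1" />
  </extension>
</playlist>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_item_refs(xml_text):
    """Return (valid_hrefs, rejected_hrefs) for the extension's items."""
    root = ET.fromstring(xml_text)
    # Collect identifiers declared directly under <track> elements only.
    declared = set()
    for track in root.iter():
        if local(track.tag) != "track":
            continue
        for child in track:
            if local(child.tag) == "identifier" and child.text:
                declared.add(child.text.strip())
    valid, rejected = [], []
    for ext in root.iter():
        if local(ext.tag) != "extension" or ext.get("application") != VLC_APP:
            continue
        for item in ext.iter():
            if local(item.tag) != "item":
                continue
            href = item.get("href", "")
            # Accept only ASCII decimal digits that name a declared track.
            ok = href.isascii() and href.isdigit() and href in declared
            (valid if ok else rejected).append(href)
    return valid, rejected
```

Calling `check_item_refs(SAMPLE)` separates the two references that resolve from the two that do not, so a reader can refuse or skip the rejected ones instead of treating them as positions.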