
Entries tagged xine

It eats the pain

29 September 2007 21:50

Randomisation is a good thing for media players, but it must be done properly.

What do I mean by this? I mean randomness which only works going forwards.

As an example consider the case where you have several films/videos in a directory and you run this:

xine --loop=shuffle *.mpeg *.avi

This appears to do what you want, showing each film in a random order, but it is subtly doing the wrong thing.

If you're watching film "two", having just finished film "five", you'd expect to be able to return to film "five" by pressing "previous"/Page-Up - however that doesn't happen.

Xine decides that "moving backwards" in the playlist means selecting another film at random, rather than the previously viewed film which was selected at random - the two are different - and the current behaviour is both counter-intuitive and plain wrong IMHO.

I forget the name of the media player that I used briefly which also behaved like this, but it was enough to make me abandon it almost immediately.

So, think of the children. If you have a random mode, make sure that going to previous items actually does return to previously played items and not random ones.


Did you know xine will download and execute scripts?

19 July 2014 21:50

Today I was poking around the source of Xine, the well-known media player. During the course of this poking I spotted that Xine has skin support - something I've been blissfully ignorant of for many years.

How do these skins work? You bring up the skin-browser; by default this is achieved by pressing "Ctrl-d". The browser will show you previews of the skins available, and allow you to install them.

How does Xine know what skins are available? It downloads the contents of:

NOTE: This is an insecure URL.

The downloaded file is a simple XML thing, containing references to both preview-images and download locations.

For example the theme "Sunset" has the following details:

  • Download link: http://xine.sourceforge.net/skins/Sunset.tar.gz
  • Preview link: http://xine.sourceforge.net/skins/Sunset.png

If you choose to install the skin the Sunset.tar.gz file is downloaded, via HTTP, extracted, and the shell-script doinst.sh is executed, if present.

So if you control DNS on your LAN you can execute arbitrary commands if you persuade a victim to download your "corporate xine theme".

Probably a low-risk attack, but still a surprise.
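To see what a skin archive would do before letting the player install it, the following is an added example, not code from xine or from the original post. It reports the two properties described above: a download URL without TLS and a doinst.sh member that would be run after extraction, plus archive members that would land outside the extraction directory. The function names and the sample archive are constructed for illustration.

```python
import io
import tarfile
from urllib.parse import urlparse

INSTALL_HOOK = "doinst.sh"  # script name the post says is run after extraction


def audit_skin(url, archive_bytes):
    """Return a list of findings for a skin archive fetched from `url`."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("transport: archive fetched without TLS (%s)" % url)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if parts[-1] == INSTALL_HOOK and member.isfile():
                findings.append("hook: %s would be executed on install" % member.name)
            if member.name.startswith("/") or ".." in parts:
                findings.append("path: %s escapes the extraction directory" % member.name)
            if member.issym() or member.islnk():
                findings.append("link: %s -> %s" % (member.name, member.linkname))
            elif not (member.isfile() or member.isdir()):
                findings.append("type: %s is not a regular file or directory" % member.name)
    return findings


def build_sample_archive():
    """Constructed test input: a tiny skin tarball containing an install hook."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (("Sunset/README", b"constructed placeholder\n"),
                           ("Sunset/doinst.sh", b"#!/bin/sh\necho constructed sample\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for line in audit_skin("http://xine.sourceforge.net/skins/Sunset.tar.gz", sample):
        print(line)
```

The audit only reads member headers and never extracts or runs anything from the archive.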
