Input item options leaked to slave inputs
Currently, the input item options are passed not only to the "master" input objects (i.e. access, stream filter and demux), but also to the "slave" input objects (likewise).
In most cases, that is harmless. But in some cases, that leads to informations leakage.
Consider this:
vlc smb://secure/media/video.mp4 --input-slave smb://insecure/media/video.srt --smb-user john --smb-password asdf
The username and password intended for "secure" server are also supplised to "insecure" server...
Note: I stumbled upon this problem while trying to add "token" authentication to HTTPS. That would suffer from the same issue.