Skip to content
Snippets Groups Projects

VLSub stores opensubtitles.org account credentials in own plaintext configuration

    • Open Issue created by Lior @lwc

    After the discovery of VLsub throws an error msg, this file now must contain a username/password for opensubtitles.org (#27701).

    Alas, it's stored in pure plaintext in vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml.

    Can you encrypt it somehow?

    image image

    Edited
    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • Lior changed the description

      changed the description

    • Lior changed the description

      changed the description

    • Lior changed title from Allow to make of %APPDATA%vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml portable to Don't expose the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml

      changed title from Allow to make of %APPDATA%vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml portable to Don't expose the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml

    • Lior changed title from Don't expose the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml to Avoid exposing the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml

      changed title from Don't expose the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml to Avoid exposing the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml

    • Rémi Denis-Courmont
      Rémi Denis-Courmont @Courmisch ·
      Maintainer

      Encrypting the password with what key? I don't really get what you are hoping to achieve.

      The password should be stored by the system password manager. But of course that's not possible with a Lua extension. Somebody would have to rewrite the whole thing as native code.

    • Lior
      Lior @lwc ·
      Author

      Just trying to achieve not to store a plaintext password of a third party service.

      If you want open source examples how programs manage to do it anyway (even if it's not perfect), check it out in WinSCP (it even links to the GitHub file that does the encryption) and in FileZilla.

    • Denis Charmet
      Denis Charmet @typx ·
      Maintainer

      Hi,

      The issue here, as Rémi pointed it, is that right now vlsub is not handled by native code but by a LUA plugin and those don't have access to the OS keystore so it won't be possible until there are LUA bindings for VLC's keystore modules (provided that it's technically possible).

      The encryption is not a problem in itself but we have to somehow access a key that will not be easily retrievable else the encryption itself is pointless.

      The alternative would be to not store it at all and ask the password everytime...

      Edited by Denis Charmet
    • Pierre Ynard
      Pierre Ynard @linkfanel ·
      Developer

      You could always scramble the password with rot13 or encode it as Base64 lol More seriously, this isn't the only password susceptible to be saved as plaintext in the configuration. It is possible to enter and save into the preferences passwords used for many access or stream output plugins, that would then be stored as plaintext in the vlcrc main configuration file; although as an average or advanced user you wouldn't typically do that, you'd just type them in as needed or when setting up your streaming solution. I did see one other similar third-party service that stores account credentials in plaintext, that's the audioscrobbler plugin.

      Someone may want to file a ticket to provide lua bindings for this, but I won't, because I don't believe in furthering the systemic technical failings of the lua extensions framework. Even for functional lua scripts, i.e. not extensions, configuration remains a technical problem because there is no relay between them and the config core. This is just a mess.

      Why not move the opensubtitles.org configuration into the core, or just move the whole VLSub.lua into the main interfaces?... Wouldn't it just be easier to have this feature as not a lua extension?

      Edited by Pierre Ynard
    • Pierre Ynard added Component::LUA scripts label

      added Component::LUA scripts label

    • Pierre Ynard changed title from Avoid exposing the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml to VLSub.lua stores opensubtitles.org account credentials in plaintext configuration

      changed title from Avoid exposing the password inside vlc\lua\extensions\userdata\vlsub\vlsub_conf.xml to VLSub.lua stores opensubtitles.org account credentials in plaintext configuration

    • Pierre Ynard changed title from VLSub.lua stores opensubtitles.org account credentials in plaintext configuration to VLSub stores opensubtitles.org account credentials in own plaintext configuration

      changed title from VLSub.lua stores opensubtitles.org account credentials in plaintext configuration to VLSub stores opensubtitles.org account credentials in own plaintext configuration

    • Pierre Ynard mentioned in issue #27701

      mentioned in issue #27701

    • Pierre Ynard mentioned in issue #27828

      mentioned in issue #27828

    • Pierre Ynard added Security label

      added Security label

    Please register or sign in to reply

    VideoLAN code repository instance