This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit d73a74c2b7821e79b6a2e563b3df759a4cbcd423
Author:     Franciszek Kalinowski <[email protected]>
AuthorDate: Tue May 12 12:00:00 2026 +0000
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 04:59:04 2026 +0200

    avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection

    ftp_connect() interpolates the URL path into
    SIZE/RETR/STOR/CWD/DELE/RMD/RNFR commands without checking for CR/LF,
    although it already rejects CR/LF in the user and password fields.
    Reject CR/LF in s->path the same way.

    Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai)
    and Bartosz Śmigielski.

    (cherry picked from commit 640f32b1b6f7855d5aa8ecdb080e0c08e78e021d)
    Signed-off-by: Michael Niedermayer <[email protected]>

--- libavformat/ftp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 761dce8128..7b0cf31492 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -746,6 +746,11 @@ static int ftp_connect(URLContext *h, const char *url) av_free(s->path); s->path = newpath; + if (strpbrk(s->path, "\r\n")) { + av_log(h, AV_LOG_ERROR, "Path contains CR/LF characters\n"); + return AVERROR(EINVAL); + }
 + return 0; }
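Review bot: The new strpbrk(s->path, "\r\n") check at the end of ftp_connect() only covers a path that is assembled by this function, and the commit message lists SIZE/RETR/STOR/CWD/DELE/RMD/RNFR but not RNTO, so please confirm that the rename destination path, and any other path string that reaches a command without passing through ftp_connect(), gets the same rejection. The check also runs after "av_free(s->path); s->path = newpath;", so the rejected string is already stored in the context when AVERROR(EINVAL) is returned; validating newpath before the assignment (and freeing it on failure) would keep a rejected value out of s->path entirely. Since the message says the user and password fields are already checked the same way, a small shared helper for all three fields would keep the checks and their log messages consistent, and a short comment above the new block saying why CR/LF is refused (the path is interpolated into control-channel commands) would help later readers.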
