This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/6.1 in repository ffmpeg.
commit 1d5ab8dea94d53d4cad7eba59bc29f6a0cb1548a
Author:     Franciszek Kalinowski <[email protected]>
AuthorDate: Tue May 12 12:00:00 2026 +0000
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 19:38:55 2026 +0200

    avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection

    ftp_connect() interpolates the URL path into SIZE/RETR/STOR/CWD/DELE/RMD/RNFR commands without checking for CR/LF, although it already rejects CR/LF in the user and password fields. Reject CR/LF in s->path the same way.

    Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Śmigielski.

    (cherry picked from commit 640f32b1b6f7855d5aa8ecdb080e0c08e78e021d)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavformat/ftp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/ftp.c b/libavformat/ftp.c index f9b069a59e..6a765e660c 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -745,6 +745,11 @@ static int ftp_connect(URLContext *h, const char *url) av_free(s->path); s->path = newpath; + if (strpbrk(s->path, "\r\n")) { + av_log(h, AV_LOG_ERROR, "Path contains CR/LF characters\n"); + return AVERROR(EINVAL); + } + return 0; }
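
Review bot: The strpbrk(s->path, "\r\n") check at the end of ftp_connect() only covers the path assembled in this function, and the commit message lists RNFR but not RNTO. If the rename destination is parsed from a second URL and sent without going through ftp_connect(), it needs the same CR/LF rejection. With user, password and path now each carrying this test, a small shared helper applied to every URL-derived field that reaches a command line would keep a future command from missing it. The check also runs only just before return 0; if earlier code in the function has already opened the control connection, validating the URL path before any network I/O would fail faster and avoid logging in for a request that is going to be rejected.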
