PR #23148 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23148 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23148.patch
ftp_connect() interpolates the URL path into SIZE/RETR/STOR/CWD/DELE/RMD/RNFR/RNTO commands without checking for CR/LF, although it already rejects CR/LF in the user and password fields. Reject CR/LF in s->path the same way. Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Śmigielski. From 5c171e988ba7baf5961b0f34fdca1b8b6ddfbff8 Mon Sep 17 00:00:00 2001 From: Franciszek Kalinowski <[email protected]> Date: Tue, 12 May 2026 12:00:00 +0000 Subject: [PATCH] avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ftp_connect() interpolates the URL path into SIZE/RETR/STOR/CWD/DELE/RMD/RNFR/RNTO commands without checking for CR/LF, although it already rejects CR/LF in the user and password fields. Reject CR/LF in s->path the same way. Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Śmigielski. --- libavformat/ftp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 761dce8128..7b0cf31492 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -746,6 +746,11 @@ static int ftp_connect(URLContext *h, const char *url) av_free(s->path); s->path = newpath; + if (strpbrk(s->path, "\r\n")) { + av_log(h, AV_LOG_ERROR, "Path contains CR/LF characters\n"); + return AVERROR(EINVAL); + } + return 0; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
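Review bot: The added `strpbrk(s->path, "\r\n")` check at the end of ftp_connect() only validates the path stored in s->path, yet the commit message lists RNTO among the affected commands. If the rename target is parsed from a separate destination URL rather than from s->path, it would not pass through this check, so please confirm that and, if so, apply the same rejection where the RNTO argument is built. Since the message says the user and password fields already get the same CR/LF rejection, a small shared helper used for all three fields would keep the checks from drifting apart. The commit message could also state whether the path is used verbatim after this point, because any later decoding of the path would happen after the check has already passed.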
