[FFmpeg-cvslog] avformat/ftp: do not break protocol on username or password with newlines

Marton Balint git at videolan.org
Sat Feb 15 20:27:06 EET 2020


ffmpeg | branch: master | Marton Balint <cus at passwd.hu> | Thu Feb  6 00:48:17 2020 +0100| [04f1d49709dac2d0e35f54bbe49cf00ba632e6dd] | committer: Marton Balint

avformat/ftp: do not break protocol on username or password with newlines

Signed-off-by: Marton Balint <cus at passwd.hu>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=04f1d49709dac2d0e35f54bbe49cf00ba632e6dd
---

 libavformat/ftp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/ftp.c b/libavformat/ftp.c
index 860dd7d8dc..ab7368256c 100644
--- a/libavformat/ftp.c
+++ b/libavformat/ftp.c
@@ -18,6 +18,8 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include <string.h>
+
 #include "libavutil/avstring.h"
 #include "libavutil/internal.h"
 #include "libavutil/parseutils.h"
@@ -246,10 +248,14 @@ static int ftp_auth(FTPContext *s)
     static const int user_codes[] = {331, 230, 0};
     static const int pass_codes[] = {230, 0};
 
+    if (strpbrk(s->user, "\r\n"))
+        return AVERROR(EINVAL);
     snprintf(buf, sizeof(buf), "USER %s\r\n", s->user);
     err = ftp_send_command(s, buf, user_codes, NULL);
     if (err == 331) {
         if (s->password) {
+            if (strpbrk(s->password, "\r\n"))
+                return AVERROR(EINVAL);
             snprintf(buf, sizeof(buf), "PASS %s\r\n", s->password);
             err = ftp_send_command(s, buf, pass_codes, NULL);
         } else



More information about the ffmpeg-cvslog mailing list