[FFmpeg-cvslog] avformat/url: check url root node when rel include double dot and trim double dot

Steven Liu git at videolan.org
Wed May 6 07:01:50 EEST 2020


ffmpeg | branch: master | Steven Liu <lq at chinaffmpeg.org> | Wed Apr 29 12:50:57 2020 +0800| [648051f07cffd0d91c89dc6706e3d0d6a286de43] | committer: Steven Liu

avformat/url: check url root node when rel include double dot and trim double dot

fix ticket: 8625
and add testcase into url for double dot corner case

Signed-off-by: Steven Liu <lq at chinaffmpeg.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=648051f07cffd0d91c89dc6706e3d0d6a286de43
---

 libavformat/tests/url.c |  5 ++++
 libavformat/url.c       | 77 ++++++++++++++++++++++++++++++++++++++++++++++---
 tests/ref/fate/url      |  5 ++++
 3 files changed, 83 insertions(+), 4 deletions(-)

diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c
index 5e484fd428..1d961a1b43 100644
--- a/libavformat/tests/url.c
+++ b/libavformat/tests/url.c
@@ -56,6 +56,7 @@ int main(void)
     test("/foo/bar", "baz");
     test("/foo/bar", "../baz");
     test("/foo/bar", "/baz");
+    test("/foo/bar", "../../../baz");
     test("http://server/foo/", "baz");
     test("http://server/foo/bar", "baz");
     test("http://server/foo/", "../baz");
@@ -65,6 +66,10 @@ int main(void)
     test("http://server/foo/bar?param=value/with/slashes", "/baz");
     test("http://server/foo/bar?param&otherparam", "?someparam");
     test("http://server/foo/bar", "//other/url");
+    test("http://server/foo/bar", "../../../../../other/url");
+    test("http://server/foo/bar", "/../../../../../other/url");
+    test("http://server/foo/bar", "/test/../../../../../other/url");
+    test("http://server/foo/bar", "/test/../../test/../../../other/url");
 
     printf("\nTesting av_url_split:\n");
     test2("/foo/bar");
diff --git a/libavformat/url.c b/libavformat/url.c
index 596fb49cfc..7cd9e0c705 100644
--- a/libavformat/url.c
+++ b/libavformat/url.c
@@ -21,6 +21,7 @@
 
 
 #include "avformat.h"
+#include "internal.h"
 #include "config.h"
 #include "url.h"
 #if CONFIG_NETWORK
@@ -77,10 +78,53 @@ int ff_url_join(char *str, int size, const char *proto,
     return strlen(str);
 }
 
+static void trim_double_dot_url(char *buf, const char *rel, int size)
+{
+    const char *p = rel;
+    const char *root = rel;
+    char tmp_path[MAX_URL_SIZE] = {0, };
+    char *sep;
+    char *node;
+
+    /* Get the path root of the url which start by "://" */
+    if (p && (sep = strstr(p, "://"))) {
+        sep += 3;
+        root = strchr(sep, '/');
+    }
+
+    /* set new current position if the root node is changed */
+    p = root;
+    while (p && (node = strstr(p, ".."))) {
+        av_strlcat(tmp_path, p, node - p + strlen(tmp_path));
+        p = node + 3;
+        sep = strrchr(tmp_path, '/');
+        if (sep)
+            sep[0] = '\0';
+        else
+            tmp_path[0] = '\0';
+    }
+
+    if (!av_stristart(p, "/", NULL) && root != rel)
+        av_strlcat(tmp_path, "/", size);
+
+    av_strlcat(tmp_path, p, size);
+    /* start set buf after temp path process. */
+    av_strlcpy(buf, rel, root - rel + 1);
+
+    if (!av_stristart(tmp_path, "/", NULL) && root != rel)
+        av_strlcat(buf, "/", size);
+
+    av_strlcat(buf, tmp_path, size);
+}
+
 void ff_make_absolute_url(char *buf, int size, const char *base,
                           const char *rel)
 {
     char *sep, *path_query;
+    char *root, *p;
+    char tmp_path[MAX_URL_SIZE];
+
+    memset(tmp_path, 0, sizeof(tmp_path));
     /* Absolute path, relative to the current server */
     if (base && strstr(base, "://") && rel[0] == '/') {
         if (base != buf)
@@ -99,11 +143,14 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
             }
         }
         av_strlcat(buf, rel, size);
+        trim_double_dot_url(tmp_path, buf, size);
+        memset(buf, 0, size);
+        av_strlcpy(buf, tmp_path, size);
         return;
     }
     /* If rel actually is an absolute url, just copy it */
     if (!base || strstr(rel, "://") || rel[0] == '/') {
-        av_strlcpy(buf, rel, size);
+        trim_double_dot_url(buf, rel, size);
         return;
     }
     if (base != buf)
@@ -117,19 +164,38 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
     /* Is relative path just a new query part? */
     if (rel[0] == '?') {
         av_strlcat(buf, rel, size);
+        trim_double_dot_url(tmp_path, buf, size);
+        memset(buf, 0, size);
+        av_strlcpy(buf, tmp_path, size);
         return;
     }
 
+    root = p = buf;
+    /* Get the path root of the url which start by "://" */
+    if (p && strstr(p, "://")) {
+        sep = strstr(p, "://");
+        if (sep) {
+            sep += 3;
+            root = strchr(sep, '/');
+        }
+    }
+
     /* Remove the file name from the base url */
     sep = strrchr(buf, '/');
+    if (sep <= root)
+        sep = root;
+
     if (sep)
         sep[1] = '\0';
     else
         buf[0] = '\0';
-    while (av_strstart(rel, "../", NULL) && sep) {
+    while (av_strstart(rel, "..", NULL) && sep) {
         /* Remove the path delimiter at the end */
-        sep[0] = '\0';
-        sep = strrchr(buf, '/');
+        if (sep > root) {
+            sep[0] = '\0';
+            sep = strrchr(buf, '/');
+        }
+
         /* If the next directory name to pop off is "..", break here */
         if (!strcmp(sep ? &sep[1] : buf, "..")) {
             /* Readd the slash we just removed */
@@ -144,6 +210,9 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
         rel += 3;
     }
     av_strlcat(buf, rel, size);
+    trim_double_dot_url(tmp_path, buf, size);
+    memset(buf, 0, size);
+    av_strlcpy(buf, tmp_path, size);
 }
 
 AVIODirEntry *ff_alloc_dir_entry(void)
diff --git a/tests/ref/fate/url b/tests/ref/fate/url
index 980b2ce1f9..533ba2cb1e 100644
--- a/tests/ref/fate/url
+++ b/tests/ref/fate/url
@@ -3,6 +3,7 @@ Testing ff_make_absolute_url:
                                           /foo/bar baz                  => /foo/baz
                                           /foo/bar ../baz               => /baz
                                           /foo/bar /baz                 => /baz
+                                          /foo/bar ../../../baz         => /baz
                                 http://server/foo/ baz                  => http://server/foo/baz
                              http://server/foo/bar baz                  => http://server/foo/baz
                                 http://server/foo/ ../baz               => http://server/baz
@@ -12,6 +13,10 @@ Testing ff_make_absolute_url:
     http://server/foo/bar?param=value/with/slashes /baz                 => http://server/baz
             http://server/foo/bar?param&otherparam ?someparam           => http://server/foo/bar?someparam
                              http://server/foo/bar //other/url          => http://other/url
+                             http://server/foo/bar ../../../../../other/url => http://server/other/url
+                             http://server/foo/bar /../../../../../other/url => http://server/other/url
+                             http://server/foo/bar /test/../../../../../other/url => http://server/other/url
+                             http://server/foo/bar /test/../../test/../../../other/url => http://server/other/url
 
 Testing av_url_split:
 /foo/bar                                                     =>                                                    -1 /foo/bar



More information about the ffmpeg-cvslog mailing list