[FFmpeg-devel] [PATCH] fateserver/log: clean chars in slot, time and log
Michael Niedermayer
michael at niedermayer.cc
Tue Oct 17 19:12:13 EEST 2017
Fixes: Directory Traversal
Found-by: Pankaj Jadhav <pankajj736 at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
log.cgi | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/log.cgi b/log.cgi
index d5d2abb..8767e3a 100755
--- a/log.cgi
+++ b/log.cgi
@@ -22,7 +22,11 @@ use FATE;
my $req_slot = param 'slot';
my $req_time = param 'time';
+$req_slot =~ s/[^-._A-Za-z0-9 ]*//g;
+$req_time =~ s/[^0-9]*//g;
my ($req_log, $req_diff) = param('log') =~ m!([^/]+)(?:/([^/]+))?!;
+$req_log =~ s/[^a-z]*//g;
+$req_diff =~ s/[^0-9]*//g;
my $repdir = "$fatedir/$req_slot/$req_time";
my $log = "$repdir/$req_log.log.gz";
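Review bot: The slot whitelist on the added `$req_slot` line still admits `.`, so a value of `..` passes through unchanged and `$repdir` becomes `$fatedir/../$req_time`, one level above the report tree. Stripping characters also silently turns a malformed request into a different, valid-looking one; validating with an anchored match and rejecting is safer, e.g. `$req_slot =~ /\A[A-Za-z0-9][-._A-Za-z0-9 ]*\z/ or die "invalid slot";`, with the same approach for `time` and `log`. `$req_diff` is undef whenever `log` has no second path component, so the added substitution on it will warn if warnings are enabled unless it is guarded with `if defined $req_diff`. The code that opens `$log` is outside the hunk, so the remaining impact is inferred from the path construction alone.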
--
2.14.2