[FFmpeg-devel] [PATCH v3] avformat/url: check url root node when rel include double dot

Steven Liu lq at chinaffmpeg.org
Mon Apr 27 14:27:46 EEST 2020



> 2020年4月27日 下午7:22,Nicolas George <george at nsup.org> 写道:
> 
> Steven Liu (12020-04-27):
>> /../../../../../other/url,  this is the absolute path, so just concat and don’t process,
>> Or what do you want to say?
> 
> This is not an absolute path, since it contains "..". I think it is a
> problem that the output of ff_make_absolute_url() is not, you know,
> absolute.
> 
> It can even be considered a security issue, since other parts of the
> code could assume that the output of ff_make_absolute_url() is actually
> absolute.
I need one example to understand about the security issue after this patch.


Thanks

Steven Liu





More information about the ffmpeg-devel mailing list