[FFmpeg-devel] [PATCH v3] avformat/url: check url root node when rel include double dot
Nicolas George
george at nsup.org
Mon Apr 27 14:35:43 EEST 2020
Steven Liu (12020-04-27):
> I need one example to understand about the security issue after this patch.
Use ff_make_absolute_url() on a trusted base and an un-trusted path;
check the result starts with the allowed prefix. Let an attacker escape
because the result contains ../.
Regards,
--
Nicolas George
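
The failure mode described in the message above, as an added example that is not part of the original post or FFmpeg's code: a prefix check on a resolved URL passes while `../` is still in it, and a check that collapses dot segments first rejects it. `naive_allowed`, `normalize_url`, `strict_allowed` and the `media.example` URLs are hypothetical names and constructed values; the URL stands in for the result of joining a trusted base with an untrusted path.

```c
#include <stdio.h>
#include <string.h>

/* Prefix test on the raw string, the check described in the message. */
static int naive_allowed(const char *url, const char *prefix) {
    return strncmp(url, prefix, strlen(prefix)) == 0;
}

/* Collapse "." and ".." path segments (simplified from RFC 3986 5.2.4, no
 * query or percent-decoding). -1 on overflow or ".." above the root. */
static int normalize_url(const char *url, char *out, size_t outsz) {
    const char *p = strstr(url, "://");
    size_t root, len;
    p = p ? strchr(p + 3, '/') : NULL;      /* first '/' after the authority */
    if (!p || (size_t)(p - url) + 2 > outsz) return -1;
    root = len = (size_t)(p - url);
    memcpy(out, url, len);
    while (*p) {
        const char *seg = ++p;              /* segment after this '/' */
        size_t n = strcspn(seg, "/");
        p = seg + n;
        if (n == 1 && seg[0] == '.') continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == root) return -1;     /* would escape the root */
            while (out[--len] != '/') { }   /* drop the previous segment */
            continue;
        }
        if (len + n + 2 > outsz) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    out[len] = '\0';
    return 0;
}

/* Hardened check: normalize first, then compare against the prefix. */
static int strict_allowed(const char *url, const char *prefix) {
    char norm[1024];
    return !normalize_url(url, norm, sizeof(norm)) && naive_allowed(norm, prefix);
}

int main(void) {
    /* Constructed values; url stands for a resolved base + untrusted path. */
    const char *prefix = "http://media.example/public/";
    const char *url = "http://media.example/public/../private/key.bin";
    printf("naive=%d strict=%d\n", naive_allowed(url, prefix), strict_allowed(url, prefix));
    return 0;
}
```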