[FFmpeg-devel] [PATCH v3] avformat/url: check url root node when rel include double dot
Steven Liu
lq at chinaffmpeg.org
Mon Apr 27 14:36:27 EEST 2020
> On Apr 27, 2020, at 7:35 PM, Nicolas George <george at nsup.org> wrote:
>
> Steven Liu (12020-04-27):
>> I need one example to understand about the security issue after this patch.
>
> Use ff_make_absolute_url() on a trusted base and an un-trusted path;
> check the result starts with the allowed prefix. Let an attacker escape
> because the result contains ../.
>
Command line?
> Regards,
>
> --
> Nicolas George
Thanks
Steven Liu
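
Added example, not part of the thread and not FFmpeg code: a minimal C sketch of the check described in the quoted reply, showing a plain prefix comparison accepting a URL that still contains a `../` segment, next to a stricter check that rejects it. The function names and URLs are hypothetical and constructed for illustration; only literal `..` segments are handled, percent-encoded forms are out of scope.

```c
#include <stdio.h>
#include <string.h>

/* Naive check: only compares the leading bytes against the allowed prefix. */
static int naive_prefix_ok(const char *url, const char *prefix)
{
    return strncmp(url, prefix, strlen(prefix)) == 0;
}

/* Returns 1 if any '/'-delimited segment of url is exactly "..".
 * Conservative: the query string is scanned too. */
static int has_dotdot_segment(const char *url)
{
    const char *p = url;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Stricter check: prefix must match and no ".." segment may survive. */
static int strict_prefix_ok(const char *url, const char *prefix)
{
    return naive_prefix_ok(url, prefix) && !has_dotdot_segment(url);
}

int main(void)
{
    /* Constructed sample values, standing in for resolved URLs. */
    const char *prefix = "http://media.example/allowed/";
    const char *urls[] = {
        "http://media.example/allowed/seg1.ts",
        "http://media.example/allowed/../private/key.bin",
        "http://media.example/allowed/a..b/seg2.ts",
    };
    for (size_t i = 0; i < sizeof(urls) / sizeof(urls[0]); i++)
        printf("%-50s naive=%d strict=%d\n", urls[i],
               naive_prefix_ok(urls[i], prefix),
               strict_prefix_ok(urls[i], prefix));
    return 0;
}
```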