[FFmpeg-devel] [PATCH v2 1/2] avformat/url: check double dot is not to parent directory

Marton Balint cus at passwd.hu
Sat Jul 25 12:40:15 EEST 2020



On Sat, 25 Jul 2020, Zlomek, Josef wrote:

> Hi Steven,
>
> It is better but still not correct. Consider this test:
>
> test("http://server/foo/bar",
>      "a/b/../c/d/../e../.../..f/g../h../other/url/a.mp3/...");
> It should give
> "http://server/foo/bar/a/c/e../.../..f/g../h../other/url/a.mp3/...".
>
> I think the best would be to use strtok(p, "/") to split the path into the
> components and for each ".." component remove the previous one (if there
> are some still).

And I also would like to point out that using static strings with 
MAX_URL_SIZE is not OK. This function supports an arbitrary buffer size, 
so limiting it to MAX_URL_SIZE is a bug.

Regards,
Marton

>
> Best regards,
> Josef
>
> On Sat, Jul 25, 2020 at 4:45 AM Steven Liu <lq at chinaffmpeg.org> wrote:
>
>> fix ticket: 8814
>> if ".." is found in the url, check the next byte and the lead byte of the double dot;
>> if there is no '/' and it is not the root node, it is not used to go to directory ".."
>>
>> Signed-off-by: Steven Liu <lq at chinaffmpeg.org>
>> ---
>>  libavformat/url.c | 12 ++++++++++++
>>  1 file changed, 12 insertions(+)
>>
>> diff --git a/libavformat/url.c b/libavformat/url.c
>> index 20463a6674..35f27fe3ca 100644
>> --- a/libavformat/url.c
>> +++ b/libavformat/url.c
>> @@ -97,6 +97,18 @@ static void trim_double_dot_url(char *buf, const char
>> *rel, int size)
>>      /* set new current position if the root node is changed */
>>      p = root;
>>      while (p && (node = strstr(p, ".."))) {
>> +        if (strlen(node) > 2 && node[2] != '/') {
>> +            node = strstr(node + 1, "..");
>> +            if (!node)
>> +                break;
>> +        }
>> +
>> +        if (p != node && p[node - p - 1] != '/') {
>> +            node = strstr(node + 1, "..");
>> +            if (!node)
>> +                break;
>> +        }
>> +
>>          av_strlcat(tmp_path, p, node - p + strlen(tmp_path));
>>          p = node + 3;
>>          sep = strrchr(tmp_path, '/');
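Review bot: The two skip checks added at the top of the while loop each run only once, and the node they produce is never re-validated before it reaches av_strlcat() and p = node + 3. When the second check skips "e.." because the preceding byte is not '/', the next strstr() hit can be "..f", which is never tested against node[2] != '/'; in the first check, strstr(node + 1, "..") on "..." matches the overlapping last two dots. Suggest validating both boundaries in one place (preceded by '/' or at the start of the path, followed by '/' or the terminating NUL) and repeating until a candidate passes, or comparing whole '/'-separated components against "..". Also, a trailing ".." (strlen(node) == 2) is not skipped by the first check, and p = node + 3 then points one past the terminating NUL before the next strstr(p, "..").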
>> --
>> 2.25.0
>>
>>
>>
>>
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel at ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>
>
>
> -- 
> Josef Zlomek
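
Added example (not part of the thread and not FFmpeg's code): the component-wise handling Josef suggests, done in place on the caller's buffer so that no MAX_URL_SIZE-sized temporary is involved, the limit Marton objects to. The name collapse_dot_dot is hypothetical, the scan uses strcspn() rather than strtok(), and it assumes a ".." with no previous component left is simply dropped.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: collapse ".." components of a '/'-separated path
 * in place. Only a component that is exactly ".." removes the previous
 * one; "e..", "..." and "..f" are ordinary names. The result is never
 * longer than the input, so the caller's buffer of any size is enough. */
static char *collapse_dot_dot(char *path)
{
    int absolute = (*path == '/');
    char *base = path + absolute;   /* never pop past a leading '/' */
    char *in = base, *out = base;

    while (*in) {
        size_t len = strcspn(in, "/");      /* length of this component */
        size_t adv = len + (in[len] == '/'); /* component plus its '/' */

        if (len == 2 && in[0] == '.' && in[1] == '.') {
            /* Assumption: with nothing left to remove, ".." is dropped. */
            if (out > base) {
                out--;                      /* step over the trailing '/' */
                while (out > base && out[-1] != '/')
                    out--;
            }
        } else {
            memmove(out, in, adv);          /* regions may overlap */
            out += adv;
        }
        in += adv;
    }
    *out = '\0';
    return path;
}

int main(void)
{
    /* Relative part of the test case quoted in the thread. */
    char rel[] = "a/b/../c/d/../e../.../..f/g../h../other/url/a.mp3/...";

    printf("%s\n", collapse_dot_dot(rel));
    return 0;
}
```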
