mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-28 20:53:54 +02:00
avformat/mov: Implement a same origin policy for references instead of only allowing a subset of relative pathes in references
Fixes Ticket4671 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
eea08efc0d
commit
8f2c045a0e
@ -2698,6 +2698,35 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
|
||||
}
|
||||
}
|
||||
|
||||
static int test_same_origin(const char *src, const char *ref) {
|
||||
char src_proto[64];
|
||||
char ref_proto[64];
|
||||
char src_auth[256];
|
||||
char ref_auth[256];
|
||||
char src_host[256];
|
||||
char ref_host[256];
|
||||
int src_port=-1;
|
||||
int ref_port=-1;
|
||||
|
||||
av_url_split(src_proto, sizeof(src_proto), src_auth, sizeof(src_auth), src_host, sizeof(src_host), &src_port, NULL, 0, src);
|
||||
av_url_split(ref_proto, sizeof(ref_proto), ref_auth, sizeof(ref_auth), ref_host, sizeof(ref_host), &ref_port, NULL, 0, ref);
|
||||
|
||||
if (strlen(src) == 0) {
|
||||
return -1;
|
||||
} else if (strlen(src_auth) + 1 >= sizeof(src_auth) ||
|
||||
strlen(ref_auth) + 1 >= sizeof(ref_auth) ||
|
||||
strlen(src_host) + 1 >= sizeof(src_host) ||
|
||||
strlen(ref_host) + 1 >= sizeof(ref_host)) {
|
||||
return 0;
|
||||
} else if (strcmp(src_proto, ref_proto) ||
|
||||
strcmp(src_auth, ref_auth) ||
|
||||
strcmp(src_host, ref_host) ||
|
||||
src_port != ref_port) {
|
||||
return 0;
|
||||
} else
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDref *ref,
|
||||
AVIOInterruptCB *int_cb)
|
||||
{
|
||||
@ -2738,12 +2767,23 @@ static int mov_open_dref(MOVContext *c, AVIOContext **pb, const char *src, MOVDr
|
||||
av_strlcat(filename, "../", sizeof(filename));
|
||||
|
||||
av_strlcat(filename, ref->path + l + 1, sizeof(filename));
|
||||
if (!c->use_absolute_path && !c->fc->open_cb)
|
||||
if (!c->use_absolute_path && !c->fc->open_cb) {
|
||||
int same_origin = test_same_origin(src, filename);
|
||||
|
||||
if (!same_origin) {
|
||||
av_log(c->fc, AV_LOG_ERROR,
|
||||
"Reference with mismatching origin, %s not tried for security reasons, "
|
||||
"set demuxer option use_absolute_path to allow it anyway\n",
|
||||
ref->path);
|
||||
return AVERROR(ENOENT);
|
||||
}
|
||||
|
||||
if(strstr(ref->path + l + 1, "..") ||
|
||||
strstr(ref->path + l + 1, ":") ||
|
||||
ref->nlvl_from > 1 ||
|
||||
(ref->nlvl_from > 1 && same_origin < 0) ||
|
||||
(filename[0] == '/' && src_path == src))
|
||||
return AVERROR(ENOENT);
|
||||
}
|
||||
|
||||
if (strlen(filename) + 1 == sizeof(filename))
|
||||
return AVERROR(ENOENT);
|
||||
|
Loading…
Reference in New Issue
Block a user