avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection
author Franciszek Kalinowski <franek.kalinowski@isec.pl>
Tue, 12 May 2026 12:00:00 +0000 (12:00 +0000)
committer Michael Niedermayer <michael@niedermayer.cc>
Sun, 14 Jun 2026 02:59:04 +0000 (04:59 +0200)
commit d73a74c2b7821e79b6a2e563b3df759a4cbcd423
tree 0457f7a3f5e0c44843cce0f1668bff4892b1a6e4
parent 0c021534868ffc4a3001698ffdbe468b4988d6aa
avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection

ftp_connect() interpolates the URL path into SIZE/RETR/STOR/CWD/DELE/RMD/RNFR
commands without checking for CR/LF, although it already rejects CR/LF in the
user and password fields. Reject CR/LF in s->path the same way.

Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Śmigielski.

(cherry picked from commit 640f32b1b6f7855d5aa8ecdb080e0c08e78e021d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/ftp.c
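
The effect the commit message describes, as an added example that is not FFmpeg code and not part of this commit: a path interpolated into an FTP command line is parsed by the server as more than one command if it carries CR/LF, and a check made before formatting refuses it. The helper names, buffer size and sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; none of this is FFmpeg code. */

/* Count the CRLF-terminated command lines a server would parse from buf. */
static int count_commands(const char *buf)
{
    int n = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2)
        n++;
    return n;
}

/* Format "<verb> <path>\r\n" and return how many commands it contains.
 * With checked != 0 the path is refused (-1) if it holds CR or LF,
 * before anything is formatted. Also returns -1 on truncation. */
static int commands_on_wire(const char *verb, const char *path, int checked)
{
    char buf[512];
    int len;

    if (checked && strpbrk(path, "\r\n"))
        return -1;
    len = snprintf(buf, sizeof(buf), "%s %s\r\n", verb, path);
    if (len < 0 || (size_t)len >= sizeof(buf))
        return -1;
    return count_commands(buf);
}

int main(void)
{
    /* Constructed sample paths. */
    const char *ok  = "/pub/video.mkv";
    const char *bad = "/pub/video.mkv\r\nDELE /pub/other.mkv";

    printf("ok,  unchecked: %d\n", commands_on_wire("RETR", ok, 0));
    printf("bad, unchecked: %d\n", commands_on_wire("RETR", bad, 0));
    printf("ok,  checked:   %d\n", commands_on_wire("RETR", ok, 1));
    printf("bad, checked:   %d\n", commands_on_wire("RETR", bad, 1));
    return 0;
}
```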