avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection
ftp_connect() interpolates the URL path into SIZE/RETR/STOR/CWD/DELE/RMD/RNFR
commands without checking for CR/LF, although it already rejects CR/LF in the
user and password fields. Reject CR/LF in s->path the same way.
Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Ĺmigielski.
(cherry picked from commit
640f32b1b6f7855d5aa8ecdb080e0c08e78e021d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>