avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection
author Franciszek Kalinowski <franek.kalinowski@isec.pl>
Tue, 12 May 2026 12:00:00 +0000 (12:00 +0000)
committer Michael Niedermayer <michael@niedermayer.cc>
Sat, 13 Jun 2026 15:16:09 +0000 (17:16 +0200)
commit efec380830e6f38d6496b004ffb2e3297c73525f
tree 332c28043ae4b651bde85e5adb8c3aec879ffda6
parent 2b62201452d9d688a2fe1d6cc76a33f7b8547f8d
avformat/ftp: reject CR/LF in the URL path to prevent FTP command injection

ftp_connect() interpolates the URL path into SIZE/RETR/STOR/CWD/DELE/RMD/RNFR
commands without checking for CR/LF, although it already rejects CR/LF in the
user and password fields. Reject CR/LF in s->path the same way.

Reported and reviewed by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Śmigielski.

(cherry picked from commit 640f32b1b6f7855d5aa8ecdb080e0c08e78e021d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/ftp.c
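
The check the commit message describes, as an added stand-alone example (not FFmpeg's code and not part of this commit): a path is refused if it contains CR or LF before it is formatted into a control-channel command. The helper names `has_crlf`, `build_ftp_command` and `count_command_lines` and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if s contains a CR or LF byte, else 0. */
static int has_crlf(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Hypothetical helper: write "<verb> <path>\r\n" into buf.
 * Returns the command length, or -1 if the path contains CR/LF
 * or the formatted command does not fit in buf. */
static int build_ftp_command(char *buf, size_t size,
                             const char *verb, const char *path)
{
    int n;

    if (has_crlf(path))
        return -1;      /* path would add a line break to the command stream */
    n = snprintf(buf, size, "%s %s\r\n", verb, path);
    if (n < 0 || (size_t)n >= size)
        return -1;      /* truncated: never send a partial command */
    return n;
}

/* Lines a peer that splits on LF would read from buf. */
static int count_command_lines(const char *buf)
{
    int lines = 0;
    for (; *buf; buf++)
        lines += (*buf == '\n');
    return lines;
}

int main(void)
{
    /* Constructed sample paths, not taken from the commit. */
    const char *paths[] = { "/pub/video.mkv", "/pub/video.mkv\r\nNOOP", "/pub/a\nb" };
    char cmd[256];

    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        int n = build_ftp_command(cmd, sizeof(cmd), "RETR", paths[i]);
        snprintf(cmd, sizeof(cmd), "RETR %s\r\n", paths[i]); /* unchecked form */
        printf("path %zu: %s, unchecked form is %d line(s)\n",
               i, n < 0 ? "rejected" : "accepted", count_command_lines(cmd));
    }
    return 0;
}
```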