Message ID | 20200427111216.11179-1-lq@chinaffmpeg.org |
---|---|
State | New |
Series | [FFmpeg-devel,v3] avformat/url: check url root node when rel include double dot | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
Steven Liu (12020-04-27): > fix ticket: 8625 > and add testcase into url for double dot corner case > > Signed-off-by: Steven Liu <liuqi05@kuaishou.com> > --- > libavformat/tests/url.c | 3 +++ > libavformat/url.c | 21 +++++++++++++++++++-- > tests/ref/fate/url | 3 +++ > 3 files changed, 25 insertions(+), 2 deletions(-) > > diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c > index 5e484fd428..02d0d59aa8 100644 > --- a/libavformat/tests/url.c > +++ b/libavformat/tests/url.c > @@ -56,6 +56,7 @@ int main(void) > test("/foo/bar", "baz"); > test("/foo/bar", "../baz"); > test("/foo/bar", "/baz"); > + test("/foo/bar", "../../../baz"); > test("http://server/foo/", "baz"); > test("http://server/foo/bar", "baz"); > test("http://server/foo/", "../baz"); > @@ -65,6 +66,8 @@ int main(void) > test("http://server/foo/bar?param=value/with/slashes", "/baz"); > test("http://server/foo/bar?param&otherparam", "?someparam"); > test("http://server/foo/bar", "//other/url"); > + test("http://server/foo/bar", "../../../../../other/url"); > + test("http://server/foo/bar", "/../../../../../other/url"); > > printf("\nTesting av_url_split:\n"); > test2("/foo/bar"); > diff --git a/libavformat/url.c b/libavformat/url.c > index 596fb49cfc..0aa50ab9a7 100644 > --- a/libavformat/url.c > +++ b/libavformat/url.c > @@ -81,6 +81,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base, > const char *rel) > { > char *sep, *path_query; > + char *root, *p; > /* Absolute path, relative to the current server */ > if (base && strstr(base, "://") && rel[0] == '/') { > if (base != buf) 
> @@ -120,16 +121,32 @@ void ff_make_absolute_url(char *buf, int size, const char *base, > return; > } > > + root = p = buf; > + /* Get the path root of the url which start by "://" */ > + if (p && strstr(p, "://")) { > + sep = strstr(p, "://"); > + if (sep) { > + sep += 3; > + root = strchr(sep, '/'); > + } > + } > + > /* Remove the file name from the base url */ > sep = strrchr(buf, '/'); > + if (sep <= root) > + sep = root; > + > if (sep) > sep[1] = '\0'; > else > buf[0] = '\0'; > while (av_strstart(rel, "../", NULL) && sep) { > /* Remove the path delimiter at the end */ > - sep[0] = '\0'; > - sep = strrchr(buf, '/'); > + if (sep > root) { > + sep[0] = '\0'; > + sep = strrchr(buf, '/'); > + } > + > /* If the next directory name to pop off is "..", break here */ > if (!strcmp(sep ? &sep[1] : buf, "..")) { > /* Readd the slash we just removed */ > diff --git a/tests/ref/fate/url b/tests/ref/fate/url > index 980b2ce1f9..c8260a97be 100644 > --- a/tests/ref/fate/url > +++ b/tests/ref/fate/url > @@ -3,6 +3,7 @@ Testing ff_make_absolute_url: > /foo/bar baz => /foo/baz > /foo/bar ../baz => /baz > /foo/bar /baz => /baz > + /foo/bar ../../../baz => /baz > http://server/foo/ baz => http://server/foo/baz > http://server/foo/bar baz => http://server/foo/baz > http://server/foo/ ../baz => http://server/baz > @@ -12,6 +13,8 @@ Testing ff_make_absolute_url: > http://server/foo/bar?param=value/with/slashes /baz => http://server/baz > http://server/foo/bar?param&otherparam ?someparam => http://server/foo/bar?someparam > http://server/foo/bar //other/url => http://other/url > + http://server/foo/bar ../../../../../other/url => http://server/other/url > + http://server/foo/bar /../../../../../other/url => http://server/../../../../../other/url Is this supposed to be the proper result? > > Testing av_url_split: > /foo/bar => -1 /foo/bar Regards,
> 2020年4月27日 下午7:14,Nicolas George <george@nsup.org> 写道: > > Steven Liu (12020-04-27): >> fix ticket: 8625 >> and add testcase into url for double dot corner case >> >> Signed-off-by: Steven Liu <liuqi05@kuaishou.com> >> --- >> libavformat/tests/url.c | 3 +++ >> libavformat/url.c | 21 +++++++++++++++++++-- >> tests/ref/fate/url | 3 +++ >> 3 files changed, 25 insertions(+), 2 deletions(-) >> >> diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c >> index 5e484fd428..02d0d59aa8 100644 >> --- a/libavformat/tests/url.c >> +++ b/libavformat/tests/url.c >> @@ -56,6 +56,7 @@ int main(void) >> test("/foo/bar", "baz"); >> test("/foo/bar", "../baz"); >> test("/foo/bar", "/baz"); >> + test("/foo/bar", "../../../baz"); >> test("http://server/foo/", "baz"); >> test("http://server/foo/bar", "baz"); >> test("http://server/foo/", "../baz"); >> @@ -65,6 +66,8 @@ int main(void) >> test("http://server/foo/bar?param=value/with/slashes", "/baz"); >> test("http://server/foo/bar?param&otherparam", "?someparam"); >> test("http://server/foo/bar", "//other/url"); >> + test("http://server/foo/bar", "../../../../../other/url"); >> + test("http://server/foo/bar", "/../../../../../other/url"); >> >> printf("\nTesting av_url_split:\n"); >> test2("/foo/bar"); >> diff --git a/libavformat/url.c b/libavformat/url.c >> index 596fb49cfc..0aa50ab9a7 100644 >> --- a/libavformat/url.c >> +++ b/libavformat/url.c >> @@ -81,6 +81,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base, >> const char *rel) >> { >> char *sep, *path_query; >> + char *root, *p; >> /* Absolute path, relative to the current server */ >> if (base && strstr(base, "://") && rel[0] == '/') { >> if (base != buf) 
>> @@ -120,16 +121,32 @@ void ff_make_absolute_url(char *buf, int size, const char *base, >> return; >> } >> >> + root = p = buf; >> + /* Get the path root of the url which start by "://" */ >> + if (p && strstr(p, "://")) { >> + sep = strstr(p, "://"); >> + if (sep) { >> + sep += 3; >> + root = strchr(sep, '/'); >> + } >> + } >> + >> /* Remove the file name from the base url */ >> sep = strrchr(buf, '/'); >> + if (sep <= root) >> + sep = root; >> + >> if (sep) >> sep[1] = '\0'; >> else >> buf[0] = '\0'; >> while (av_strstart(rel, "../", NULL) && sep) { >> /* Remove the path delimiter at the end */ >> - sep[0] = '\0'; >> - sep = strrchr(buf, '/'); >> + if (sep > root) { >> + sep[0] = '\0'; >> + sep = strrchr(buf, '/'); >> + } >> + >> /* If the next directory name to pop off is "..", break here */ >> if (!strcmp(sep ? &sep[1] : buf, "..")) { >> /* Readd the slash we just removed */ >> diff --git a/tests/ref/fate/url b/tests/ref/fate/url >> index 980b2ce1f9..c8260a97be 100644 >> --- a/tests/ref/fate/url >> +++ b/tests/ref/fate/url >> @@ -3,6 +3,7 @@ Testing ff_make_absolute_url: >> /foo/bar baz => /foo/baz >> /foo/bar ../baz => /baz >> /foo/bar /baz => /baz >> + /foo/bar ../../../baz => /baz >> http://server/foo/ baz => http://server/foo/baz >> http://server/foo/bar baz => http://server/foo/baz >> http://server/foo/ ../baz => http://server/baz 
>> @@ -12,6 +13,8 @@ Testing ff_make_absolute_url: >> http://server/foo/bar?param=value/with/slashes /baz => http://server/baz >> http://server/foo/bar?param&otherparam ?someparam => http://server/foo/bar?someparam >> http://server/foo/bar //other/url => http://other/url >> + http://server/foo/bar ../../../../../other/url => http://server/other/url > >> + http://server/foo/bar /../../../../../other/url => http://server/../../../../../other/url > > Is this supposed to be the proper result? /../../../../../other/url, this is the absolute path, so just concat and don’t process, Or what do you want to say? > >> >> Testing av_url_split: >> /foo/bar => -1 /foo/bar > > Regards, > > -- > Nicolas George Thanks Steven Liu
Steven Liu (12020-04-27): > /../../../../../other/url, this is the absolute path, so just concat and don’t process, > Or what do you want to say? This is not an absolute path, since it contains "..". I think it is a problem that the output of ff_make_absolute_url() is not, you know, absolute. It can even be considered a security issue, since other parts of the code could assume that the output of ff_make_absolute_url() is actually absolute. Regards,
Steven Liu (12020-04-27):
> I need one example to understand about the security issue after this patch.
Use ff_make_absolute_url() on a trusted base and an un-trusted path;
check the result starts with the allowed prefix. Let an attacker escape
because the result contains ../.
Regards,
> 2020年4月27日 下午7:35,Nicolas George <george@nsup.org> 写道: > > Steven Liu (12020-04-27): >> I need one example to understand about the security issue after this patch. > > Use ff_make_absolute_url() on a trusted base and an un-trusted path; > check the result starts with the allowed prefix. Let an attacker escape > because the result contains ../. > Command line? > Regards, > > -- > Nicolas George Thanks Steven Liu
Steven Liu (12020-04-27):
> Command line?
There is none.
diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c
index 5e484fd428..02d0d59aa8 100644
--- a/libavformat/tests/url.c
+++ b/libavformat/tests/url.c
@@ -56,6 +56,7 @@ int main(void)
 test("/foo/bar", "baz");
 test("/foo/bar", "../baz");
 test("/foo/bar", "/baz");
+ test("/foo/bar", "../../../baz");
 test("http://server/foo/", "baz");
 test("http://server/foo/bar", "baz");
 test("http://server/foo/", "../baz");
@@ -65,6 +66,8 @@ int main(void)
 test("http://server/foo/bar?param=value/with/slashes", "/baz");
 test("http://server/foo/bar?param&otherparam", "?someparam");
 test("http://server/foo/bar", "//other/url");
+ test("http://server/foo/bar", "../../../../../other/url");
+ test("http://server/foo/bar", "/../../../../../other/url");

 printf("\nTesting av_url_split:\n");
 test2("/foo/bar");
diff --git a/libavformat/url.c b/libavformat/url.c
index 596fb49cfc..0aa50ab9a7 100644
--- a/libavformat/url.c
+++ b/libavformat/url.c
@@ -81,6 +81,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
 const char *rel)
 {
 char *sep, *path_query;
+ char *root, *p;
 /* Absolute path, relative to the current server */
 if (base && strstr(base, "://") && rel[0] == '/') {
 if (base != buf)
@@ -120,16 +121,32 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
 return;
 }

+ root = p = buf;
+ /* Get the path root of the url which start by "://" */
+ if (p && strstr(p, "://")) {
+ sep = strstr(p, "://");
+ if (sep) {
+ sep += 3;
+ root = strchr(sep, '/');
+ }
+ }
+
 /* Remove the file name from the base url */
 sep = strrchr(buf, '/');
+ if (sep <= root)
+ sep = root;
+
 if (sep)
 sep[1] = '\0';
 else
 buf[0] = '\0';
 while (av_strstart(rel, "../", NULL) && sep) {
 /* Remove the path delimiter at the end */
- sep[0] = '\0';
- sep = strrchr(buf, '/');
+ if (sep > root) {
+ sep[0] = '\0';
+ sep = strrchr(buf, '/');
+ }
+
 /* If the next directory name to pop off is "..", break here */
 if (!strcmp(sep ? &sep[1] : buf, "..")) {
 /* Readd the slash we just removed */
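Review bot: The three added cases all use a base that already has a path (`/foo/bar`, `http://server/foo/bar`), so they never reach the inputs where the root lookup added in libavformat/url.c finds nothing. A base with a scheme but no path and a base with no slash at all should be covered as well, for example `test("http://server", "../baz");` and `test("foo", "../baz");`, with the matching lines added to tests/ref/fate/url once the intended results are agreed. main() starts before and continues past both hunks.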
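Review bot: In the second hunk of libavformat/url.c, `root` and `sep` can each be NULL when they reach `sep <= root` and `sep > root`, and ordering comparisons against a null pointer are not defined by the C standard. `strchr(sep, '/')` returns NULL for a base such as `http://server`, which on common compilers makes `sep > root` always true, so the new guard does nothing for that base. `strrchr(buf, '/')` returns NULL for a base with no slash; `sep <= root` then most likely replaces it with `buf`, so `sep[1] = '\0'` keeps the first character of the base and the `buf[0] = '\0'` branch is not reached. I would test the pointers explicitly, `if (root && sep && sep < root) sep = root;` and `if (root && sep > root) {`, and drop `p`, which is only an alias for `buf`. The function starts before the first hunk and continues past this one, so earlier returns may already exclude some of these bases.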
diff --git a/tests/ref/fate/url b/tests/ref/fate/url
index 980b2ce1f9..c8260a97be 100644
--- a/tests/ref/fate/url
+++ b/tests/ref/fate/url
@@ -3,6 +3,7 @@ Testing ff_make_absolute_url:
 /foo/bar baz => /foo/baz
 /foo/bar ../baz => /baz
 /foo/bar /baz => /baz
+ /foo/bar ../../../baz => /baz
 http://server/foo/ baz => http://server/foo/baz
 http://server/foo/bar baz => http://server/foo/baz
 http://server/foo/ ../baz => http://server/baz
@@ -12,6 +13,8 @@ Testing ff_make_absolute_url:
 http://server/foo/bar?param=value/with/slashes /baz => http://server/baz
 http://server/foo/bar?param&otherparam ?someparam => http://server/foo/bar?someparam
 http://server/foo/bar //other/url => http://other/url
+ http://server/foo/bar ../../../../../other/url => http://server/other/url
+ http://server/foo/bar /../../../../../other/url => http://server/../../../../../other/url

 Testing av_url_split:
 /foo/bar => -1 /foo/bar
fix ticket: 8625 and add testcase into url for double dot corner case Signed-off-by: Steven Liu <liuqi05@kuaishou.com> --- libavformat/tests/url.c | 3 +++ libavformat/url.c | 21 +++++++++++++++++++-- tests/ref/fate/url | 3 +++ 3 files changed, 25 insertions(+), 2 deletions(-)