diff mbox series

[FFmpeg-devel,v3] avformat/url: check url root node when rel include double dot

Message ID 20200427111216.11179-1-lq@chinaffmpeg.org
State New
Headers show
Series [FFmpeg-devel,v3] avformat/url: check url root node when rel include double dot
Related show

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Steven Liu April 27, 2020, 11:12 a.m. UTC
fix ticket: 8625
and add testcase into url for double dot corner case

Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
---
 libavformat/tests/url.c |  3 +++
 libavformat/url.c       | 21 +++++++++++++++++++--
 tests/ref/fate/url      |  3 +++
 3 files changed, 25 insertions(+), 2 deletions(-)

Comments

Nicolas George April 27, 2020, 11:14 a.m. UTC | #1
Steven Liu (12020-04-27):
> fix ticket: 8625
> and add testcase into url for double dot corner case
> 
> Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
> ---
>  libavformat/tests/url.c |  3 +++
>  libavformat/url.c       | 21 +++++++++++++++++++--
>  tests/ref/fate/url      |  3 +++
>  3 files changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c
> index 5e484fd428..02d0d59aa8 100644
> --- a/libavformat/tests/url.c
> +++ b/libavformat/tests/url.c
> @@ -56,6 +56,7 @@ int main(void)
>      test("/foo/bar", "baz");
>      test("/foo/bar", "../baz");
>      test("/foo/bar", "/baz");
> +    test("/foo/bar", "../../../baz");
>      test("http://server/foo/", "baz");
>      test("http://server/foo/bar", "baz");
>      test("http://server/foo/", "../baz");
> @@ -65,6 +66,8 @@ int main(void)
>      test("http://server/foo/bar?param=value/with/slashes", "/baz");
>      test("http://server/foo/bar?param&otherparam", "?someparam");
>      test("http://server/foo/bar", "//other/url");
> +    test("http://server/foo/bar", "../../../../../other/url");
> +    test("http://server/foo/bar", "/../../../../../other/url");
>  
>      printf("\nTesting av_url_split:\n");
>      test2("/foo/bar");
> diff --git a/libavformat/url.c b/libavformat/url.c
> index 596fb49cfc..0aa50ab9a7 100644
> --- a/libavformat/url.c
> +++ b/libavformat/url.c
> @@ -81,6 +81,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
>                            const char *rel)
>  {
>      char *sep, *path_query;
> +    char *root, *p;
>      /* Absolute path, relative to the current server */
>      if (base && strstr(base, "://") && rel[0] == '/') {
>          if (base != buf)
> @@ -120,16 +121,32 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
>          return;
>      }
>  
> +    root = p = buf;
> +    /* Get the path root of the url which start by "://" */
> +    if (p && strstr(p, "://")) {
> +        sep = strstr(p, "://");
> +        if (sep) {
> +            sep += 3;
> +            root = strchr(sep, '/');
> +        }
> +    }
> +
>      /* Remove the file name from the base url */
>      sep = strrchr(buf, '/');
> +    if (sep <= root)
> +        sep = root;
> +
>      if (sep)
>          sep[1] = '\0';
>      else
>          buf[0] = '\0';
>      while (av_strstart(rel, "../", NULL) && sep) {
>          /* Remove the path delimiter at the end */
> -        sep[0] = '\0';
> -        sep = strrchr(buf, '/');
> +        if (sep > root) {
> +            sep[0] = '\0';
> +            sep = strrchr(buf, '/');
> +        }
> +
>          /* If the next directory name to pop off is "..", break here */
>          if (!strcmp(sep ? &sep[1] : buf, "..")) {
>              /* Readd the slash we just removed */
> diff --git a/tests/ref/fate/url b/tests/ref/fate/url
> index 980b2ce1f9..c8260a97be 100644
> --- a/tests/ref/fate/url
> +++ b/tests/ref/fate/url
> @@ -3,6 +3,7 @@ Testing ff_make_absolute_url:
>                                            /foo/bar baz                  => /foo/baz
>                                            /foo/bar ../baz               => /baz
>                                            /foo/bar /baz                 => /baz
> +                                          /foo/bar ../../../baz         => /baz
>                                  http://server/foo/ baz                  => http://server/foo/baz
>                               http://server/foo/bar baz                  => http://server/foo/baz
>                                  http://server/foo/ ../baz               => http://server/baz
> @@ -12,6 +13,8 @@ Testing ff_make_absolute_url:
>      http://server/foo/bar?param=value/with/slashes /baz                 => http://server/baz
>              http://server/foo/bar?param&otherparam ?someparam           => http://server/foo/bar?someparam
>                               http://server/foo/bar //other/url          => http://other/url
> +                             http://server/foo/bar ../../../../../other/url => http://server/other/url

> +                             http://server/foo/bar /../../../../../other/url => http://server/../../../../../other/url

Is this supposed to be the proper result?

>  
>  Testing av_url_split:
>  /foo/bar                                                     =>                                                    -1 /foo/bar

Regards,
Steven Liu April 27, 2020, 11:16 a.m. UTC | #2
> 2020年4月27日 下午7:14,Nicolas George <george@nsup.org> 写道:
> 
> Steven Liu (12020-04-27):
>> fix ticket: 8625
>> and add testcase into url for double dot corner case
>> 
>> Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
>> ---
>> libavformat/tests/url.c |  3 +++
>> libavformat/url.c       | 21 +++++++++++++++++++--
>> tests/ref/fate/url      |  3 +++
>> 3 files changed, 25 insertions(+), 2 deletions(-)
>> 
>> diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c
>> index 5e484fd428..02d0d59aa8 100644
>> --- a/libavformat/tests/url.c
>> +++ b/libavformat/tests/url.c
>> @@ -56,6 +56,7 @@ int main(void)
>>     test("/foo/bar", "baz");
>>     test("/foo/bar", "../baz");
>>     test("/foo/bar", "/baz");
>> +    test("/foo/bar", "../../../baz");
>>     test("http://server/foo/", "baz");
>>     test("http://server/foo/bar", "baz");
>>     test("http://server/foo/", "../baz");
>> @@ -65,6 +66,8 @@ int main(void)
>>     test("http://server/foo/bar?param=value/with/slashes", "/baz");
>>     test("http://server/foo/bar?param&otherparam", "?someparam");
>>     test("http://server/foo/bar", "//other/url");
>> +    test("http://server/foo/bar", "../../../../../other/url");
>> +    test("http://server/foo/bar", "/../../../../../other/url");
>> 
>>     printf("\nTesting av_url_split:\n");
>>     test2("/foo/bar");
>> diff --git a/libavformat/url.c b/libavformat/url.c
>> index 596fb49cfc..0aa50ab9a7 100644
>> --- a/libavformat/url.c
>> +++ b/libavformat/url.c
>> @@ -81,6 +81,7 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
>>                           const char *rel)
>> {
>>     char *sep, *path_query;
>> +    char *root, *p;
>>     /* Absolute path, relative to the current server */
>>     if (base && strstr(base, "://") && rel[0] == '/') {
>>         if (base != buf)
>> @@ -120,16 +121,32 @@ void ff_make_absolute_url(char *buf, int size, const char *base,
>>         return;
>>     }
>> 
>> +    root = p = buf;
>> +    /* Get the path root of the url which start by "://" */
>> +    if (p && strstr(p, "://")) {
>> +        sep = strstr(p, "://");
>> +        if (sep) {
>> +            sep += 3;
>> +            root = strchr(sep, '/');
>> +        }
>> +    }
>> +
>>     /* Remove the file name from the base url */
>>     sep = strrchr(buf, '/');
>> +    if (sep <= root)
>> +        sep = root;
>> +
>>     if (sep)
>>         sep[1] = '\0';
>>     else
>>         buf[0] = '\0';
>>     while (av_strstart(rel, "../", NULL) && sep) {
>>         /* Remove the path delimiter at the end */
>> -        sep[0] = '\0';
>> -        sep = strrchr(buf, '/');
>> +        if (sep > root) {
>> +            sep[0] = '\0';
>> +            sep = strrchr(buf, '/');
>> +        }
>> +
>>         /* If the next directory name to pop off is "..", break here */
>>         if (!strcmp(sep ? &sep[1] : buf, "..")) {
>>             /* Readd the slash we just removed */
>> diff --git a/tests/ref/fate/url b/tests/ref/fate/url
>> index 980b2ce1f9..c8260a97be 100644
>> --- a/tests/ref/fate/url
>> +++ b/tests/ref/fate/url
>> @@ -3,6 +3,7 @@ Testing ff_make_absolute_url:
>>                                           /foo/bar baz                  => /foo/baz
>>                                           /foo/bar ../baz               => /baz
>>                                           /foo/bar /baz                 => /baz
>> +                                          /foo/bar ../../../baz         => /baz
>>                                 http://server/foo/ baz                  => http://server/foo/baz
>>                              http://server/foo/bar baz                  => http://server/foo/baz
>>                                 http://server/foo/ ../baz               => http://server/baz
>> @@ -12,6 +13,8 @@ Testing ff_make_absolute_url:
>>     http://server/foo/bar?param=value/with/slashes /baz                 => http://server/baz
>>             http://server/foo/bar?param&otherparam ?someparam           => http://server/foo/bar?someparam
>>                              http://server/foo/bar //other/url          => http://other/url
>> +                             http://server/foo/bar ../../../../../other/url => http://server/other/url
> 
>> +                             http://server/foo/bar /../../../../../other/url => http://server/../../../../../other/url
> 
> Is this supposed to be the proper result?
/../../../../../other/url,  this is the absolute path, so just concat and don’t process,
Or what do you want to say?
> 
>> 
>> Testing av_url_split:
>> /foo/bar                                                     =>                                                    -1 /foo/bar
> 
> Regards,
> 
> -- 
>  Nicolas George

Thanks

Steven Liu
Nicolas George April 27, 2020, 11:22 a.m. UTC | #3
Steven Liu (12020-04-27):
> /../../../../../other/url,  this is the absolute path, so just concat and don’t process,
> Or what do you want to say?

This is not an absolute path, since it contains "..". I think it is a
problem that the output of ff_make_absolute_url() is not, you know,
absolute.

It can even be considered a security issue, since other parts of the
code could assume that the output of ff_make_absolute_url() is actually
absolute.

Regards,
Nicolas George April 27, 2020, 11:35 a.m. UTC | #4
Steven Liu (12020-04-27):
> I need one example to understand about the security issue after this patch.

Use ff_make_absolute_url() on a trusted base and an un-trusted path;
check the result starts with the allowed prefix. Let an attacker escape
because the result contains ../.

Regards,
Steven Liu April 27, 2020, 11:36 a.m. UTC | #5
> 2020年4月27日 下午7:35,Nicolas George <george@nsup.org> 写道:
> 
> Steven Liu (12020-04-27):
>> I need one example to understand about the security issue after this patch.
> 
> Use ff_make_absolute_url() on a trusted base and an un-trusted path;
> check the result starts with the allowed prefix. Let an attacker escape
> because the result contains ../.
> 
Command line?
> Regards,
> 
> -- 
>  Nicolas George

Thanks

Steven Liu
Nicolas George April 27, 2020, 11:38 a.m. UTC | #6
Steven Liu (12020-04-27):
> Command line?

There is none.
diff mbox series

Patch

diff --git a/libavformat/tests/url.c b/libavformat/tests/url.c
index 5e484fd428..02d0d59aa8 100644
--- a/libavformat/tests/url.c
+++ b/libavformat/tests/url.c
@@ -56,6 +56,7 @@  int main(void)
     test("/foo/bar", "baz");
     test("/foo/bar", "../baz");
     test("/foo/bar", "/baz");
+    test("/foo/bar", "../../../baz");
     test("http://server/foo/", "baz");
     test("http://server/foo/bar", "baz");
     test("http://server/foo/", "../baz");
@@ -65,6 +66,8 @@  int main(void)
     test("http://server/foo/bar?param=value/with/slashes", "/baz");
     test("http://server/foo/bar?param&otherparam", "?someparam");
     test("http://server/foo/bar", "//other/url");
+    test("http://server/foo/bar", "../../../../../other/url");
+    test("http://server/foo/bar", "/../../../../../other/url");
 
     printf("\nTesting av_url_split:\n");
     test2("/foo/bar");
diff --git a/libavformat/url.c b/libavformat/url.c
index 596fb49cfc..0aa50ab9a7 100644
--- a/libavformat/url.c
+++ b/libavformat/url.c
@@ -81,6 +81,7 @@  void ff_make_absolute_url(char *buf, int size, const char *base,
                           const char *rel)
 {
     char *sep, *path_query;
+    char *root, *p;
     /* Absolute path, relative to the current server */
     if (base && strstr(base, "://") && rel[0] == '/') {
         if (base != buf)
@@ -120,16 +121,32 @@  void ff_make_absolute_url(char *buf, int size, const char *base,
         return;
     }
 
+    root = p = buf;
+    /* Get the path root of the url which start by "://" */
+    if (p && strstr(p, "://")) {
+        sep = strstr(p, "://");
+        if (sep) {
+            sep += 3;
+            root = strchr(sep, '/');
+        }
+    }
+
     /* Remove the file name from the base url */
     sep = strrchr(buf, '/');
+    if (sep <= root)
+        sep = root;
+
     if (sep)
         sep[1] = '\0';
     else
         buf[0] = '\0';
     while (av_strstart(rel, "../", NULL) && sep) {
         /* Remove the path delimiter at the end */
-        sep[0] = '\0';
-        sep = strrchr(buf, '/');
+        if (sep > root) {
+            sep[0] = '\0';
+            sep = strrchr(buf, '/');
+        }
+
         /* If the next directory name to pop off is "..", break here */
         if (!strcmp(sep ? &sep[1] : buf, "..")) {
             /* Readd the slash we just removed */
diff --git a/tests/ref/fate/url b/tests/ref/fate/url
index 980b2ce1f9..c8260a97be 100644
--- a/tests/ref/fate/url
+++ b/tests/ref/fate/url
@@ -3,6 +3,7 @@  Testing ff_make_absolute_url:
                                           /foo/bar baz                  => /foo/baz
                                           /foo/bar ../baz               => /baz
                                           /foo/bar /baz                 => /baz
+                                          /foo/bar ../../../baz         => /baz
                                 http://server/foo/ baz                  => http://server/foo/baz
                              http://server/foo/bar baz                  => http://server/foo/baz
                                 http://server/foo/ ../baz               => http://server/baz
@@ -12,6 +13,8 @@  Testing ff_make_absolute_url:
     http://server/foo/bar?param=value/with/slashes /baz                 => http://server/baz
             http://server/foo/bar?param&otherparam ?someparam           => http://server/foo/bar?someparam
                              http://server/foo/bar //other/url          => http://other/url
+                             http://server/foo/bar ../../../../../other/url => http://server/other/url
+                             http://server/foo/bar /../../../../../other/url => http://server/../../../../../other/url
 
 Testing av_url_split:
 /foo/bar                                                     =>                                                    -1 /foo/bar