avformat/ftp: do not break protocol on username or password with newlines

Signed-off-by: Marton Balint <cus@passwd.hu>
author: Marton Balint <cus@passwd.hu> 2020-02-06 00:48:17 +0100
committer: Marton Balint <cus@passwd.hu> 2020-02-15 18:41:36 +0100
commit: 04f1d49709dac2d0e35f54bbe49cf00ba632e6dd (patch)
tree: 8ead876ebe49cfb231fd81101eeac308bc066f80
parent: f204a38e08f937f6204bb21a3d95a23089679fe0 (diff)
download: ffmpeg-04f1d49709dac2d0e35f54bbe49cf00ba632e6dd.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/ftp.c b/libavformat/ftp.c
index 860dd7d8dc..ab7368256c 100644
--- a/libavformat/ftp.c
+++ b/libavformat/ftp.c
@@ -18,6 +18,8 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include <string.h>
+
 #include "libavutil/avstring.h"
 #include "libavutil/internal.h"
 #include "libavutil/parseutils.h"
@@ -246,10 +248,14 @@ static int ftp_auth(FTPContext *s)
     static const int user_codes[] = {331, 230, 0};
     static const int pass_codes[] = {230, 0};
 
+    if (strpbrk(s->user, "\r\n"))
+        return AVERROR(EINVAL);
     snprintf(buf, sizeof(buf), "USER %s\r\n", s->user);
     err = ftp_send_command(s, buf, user_codes, NULL);
     if (err == 331) {
         if (s->password) {
+            if (strpbrk(s->password, "\r\n"))
+                return AVERROR(EINVAL);
             snprintf(buf, sizeof(buf), "PASS %s\r\n", s->password);
             err = ftp_send_command(s, buf, pass_codes, NULL);
         } else
author	Marton Balint <cus@passwd.hu>	2020-02-06 00:48:17 +0100
committer	Marton Balint <cus@passwd.hu>	2020-02-15 18:41:36 +0100
commit	04f1d49709dac2d0e35f54bbe49cf00ba632e6dd (patch)
tree	8ead876ebe49cfb231fd81101eeac308bc066f80
parent	f204a38e08f937f6204bb21a3d95a23089679fe0 (diff)
download	ffmpeg-04f1d49709dac2d0e35f54bbe49cf00ba632e6dd.tar.gz