[vlc-commits] commit: HTTP access: validate user agent string ( Rémi Denis-Courmont )
git at videolan.org
git at videolan.org
Sat May 29 17:59:12 CEST 2010
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sat May 29 18:57:33 2010 +0300| [2656ae56c83d87634ba5a137f118c04570ec8052] | committer: Rémi Denis-Courmont
HTTP access: validate user agent string
First, we should not let user shoot themselves in the foot. But most
importantly, we need to validate the string as it is marked as a safe
option (especially CRLF there could be disastrous).
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=2656ae56c83d87634ba5a137f118c04570ec8052
---
modules/access/http.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/modules/access/http.c b/modules/access/http.c
index 9f505d0..1eb8e81 100644
--- a/modules/access/http.c
+++ b/modules/access/http.c
@@ -344,8 +344,15 @@ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access,
p_sys->url.i_port = 80;
}
- /* Do user agent */
+ /* Determine the HTTP user agent */
+ /* See RFC2616 §2.2 token definition and §3.8 user-agent header */
p_sys->psz_user_agent = var_InheritString( p_access, "http-user-agent" );
+ for( char *p = p_sys->psz_user_agent; *p; p++ )
+ {
+ uint8_t c = *p;
+ if( c < 32 || strchr( "()<>@,;:\\\"/[]?={}", c ) )
+ *p = '_'; /* remove potentially harmful characters */
+ }
/* Check proxy */
psz = var_InheritString( p_access, "http-proxy" );
More information about the vlc-commits
mailing list