[vlc-commits] commit: HTTP access: validate user agent string ( Rémi Denis-Courmont )

git at videolan.org git at videolan.org
Sat May 29 18:00:05 CEST 2010


vlc/vlc-1.1 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sat May 29 18:59:48 2010 +0300| [c18bf39069082a49b2cbb6a0814478440a4471c7] | committer: Rémi Denis-Courmont 

HTTP access: validate user agent string

First, we should not let users shoot themselves in the foot. But most
importantly, we need to validate the string as it is marked as a safe
option (especially CRLF there could be disastrous).
(cherry picked from commit 2656ae56c83d87634ba5a137f118c04570ec8052)

Conflicts:

	modules/access/http.c

> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=c18bf39069082a49b2cbb6a0814478440a4471c7
---

 modules/access/http.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/modules/access/http.c b/modules/access/http.c
index 3d82e87..13e889f 100644
--- a/modules/access/http.c
+++ b/modules/access/http.c
@@ -344,8 +344,15 @@ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access,
             p_sys->url.i_port = 80;
     }
 
-    /* Do user agent */
+    /* Determine the HTTP user agent */
+    /* See RFC2616 §2.2 token definition and §3.8 user-agent header */
     p_sys->psz_user_agent = var_CreateGetString( p_access, "http-user-agent" );
+    for( char *p = p_sys->psz_user_agent; *p; p++ )
+    {
+        uint8_t c = *p;
+        if( c < 32 || strchr( "()<>@,;:\\\"/[]?={}", c ) )
+            *p = '_'; /* remove potentially harmful characters */
+    }
 
     /* Check proxy */
     psz = var_CreateGetNonEmptyString( p_access, "http-proxy" );
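Review bot: the `c < 32` test in the new loop does not cover DEL (127), which RFC 2616 §2.2 also classes as a CTL, and it passes every byte of 128 and above, which lies outside CHAR. Since the comment cites the token definition, consider `c < 32 || c >= 127`, or document why high bytes are allowed through. Separately, the `strchr` list includes `/`, `(` and `)`, which §3.8 allows in a User-Agent value (product/version and comments), so a user-supplied `Foo/1.0` becomes `Foo_1.0`. If the option is meant to hold only a product name, the comment should say so. The list also omits SP and HT although §2.2 counts both as separators. HT is already caught by `c < 32`, but a space passes through unchanged, which deserves a note if it is deliberate. Finally, the inline comment says "remove" while the code substitutes `_`; "replace" would match the behaviour.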


