Commit c18bf390 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

HTTP access: validate user agent string

First, we should not let user shoot themselves in the foot. But most
importantly, we need to validate the string as it is marked as a safe
option (especially CRLF there could be disastrous).
(cherry picked from commit 2656ae56c83d87634ba5a137f118c04570ec8052)

Conflicts:

	modules/access/http.c
parent e84c803a
...@@ -344,8 +344,15 @@ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access, ...@@ -344,8 +344,15 @@ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access,
p_sys->url.i_port = 80; p_sys->url.i_port = 80;
} }
/* Do user agent */ /* Determine the HTTP user agent */
/* See RFC2616 §2.2 token definition and §3.8 user-agent header */
p_sys->psz_user_agent = var_CreateGetString( p_access, "http-user-agent" ); p_sys->psz_user_agent = var_CreateGetString( p_access, "http-user-agent" );
for( char *p = p_sys->psz_user_agent; *p; p++ )
{
uint8_t c = *p;
if( c < 32 || strchr( "()<>@,;:\\\"/[]?={}", c ) )
*p = '_'; /* remove potentially harmful characters */
}
/* Check proxy */ /* Check proxy */
psz = var_CreateGetNonEmptyString( p_access, "http-proxy" ); psz = var_CreateGetNonEmptyString( p_access, "http-proxy" );
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment