HTTP access: validate user agent string

First, we should not let user shoot themselves in the foot. But most importantly, we need to validate the string as it is marked as a safe option (especially CRLF there could be disastrous).

HTTP access: validate user agent string
First, we should not let user shoot themselves in the foot. But most importantly, we need to validate the string as it is marked as a safe option (especially CRLF there could be disastrous).
2656ae56 · Rémi Denis-Courmont · f1dac78a · 2656ae56
Commit 2656ae56 authored May 29, 2010 by Rémi Denis-Courmont
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

modules/access/http.c modules/access/http.c +8 -1

No files found.
--- a/modules/access/http.c
+++ b/modules/access/http.c
@@ -344,8 +344,15 @@ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access,
            p_sys->url.i_port = 80;
    }

-    /* Do user agent */
+    /* Determine the HTTP user agent */
+    /* See RFC2616 §2.2 token definition and §3.8 user-agent header */
    p_sys->psz_user_agent = var_InheritString( p_access, "http-user-agent" );
+    for( char *p = p_sys->psz_user_agent; *p; p++ )
+    {
+        uint8_t c = *p;
+        if( c < 32 || strchr( "()<>@,;:\\\"/[]?={}", c ) )
+            *p = '_'; /* remove potentially harmful characters */
+    }

    /* Check proxy */
    psz = var_InheritString( p_access, "http-proxy" );