Commit 2656ae56 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

HTTP access: validate user agent string

First, we should not let user shoot themselves in the foot. But most
importantly, we need to validate the string as it is marked as a safe
option (especially CRLF there could be disastrous).
parent f1dac78a
......@@ -344,8 +344,15 @@ static int OpenWithCookies( vlc_object_t *p_this, const char *psz_access,
p_sys->url.i_port = 80;
}
/* Do user agent */
/* Determine the HTTP user agent */
/* See RFC2616 §2.2 token definition and §3.8 user-agent header */
p_sys->psz_user_agent = var_InheritString( p_access, "http-user-agent" );
for( char *p = p_sys->psz_user_agent; *p; p++ )
{
uint8_t c = *p;
if( c < 32 || strchr( "()<>@,;:\\\"/[]?={}", c ) )
*p = '_'; /* remove potentially harmful characters */
}
/* Check proxy */
psz = var_InheritString( p_access, "http-proxy" );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment