nanoStream app manages to get past publishing security check #282
Comments
These are the changes I made to /securityplugin/src/main/java/org/red5/server/plugin/security/PublishSecurityHandler.java
Additional note I managed to figure out today. When the IP is allowed to publish (listed in the allowedIP.txt file):
[INFO] [NioProcessor-5] com.infrared5.red5pro.live.Red5ProLive - W3C x-category:session x-event:connect c-ip:182.253.250.213 c-client-id:2
When the IP is denied:
So it looks like if the IP is denied by PublishSecurityHandler, the stream from this offending publisher is never (properly) registered for subscribers to subscribe to, although the stream data is being accepted by Red5. But this bug could still be used to DoS the service, as the RTMP service still listens to and accepts the denied publishers' stream data.
If you want to make a patch with a PR, I'd be glad to look it over for merging.
I have managed to modify securityPlugin from the red5-plugins collection to filter broadcasters based on IP address. However, when I tested publishing using nanoStream's publishing app on iOS, I managed to get past the security despite the logs showing it should have failed/been rejected by the server. This does not seem to happen with the other RTMP publishing tools I tested.
Environment
- Operating system and version: Ubuntu Linux 16.04 LTS
- Java version: openjdk version "11.0.4" 2019-07-16 LTS
  OpenJDK Runtime Environment 18.9 (build 11.0.4+11-LTS)
  OpenJDK 64-Bit Server VM 18.9 (build 11.0.4+11-LTS, mixed mode, sharing)
- Red5 version: 1.2.2
Expected behavior
It should reject the publishers without any exception thrown in the logs.
Actual behavior
nanoStream manages to publish on Red5 server despite being prohibited. Affects latest Red5 Pro too.
Steps to reproduce
The RTMP URL is now live (EDIT: correction). Red5 accepts the connection from a denied publisher and continues to receive stream data, although the stream URL remains not accessible to subscribers.
Logs
https://pastebin.com/Ey2QguXw
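The IP-based publish check this report describes, as an added stand-alone illustration in Java (not the reporter's patch and not the red5-plugins PublishSecurityHandler). It assumes allowedIP.txt holds one IPv4 address or IPv4/prefix per line with `#` comments, and is deny-by-default; the sample file contents and addresses are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical allow-list check modelled on the report; not the red5-plugins code. */
public final class PublishAllowList {
    private final List<long[]> rules = new ArrayList<>(); // each entry: {network, mask}

    /** Parse allowedIP.txt contents (assumed format: one IPv4 or IPv4/prefix per line, '#' comments). */
    public static PublishAllowList parse(String fileContents) throws UnknownHostException {
        PublishAllowList list = new PublishAllowList();
        for (String raw : fileContents.split("\\R")) {
            String line = raw.replaceAll("#.*", "").trim();
            if (line.isEmpty()) continue;
            String[] parts = line.split("/", 2);
            int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
            if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix: " + line);
            long mask = prefix == 0 ? 0L : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
            list.rules.add(new long[] {toLong(parts[0]) & mask, mask});
        }
        return list;
    }

    /** Numeric IPv4 literal to an unsigned 32-bit value (no DNS lookup is done for literals). */
    private static long toLong(String ip) throws UnknownHostException {
        byte[] b = InetAddress.getByName(ip).getAddress();
        if (b.length != 4) throw new UnknownHostException("IPv4 only: " + ip);
        return ((b[0] & 0xFFL) << 24) | ((b[1] & 0xFFL) << 16) | ((b[2] & 0xFFL) << 8) | (b[3] & 0xFFL);
    }

    /** Default deny: the client may publish only if some rule matches; unparsable input is denied. */
    public boolean isAllowed(String clientIp) {
        try {
            long ip = toLong(clientIp);
            for (long[] r : rules) if ((ip & r[1]) == r[0]) return true;
        } catch (UnknownHostException | IllegalArgumentException e) { /* treat as denied */ }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample allowedIP.txt contents (not taken from the report).
        PublishAllowList list = parse("# studio encoders\n203.0.113.7\n198.51.100.0/24\n");
        for (String ip : new String[] {"203.0.113.7", "198.51.100.200", "192.0.2.9"}) {
            // On deny, the caller should close the RTMP connection rather than only skipping
            // stream registration, so the server does not keep ingesting the denied stream data.
            System.out.println(ip + " -> " + (list.isAllowed(ip) ? "allow" : "deny, close connection"));
        }
    }
}
```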