From 9b3d1427cfcf5c6b504d3844b352fea6a12e53ef Mon Sep 17 00:00:00 2001
From: chenhaibo <495810242@qq.com>
Date: Thu, 7 Dec 2023 14:19:21 +0800
Subject: [PATCH 1/2] add security for hls/flv/rtc/srt

---
 trunk/src/app/srs_app_http_static.cpp | 6 ++++++
 trunk/src/app/srs_app_http_static.hpp | 4 +++-
 trunk/src/app/srs_app_http_stream.cpp | 6 ++++++
 trunk/src/app/srs_app_http_stream.hpp | 3 ++-
 trunk/src/app/srs_app_rtc_api.cpp | 12 ++++++++++++
 trunk/src/app/srs_app_rtc_api.hpp | 4 +++-
 trunk/src/app/srs_app_security.cpp | 12 ++++++++++--
 trunk/src/app/srs_app_srt_conn.cpp | 15 +++++++++++++--
 trunk/src/app/srs_app_srt_conn.hpp | 2 ++
 9 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/trunk/src/app/srs_app_http_static.cpp b/trunk/src/app/srs_app_http_static.cpp
index a1e7b93c89..69ecea1c02 100644
--- a/trunk/src/app/srs_app_http_static.cpp
+++ b/trunk/src/app/srs_app_http_static.cpp
@@ -64,6 +64,7 @@ void SrsHlsVirtualConn::expire()
 SrsHlsStream::SrsHlsStream()
 {
     _srs_hybrid->timer5s()->subscribe(this);
+    security_ = new SrsSecurity();
 }
 
 SrsHlsStream::~SrsHlsStream()
@@ -76,6 +77,7 @@ SrsHlsStream::~SrsHlsStream()
         srs_freep(info);
     }
     map_ctx_info_.clear();
+    srs_freep(security_);
 }
 
 srs_error_t SrsHlsStream::serve_m3u8_ctx(ISrsHttpResponseWriter* w, ISrsHttpMessage* r, ISrsFileReaderFactory* factory, string fullpath, SrsRequest* req, bool* served)
@@ -167,6 +169,10 @@ srs_error_t SrsHlsStream::serve_new_session(ISrsHttpResponseWriter* w, ISrsHttpM
         return srs_error_wrap(err, "stat on client");
     }
 
+    if ((err = security_->check(SrsHlsPlay, req->ip, req)) != srs_success) {
+        return srs_error_wrap(err, "HLS: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_play(req)) != srs_success) {
         return srs_error_wrap(err, "HLS: http_hooks_on_play");
diff --git a/trunk/src/app/srs_app_http_static.hpp b/trunk/src/app/srs_app_http_static.hpp
index 4d9da18537..6c2a02cf86 100644
--- a/trunk/src/app/srs_app_http_static.hpp
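Review bot: The new check in serve_new_session runs after stat->on_client has already registered the session, so a client the whitelist rejects is first counted in statistics and only then refused; unless the error path unregisters it (not visible here), the check can move ahead of the stat call, since it only needs the type, ip and req, and the "hook after stat" comment constrains only the hooks. The same ordering appears in SrsLiveStream::serve_http (srs_app_http_stream.cpp) and in SrsMpegtsSrtConn::publishing and playing (srs_app_srt_conn.cpp). Because the check lives in serve_new_session, later requests that reuse an existing HLS session presumably skip it; a one-line comment such as `// The IP allow/deny rules are enforced once per HLS session, when it is created.` would make that explicit. serve_new_session begins and ends outside this hunk.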
+++ b/trunk/src/app/srs_app_http_static.hpp
@@ -8,7 +8,7 @@
 #define SRS_APP_HTTP_STATIC_HPP
 
 #include
-
+#include
 #include
 
 class ISrsFileReaderFactory;
@@ -52,6 +52,8 @@ class SrsHlsStream : public ISrsFastTimer
 // interface ISrsFastTimer
 private:
     srs_error_t on_timer(srs_utime_t interval);
+private:
+    SrsSecurity* security_;
 };
 
 // The Vod streaming, like FLV, MP4 or HLS streaming.
diff --git a/trunk/src/app/srs_app_http_stream.cpp b/trunk/src/app/srs_app_http_stream.cpp
index eaa1984f3f..f738413d39 100755
--- a/trunk/src/app/srs_app_http_stream.cpp
+++ b/trunk/src/app/srs_app_http_stream.cpp
@@ -558,11 +558,13 @@ SrsLiveStream::SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c)
     source = s;
     cache = c;
     req = r->copy()->as_http();
+    security_ = new SrsSecurity();
 }
 
 SrsLiveStream::~SrsLiveStream()
 {
     srs_freep(req);
+    srs_freep(security_);
 }
 
 srs_error_t SrsLiveStream::update_auth(SrsLiveSource* s, SrsRequest* r)
@@ -600,6 +602,10 @@ srs_error_t SrsLiveStream::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessage
         return srs_error_wrap(err, "stat on client");
     }
 
+    if ((err = security_->check(SrsFlvPlay, req->ip, req)) != srs_success) {
+        return srs_error_wrap(err, "flv: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_play(r)) != srs_success) {
         return srs_error_wrap(err, "http hook");
diff --git a/trunk/src/app/srs_app_http_stream.hpp b/trunk/src/app/srs_app_http_stream.hpp
index 0264f60698..087342f224 100755
--- a/trunk/src/app/srs_app_http_stream.hpp
+++ b/trunk/src/app/srs_app_http_stream.hpp
@@ -8,7 +8,7 @@
 #define SRS_APP_HTTP_STREAM_HPP
 
 #include
-
+#include
 #include
 
 class SrsAacTransmuxer;
@@ -180,6 +180,7 @@ class SrsLiveStream : public ISrsHttpHandler
     SrsRequest* req;
     SrsLiveSource* source;
     SrsBufferCache* cache;
+    SrsSecurity* security_;
 public:
     SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c);
     virtual ~SrsLiveStream();
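Review bot: In SrsLiveStream::serve_http the check is given `req->ip`, where `req` is the member the constructor fills from `r->copy()->as_http()` (the earlier hunk in this file), i.e. a copy of the request the stream object was created with, while the hook two lines below is given the HTTP message `r` actually being served. If that stored copy carries the address of whoever created the stream rather than of this player, every FLV viewer is evaluated against the same IP and the whitelist does not discriminate between clients; confirm where `req->ip` is set for a player and, if it is not per-connection, take the peer address from the connection behind `r` before calling check. serve_http begins and ends outside this hunk.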
diff --git a/trunk/src/app/srs_app_rtc_api.cpp b/trunk/src/app/srs_app_rtc_api.cpp
index b0d695c4a3..115dc9dee6 100644
--- a/trunk/src/app/srs_app_rtc_api.cpp
+++ b/trunk/src/app/srs_app_rtc_api.cpp
@@ -31,10 +31,12 @@ using namespace std;
 SrsGoApiRtcPlay::SrsGoApiRtcPlay(SrsRtcServer* server)
 {
     server_ = server;
+    security_ = new SrsSecurity();
 }
 
 SrsGoApiRtcPlay::~SrsGoApiRtcPlay()
 {
+    srs_freep(security_);
 }
 
 
@@ -228,6 +230,10 @@ srs_error_t SrsGoApiRtcPlay::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
         }
     }
 
+    if ((err = security_->check(SrsRtcConnPlay, ruc->req_->ip, ruc->req_)) != srs_success) {
+        return srs_error_wrap(err, "RTC: security check");
+    }
+
     if ((err = http_hooks_on_play(ruc->req_)) != srs_success) {
         return srs_error_wrap(err, "RTC: http_hooks_on_play");
     }
@@ -324,10 +330,12 @@ srs_error_t SrsGoApiRtcPlay::http_hooks_on_play(SrsRequest* req)
 SrsGoApiRtcPublish::SrsGoApiRtcPublish(SrsRtcServer* server)
 {
     server_ = server;
+    security_ = new SrsSecurity();
 }
 
 SrsGoApiRtcPublish::~SrsGoApiRtcPublish()
 {
+    srs_freep(security_);
 }
 
 // Request:
@@ -503,6 +511,10 @@ srs_error_t SrsGoApiRtcPublish::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMe
         return srs_error_wrap(err, "create session");
     }
 
+    if ((err = security_->check(SrsRtcConnPublish, ruc->req_->ip, ruc->req_)) != srs_success) {
+        return srs_error_wrap(err, "RTC: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_publish(ruc->req_)) != srs_success) {
         return srs_error_wrap(err, "RTC: http_hooks_on_publish");
diff --git a/trunk/src/app/srs_app_rtc_api.hpp b/trunk/src/app/srs_app_rtc_api.hpp
index a4797f7a9c..3aa4144cfc 100644
--- a/trunk/src/app/srs_app_rtc_api.hpp
+++ b/trunk/src/app/srs_app_rtc_api.hpp
@@ -8,7 +8,7 @@
 #define SRS_APP_RTC_API_HPP
 
 #include
-
+#include
 #include
 
 class SrsRtcServer;
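Review bot: The RTC play check in SrsGoApiRtcPlay::serve_http is evaluated on `ruc->req_->ip`, and where that field is populated lies outside the hunk. If it is filled from a value the caller supplies in the API request (a client-ip property in the body or a forwarded-for header) rather than from the transport's peer address, the allow/deny rules are applied to data the requester controls, which is only sound when the server sits behind a trusted proxy that overwrites it. Worth confirming and documenting at the call, e.g. `// ip must be the peer address of the connection unless a trusted proxy sets it.`; serve_http begins and ends outside this hunk.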
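Review bot: In SrsGoApiRtcPublish::serve_http the security check is placed after the `"create session"` step has succeeded, so a publisher the whitelist rejects already has a session created before the request is refused; unless that session is torn down on this error return (not visible here), the check belongs before session creation, since it needs only the type, `ruc->req_->ip` and `ruc->req_`, all available earlier. The function begins and ends outside the hunk.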
@@ -20,6 +20,7 @@ class SrsGoApiRtcPlay : public ISrsHttpHandler
 {
 private:
     SrsRtcServer* server_;
+    SrsSecurity* security_;
 public:
     SrsGoApiRtcPlay(SrsRtcServer* server);
     virtual ~SrsGoApiRtcPlay();
@@ -39,6 +40,7 @@ class SrsGoApiRtcPublish : public ISrsHttpHandler
 {
 private:
     SrsRtcServer* server_;
+    SrsSecurity* security_;
 public:
     SrsGoApiRtcPublish(SrsRtcServer* server);
     virtual ~SrsGoApiRtcPublish();
diff --git a/trunk/src/app/srs_app_security.cpp b/trunk/src/app/srs_app_security.cpp
index af4d6bec71..e92f332335 100644
--- a/trunk/src/app/srs_app_security.cpp
+++ b/trunk/src/app/srs_app_security.cpp
@@ -75,7 +75,10 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
 
         switch (type) {
             case SrsRtmpConnPlay:
-            case SrsRtcConnPlay:
+            case SrsHlsPlay:
+            case SrsFlvPlay:
+            case SrsRtcConnPlay:
+            case SrsSrtConnPlay:
                 if (rule->arg0() != "play") {
                     break;
                 }
@@ -90,6 +93,7 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
             case SrsRtmpConnFlashPublish:
             case SrsRtmpConnHaivisionPublish:
             case SrsRtcConnPublish:
+            case SrsSrtConnPublish:
                 if (rule->arg0() != "publish") {
                     break;
                 }
@@ -126,7 +130,10 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
 
         switch (type) {
             case SrsRtmpConnPlay:
-            case SrsRtcConnPlay:
+            case SrsHlsPlay:
+            case SrsFlvPlay:
+            case SrsRtcConnPlay:
+            case SrsSrtConnPlay:
                 if (rule->arg0() != "play") {
                     break;
                 }
@@ -141,6 +148,7 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
             case SrsRtmpConnFlashPublish:
             case SrsRtmpConnHaivisionPublish:
             case SrsRtcConnPublish:
+            case SrsSrtConnPublish:
                 if (rule->arg0() != "publish") {
                     break;
                 }
diff --git a/trunk/src/app/srs_app_srt_conn.cpp b/trunk/src/app/srs_app_srt_conn.cpp
index 427f567f4d..c67dec3ab6 100644
--- a/trunk/src/app/srs_app_srt_conn.cpp
+++ b/trunk/src/app/srs_app_srt_conn.cpp
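Review bot: allow_check and deny_check now each carry an identical, hand-maintained list of play-type and publish-type labels, and this commit already had to add `SrsSrtConnPublish` and the three new play labels to both switches in lockstep; a pair of file-local helpers, e.g. `static bool srs_is_play_type(SrsRtmpConnType type)` and a publish counterpart returning the same label sets, used from both functions would keep the allow and deny matchers from drifting the next time a connection type is added. The same point applies to the two deny_check hunks further down in this file. Each switch sits inside a rule loop whose bounds are outside the hunk.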
@@ -174,6 +174,8 @@ SrsMpegtsSrtConn::SrsMpegtsSrtConn(SrsSrtServer* srt_server, srs_srt_t srt_fd, s
     srt_source_ = NULL;
     req_ = new SrsRequest();
     req_->ip = ip;
+
+    security_ = new SrsSecurity();
 }
 
 SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
@@ -184,6 +186,7 @@ SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
     srs_freep(delta_);
     srs_freep(srt_conn_);
     srs_freep(req_);
+    srs_freep(security_);
 }
 
 std::string SrsMpegtsSrtConn::desc()
@@ -311,6 +314,10 @@ srs_error_t SrsMpegtsSrtConn::publishing()
         return srs_error_wrap(err, "srt: stat client");
     }
 
+    if ((err = security_->check(SrsSrtConnPublish, ip_, req_)) != srs_success) {
+        return srs_error_wrap(err, "srt: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_publish()) != srs_success) {
         return srs_error_wrap(err, "srt: callback on publish");
@@ -333,12 +340,16 @@ srs_error_t SrsMpegtsSrtConn::playing()
     // We must do stat the client before hooks, because hooks depends on it.
     SrsStatistic* stat = SrsStatistic::instance();
     if ((err = stat->on_client(_srs_context->get_id().c_str(), req_, this, SrsSrtConnPlay)) != srs_success) {
-        return srs_error_wrap(err, "rtmp: stat client");
+        return srs_error_wrap(err, "srt: stat client");
+    }
+
+    if ((err = security_->check(SrsSrtConnPlay, ip_, req_)) != srs_success) {
+        return srs_error_wrap(err, "srt: security check");
     }
 
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_play()) != srs_success) {
-        return srs_error_wrap(err, "rtmp: callback on play");
+        return srs_error_wrap(err, "srt: callback on play");
     }
 
     err = do_playing();
diff --git a/trunk/src/app/srs_app_srt_conn.hpp b/trunk/src/app/srs_app_srt_conn.hpp
index 0b9f04884a..e4c6767c29 100644
--- a/trunk/src/app/srs_app_srt_conn.hpp
+++ b/trunk/src/app/srs_app_srt_conn.hpp
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 
 class SrsBuffer;
 class SrsLiveSource;
@@ -123,6 +124,7 @@ class SrsMpegtsSrtConn : public ISrsConnection, public ISrsStartable, public ISr
     SrsRequest* req_;
     SrsSrtSource* srt_source_;
+    SrsSecurity* security_;
 };
 
 #endif
 

From 3f7605f9ff4934e233384d0cdad1fa0606731b82 Mon Sep 17 00:00:00 2001
From: john
Date: Thu, 14 Dec 2023 21:24:04 +0800
Subject: [PATCH 2/2] Update release to v5.0.202 v6.0.104

---
 trunk/doc/CHANGELOG.md | 2 ++
 trunk/src/core/srs_core_version5.hpp | 4 ++--
 trunk/src/core/srs_core_version6.hpp | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/trunk/doc/CHANGELOG.md b/trunk/doc/CHANGELOG.md
index 1d4965f730..1f32d08ee8 100644
--- a/trunk/doc/CHANGELOG.md
+++ b/trunk/doc/CHANGELOG.md
@@ -7,6 +7,7 @@ The changelog for SRS.
 
 ## SRS 6.0 Changelog
 
+* v6.0, 2023-12-14, Merge [#3902](https://github.com/ossrs/srs/pull/3902): Security: Support IP whitelist for HTTP-FLV, HLS, WebRTC, and SRT. v6.0.104 (#3902)
 * v6.0, 2023-11-22, Merge [#3891](https://github.com/ossrs/srs/pull/3891): fix 'sed' error in options.sh. v6.0.103 (#3891)
 * v6.0, 2023-11-22, Merge [#3883](https://github.com/ossrs/srs/pull/3883): Fix opus delay options, use ffmpeg-opus in docker test. v6.0.102 (#3883)
 * v6.0, 2023-11-19, Merge [#3886](https://github.com/ossrs/srs/pull/3886): Change the hls_aof_ratio to 2.1. v6.0.101 (#3886)
@@ -115,6 +116,7 @@ The changelog for SRS.
 
 ## SRS 5.0 Changelog
 
+* v5.0, 2023-12-14, Merge [#3902](https://github.com/ossrs/srs/pull/3902): Security: Support IP whitelist for HTTP-FLV, HLS, WebRTC, and SRT. v5.0.202 (#3902)
 * v5.0, 2023-11-22, Merge [#3891](https://github.com/ossrs/srs/pull/3891): fix 'sed' error in options.sh. v5.0.201 (#3891)
 * v5.0, 2023-11-19, Merge [#3886](https://github.com/ossrs/srs/pull/3886): Change the hls_aof_ratio to 2.1. v5.0.200 (#3886)
 * v5.0, 2023-11-15, Merge [#3879](https://github.com/ossrs/srs/pull/3879): Add --extra-ldflags. v5.0.199 (#3879)
diff --git a/trunk/src/core/srs_core_version5.hpp b/trunk/src/core/srs_core_version5.hpp
index 236ecd9b90..4c3b41c010 100644
--- a/trunk/src/core/srs_core_version5.hpp
+++ b/trunk/src/core/srs_core_version5.hpp
@@ -1,5 +1,5 @@
 //
-// Copyright (c) 2013-2023 The SRS Authors
+// Copyright (c) 2023-2023 The SRS Authors
 //
 // SPDX-License-Identifier: MIT
 //
@@ -9,6 +9,6 @@
 
 #define VERSION_MAJOR 5
 #define VERSION_MINOR 0
-#define VERSION_REVISION 201
+#define VERSION_REVISION 202
 
 #endif
diff --git a/trunk/src/core/srs_core_version6.hpp b/trunk/src/core/srs_core_version6.hpp
index cb4db62aae..f25224cff8 100644
--- a/trunk/src/core/srs_core_version6.hpp
+++ b/trunk/src/core/srs_core_version6.hpp
@@ -9,6 +9,6 @@
 
 #define VERSION_MAJOR 6
 #define VERSION_MINOR 0
-#define VERSION_REVISION 103
+#define VERSION_REVISION 104
 
 #endif
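Review bot: The first hunk of srs_core_version5.hpp rewrites the copyright line from `2013-2023` to `2023-2023`, which discards the original start year and looks accidental in a release-bump commit; the version6 header touched in the same commit leaves its notice alone. Restore `// Copyright (c) 2013-2023 The SRS Authors` unless the change is intentional.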