pimhwang
/
mediamtx
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

forbid usage of publishUser, publishPass, publishIps when source is not 'record'

pull/181/head
aler9 5 years ago
parent
3050893d32
commit
818307ff54
2 changed files with 38 additions and 23 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      README.md
  2. 57
      internal/conf/pathconf.go

4
README.md
Unescape View File

@ -196,7 +196,7 @@ paths: @@ -196,7 +196,7 @@ paths:
readPass: userpass
```
If storing plain credentials in the configuration file is a security problem, username and passwords can be stored as sha256-hashed values; a value must be converted into sha256:
If storing plain credentials in the configuration file is a security problem, username and passwords can be stored as sha256-hashed strings; a string must be hashed with sha256 and encoded with base64:
```
echo -n "userpass" | openssl dgst -binary -sha256 | openssl base64
@ -211,7 +211,7 @@ paths: @@ -211,7 +211,7 @@ paths:
readPass: sha256:BdSWkrdV+ZxFBLUQQY7+7uv9RmiSVA8nrPmjGjJtZQQ=
```
**WARNING**: enable encryption or use a VPN to ensure that no one is intercepting and reading the credentials.
**WARNING**: enable encryption or use a VPN to ensure that no one is intercepting the credentials.
### RTSP proxy mode

57
internal/conf/pathconf.go
Unescape View File

@ -164,28 +164,47 @@ func (pconf *PathConf) fillAndCheck(name string) error { @@ -164,28 +164,47 @@ func (pconf *PathConf) fillAndCheck(name string) error {
}
}
if (pconf.PublishUser != "" && pconf.PublishPass == "") || (pconf.PublishUser == "" && pconf.PublishPass != "") {
return fmt.Errorf("read username and password must be both filled")
}
if pconf.PublishUser != "" {
if pconf.Source != "record" {
return fmt.Errorf("'publishUser' is useless when source is not 'record', since the stream is not provided by a publisher, but by a fixed source")
}
if !strings.HasPrefix(pconf.PublishUser, "sha256:") && !reUserPass.MatchString(pconf.PublishUser) {
return fmt.Errorf("publish username contains unsupported characters (supported are %s)", userPassSupportedChars)
}
}
if pconf.PublishPass != "" {
if pconf.Source != "record" {
return fmt.Errorf("'publishPass' is useless when source is not 'record', since the stream is not provided by a publisher, but by a fixed source")
}
if !strings.HasPrefix(pconf.PublishPass, "sha256:") && !reUserPass.MatchString(pconf.PublishPass) {
return fmt.Errorf("publish password contains unsupported characters (supported are %s)", userPassSupportedChars)
}
}
if len(pconf.PublishIps) > 0 {
var err error
pconf.PublishIpsParsed, err = parseIPCidrList(pconf.PublishIps)
if err != nil {
return err
}
} else {
// the configuration file doesn't use nil dicts - avoid test fails by using nil
if len(pconf.PublishIps) == 0 {
pconf.PublishIps = nil
}
var err error
pconf.PublishIpsParsed, err = func() ([]interface{}, error) {
if len(pconf.PublishIps) == 0 {
return nil, nil
}
if pconf.Source != "record" {
return nil, fmt.Errorf("'publishIps' is useless when source is not 'record', since the stream is not provided by a publisher, but by a fixed source")
}
return parseIPCidrList(pconf.PublishIps)
}()
if err != nil {
return err
}
if pconf.ReadUser != "" && pconf.ReadPass == "" || pconf.ReadUser == "" && pconf.ReadPass != "" {
if (pconf.ReadUser != "" && pconf.ReadPass == "") || (pconf.ReadUser == "" && pconf.ReadPass != "") {
return fmt.Errorf("read username and password must be both filled")
}
if pconf.ReadUser != "" {
@ -198,26 +217,22 @@ func (pconf *PathConf) fillAndCheck(name string) error { @@ -198,26 +217,22 @@ func (pconf *PathConf) fillAndCheck(name string) error {
return fmt.Errorf("read password contains unsupported characters (supported are %s)", userPassSupportedChars)
}
}
if pconf.ReadUser != "" && pconf.ReadPass == "" || pconf.ReadUser == "" && pconf.ReadPass != "" {
return fmt.Errorf("read username and password must be both filled")
}
if len(pconf.ReadIps) > 0 {
var err error
pconf.ReadIpsParsed, err = parseIPCidrList(pconf.ReadIps)
if err != nil {
return err
}
} else {
// the configuration file doesn't use nil dicts - avoid test fails by using nil
if len(pconf.ReadIps) == 0 {
pconf.ReadIps = nil
}
pconf.ReadIpsParsed, err = func() ([]interface{}, error) {
return parseIPCidrList(pconf.ReadIps)
}()
if err != nil {
return err
}
if pconf.RunOnInit != "" && pconf.Regexp != nil {
return fmt.Errorf("a path with a regular expression does not support option 'runOnInit'; use another path")
}
if pconf.RunOnPublish != "" && pconf.Source != "record" {
return fmt.Errorf("'runOnPublish' is useless when source is not 'record', since the stream is not provided by a publisher, but by another source")
return fmt.Errorf("'runOnPublish' is useless when source is not 'record', since the stream is not provided by a publisher, but by a fixed source")
}
if pconf.RunOnDemandStartTimeout == 0 {

Write Preview
Loading…
Cancel
Save