From 25d5e410c3b68d7b73e0a7c4f8db840d2e1630bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=8F=E6=A5=9A?= <771730766@qq.com>
Date: Sat, 22 Jul 2023 17:30:20 +0800
Subject: [PATCH] =?UTF-8?q?=E7=A6=81=E6=AD=A2=E9=BB=98=E8=AE=A4http=20api?=
 =?UTF-8?q?=E5=AF=86=E9=92=A5=EF=BC=8C=E5=88=A0=E9=99=A4=E7=AE=A1=E7=90=86?=
 =?UTF-8?q?=E5=91=98=E8=B6=8A=E8=BF=87=E9=89=B4=E6=9D=83=E9=80=BB=E8=BE=91?=
 =?UTF-8?q?=20(#2655=20#2690)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

http api secret禁止使用默认的035c73f7-bb6b-4889-a715-d9eb2d1925cc 删除admin_params的设定
---
 conf/config.ini | 5 -----
 server/WebApi.h | 2 ++
 server/WebHook.cpp | 13 +++++--------
 server/main.cpp | 8 ++++++--
 4 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/conf/config.ini b/conf/config.ini
index c6a7e545..f3c51015 100644
--- a/conf/config.ini
+++ b/conf/config.ini
@@ -142,9 +142,6 @@ deleteDelaySec=10
 segKeep=0
 [hook]
-#在推流时,如果url参数匹对admin_params,那么可以不经过hook鉴权直接推流成功,播放时亦然
-#该配置项的目的是为了开发者自己调试测试,该参数暴露后会有泄露隐私的安全隐患
-admin_params=secret=035c73f7-bb6b-4889-a715-d9eb2d1925cc
 #是否启用hook事件,启用后,推拉流都将进行鉴权
 enable=0
 #播放器或推流器使用流量事件,置空则关闭
@@ -273,8 +270,6 @@ handshakeSecond=15
 #rtmp超时时间,如果该时间内未收到客户端的数据,
 #或者tcp发送缓存超过这个时间,则会断开连接,单位秒
 keepAliveSecond=15
-#在接收rtmp推流时,是否重新生成时间戳(很多推流器的时间戳着实很烂)
-modifyStamp=0
 #rtmp服务器监听端口
 port=1935
 #rtmps服务器监听地址
diff --git a/server/WebApi.h b/server/WebApi.h
index 15210d53..d4d557f4 100755
--- a/server/WebApi.h
+++ b/server/WebApi.h
@@ -44,6 +44,8 @@ typedef enum {
 OtherFailed = -1,//业务代码执行失败,
 Success = 0//执行成功
 } ApiErr;
+
+extern const std::string kSecret;
 }//namespace API
 class ApiRetException: public std::runtime_error {
diff --git a/server/WebHook.cpp b/server/WebHook.cpp
index 8eed641f..c185444b 100755
--- a/server/WebHook.cpp
+++ b/server/WebHook.cpp
@@ -48,7 +48,6 @@ const string kOnServerExited = HOOK_FIELD "on_server_exited";
 const string kOnServerKeepalive = HOOK_FIELD "on_server_keepalive";
 const string kOnSendRtpStopped = HOOK_FIELD "on_send_rtp_stopped";
 const string kOnRtpServerTimeout = HOOK_FIELD "on_rtp_server_timeout";
-const string kAdminParams = HOOK_FIELD "admin_params";
 const string kAliveInterval = HOOK_FIELD "alive_interval";
 const string kRetry = HOOK_FIELD "retry";
 const string kRetryDelay = HOOK_FIELD "retry_delay";
@@ -74,7 +73,6 @@ static onceToken token([]() {
 mINI::Instance()[kOnServerKeepalive] = "";
 mINI::Instance()[kOnSendRtpStopped] = "";
 mINI::Instance()[kOnRtpServerTimeout] = "";
- mINI::Instance()[kAdminParams] = "secret=035c73f7-bb6b-4889-a715-d9eb2d1925cc";
 mINI::Instance()[kAliveInterval] = 30.0;
 mINI::Instance()[kRetry] = 1;
 mINI::Instance()[kRetryDelay] = 3.0;
@@ -331,11 +329,10 @@ static mINI jsonToMini(const Value &obj) {
 void installWebHook() {
 GET_CONFIG(bool, hook_enable, Hook::kEnable);
- GET_CONFIG(string, hook_adminparams, Hook::kAdminParams);
 NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastMediaPublish, [](BroadcastMediaPublishArgs) {
 GET_CONFIG(string, hook_publish, Hook::kOnPublish);
- if (!hook_enable || args.param_strs == hook_adminparams || hook_publish.empty() || sender.get_peer_ip() == "127.0.0.1") {
+ if (!hook_enable || hook_publish.empty() || sender.get_peer_ip() == "127.0.0.1") {
 invoker("", ProtocolOption());
 return;
 }
@@ -360,7 +357,7 @@ void installWebHook() {
 NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastMediaPlayed, [](BroadcastMediaPlayedArgs) {
 GET_CONFIG(string, hook_play, Hook::kOnPlay);
- if (!hook_enable || args.param_strs == hook_adminparams || hook_play.empty() || sender.get_peer_ip() == "127.0.0.1") {
+ if (!hook_enable || hook_play.empty() || sender.get_peer_ip() == "127.0.0.1") {
 invoker("");
 return;
 }
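Review bot: The loopback exemption `sender.get_peer_ip() == "127.0.0.1"` is kept in the kBroadcastMediaPublish and kBroadcastMediaPlayed conditions. If the server is reached through a reverse proxy or tunnel on the same host, every client presents that peer address and still skips hook authentication. The same test remains in the kBroadcastFlowReport, kBroadcastOnGetRtspRealm and kBroadcastHttpAccess hunks further down. Since this commit removes the other bypass, the remaining one should at least be documented where it is tested, for example `// loopback peers skip hook auth: do not front these ports with a same-host proxy`, and ideally be made switchable from the config. The listener lambdas and installWebHook continue outside these hunks.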
@@ -374,7 +371,7 @@ void installWebHook() {
 NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastFlowReport, [](BroadcastFlowReportArgs) {
 GET_CONFIG(string, hook_flowreport, Hook::kOnFlowReport);
- if (!hook_enable || args.param_strs == hook_adminparams || hook_flowreport.empty() || sender.get_peer_ip() == "127.0.0.1") {
+ if (!hook_enable || hook_flowreport.empty() || sender.get_peer_ip() == "127.0.0.1") {
 return;
 }
 auto body = make_json(args);
@@ -393,7 +390,7 @@ void installWebHook() {
 // 监听kBroadcastOnGetRtspRealm事件决定rtsp链接是否需要鉴权(传统的rtsp鉴权方案)才能访问
 NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastOnGetRtspRealm, [](BroadcastOnGetRtspRealmArgs) {
 GET_CONFIG(string, hook_rtsp_realm, Hook::kOnRtspRealm);
- if (!hook_enable || args.param_strs == hook_adminparams || hook_rtsp_realm.empty() || sender.get_peer_ip() == "127.0.0.1") {
+ if (!hook_enable || hook_rtsp_realm.empty() || sender.get_peer_ip() == "127.0.0.1") {
 // 无需认证
 invoker("");
 return;
@@ -620,7 +617,7 @@ void installWebHook() {
 // 追踪用户的目的是为了缓存上次鉴权结果,减少鉴权次数,提高性能
 NoticeCenter::Instance().addListener(&web_hook_tag, Broadcast::kBroadcastHttpAccess, [](BroadcastHttpAccessArgs) {
 GET_CONFIG(string, hook_http_access, Hook::kOnHttpAccess);
- if (sender.get_peer_ip() == "127.0.0.1" || parser.params() == hook_adminparams) {
+ if (sender.get_peer_ip() == "127.0.0.1") {
 // 如果是本机或超级管理员访问,那么不做访问鉴权;权限有效期1个小时
 invoker("", "", 60 * 60);
 return;
diff --git a/server/main.cpp b/server/main.cpp
index d09bf5d5..b9d84249 100644
--- a/server/main.cpp
+++ b/server/main.cpp
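Review bot: The comment kept under the new condition in the kBroadcastHttpAccess hunk still says that local or super-administrator access skips authentication, but the super-administrator branch (`parser.params() == hook_adminparams`) is removed on the line above it. A stale comment on an auth decision invites someone to look for, or re-add, a path that no longer exists. Update it to match the code, for example `// loopback access skips auth; the grant is cached for 1 hour`. The listener body continues outside the hunk.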
@@ -351,6 +351,11 @@ int start_main(int argc,char *argv[]) {
 #endif //defined(ENABLE_SRT)
 try {
+ auto secret = mINI::Instance()[API::kSecret];
+ if (secret == "035c73f7-bb6b-4889-a715-d9eb2d1925cc" || secret.empty()) {
+ // 使用默认secret被禁止启动
+ throw std::invalid_argument("please modify the configuration named " + API::kSecret + " in " + g_ini_file);
+ }
 //rtsp服务器,端口默认554
 if (rtspPort) { rtspSrv->start(rtspPort); }
 //rtsps服务器,端口默认322
@@ -388,8 +393,7 @@ int start_main(int argc,char *argv[]) {
 #endif//defined(ENABLE_SRT)
 } catch (std::exception &ex) {
- WarnL << "端口占用或无权限:" << ex.what();
- ErrorL << "程序启动失败,请修改配置文件中端口号后重试!";
+ ErrorL << "Start server failed: " << ex.what();
 sleep(1);
 #if !defined(_WIN32)
 if (pid != getpid() && kill_parent_if_failed) {
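Review bot: The default-secret guard added at the top of the `try` in start_main runs once at startup and rejects only the exact default UUID or an empty string. If the configuration can be reloaded or rewritten while the server is running (not visible in this hunk), either value could come back without this check firing, so the same test probably belongs wherever the secret is re-read. A whitespace-only or one-character secret also passes; a minimum length check would be cheap to add here. The UUID literal should get a name next to the definition of `API::kSecret`, for example `const char kDefaultSecret[] = "035c73f7-bb6b-4889-a715-d9eb2d1925cc";`, so the check and the shipped default cannot drift apart. start_main begins and ends outside both hunks.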