Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/ Path based open redirect #2766

Closed
13 tasks
shanjunmei opened this issue Dec 1, 2023 · 4 comments
Closed
13 tasks

/ Path based open redirect #2766

shanjunmei opened this issue Dec 1, 2023 · 4 comments
Labels
bug Something isn't working general

Comments

@shanjunmei
Copy link

Which version are you using?

v0.0.0

Which operating system are you using?

  • Linux amd64 standard
  • Linux amd64 Docker
  • Linux arm64 standard
  • Linux arm64 Docker
  • Linux arm7 standard
  • Linux arm7 Docker
  • Linux arm6 standard
  • Linux arm6 Docker
  • Windows amd64 standard
  • Windows amd64 Docker (WSL backend)
  • macOS amd64 standard
  • macOS amd64 Docker
  • Other (please describe)

Describe the issue

Description

Describe how to replicate the issue

  1. start the server
  2. publish with ...
  3. read with ...

Did you attach the server logs?

yes / no

Did you attach a network dump?

yes / no
@shanjunmei shanjunmei mentioned this issue Dec 1, 2023
Closed
@aler9
Copy link
Member

aler9 commented Dec 1, 2023

Hello, i can't understand what the problem is. Please add more details.

@shanjunmei
Copy link
Author

Hello, i can't understand what the problem is. Please add more details.

http://host:8889//evil.com ,this request will be redirect to evil.com. This would be a security risk

@aler9 aler9 added bug Something isn't working general labels Dec 1, 2023
aler9 added a commit that referenced this issue Dec 1, 2023
@aler9
hls, webrtc: prevent XSS attack when appending slash to paths (#2766) (
a2fe55d 
…#2767)
aler9 added a commit that referenced this issue Dec 1, 2023
@aler9
hls, webrtc: prevent XSS attack when appending slash to paths (#2766) (
46b4356 
…#2767)
aler9 added a commit that referenced this issue Dec 1, 2023
@aler9
hls, webrtc: prevent XSS attack when appending slash to paths (#2766) (
73c0fbb 
…#2767)
aler9 added a commit that referenced this issue Dec 1, 2023
@aler9
hls, webrtc: prevent XSS attack when appending slash to paths (#2766) (
aade2ee 
…#2767) (#2772)
@aler9
Copy link
Member

aler9 commented Dec 1, 2023

Thanks for reporting the security flaw, i've fixed it with #2772, that is also compatible with the scenario in which MediaMTX is behind a reverse proxy, in a subpath.

@aler9 aler9 closed this as completed Dec 1, 2023
@github-actions GitHub Actions
Copy link
Contributor

This issue is mentioned in release v1.4.0 🚀
Check out the entire changelog by clicking here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working general
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shanjunmei @aler9