Fix command injection in api-server for HTTP callback. v5.0.157, v6.0.48

Author: panda1986

trunk/doc/CHANGELOG.md

@@ -8,6 +8,7 @@ The changelog for SRS.
 
 ## SRS 5.0 Changelog
 
+* v5.0, 2023-06-05, Fix command injection in demonstration api-server for HTTP callback. v5.0.157
 * v5.0, 2023-06-05, Merge [#3565](https://github.com/ossrs/srs/pull/3565): DTLS: Use bio callback to get fragment packet. v5.0.156 (#3565)
 * v5.0, 2023-05-29, Merge [#3513](https://github.com/ossrs/srs/pull/3513): SSL: Fix SSL_get_error get the error of other coroutine. v5.0.155 (#3513)
 * v5.0, 2023-05-14, Support the publishing of RTP plaintext packets using WHIP. v5.0.155

trunk/research/api-server/server.go

@@ -400,10 +400,18 @@ func (v *SnapshotJob) do(ffmpegPath, inputUrl string) (err error) {
 	normalPicPath := path.Join(outputPicDir, fmt.Sprintf("%v", v.Stream)+"-%03d.png")
 	bestPng := path.Join(outputPicDir, fmt.Sprintf("%v-best.png", v.Stream))
 
-	param := fmt.Sprintf("%v -i %v -vf fps=1 -vcodec png -f image2 -an -y -vframes %v -y %v", ffmpegPath, inputUrl, v.vframes, normalPicPath)
-	log.Println(fmt.Sprintf("start snapshot, cmd param=%v", param))
+	params := []string{
+		"-i", inputUrl,
+		"-vf", "fps=1",
+		"-vcodec", "png",
+		"-f", "image2",
+		"-an",
+		"-vframes", strconv.Itoa(v.vframes),
+		"-y", normalPicPath,
+	}
+	log.Println(fmt.Sprintf("start snapshot, cmd param=%v %v", ffmpegPath, strings.Join(params, " ")))
 	timeoutCtx, _ := context.WithTimeout(v.cancelCtx, v.timeout)
-	cmd := exec.CommandContext(timeoutCtx, "/bin/bash", "-c", param)
+	cmd := exec.CommandContext(timeoutCtx, ffmpegPath, params...)
 	if err = cmd.Run(); err != nil {
 		log.Println(fmt.Sprintf("run snapshot %v cmd failed, err is %v", v.Tag(), err))
 		return

trunk/src/core/srs_core_version5.hpp

@@ -9,6 +9,6 @@
 
 #define VERSION_MAJOR       5
 #define VERSION_MINOR       0
-#define VERSION_REVISION    156
+#define VERSION_REVISION    157
 
 #endif