3pp-mirror/snapcast
1
0
Fork 0
mirror of https://github.com/badaix/snapcast.git synced 2025-06-05 12:21:43 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add back restricted Stream.AddStream functionality (#1331)

Browse source 
* Allow back Stream.AddStream but don't allow a process stream type

* Don't allow controlscript parameters when creating streams through RPC

* Added back documentation for Straem.AddStream and Stream.removeStream

* Fixed checking controlscript parameter

It is actually a property of the streamUri URI instead of a separate parameter

* Small doc update to clarify things

* Fixed missing doc delimiter

* Removed unused checkParamsNotAllowed method
This commit is contained in:
Jeroen Dierckx 2025-01-19 21:57:25 +01:00 committed by GitHub
parent fab6646025
commit 9254be1a8f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 44 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
server/control_requests.cpp
View file

@ -99,10 +99,8 @@ ControlRequestFactory::ControlRequestFactory(const Server& server)
// Stream requests
add_request(std::make_shared<StreamControlRequest>(server));
add_request(std::make_shared<StreamSetPropertyRequest>(server));
#if 0 // Removed to fix CVE-2023-36177
add_request(std::make_shared<StreamAddRequest>(server));
add_request(std::make_shared<StreamRemoveRequest>(server));
#endif
// Server requests
add_request(std::make_shared<ServerGetRpcVersionRequest>(server));
@ -692,11 +690,20 @@ void StreamAddRequest::execute(const jsonrpcpp::request_ptr& request, AuthInfo&
checkParams(request, {"streamUri"});
// Don't allow adding a process stream: CVE-2023-36177
const std::string streamUri = request->params().get("streamUri");
const StreamUri parsedUri(streamUri);
if(parsedUri.scheme == "process")
throw jsonrpcpp::InvalidParamsException("Adding process streams is not allowed", request->id());
// Don't allow settings the controlscript streamUri property
if (!parsedUri.getQuery("controlscript").empty())
throw jsonrpcpp::InvalidParamsException("No controlscript streamUri property allowed", request->id());
std::ignore = authinfo;
LOG(INFO, LOG_TAG) << "Stream.AddStream(" << request->params().get("streamUri") << ")\n";
// Add stream
std::string streamUri = request->params().get("streamUri");
PcmStreamPtr stream = getStreamManager().addStream(streamUri);
if (stream == nullptr)
throw jsonrpcpp::InternalErrorException("Stream not created", request->id());