Add back restricted Stream.AddStream functionality (#1331)

* Allow back Stream.AddStream but don't allow a process stream type * Don't allow controlscript parameters when creating streams through RPC * Added back documentation for Straem.AddStream and Stream.removeStream * Fixed checking controlscript parameter It is actually a property of the streamUri URI instead of a separate parameter * Small doc update to clarify things * Fixed missing doc delimiter * Removed unused checkParamsNotAllowed method
2025-07-29 14:28:42 +02:00 · 2025-01-19 21:57:25 +01:00 · 2025-01-19 21:57:25 +01:00 · 9254be1a8f
commit 9254be1a8f
parent fab6646025
2 changed files with 44 additions and 3 deletions
--- a/doc/json_rpc_api/control.md
+++ b/doc/json_rpc_api/control.md
@ -161,6 +161,8 @@ The Server JSON object contains a list of Groups and Streams. Every Group holds
 * Stream
  * [Stream.Control](#streamcontrol)
  * [Stream.SetProperty](#streamsetproperty)
  * [Stream.AddStream](#streamaddstream)
  * [Stream.RemoveStream](#streamremovestream)
 ### Notifications
@ -480,6 +482,38 @@ See [Plugin.Stream.Player.SetProperty](stream_plugin.md#pluginstreamplayersetpro
 {"id": 1, "jsonrpc": "2.0", "result": "ok"}
 ```
 ### Stream.AddStream
 Note: for security purposes, we don't allow adding `process` streams.
 We also don't allow setting the `controlscript` query parameter of streamUri.
 #### Request
 ```json
 {"id":8,"jsonrpc":"2.0","method":"Stream.AddStream","params":{"streamUri":"pipe:///tmp/snapfifo?name=stream 2"}}
 ```
 #### Response
 ```json
 {"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
 ```
 ### Stream.RemoveStream
 #### Request
 ```json
 {"id":8,"jsonrpc":"2.0","method":"Stream.RemoveStream","params":{"id":"stream 2"}}
 ```
 #### Response
 ```json
 {"id":8,"jsonrpc":"2.0","result":{"stream_id":"stream 2"}}
 ```
 ##### Error
 ```json
--- a/server/control_requests.cpp
+++ b/server/control_requests.cpp
@ -99,10 +99,8 @@ ControlRequestFactory::ControlRequestFactory(const Server& server)
    // Stream requests
    add_request(std::make_shared<StreamControlRequest>(server));
    add_request(std::make_shared<StreamSetPropertyRequest>(server));
 #if 0 // Removed to fix CVE-2023-36177
    add_request(std::make_shared<StreamAddRequest>(server));
    add_request(std::make_shared<StreamRemoveRequest>(server));
 #endif
    // Server requests
    add_request(std::make_shared<ServerGetRpcVersionRequest>(server));
@ -692,11 +690,20 @@ void StreamAddRequest::execute(const jsonrpcpp::request_ptr& request, AuthInfo&
    checkParams(request, {"streamUri"});
    // Don't allow adding a process stream: CVE-2023-36177
    const std::string streamUri = request->params().get("streamUri");
    const StreamUri parsedUri(streamUri);
    if(parsedUri.scheme == "process")
        throw jsonrpcpp::InvalidParamsException("Adding process streams is not allowed", request->id());
    // Don't allow settings the controlscript streamUri property
    if (!parsedUri.getQuery("controlscript").empty())
        throw jsonrpcpp::InvalidParamsException("No controlscript streamUri property allowed", request->id());
    std::ignore = authinfo;
    LOG(INFO, LOG_TAG) << "Stream.AddStream(" << request->params().get("streamUri") << ")\n";
    // Add stream
    std::string streamUri = request->params().get("streamUri");
    PcmStreamPtr stream = getStreamManager().addStream(streamUri);
    if (stream == nullptr)
        throw jsonrpcpp::InternalErrorException("Stream not created", request->id());