[Live-devel] RTSP server extending
Gustaf Räntilä
opera at kth.se
Tue Apr 24 08:23:38 PDT 2007
Igor Bukanov wrote:
> On 24/04/07, Gustaf Räntilä <opera at kth.se> wrote:
>
>> Igor Bukanov wrote:
>>
>>> The question: is the client supposed to call DESCRIBE before calling any
>>> other commands within the same TCP session? If so the authentication
>>> bug is that the RTSPServer.cpp does not check for that.
>>>
>>>
>> What? I just wrote that it's not enough to trust that clients won't
>> send PLAY after an "unauthorized" DESCRIBE. That's why I fixed it in the
>> patch also. And obviously some clients _don't_ give a wuzz about
>> DESCRIBE at all, so putting any trust in that is nuts. In my patch, the
>> authorization function (with my session callback, or with the current
>> user/pass class) is called from the other (critical) command functions.
>>
>
> Right, one really needs to check for allowed ip address before
> starting a session as your patch is doing. The only problem with the
> patch is that incomingConnectionHandler1 needs to close the
> clientSocket when sessionAccept fails.
>
> Regards, Igor
>
Correct. I used to have function pointers as callbacks, so my patch was
rewritten (into virtual functions) and this got lost. A close() is
needed as you say. I'm sorry for this.
But Ross is satisfied with your solution, even though you can't track
connections, what they're doing, when they're disconnecting, or
disallowing a client to "PLAY" (which at least I consider pretty
serious), and controlling authorization for individual resources and
commands.
I have what I need, and I shared it here. Hopefully more people than me
and Vlad will find it useful.
Cheers,
Gustaf
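
The two points agreed on in this message, shown as an added C++ example that is not part of the original post and is not live555 code: close the client socket when the accept-time check fails, and run the authorization check from every critical command rather than from DESCRIBE alone. All names (`Policy`, `admitConnection`, `handleCommand`, `isOpen`) are hypothetical.

```cpp
// Added illustration, not live555 code: every name below is hypothetical.
#include <fcntl.h>
#include <functional>
#include <set>
#include <string>
#include <sys/socket.h>
#include <unistd.h>

struct Policy {
    // Connection-level check (for example an allowed peer address).
    std::function<bool(const std::string& peerIp)> acceptPeer;
    // Per-command, per-resource check.
    std::function<bool(const std::string& peerIp, const std::string& method,
                       const std::string& url)> authorize;
};

// True while fd is still a valid open descriptor.
bool isOpen(int fd) { return ::fcntl(fd, F_GETFD) != -1; }

// Accept-time gate: returns the socket to serve, or -1 after closing it.
// Omitting the close() leaks one descriptor per rejected peer.
int admitConnection(const Policy& p, int clientSocket, const std::string& peerIp) {
    if (!p.acceptPeer(peerIp)) {
        ::close(clientSocket);
        return -1;
    }
    return clientSocket;
}

// Command gate, returning an RTSP status code. With checkEveryCommand=false
// only DESCRIBE is checked, which is the behaviour the thread objects to.
int handleCommand(const Policy& p, bool checkEveryCommand, const std::string& peerIp,
                  const std::string& method, const std::string& url) {
    static const std::set<std::string> known = {"DESCRIBE", "SETUP", "PLAY",
                                                "PAUSE", "TEARDOWN"};
    if (method == "OPTIONS") return 200;           // capability query only
    if (known.count(method) == 0) return 405;      // Method Not Allowed
    bool mustCheck = checkEveryCommand || method == "DESCRIBE";
    if (mustCheck && !p.authorize(peerIp, method, url)) return 401;
    return 200;                                    // real handler would run here
}
```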