[Live-devel] RTSPClient::describeURL authentication problems
Igor Bukanov
igor at mir2.org
Mon Feb 19 12:36:34 PST 2007
On 19/02/07, Ross Finlayson <finlayson at live555.com> wrote:
> >Plus there is the third issue: the library does not srip
> >username:password@ prefix from the URL and sends them in clear text
> >even with the digest authentication.
>
> This is not our problem - nothing in the RTSP specification mentions
> modifying the supplied RTSP URL in any way, so we don't do it.
> People should not really be putting a "username:password@" in URLs
> anyway.
RTSP is very clear about the format of URL:
http://tools.ietf.org/html/rfc2326#page-14
That does not allow any user:password@ prefix. Yet live555 supports it
while not striping during DESCRIBE/OPTIONS. This violates RFC while
making potential security hole. Thus live555 should be fixed to either
strip the prefix or explicitly reject it. I am fine with either.
> That's not a 'problem' - that's just the way that the code works.
> The code can resubmit the command (after an authentication failure)
> only if the user gave it a (username,password) to try.
The problem (a minor one I must admit) is that this still would print
useless error message about failed DESCRIBE when in fact there is no
failure, just a requirement to resent DESCRIBE with an updated
authentication information.
>
> This suggests that the real solution would be to change the VLC code
> to call "describeWithPassword()" rather than "describeURL()". Or,
> even better, call "describeWithPassword()" iff the user supplied a
> (username,password), otherwise call "describeURL()".
This requires changing both live555 and vlc since vls depends on the
ability to pass kassena flag to describeUrl and there is no such
option in describeWithPassword.
>
> Do you agree with this - i.e., that the best solution would be to
> change the way that VLC calls the LIVE555 libraries in this case??
I agree that from a practical point of view changing only live555 or
vlc ie better then chnaging both. If you think that changing vlc is
simpler, then I will prepare a patch for vlc to continue to use
describeUrl but repeat the failed call if the passed authenticator
gained the the digest info. I also make sure that it strips the
username and password from URL.
Regards, Igor
More information about the live-devel
mailing list