[Live-devel] Possible bug with OPTIONS request Authorization header

Александр А. Прохоров ProhorovAA at rvigroup.ru
Thu Apr 23 23:42:14 PDT 2020


Hello,

I found some behavior in proxyServer that might be a bug. It can be reproduced on the latest version of the live555 library.
If I specify the username and password with the -u command line argument, then
the OPTIONS keepalive request is sent without an Authorization header.
And subsequent requests (e.g. PAUSE or TEARDOWN) are also sent without authorization info.
If the server requires every request to be authorized, then such a request breaks the session.

If I supply the username and password in the URL, then the OPTIONS request is sent with an Authorization header and
everything works fine.

I have found that the described behavior could be caused by the following lines of code:

                unsigned RTSPClient::sendOptionsCommand(responseHandler* responseHandler, Authenticator* authenticator) {
                  if (authenticator != NULL) fCurrentAuthenticator = *authenticator;
                  return sendRequest(new RequestRecord(++fCSeq, "OPTIONS", responseHandler));
                }

If the username and password are supplied with the -u command line argument, then the authenticator passed to this method is not null
and it replaces the valid (filled with realm, nonce etc.) fCurrentAuthenticator.

The suggested fix is to replace the if statement with

                if (fCurrentAuthenticator < authenticator) fCurrentAuthenticator = *authenticator;

similarly to the other send... methods of RTSPClient. But I am not sure this is the best way to handle this situation.
Is there a reason to handle the OPTIONS request differently from other requests?

Here is the RTSP exchange:

    Request: DESCRIBE rtsp://10.41.170.250:554/PSIA/streaming/channels/102 RTSP/1.0\r\n
    CSeq: 86\r\n
    User-Agent: ProxyRTSPClient (LIVE555 Streaming Media v2018.12.14)\r\n
    Accept: application/sdp\r\n
    \r\n

    Response: RTSP/1.0 401 Unauthorized\r\n
    CSeq: 86\r\n
    WWW-Authenticate: Digest realm="9d321e21c4dd9bd63b1a80bd", nonce="867e523c35", algorithm="MD5"\r\n
    WWW-Authenticate: Basic realm="/"\r\n
    \r\n


    Request: DESCRIBE rtsp://10.41.170.250:554/PSIA/streaming/channels/102 RTSP/1.0\r\n
    CSeq: 87\r\n
    Authorization: Digest username="admin", realm="9d321e21c4dd9bd63b1a80bd", nonce="867e523c35", uri="rtsp://10.41.170.250:554/PSIA/streaming/channels/102", response="01e817521210b74227b60711cf079ca4"\r\n
    User-Agent: ProxyRTSPClient (LIVE555 Streaming Media v2018.12.14)\r\n
    Accept: application/sdp\r\n
    \r\n

    Response: RTSP/1.0 200 OK\r\n
    CSeq: 87\r\n
    Content-type: application/sdp
    Content-length: 518
    Date: Thu, 23 Apr 2020 09:22:37 GMT\r\n
    \r\n
    Session Description Protocol


    Request: SETUP rtsp://10.41.170.250:554/PSIA/streaming/channels/102/trackID=video RTSP/1.0\r\n
    CSeq: 88\r\n
    Authorization: Digest username="admin", realm="9d321e21c4dd9bd63b1a80bd", nonce="867e523c35", uri="rtsp://10.41.170.250:554/PSIA/streaming/channels/102", response="197123fa4219c96a2e4b8d7ade28f3a4"\r\n
    User-Agent: ProxyRTSPClient (LIVE555 Streaming Media v2018.12.14)\r\n
    Transport: RTP/AVP/TCP;unicast;interleaved=28-29
    \r\n

    Response: RTSP/1.0 200 OK\r\n
    Session: 258361686;timeout=60
    Transport: RTP/AVP/TCP;unicast;interleaved=28-29;ssrc=f664956
    CSeq: 88\r\n
    Accept-Ranges: NPT\r\n
    Media-Properties: No-Seeking, Time-Progressing, Time-Duration=0\r\n
    Date: Thu, 23 Apr 2020 09:22:38 GMT\r\n
    \r\n

    Request: PLAY rtsp://10.41.170.250:554/PSIA/streaming/channels/102 RTSP/1.0\r\n
    CSeq: 89\r\n
    Authorization: Digest username="admin", realm="9d321e21c4dd9bd63b1a80bd", nonce="867e523c35", uri="rtsp://10.41.170.250:554/PSIA/streaming/channels/102", response="e11c9fb29d110e853a5ea54402114bd4"\r\n
    User-Agent: ProxyRTSPClient (LIVE555 Streaming Media v2018.12.14)\r\n
    Session: 258361686
    \r\n

    Response: RTSP/1.0 200 OK\r\n
    Session: 258361686
    CSeq: 89\r\n
    Date: Thu, 23 Apr 2020 09:22:38 GMT\r\n
    \r\n

    Request: OPTIONS rtsp://10.41.170.250:554/PSIA/streaming/channels/102 RTSP/1.0\r\n
    CSeq: 90\r\n
    User-Agent: ProxyRTSPClient (LIVE555 Streaming Media v2018.12.14)\r\n
    Session: 258361686
    \r\n

    Request: TEARDOWN rtsp://10.41.170.250:554/PSIA/streaming/channels/102 RTSP/1.0\r\n
    CSeq: 91\r\n
    User-Agent: ProxyRTSPClient (LIVE555 Streaming Media v2018.12.14)\r\n
    Session: 258361686
    \r\n

    Response: RTSP/1.0 401 Unauthorized\r\n
    CSeq: 91\r\n
    WWW-Authenticate: Digest realm="9d321e21c4dd9bd63b1a80bd", nonce="913dd31768", algorithm="MD5"\r\n
    WWW-Authenticate: Basic realm="/"\r\n
    \r\n

Thanks,

Alexander Prokhorov
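
Added example, not part of the original message and not live555 code: a reduced model of the state loss reported above, where a credentials-only authenticator passed with a keepalive overwrites the stored realm and nonce. The names Auth, Client and replay, the sample values, and the guard's meaning ("replace only when the credentials differ") are assumptions made for illustration.

```cpp
#include <string>
#include <vector>

// Simplified stand-in for a digest authenticator (hypothetical; not live555's class).
struct Auth {
    std::string user, pass, realm, nonce;
    // An Authorization header can be built only once the challenge is recorded.
    bool canSign() const { return !user.empty() && !realm.empty() && !nonce.empty(); }
    bool sameCredentials(const Auth& o) const { return user == o.user && pass == o.pass; }
};

struct Client {
    Auth current;   // authentication state kept across requests
    bool guarded;   // false: unconditional overwrite; true: guarded assignment

    explicit Client(bool g) : guarded(g) {}

    // Store realm/nonce taken from a 401 "WWW-Authenticate: Digest" response.
    void onChallenge(const std::string& realm, const std::string& nonce) {
        current.realm = realm;
        current.nonce = nonce;
    }

    // Returns true when the request would carry an Authorization header.
    bool send(const Auth* supplied) {
        if (supplied != nullptr) {
            // Assumed guard: replace state only when the credentials differ.
            if (!guarded || !current.sameCredentials(*supplied)) current = *supplied;
        }
        return current.canSign();
    }
};

// Replays the request order of the trace: DESCRIBE retry after the 401, OPTIONS
// keepalive with a credentials-only authenticator, then TEARDOWN.
std::vector<bool> replay(bool guarded) {
    Auth cli{"admin", "constructed-password", "", ""};  // constructed sample values
    Client c(guarded);
    c.current = cli;
    c.onChallenge("constructed-realm", "constructed-nonce");
    std::vector<bool> authorized;
    authorized.push_back(c.send(nullptr));  // DESCRIBE retry
    authorized.push_back(c.send(&cli));     // OPTIONS keepalive, as with -u
    authorized.push_back(c.send(nullptr));  // TEARDOWN
    return authorized;
}
```

In this model the unguarded client loses the challenge state at the keepalive, so both OPTIONS and TEARDOWN go out unsigned, while the guarded client keeps signing all three requests.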
