Wejn s.r.o.

Solving complicated IT problems is our hobby.

Wowza StorageDir Escape Regression

Issue

This issue was reported to Wowza Media Services in early 2009.

Now it has surfaced again.

In a nutshell, you can escape an application's StorageDir by using a relative path in the stream name.

Let’s say you have two applications:

  • vod1 with /usr/local/WowzaMediaServer/content1/ as StorageDir
  • vod2 with /usr/local/WowzaMediaServer/content2/ as StorageDir

Requesting to play mp4:../content1/file.mp4 from vod2 works just fine, bypassing the configured StorageDir.

Possible workarounds

  • Implement a custom module that supplies either an IMediaStreamNameAliasProvider2 or an IMediaStreamFileMapper override which blocks requests falling outside the configured StorageDir
  • Use the StreamNameAlias module to block requests with relative paths
  • Upgrade to Wowza 3.5.2.06 (patch that hopefully fixes this issue)
  • Don’t use predictable paths
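
The containment check that the custom-module workaround needs, as an added example (not code from this advisory or from Wowza). StorageDirGuard and its methods are hypothetical names and use only the Java standard library; wiring the check into an IMediaStreamNameAliasProvider2 or IMediaStreamFileMapper implementation is left to the module.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: StorageDirGuard is a hypothetical helper, not part of the Wowza API.
public class StorageDirGuard {

    // Drop a media-type prefix such as "mp4:" from the requested stream name.
    static String stripPrefix(String streamName) {
        int colon = streamName.indexOf(':');
        return colon >= 0 ? streamName.substring(colon + 1) : streamName;
    }

    // True only if the stream name resolves to a path strictly inside storageDir.
    // normalize() is purely lexical: it collapses "." and ".." but does not
    // follow symlinks, so symlinks placed inside StorageDir are not covered here.
    static boolean isInsideStorageDir(String storageDir, String streamName) {
        Path root = Paths.get(storageDir).toAbsolutePath().normalize();
        Path target;
        try {
            // resolve() returns the argument unchanged when it is absolute,
            // so absolute stream names fail the startsWith() test below.
            target = root.resolve(stripPrefix(streamName)).normalize();
        } catch (InvalidPathException e) {
            return false; // unparsable names (for example NUL bytes) are rejected
        }
        // Path.startsWith compares whole path elements, so "content2x"
        // is not mistaken for something inside "content2".
        return target.startsWith(root) && !target.equals(root);
    }

    public static void main(String[] args) {
        String vod2 = "/usr/local/WowzaMediaServer/content2/";
        String[] names = { // constructed requests; the second is the one from this page
            "mp4:file.mp4",
            "mp4:../content1/file.mp4",
            "mp4:sub/../file.mp4",
            "mp4:/usr/local/WowzaMediaServer/content1/file.mp4",
            "mp4:../content2x/file.mp4",
        };
        for (String name : names) {
            System.out.println((isInsideStorageDir(vod2, name) ? "ALLOW " : "BLOCK ") + name);
        }
    }
}
```

Only the first and third names are allowed; the request from this page, the absolute path and the sibling directory with a shared name prefix are all blocked.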

Timeline

  • 2013-04-06 Wowza Media Services contacted about this issue
  • 2013-04-08 Wowza acknowledges this bug, no further info received
  • 2013-04-30 Public release due to vendor’s non-cooperation