I need a fast solution because I discovered this loophole the hard way on the production environment, which is now offline until this is fixed.
This is the scenario:
There is a security module (onHTTPSessionCreate) that checks whether the user is authenticated when he requests the stream with the link:
http://my.domain:1935/ChannelName/smil:channel.smil/playlist.m3u8
If the user is not authenticated, the session is rejected, and there is no problem here.
Now this is happening: an authenticated user requests the link and a chunklist is returned to him
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1000000
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b1000000.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=2000000
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b2000000.m3u8
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=4000000
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b4000000.m3u8
Then he opens the links in a player to keep the session open, and then shares these links with other users.
On the server we noticed this behaviour when only one connection was shown as active but the download speed corresponded to more than 100 users.
Running a test with 3 active connections on the same session, this was shown in :8086/connectioncounts:
<Name>ChannelName</Name>
<Status>loaded</Status>
<TimeRunning>4940.908</TimeRunning>
<ConnectionsCurrent>1</ConnectionsCurrent>
<ConnectionsTotal>2</ConnectionsTotal>
<ConnectionsTotalAccepted>2</ConnectionsTotalAccepted>
<ConnectionsTotalRejected>0</ConnectionsTotalRejected>
<MessagesInBytesRate>1034681.0</MessagesInBytesRate>
<MessagesOutBytesRate>589403.0</MessagesOutBytesRate>
Also, when opening the chunklist link directly
http://my.domain:1935/ChannelName/_definst_/smil:channel.smil/chunklist_w1314649056_b1000000.m3u8
the method onHTTPSessionCreate is not called; it is called only when the first connection to the playlist is requested.
Regards,
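The gap described above is that authorization runs once, on the master playlist, while the chunklist URLs it hands out are bare and reusable by anyone. The following is an added example (not Wowza code and not the poster's onHTTPSessionCreate module) of the usual fix: every URI handed to a viewer carries an expiring HMAC signature bound to that viewer and client address, and the check runs on every request. The signing key, the viewer id, the client-IP binding and the query-parameter names are constructed assumptions for the demo.

```python
import hmac, hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed demo key; in a real deployment load it from configuration.
SECRET = b"constructed-demo-signing-key"

def _mac(path: str, viewer_id: str, client_ip: str, expires: int) -> str:
    # The MAC covers the path (so a chunklist URL cannot be rewritten to another
    # rendition) and the client IP (so a copied URL fails from another client).
    msg = f"{path}|{viewer_id}|{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_url(url: str, viewer_id: str, client_ip: str, expires: int) -> str:
    """Append viewer id, expiry and signature to a URL that has no query string yet."""
    path = urlparse(url).path
    q = urlencode({"v": viewer_id, "e": expires,
                   "s": _mac(path, viewer_id, client_ip, expires)})
    return f"{url}?{q}"

def authorize_request(url: str, client_ip: str, now: int) -> tuple[bool, str]:
    """Run on EVERY playlist, chunklist and segment request, not only the first.
    Returns (allowed, viewer_id) on success or (False, reason) on rejection."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        viewer, expires, sig = q["v"][0], int(q["e"][0]), q["s"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed auth parameters"
    # Verify the signature before trusting any field it covers.
    if not hmac.compare_digest(_mac(parsed.path, viewer, client_ip, expires), sig):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, viewer

def sign_playlist(playlist: str, viewer_id: str, client_ip: str, expires: int) -> str:
    """Sign every URI line of an m3u8 (tag lines starting with '#' pass through),
    so the chunklist URLs handed to one viewer only work for that viewer."""
    out = []
    for line in playlist.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            out.append(line)
        else:
            out.append(sign_url(line, viewer_id, client_ip, expires))
    return "\n".join(out)
```

The IP binding assumed here breaks for viewers behind a shared NAT address, so in practice it is paired with a short expiry and a per-viewer concurrency cap rather than used alone. Segment URIs inside each chunklist need the same treatment, since otherwise the sharing simply moves one level down.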