
CasparCG Server - Flash Content File Loading Problem #1352

Closed
jeclark-adobe opened this issue Nov 13, 2020 · 20 comments · Fixed by #1353

Comments

@jeclark-adobe

Background:

Adobe is retiring Flash Player at the end of 2020. To facilitate the ability for enterprise users (including broadcasters) to continue to use Flash Player for critical legacy applications, we introduced a set of "Enterprise Enablement" features in recent Flash Player versions, which allow administrators to specify what content Flash Player is allowed to load.

Once Flash Player is retired and security updates are no longer available, Flash Player will only load content explicitly allowed by system administrators. The goal is to minimize the risk that average end-users will encounter malware targeting unpatched instances of Flash Player, while allowing system administrators to continue to use Flash for legacy applications. This approach creates a secure-by-default state, and the requirement to explicitly allow required content minimizes the attack surface presented to client endpoints by limiting or eliminating exposure to untrusted content, depending on the administrator’s choices.

You can read more about those features and related config file directives on page 28 of the Flash Player System Administrators guide, here:
https://www.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guide/pdf/latest/flash_player_32_0_admin_guide.pdf

Problem:

We received a number of inquiries from the CasparCG community indicating that our AllowListUrlPattern feature does not work for Flash content loaded by CasparCG Server.

On closer inspection, we observed that CasparCG Server is not sending file URIs that conform to RFC 8089.
https://tools.ietf.org/html/rfc8089

Historically, many of the early security issues in Flash Player were related to ambiguity around URI resolution and normalization issues. We believe that attempting to normalize these paths to conform to the URI standard from Flash Player may lead to unexpected side-effects (including security issues). Because we are days away from the last planned Flash Player release to ever ship from Adobe, the risk of injecting a bug that could persist indefinitely in the web ecosystem is too high to consider. It's much safer and more reasonable to require that file URIs be normalized at the client application. In the supported browser plug-in use-case, the browser does this normalization automatically.

In the case of CasparCG Server, we see a number of non-conformant URIs in our cursory testing which, when passed to Flash Player, result in a failure to match any of the possible AllowListUrlPattern options.

Examples:
C:\Users\labuser\Desktop\CasparCG Server 2.0.7\CasparCG Server\Server\templates\cg20.fth.pal

file:///C|/Users/labuser/Desktop/CasparCG%20Server%202.0.7/CasparCG%20Server/Server/templates//CASPARCG_FLASH_TEMPLATES_EXAMPLE_PACK_1/ADVANCEDTEMPLATE1.ft

Troubleshooting:

To troubleshoot this issue from the Flash Player side, you'll need to use a Flash Player Debugger variant, capable of writing logs to the filesystem.

On Windows, the ActiveX Flash Player debugger is only available on Windows 7 and below (due to a Microsoft decision to not make a debugger available on Windows 8+, where they exclusively control Flash Player installation and distribution). Instructions on how to configure a Flash Player debugger on a test machine follow.

On a Win7 machine:
  • Install "Flash Player content debugger for Internet Explorer - ActiveX", from here: https://www.adobe.com/support/flashplayer/debug_downloads.html
  • Using your favorite text editor, create a file called mm.cfg (the Flash Player debugger config file), with the following contents:
    TraceOutputEnable=1
  • Place mm.cfg in the user's %HOMEPATH% (e.g. C:\Users\<username>\mm.cfg)
  • Create a second file called mms.cfg (the primary Flash Player config file), with the following contents:
    EnableAllowList=1
    AllowListPreview=1
    AllowListUrlPattern=file:*
  • Place mms.cfg in the following location(s):
    C:\Windows\<System32 || SysWow64>\Macromed\Flash\mms.cfg

The location used depends on the bitness of the Flash Player used.

For 32-bit Windows:
C:\Windows\System32\Macromed\Flash

For 32-bit Flash Player on 64-bit Windows:
C:\Windows\SysWow64\Macromed\Flash

For 64-bit Flash Player on 64-bit Windows:
C:\Windows\System32\Macromed\Flash

When in doubt, just update it in both places.

Flash Player is now configured to log attempts to load URIs that would normally be blocked (but continue to load them), and it will write those files to a log, which you can tail.

The log should be located here, and created the first time you attempt to play content using Flash Player:
C:\Users\<User>\AppData\Roaming\Macromedia\Flash Player\Logs\flashlog.txt

(I personally find it convenient to use a Windows port of the tail utility, and I just leave it up in a dedicated terminal window.)

To reproduce the bug on this test environment:
I tested with default CasparCG Server 2.0.7 and CasparCG Client 2.0.8 instances, installed locally on my test machine.

  • Launch the CasparCG Server
  • Launch the CasparCG Client
  • Once the client populates with the list of server assets, from Templates, drag one of the Flash examples onto the playlist
  • Select it, and hit F2 on the keyboard
  • You should see the template play in the server output window
  • Flashlog.txt should have now updated with any loading failures.

The AllowListUrlPattern=file:* should allow any RFC 8089 compliant URIs to load. Anything failing will most likely need to be normalized before it's passed back.

I didn't see any evidence that CasparCG Server loads content from remote URIs, but it's clear that sophisticated installations are possible. Those remote sources would also need to be referenced by valid URIs and explicitly allowed.

Also, just as a tip, you’ll need to restart CasparCG Server after updating mms.cfg or mm.cfg. Flash Player reads the config file each time it’s spawned, but when invoked by CasparCG Server, it looks like it’s instantiated once and persists for the lifetime of the host process.

Thanks!

@didikunz

It would be nice if that could be changed in the 2.0.7 version as well, as this is still a very stable, used and loved version. Does git allow changes to ripple up?

@didikunz

One addition to what Jeromie said. I did only get the logging to file working with this content of mm.cfg:

TraceOutputEcho=1
TraceOutputEnable=1
ErrorReportingEnable=1
MaxWarnings=0
TraceOutputFileEnable=1

My mms.cfg is:

EOLUninstallDisable=1
EnableAllowList=1
AllowListPreview=1
AllowListRootMovieOnly=1
AllowListUrlPattern=file:///M:/CasparCG/templates/cg20.fth.1080i5000

I tested with 2.0.7 and 2.3.0 LTS and got the same issue: the AllowList blocks the template host and, thanks to the setting AllowListRootMovieOnly=1, allows every template that is loaded into the template host. So only the filenames of the calls to the template hosts need to be made to comply with RFC 8089.

In the log I get it as: 'M:\Caspar\templates\cg20.fth.1080i5000', while it should read 'file:///M:/CasparCG/templates/cg20.fth.1080i5000'.

@silid
Contributor

silid commented Nov 16, 2020

Thanks Didi for your work.

Can you check what is logged (if anything) if you set your templates folder in config to file:///M:/CasparCG/templates

@didikunz

Yes, I tried this already: it gets blocked. The reason, according to what Jeromie Clark of Adobe said, is that the algorithm inside Flash only handles RFC 8089 compliant filenames correctly. It cannot handle other formats.

@silid
Contributor

silid commented Nov 16, 2020

Thanks. Is it logged with the file prefix and some slashes the wrong way round or not logged at all?

@didikunz

didikunz commented Nov 16, 2020

It says: *** AllowListPreview: AllowList blocks 'M:\Caspar\templates\\cg20.fth.1080i5000'. *** I don't know why it has a double backslash.

@silid
Contributor

silid commented Nov 16, 2020

I think this line is the culprit:

auto filename = env::template_folder() + L"\\" + template_host.filename;

It may be as simple as swapping that double backslash to a forward slash and using the URI format in the config.

Or the path may need converting with something like UrlCreateFromPath from shlwapi.
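The conversion silid describes, as an added example (not CasparCG's own code): a portable C++ routine that builds an RFC 8089 file URI from a Windows path, standing in for the Windows-only UrlCreateFromPath call. It assumes an absolute drive path as input and percent-encodes everything outside the RFC 3986 unreserved set.

```cpp
#include <cctype>
#include <stdexcept>
#include <string>

// Added example: turn "C:\dir\name.ft" into "file:///C:/dir/name.ft".
// It handles the defects visible in this thread: backslash separators,
// spaces in folder names, and doubled separators left by naive
// concatenation of the template folder and the file name.
std::string windows_path_to_file_uri(const std::string& path)
{
    // Only absolute drive paths are accepted; anything ambiguous is
    // rejected rather than guessed at, since an ambiguous URI is exactly
    // what the Flash allow list cannot match.
    if (path.size() < 3 || !std::isalpha(static_cast<unsigned char>(path[0]))
        || path[1] != ':' || (path[2] != '\\' && path[2] != '/'))
        throw std::invalid_argument("expected an absolute Windows drive path");

    std::string uri = "file:///";
    uri += static_cast<char>(std::toupper(static_cast<unsigned char>(path[0])));
    uri += ':';

    bool last_was_sep = false;  // collapses "templates\\cg20" into "templates/cg20"
    for (std::size_t i = 2; i < path.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(path[i]);
        if (c == '\\' || c == '/') {
            if (!last_was_sep) uri += '/';
            last_was_sep = true;
            continue;
        }
        last_was_sep = false;
        // RFC 3986 unreserved characters pass through; all others are %XX-encoded
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            uri += static_cast<char>(c);
        } else {
            static const char hex[] = "0123456789ABCDEF";
            uri += '%';
            uri += hex[c >> 4];
            uri += hex[c & 0x0F];
        }
    }
    return uri;
}
```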

@didikunz

If you can fix that and could build me a test version, that would be of great use. I also asked the guys at Superfly to do it, but did not get any response yet.

@silid
Contributor

silid commented Nov 16, 2020

See #1352 (comment)

@Julusian
Member

I shall try and be of help with this, but I don't currently have a win7 machine around to do any testing on.
I think that my machine should still be set up to build 2.0.7, so I can do a build there once a fix has been figured out against 2.3.

@didikunz

Thanks a lot to both of you. I will do the test in the morning and post my findings back. I could also give access to a Win 7 machine via TeamViewer, if that is of any help.

@silid
Contributor

silid commented Nov 17, 2020

casparcg-2.3.0-fix3.exe.zip

Start with this one as I have fixed some issues and I think this works:

From my log:

[2020-11-17 00:51:42.302] [info]    flash[file:///D:/casparcg/assets/templates/cg20.fth.720p5000|0] Initialized

@didikunz

I tested it and got this result:

*** AllowListPreview: AllowList allows 'file:///M:/Caspar/templates/cg20.fth.1080i5000'. ***

 =>TEMPLATE HOST: OnCommandRecieved: @GetInfo@?
<TemplateHostInfo version="2.0.4.3803 RC" width="1920" height="1080" fps="50" totalMemory="10178560" freeMemory="3067904" loadedTemplates="0">
  <Layers/>
</TemplateHostInfo>

 =>TEMPLATE HOST: OnCommandRecieved: @Add@1
*** AllowListPreview: AllowList allows 'file:///M:/Caspar/templates/STREAMSTAR_BASKETBALL50FPS/LOWERTHIRD.ft'. ***
->command finished:  [object AddCommand]

 =>TEMPLATE HOST: OnCommandFinished: true, 0, @Add@1
->command finished:  [object PlayCommand]

 =>TEMPLATE HOST: OnCommandFinished: true, 0, @Play@1

So it's a success! Thanks a lot! What are the next steps? @silid: Will you do a pull request for that for the 2.3.0 LTS branch? @Julusian: Can you do the same fix for the 2.0.7 branch also?

@silid
Contributor

silid commented Nov 17, 2020

PR has been created. #1353

Please review as ideally we need new builds before the end of the year.

@silid
Contributor

silid commented Dec 4, 2020

@didikunz This is new build of 2.3.0 with the requested changes. Can you double check it still works?
casparcg-2.3.0-e.zip

@didikunz

didikunz commented Dec 4, 2020

@didikunz This is new build of 2.3.0 with the requested changes. Can you double check it still works?
casparcg-2.3.0-e.zip

Yes, I checked it, it still works. Thanks a lot.

@silid
Contributor

silid commented Dec 8, 2020

@didikunz I've managed to get a build env for 2.0.x - Are you in a position to test this?

@Julusian
Member

Julusian commented Dec 8, 2020

@silid I should have said that I started on this yesterday, I have it working and just want to do a little more testing before publishing the 2.0 release.

@Julusian
Member

Julusian commented Dec 9, 2020

There is a 2.0.7.1 release now published https://github.com/CasparCG/server/releases/tag/v2.0.7.1-flash-eol

And a forum post to announce the release https://casparcgforum.org/t/casparcg-hotfix-releases-for-flash-player-end-of-life/3757

2.3.1 is still being worked on #1355, and the forum shall be updated once it is done

@djmarwel

djmarwel commented Oct 5, 2021

@silid Hello,
I have CasparCG 2.3.1 flash eol
and I use tvplayaut, and it doesn't play this template. Can you connect via TeamViewer and set it up for me so that my Flash Player works?

5 participants