Ticket #498 (closed Bug: Fixed)

Opened 22 months ago

Last modified 4 months ago

Security sandbox violation: BitmapData.draw

Reported by: ir73 Owned by: paul
Priority: Major Component: App Server
Version: 0.8 RC2 Keywords:
Cc:

Description

I have an application that makes a bitmap data snapshot from RTMP streamed video via the BitmapData.draw() method. It all worked fine until I decided to update to rev. 3284 (29 Oct 2008). Now Flash throws an exception.

Here is the ActionScript code that worked in revision 3093:

var m:Matrix = new Matrix();
m.scale(scaleX, scaleY);

video.attachNetStream(null);
bmpData.draw(ui, m);
video.attachNetStream(_ns);

After I updated to rev. 3284, Flash Player throws an exception with THE SAME SWF WITHOUT RECOMPILING IT.

SecurityError: Error #2123: Security sandbox violation: BitmapData.draw:  http://192.168.2.62:8080/videobroadcast/VideoViewer.swf cannot access unknown URL. No policy files granted access.

at flash.display::BitmapData/draw()
...

So the problem must be in Red5. Is there some new security policy in some Red5 config?

Attachments

RtmpSampleAccess.patch Download (2.3 KB) - added by orieg 12 months ago.
screenshot wireshark.jpg Download (203.2 KB) - added by orieg 12 months ago.
NetConnectionExample.as Download (2.9 KB) - added by waltertak 12 months ago.
RtmpSampleAccessTest.zip Download (14.5 KB) - added by orieg 12 months ago.
network_v1.fla Download (0.7 MB) - added by waltertak 12 months ago.
network_v1.swf Download (19.9 KB) - added by waltertak 12 months ago.
RtmpSampleAccessTest.swf Download (193.3 KB) - added by orieg 12 months ago.
patch.IRtmpSampleAccess Download (5.3 KB) - added by orieg 12 months ago.

Change History

Changed 21 months ago by orieg

There is a packet called "RtmpSampleAccess" sent from the server to the client; in that case there is no security sandbox violation.

Changed 21 months ago by orieg

cf. http://milgra.com/news.html

"27 January 2008

7c 52 74 6d 70 53 61 6d 70 6c 65 41 63 63 65 73 73 01 01 01 01, which means "|RtmpSampleAccess( true , true )", and Mileania now enables bitmapdata draws and computeSpectrums on RTMP streams. Yeah!!!"

Changed 21 months ago by ir73

Where can I find the RtmpSampleAccess class, and how can it be used/sent to the client?

Changed 21 months ago by orieg

I did this patch to do a quick test. It's working great! No more security error. There is still a security error if you try to access data when the buffer is empty; on the AS3 side a simple listener on NetStream.Buffer.Full and NetStream.Buffer.Empty does the trick.

Be careful: I did the patch without any knowledge of the Red5 sources. I'm pretty sure I misuse the setData() method, but I was looking for a quick way to insert some bytes into the data flow while doing my tests.

Changed 20 months ago by aclarke

Paul, let's look at this one as well (with nice patch attached).

Changed 19 months ago by paul

The patch had some bad paths, but I believe the correct code has been applied. I would like to ask someone who has the swf to test with to please go ahead and verify the fix.
Applied at r3429

Changed 19 months ago by aclarke

Assigned to me so I can go push people to verify.

Changed 19 months ago by aclarke

Bumping to RC3; this is likely fixed in RC2 but I won't resolve until either (a) we hear back from the field that it's resolved for RC2 or (b) we're in RC3 land and gotten no response.

Changed 19 months ago by aclarke

And that sounds like resolution to me.

Changed 19 months ago by ir73

I am trying to migrate my current project to the latest trunk version at the moment. Once done, I will be able to verify this issue.

Changed 19 months ago by ir73

Bug still exists. The same error occurs.
Red5 version 3432.
Flash Player 10,0,12,36

Do I need to make some changes on the client side? Is NetStream.checkPolicyFile required?

Changed 19 months ago by paul

Sergei, could you provide a small swf which performs the action you require? This would go a long way towards a fix by allowing us to track the error down on our sandboxes.

Changed 19 months ago by aclarke

Re-opening based on comments, but a test swf is required before we can work on this.

Changed 19 months ago by ir73

Paul, I will try to create that small swf, but the project I am working on is really complex.

The main point is to make a snapshot from someone else's video stream, not from your own.

Changed 19 months ago by ir73

While I was making a sample swf with this problem, I found why it was not working in my project.
As you can see from my first post, I had the following lines in my code:

video.attachNetStream(null);
bmpData.draw(ui, m);
video.attachNetStream(_ns);

This threw an error. But if you remove the first and last lines, it will work fine:
bmpData.draw(ui, m);
And that's it. No more code is necessary!

Thanks guys and sorry for the confusion. It is fixed.

Changed 19 months ago by aclarke

Resolved per last comment.

Changed 19 months ago by aclarke

Reopening per Walter Tak:

Changed 19 months ago by aclarke

Here someone "patches" a problem in which this line

+ final Call call2 = new Call(null, "|RtmpSampleAccess", null);
+ Notify n = new Notify();
+ n.setInvokeId(1);
+ n.setCall(call2);
+ n.setData(ByteBuffer.wrap(new byte[] {0x01, 0x01, 0x01, 0x01}));
+ write(n, connection.getStreamIdForChannel(id));
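Review bot: the payload in `n.setData(ByteBuffer.wrap(new byte[] {0x01, 0x01, 0x01, 0x01}))` hard-codes both sample-access flags to true (per the milgra.com quote earlier in this ticket, those bytes read as RtmpSampleAccess(true, true)), so every client of every stream on the server is granted audio and video byte access unconditionally; derive the two flag bytes from a per-application setting that defaults to false, and pass them as arguments of the `Call` rather than as raw bytes through `setData()`, which the patch author already notes is likely a misuse of that method.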

from:  http://jira.red5.org/secure/attachment/10185/RtmpSampleAccess.patch

However my Flash IDE (while compiling AS3 code) now returns me this error:

Error #2044: Unhandled AsyncErrorEvent:. text=Error #2095:

flash.net.NetStream was unable to invoke callback |RtmpSampleAccess. error=ReferenceError: Error #1069: Property |RtmpSampleAccess not found on .CustomClient and there is no default value.

The pipe in the name "|RtmpSampleAccess" makes creating a handler on the Flash side impossible. What is that oddly named callback doing and why is it there? And even better, how do I fix it?

Tested with 080RC2 final.

Changed 19 months ago by aclarke

Paul, are you able to take a look?

Changed 19 months ago by waltertak

Simple FLA that has a movieclip with a textfield object in it.

Changed 19 months ago by waltertak

AS3 class that has the code, shows the RtmpSampleAccess error in the textfield.

Changed 19 months ago by waltertak

Compiled SWF. Connects to rtmp://localhost/oflaDemo by default.

Changed 19 months ago by orieg

You don't need any public function called "RtmpSampleAccess" on the client object. It's dealt with by the player for security access on the stream.

Changed 18 months ago by flavio

I've applied the patch and still get the Security Error.

Changed 18 months ago by flavio

It's working now, sorry - my mistake.

Thanks for the patch.

Changed 18 months ago by ir73

What's the status of this issue? For me it is working fine. What steps should be done to reproduce this issue in the latest trunk?

Changed 18 months ago by aclarke

I'm marking this closed as most people seem to think the problem's gone, and/or didn't exist in the first place. This way, if you think it's still an issue, please add a very simple test case again :)

Changed 17 months ago by orieg

Finally, I took some time to do the expected test app. I also improved the patch so now we can use a bean; this gives the same behavior as on FMS (you can define permission per app and for audio and video). The previous patch authorized byte access on all streams, which is not good. Flash Player doesn't let your app access the bytes (i.e. pixels for videos) if RtmpSampleAccess doesn't allow it. Let me know if I'm not clear enough.

The new patch restores the default behavior as on FMS (audio and video byte access set to false, so it throws a SecurityError). In the test app I did, you have on the left screen the stream, on the right screen a bitmap capture then a draw of this bitmap, then a box that displays the SecurityErrors caught. The app works with the Red5 demo app "oflademo"; you just need to have a stream called "sample.flv".

The default behavior will display the stream on the left screen, nothing on the right screen and a bunch of security errors (actually one per frame captured). To change this behavior, add this bean to the oflademo red5-web.xml:

<bean id="rtmpSampleAccess" class="org.red5.server.stream.RtmpSampleAccess">
    <property name="audioAllowed" value="true"/>
    <property name="videoAllowed" value="true"/>
</bean>

Now, in the test app you should have your video played on both screens and no more security errors.

Feedback welcome.
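As an added example (not code from this ticket or from Red5), here is a Python encoder/decoder for the AMF0 body of the |RtmpSampleAccess notify that the milgra.com hex dump and the bean above describe: the pipe-prefixed name followed by the audioAllowed and videoAllowed booleans. It assumes standard AMF0 encoding (0x02 plus a 16-bit length before the name, 0x01 plus one byte per boolean), so the name bytes in the dump are preceded by 02 00 11; the RTMP chunk framing around the body is not modelled.

```python
import struct

# AMF0 type markers: 0x02 = String (u16 BE length + UTF-8), 0x01 = Boolean (1 byte)
AMF0_STRING = 0x02
AMF0_BOOLEAN = 0x01
# The pipe prefix marks the call as one the player handles itself,
# which is why no client-side handler with this name is needed.
SAMPLE_ACCESS_NAME = "|RtmpSampleAccess"


def encode_sample_access(audio_allowed: bool, video_allowed: bool) -> bytes:
    """Build the AMF0 body: name string, then (audioAllowed, videoAllowed).
    (False, False) is the FMS-style default that keeps BitmapData.draw()
    on the stream raising a SecurityError; (True, True) is the dump's 01 01 01 01."""
    name = SAMPLE_ACCESS_NAME.encode("utf-8")
    body = bytes([AMF0_STRING]) + struct.pack(">H", len(name)) + name
    for flag in (audio_allowed, video_allowed):
        body += bytes([AMF0_BOOLEAN, 0x01 if flag else 0x00])
    return body


def decode_sample_access(data: bytes):
    """Parse a body back into (name, audio_allowed, video_allowed).
    Any truncated, mistyped or trailing data raises ValueError."""
    if len(data) < 3 or data[0] != AMF0_STRING:
        raise ValueError("expected AMF0 string marker")
    length = struct.unpack_from(">H", data, 1)[0]
    pos = 3 + length
    if pos > len(data):
        raise ValueError("truncated method name")
    name = data[3:pos].decode("utf-8")
    if name != SAMPLE_ACCESS_NAME:
        raise ValueError("not an RtmpSampleAccess message: %r" % name)
    flags = []
    for _ in range(2):
        if pos + 2 > len(data) or data[pos] != AMF0_BOOLEAN:
            raise ValueError("expected AMF0 boolean")
        flags.append(data[pos + 1] != 0)
        pos += 2
    if pos != len(data):
        raise ValueError("trailing bytes after the two flags")
    return name, flags[0], flags[1]


if __name__ == "__main__":
    # Constructed input: the milgra.com dump with its AMF0 string prefix restored.
    dump = bytes.fromhex("020011" "7c52746d7053616d706c65416363657373" "01010101")
    print(decode_sample_access(dump))  # ('|RtmpSampleAccess', True, True)
```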

Changed 17 months ago by paul

I'll review the latest patches and apply as needed. I certainly prefer the configurability of your bean instead of turning it on for everything by default.

Changed 17 months ago by paul

New patch applied at r3599 after quick local test.

Changed 12 months ago by orieg

Changed 12 months ago by orieg

Changed 12 months ago by waltertak

Changed 12 months ago by orieg

Changed 4 months ago by bascorp
