Reporter Michal J.
`Product: Wowza Media Server
Description: WMS is a quite popular RTMP/HLS/HDS/RTSP streaming server
In early 2009 I reported problem with processing of requests with
The issue surfaced again.
In a nutshell, you can escape Applications StorageDir using relative
Lets say you have two applications:
* vod1 with /usr/local/WowzaMediaServer/content1/ as StorageDir
* vod2 with /usr/local/WowzaMediaServer/content2/ as StorageDir
Requesting to play `mp4:../content1/file.mp4` from `vod2` will work
just fine thus bypassing configured StorageDir.
* Implement custom module that supplies either
`IMediaStreamNameAliasProvider2` or `IMediaStreamFileMapper` override
which blocks requests falling outside configured `StorageDir`
* Use StreamNameAlias module to block requests with relative paths
* Upgrade to Wowza 3.5.2.06 (patch that hopefully fixes this issue)
* Don't use predictable paths
* 2013-04-06 Wowza Media Services contacted about this issue
* 2013-04-08 Wowza acknowledges this bug, no further info received
* 2013-04-30 Public release due to vendor's non-cooperation
Michal J. <wejn(at)box.cz>
"I honestly think it is better to be a failure at something you love
than to be a success at something you hate..." -- George Burns