Add v2.7.7 critical security patch

2025-09-22 14:33:29 +00:00
commit c5b55a3e7c
2 changed files with 207 additions and 0 deletions
@@ -0,0 +1,134 @@
+#!/bin/bash
+# IPTV Server Patch v2.7.7 - Critical Security Fix: Hardware ID Isolation
+# This patch fixes a critical vulnerability where Hardware IDs were synchronized between servers
+
+set -e
+
+echo "====================================="
+echo "IPTV Server Security Patch v2.7.7"
+echo "Critical: Hardware ID Isolation Fix"
+echo "====================================="
+echo
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+   echo "❌ Please run as root (use sudo)"
+   exit 1
+fi
+
+# Find IPTV installation directory
+INSTALL_DIR="/opt/iptv"
+if [ ! -d "$INSTALL_DIR/app" ]; then
+    echo "❌ IPTV Server not found at $INSTALL_DIR"
+    echo "Looking for alternative locations..."
+
+    # Check common locations
+    for dir in /home/*/iptv-server* /root/iptv-server*; do
+        if [ -d "$dir/app" ]; then
+            INSTALL_DIR="$dir"
+            echo "✅ Found IPTV installation at: $INSTALL_DIR"
+            break
+        fi
+    done
+
+    if [ ! -d "$INSTALL_DIR/app" ]; then
+        echo "❌ Could not find IPTV installation"
+        exit 1
+    fi
+fi
+
+APP_DIR="$INSTALL_DIR/app"
+
+echo "🔍 Installation directory: $INSTALL_DIR"
+echo "📁 Application directory: $APP_DIR"
+echo
+
+# Backup current files
+echo "📦 Creating backup..."
+BACKUP_DIR="/tmp/iptv-backup-$(date +%Y%m%d-%H%M%S)"
+mkdir -p "$BACKUP_DIR"
+
+# Backup files that will be modified
+cp -p "$APP_DIR/license_validator.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/license_manager.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/demo_middleware.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/app.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/startup_fix.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/version.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/VERSION" "$BACKUP_DIR/" 2>/dev/null || true
+
+echo "✅ Backup created at: $BACKUP_DIR"
+echo
+
+# Stop services
+echo "🛑 Stopping IPTV services..."
+docker-compose -f "$INSTALL_DIR/docker-compose.yml" down 2>/dev/null || \
+docker-compose -f "$INSTALL_DIR/docker/docker-compose.iptv.yml" down 2>/dev/null || \
+echo "⚠️  Could not stop services automatically"
+
+# Apply the patch - copy files from current working directory
+echo "🔧 Applying security patch..."
+
+# Get the directory where this script is located
+PATCH_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SOURCE_DIR="$(dirname "$PATCH_DIR")/iptv-server-install-v2.0.0-licensed/app"
+
+if [ ! -d "$SOURCE_DIR" ]; then
+    echo "❌ Source files not found at: $SOURCE_DIR"
+    echo "Please ensure the patched files are in the correct location"
+    exit 1
+fi
+
+# Copy the patched files
+echo "📝 Updating files..."
+cp "$SOURCE_DIR/license_validator.py" "$APP_DIR/"
+cp "$SOURCE_DIR/license_manager.py" "$APP_DIR/"
+cp "$SOURCE_DIR/demo_middleware.py" "$APP_DIR/"
+cp "$SOURCE_DIR/app.py" "$APP_DIR/"
+cp "$SOURCE_DIR/startup_fix.py" "$APP_DIR/"
+cp "$SOURCE_DIR/version.py" "$APP_DIR/"
+cp "$SOURCE_DIR/VERSION" "$APP_DIR/"
+
+echo "✅ Files updated successfully"
+echo
+
+# Clear Redis license cache (critical for this security fix)
+echo "🗑️  Clearing Redis license cache..."
+docker exec iptv-redis redis-cli --scan --pattern 'license:*' | xargs docker exec iptv-redis redis-cli del 2>/dev/null || \
+echo "⚠️  Could not clear Redis cache automatically - please do this manually"
+
+echo
+echo "📋 Manual Redis cleanup (if automatic failed):"
+echo "   docker exec -it iptv-redis redis-cli"
+echo "   KEYS license:* | xargs DEL"
+echo "   exit"
+echo
+
+# Start services
+echo "🚀 Starting IPTV services..."
+docker-compose -f "$INSTALL_DIR/docker-compose.yml" up -d 2>/dev/null || \
+docker-compose -f "$INSTALL_DIR/docker/docker-compose.iptv.yml" up -d 2>/dev/null || \
+echo "⚠️  Please start services manually"
+
+echo
+echo "====================================="
+echo "✅ Security Patch v2.7.7 Applied!"
+echo "====================================="
+echo
+echo "🔒 SECURITY FIX: Hardware IDs are now isolated per server"
+echo "🔒 Each server maintains its own license state"
+echo "🔒 Prevents license sharing between servers"
+echo
+echo "🔄 Each server will regenerate its license validation on first run"
+echo "📝 Backup saved at: $BACKUP_DIR"
+echo
+echo "⚠️  IMPORTANT: If you have multiple servers:"
+echo "   - Apply this patch to ALL servers"
+echo "   - Each server will validate independently"
+echo "   - License sharing is no longer possible"
+echo
+echo "If you encounter issues:"
+echo "1. Check logs: docker logs iptv-backend"
+echo "2. Restore from backup: cp $BACKUP_DIR/* $APP_DIR/"
+echo "3. Contact support@powerdata.dk"
+echo
@@ -0,0 +1,73 @@
+{
+  "version": "2.7.7",
+  "release_date": "2025-09-22",
+  "severity": "critical",
+  "description": "Critical Security Fix - Hardware ID Isolation",
+  "changelog": [
+    "CRITICAL: Fixed security vulnerability where Hardware IDs were synchronized between servers through Redis",
+    "SECURITY: Each server now maintains completely isolated license state using hardware_id-specific Redis keys",
+    "SECURITY: Prevents license sharing between cloned VMs or servers sharing Redis instance",
+    "FIX: Hardware IDs no longer stored in global Redis keys",
+    "FIX: All license data now scoped to individual hardware_id namespaces",
+    "FIX: Updated license_validator.py to use hardware_id-specific cache keys",
+    "FIX: Updated license_manager.py to always use local hardware_id",
+    "FIX: Updated demo_middleware.py to use hardware_id-specific keys",
+    "FIX: Updated app.py license refresh to clear hardware_id-specific cache",
+    "ENHANCEMENT: Added security comments throughout codebase"
+  ],
+  "files": [
+    {
+      "path": "app/license_validator.py",
+      "action": "update",
+      "content": "# File content will be retrieved from repository"
+    },
+    {
+      "path": "app/license_manager.py",
+      "action": "update",
+      "content": "# File content will be retrieved from repository"
+    },
+    {
+      "path": "app/demo_middleware.py",
+      "action": "update",
+      "content": "# File content will be retrieved from repository"
+    },
+    {
+      "path": "app/app.py",
+      "action": "update",
+      "content": "# Partial update - license refresh endpoint only"
+    },
+    {
+      "path": "app/startup_fix.py",
+      "action": "update",
+      "content": "# Updated version to 2.7.7"
+    },
+    {
+      "path": "app/version.py",
+      "action": "update",
+      "content": "# Updated fallback version to 2.7.7"
+    },
+    {
+      "path": "app/VERSION",
+      "action": "update",
+      "content": "2.7.7"
+    }
+  ],
+  "requirements": {
+    "min_version": "2.7.0",
+    "restart_required": true,
+    "clear_redis_required": true
+  },
+  "install_instructions": [
+    "1. This patch fixes a critical security vulnerability",
+    "2. Stop all services before applying",
+    "3. Apply the patch",
+    "4. Clear Redis license keys: redis-cli --scan --pattern 'license:*' | xargs redis-cli del",
+    "5. Restart all services",
+    "6. Each server will regenerate its own isolated license state"
+  ],
+  "rollback_instructions": [
+    "1. Restore previous version files",
+    "2. Restart services",
+    "Note: Rolling back will re-introduce the security vulnerability"
+  ]
+}