Merge remote-tracking branch 'origin/main'

Add v2.7.7 critical security patch
2025-09-22 14:42:34 +00:00 · 2025-09-22 14:33:29 +00:00
2 changed files with 207 additions and 0 deletions
@@ -0,0 +1,134 @@
 #!/bin/bash
 # IPTV Server Patch v2.7.7 - Critical Security Fix: Hardware ID Isolation
 # This patch fixes a critical vulnerability where Hardware IDs were synchronized between servers
 set -e
 echo "====================================="
 echo "IPTV Server Security Patch v2.7.7"
 echo "Critical: Hardware ID Isolation Fix"
 echo "====================================="
 echo
 # Check if running as root
 if [ "$EUID" -ne 0 ]; then
   echo "❌ Please run as root (use sudo)"
   exit 1
 fi
 # Find IPTV installation directory
 INSTALL_DIR="/opt/iptv"
 if [ ! -d "$INSTALL_DIR/app" ]; then
    echo "❌ IPTV Server not found at $INSTALL_DIR"
    echo "Looking for alternative locations..."
    # Check common locations
    for dir in /home/*/iptv-server* /root/iptv-server*; do
        if [ -d "$dir/app" ]; then
            INSTALL_DIR="$dir"
            echo "✅ Found IPTV installation at: $INSTALL_DIR"
            break
        fi
    done
    if [ ! -d "$INSTALL_DIR/app" ]; then
        echo "❌ Could not find IPTV installation"
        exit 1
    fi
 fi
 APP_DIR="$INSTALL_DIR/app"
 echo "🔍 Installation directory: $INSTALL_DIR"
 echo "📁 Application directory: $APP_DIR"
 echo
 # Backup current files
 echo "📦 Creating backup..."
 BACKUP_DIR="/tmp/iptv-backup-$(date +%Y%m%d-%H%M%S)"
 mkdir -p "$BACKUP_DIR"
 # Backup files that will be modified
 cp -p "$APP_DIR/license_validator.py" "$BACKUP_DIR/" 2>/dev/null || true
 cp -p "$APP_DIR/license_manager.py" "$BACKUP_DIR/" 2>/dev/null || true
 cp -p "$APP_DIR/demo_middleware.py" "$BACKUP_DIR/" 2>/dev/null || true
 cp -p "$APP_DIR/app.py" "$BACKUP_DIR/" 2>/dev/null || true
 cp -p "$APP_DIR/startup_fix.py" "$BACKUP_DIR/" 2>/dev/null || true
 cp -p "$APP_DIR/version.py" "$BACKUP_DIR/" 2>/dev/null || true
 cp -p "$APP_DIR/VERSION" "$BACKUP_DIR/" 2>/dev/null || true
 echo "✅ Backup created at: $BACKUP_DIR"
 echo
 # Stop services
 echo "🛑 Stopping IPTV services..."
 docker-compose -f "$INSTALL_DIR/docker-compose.yml" down 2>/dev/null || \
 docker-compose -f "$INSTALL_DIR/docker/docker-compose.iptv.yml" down 2>/dev/null || \
 echo "⚠️  Could not stop services automatically"
 # Apply the patch - copy files from current working directory
 echo "🔧 Applying security patch..."
 # Get the directory where this script is located
 PATCH_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 SOURCE_DIR="$(dirname "$PATCH_DIR")/iptv-server-install-v2.0.0-licensed/app"
 if [ ! -d "$SOURCE_DIR" ]; then
    echo "❌ Source files not found at: $SOURCE_DIR"
    echo "Please ensure the patched files are in the correct location"
    exit 1
 fi
 # Copy the patched files
 echo "📝 Updating files..."
 cp "$SOURCE_DIR/license_validator.py" "$APP_DIR/"
 cp "$SOURCE_DIR/license_manager.py" "$APP_DIR/"
 cp "$SOURCE_DIR/demo_middleware.py" "$APP_DIR/"
 cp "$SOURCE_DIR/app.py" "$APP_DIR/"
 cp "$SOURCE_DIR/startup_fix.py" "$APP_DIR/"
 cp "$SOURCE_DIR/version.py" "$APP_DIR/"
 cp "$SOURCE_DIR/VERSION" "$APP_DIR/"
 echo "✅ Files updated successfully"
 echo
 # Clear Redis license cache (critical for this security fix)
 echo "🗑️  Clearing Redis license cache..."
 docker exec iptv-redis redis-cli --scan --pattern 'license:*' | xargs docker exec iptv-redis redis-cli del 2>/dev/null || \
 echo "⚠️  Could not clear Redis cache automatically - please do this manually"
 echo
 echo "📋 Manual Redis cleanup (if automatic failed):"
 echo "   docker exec -it iptv-redis redis-cli"
 echo "   KEYS license:* | xargs DEL"
 echo "   exit"
 echo
 # Start services
 echo "🚀 Starting IPTV services..."
 docker-compose -f "$INSTALL_DIR/docker-compose.yml" up -d 2>/dev/null || \
 docker-compose -f "$INSTALL_DIR/docker/docker-compose.iptv.yml" up -d 2>/dev/null || \
 echo "⚠️  Please start services manually"
 echo
 echo "====================================="
 echo "✅ Security Patch v2.7.7 Applied!"
 echo "====================================="
 echo
 echo "🔒 SECURITY FIX: Hardware IDs are now isolated per server"
 echo "🔒 Each server maintains its own license state"
 echo "🔒 Prevents license sharing between servers"
 echo
 echo "🔄 Each server will regenerate its license validation on first run"
 echo "📝 Backup saved at: $BACKUP_DIR"
 echo
 echo "⚠️  IMPORTANT: If you have multiple servers:"
 echo "   - Apply this patch to ALL servers"
 echo "   - Each server will validate independently"
 echo "   - License sharing is no longer possible"
 echo
 echo "If you encounter issues:"
 echo "1. Check logs: docker logs iptv-backend"
 echo "2. Restore from backup: cp $BACKUP_DIR/* $APP_DIR/"
 echo "3. Contact support@powerdata.dk"
 echo
@@ -0,0 +1,73 @@
 {
  "version": "2.7.7",
  "release_date": "2025-09-22",
  "severity": "critical",
  "description": "Critical Security Fix - Hardware ID Isolation",
  "changelog": [
    "CRITICAL: Fixed security vulnerability where Hardware IDs were synchronized between servers through Redis",
    "SECURITY: Each server now maintains completely isolated license state using hardware_id-specific Redis keys",
    "SECURITY: Prevents license sharing between cloned VMs or servers sharing Redis instance",
    "FIX: Hardware IDs no longer stored in global Redis keys",
    "FIX: All license data now scoped to individual hardware_id namespaces",
    "FIX: Updated license_validator.py to use hardware_id-specific cache keys",
    "FIX: Updated license_manager.py to always use local hardware_id",
    "FIX: Updated demo_middleware.py to use hardware_id-specific keys",
    "FIX: Updated app.py license refresh to clear hardware_id-specific cache",
    "ENHANCEMENT: Added security comments throughout codebase"
  ],
  "files": [
    {
      "path": "app/license_validator.py",
      "action": "update",
      "content": "# File content will be retrieved from repository"
    },
    {
      "path": "app/license_manager.py",
      "action": "update",
      "content": "# File content will be retrieved from repository"
    },
    {
      "path": "app/demo_middleware.py",
      "action": "update",
      "content": "# File content will be retrieved from repository"
    },
    {
      "path": "app/app.py",
      "action": "update",
      "content": "# Partial update - license refresh endpoint only"
    },
    {
      "path": "app/startup_fix.py",
      "action": "update",
      "content": "# Updated version to 2.7.7"
    },
    {
      "path": "app/version.py",
      "action": "update",
      "content": "# Updated fallback version to 2.7.7"
    },
    {
      "path": "app/VERSION",
      "action": "update",
      "content": "2.7.7"
    }
  ],
  "requirements": {
    "min_version": "2.7.0",
    "restart_required": true,
    "clear_redis_required": true
  },
  "install_instructions": [
    "1. This patch fixes a critical security vulnerability",
    "2. Stop all services before applying",
    "3. Apply the patch",
    "4. Clear Redis license keys: redis-cli --scan --pattern 'license:*' | xargs redis-cli del",
    "5. Restart all services",
    "6. Each server will regenerate its own isolated license state"
  ],
  "rollback_instructions": [
    "1. Restore previous version files",
    "2. Restart services",
    "Note: Rolling back will re-introduce the security vulnerability"
  ]
 }
Author	SHA1	Message	Date
root	3c537924ce	Merge remote-tracking branch 'origin/main'	2025-09-22 14:42:34 +00:00
root	c5b55a3e7c	Add v2.7.7 critical security patch	2025-09-22 14:33:29 +00:00