Pre Merge pull request !46 from 阿斌/N/A

优化播放效果
SDP 注入攻击 / 非法 SDP 协议数据
2026-06-29 21:47:50 +08:00 · 2026-05-22 06:15:09 +00:00 · 2026-05-22 14:14:41 +08:00 · 2026-03-21 16:15:47 +00:00
4 changed files with 36 additions and 8 deletions
--- a/src/main/java/com/genersoft/iot/vmp/gb28181/utils/SipUtils.java
+++ b/src/main/java/com/genersoft/iot/vmp/gb28181/utils/SipUtils.java
@ -205,6 +205,21 @@ public class SipUtils {
    }
    public static Gb28181Sdp parseSDP(String sdpStr) throws SdpParseException {
        // 校验：拦截空内容与注入攻击特征
        if (sdpStr == null || sdpStr.trim().isEmpty()) {
            throw new SdpParseException(0, 0, "SDP内容为空");
        }
        // 标准SDP每行格式固定为 "x=value"，不存在SQL关键字；出现则视为注入攻击
        String sdpUpper = sdpStr.toUpperCase();
        if (sdpUpper.contains("' OR '") || sdpUpper.contains("' OR 1") || sdpUpper.contains(" OR 1=1")
                || sdpUpper.contains("--") || sdpUpper.contains("/*") || sdpUpper.contains("*/")
                || sdpUpper.contains("DROP ") || sdpUpper.contains("INSERT ") || sdpUpper.contains("UPDATE ")
                || sdpUpper.contains("DELETE ") || sdpUpper.contains("UNION ") || sdpUpper.contains("SELECT ")) {
            log.error("[SDP注入攻击] 检测到非法SDP内容，已拒绝解析，内容长度: {}", sdpStr.length());
            throw new SdpParseException(0, 0, "非法SDP内容");
        }
        //校验结束
        // jainSip不支持y= f=字段， 移除以解析。
        int ssrcIndex = sdpStr.indexOf("y=");
--- a/web/src/views/common/jessibuca.vue
+++ b/web/src/views/common/jessibuca.vue
@ -54,10 +54,12 @@ export default {
    }
  },
  created() {
-    const paramUrl = decodeURIComponent(this.$route.params.url)
+    if (this.$route.params.url) {
-    console.log(paramUrl)
+      const paramUrl = decodeURIComponent(this.$route.params.url)
-    if (!this.videoUrl && paramUrl) {
+      console.log(paramUrl)
-      this.videoUrl = paramUrl
+      if (!this.videoUrl) {
        this.videoUrl = paramUrl
      }
    }
    this.btnDom = document.getElementById('buttonsBox')
  },
@ -217,6 +219,10 @@ export default {
      this.play(this.videoUrl)
    },
    play: function(url) {
      if (!url) {
        console.warn('Jessibuca -> invalid url, skip play')
        return
      }
      this.videoUrl = url
      console.log('Jessibuca -> url: ', url)
      if (!jessibucaPlayer[this._uid]) {
--- a/web/src/views/common/mediaInfo.vue
+++ b/web/src/views/common/mediaInfo.vue
@ -44,6 +44,9 @@ export default {
  },
  methods: {
    getMediaInfo: function() {
      if (!this.app || !this.stream || !this.mediaServerId) {
        return
      }
      this.$store.dispatch('server/getMediaInfo', {
        app: this.app,
        stream: this.stream,
@ -52,6 +55,7 @@ export default {
        .then(data => {
          this.info = data
        })
        .catch(() => {})
    },
    startTask: function() {
      this.task = setInterval(this.getMediaInfo, 1000)
--- a/web/src/views/dialog/devicePlayer.vue
+++ b/web/src/views/dialog/devicePlayer.vue
@ -473,10 +473,13 @@ export default {
      this.mediaServerId = streamInfo.mediaServerId
      this.playFromStreamInfo(false, streamInfo)
    },
-    getUrlByStreamInfo() {
+    getUrlByStreamInfo(streamInfo) {
-      let streamInfo = this.streamInfo
+      streamInfo = streamInfo || this.streamInfo
-      if (this.streamInfo.transcodeStream) {
+      if (!streamInfo) {
-        streamInfo = this.streamInfo.transcodeStream
+        return ''
      }
      if (streamInfo.transcodeStream) {
        streamInfo = streamInfo.transcodeStream
      }
      let videoUrl
      if (location.protocol === 'https:') {