New upstream version 4.5.1.0

ChangeLog

@@ -1,5 +1,45 @@
-27/09/2018 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]>
-Version 4.5.0.9 'dan Eider':
+24/11/2018 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]>
+Version 4.5.1.0 'dan Eider':
+	Consider to change config file after upgrade, because it contains some 
+	not backward compatible breaking changes !!
+	- Security fixes 
+	  Many thanks to Nicolas Edet (Cisco) !!
+	  who reported all of the following issues:
+		* DB/SQL injection in stun realm. Fix: add extra string validation.
+		* DB/SQL injection in web-admin interface lack of admin user validation. 
+		  Fix: add extra string validation.
+	 	* Fix for earlier unsafe default settings: 
+			o HTTPS administrator interface should be disabled by default
+			  It could be enbled with "web-admin" option.
+			o Default configuration allowed earlier forwarding traffic 
+			  from an external interface to loopback interface. Now it
+			  has been changed and option name is also changed!
+
+			  !!BREAKING change!! Don't forget to change config!!
+			  "no-loopback-peers" replaced by "allow-loopback-peers"
+
+			o Unauthenticated telnet admin interface runs on the 
+			  loopback interface, which can be accessed by exploiting the
+			  loopback relay that was enabled by default.
+		*  Add username string sanity check on web admin interface to
+		   avoid any sql-injection attacks.
+	- Admin portal does not list TCP session ( reported and fixed by Nicolas Edet )
+	- Fix memory leak in read_config_file (by Thibaut Ackermann)
+	- Add a release helper script.
+	- Web Admin interface use own listener (it is disableb by default) (by Thibaut ACKERMANN)
+
+	  !!BREAKING change!! Don't forget to change/review config!!
+
+		* Add new option "web-admin-ip" to set listener ip. By default (127.0.0.1)
+		* Add new option "web-admin-port" to set webadmin listen port
+		* Add new option "web-admin-listen-on-workers" to change back to earlier 
+		  behaviour and listen web admin on all worker processes and ports.
+	- Not allow to start server if "allow-loopback-peers" set without "cli-password"
+
+	  !!BREAKING change!! Don't forget to change config!!
+
+	  Added a warning if cli-password is empty or missing, but allow-loopback-peers
+	  set, and so loopback allocation is enalbed.
 
 27/09/2018 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]>
 Version 4.5.0.8 'dan Eider':

README.turnserver

@@ -234,7 +234,11 @@ Flags:
 --no-stun		Run as TURN server only, all STUN requests will be ignored. 
 			Option to suppress STUN functionality, only TURN requests will be processed.
 
---no-loopback-peers	Disallow peers on the loopback addresses (127.x.x.x and ::1).
+--allow-loopback-peers	Allow peers on the loopback addresses (127.x.x.x and ::1).
+             Allow it only for testing in a development environment! 
+             In production it adds a possible security vulnerability, 
+             and so due to security reasons, it is not allowed 
+             using it together with empty cli-password.
 
 --no-multicast-peers	Disallow peers on well-known broadcast addresses 
 			(224.0.0.0 and above, and FFXX:*).
@@ -552,6 +556,15 @@ Options with values:
 --cli-max-output-sessions	Maximum number of output sessions in ps CLI command.
 			This value can be changed on-the-fly in CLI. The default value is 256.
 
+--web-admin		Enable Turn Web-admin support. By default it is disabled.
+
+--web-admin-ip=<IP>	Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+
+--web-admin-port=<port>  Web-admin server port. Default is 8080.
+--web-admin-listen-on-workers   Enable for web-admin server to listens on STUN/TURN workers STUN/TURN ports.
+			By default it is disabled for security resons!
+			(This beahvior used to be the default bahavior, and was enabled by default.)
+
 --ne=[1|2|3]		Set network engine type for the process (for internal purposes).
 
 ==================================

examples/cpu-mem.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+while sleep 1; do
+	DATE="$(date)";
+	PS="$( ps -p `pidof turnserver` -o 'pcpu,pmem,rss,vsz')";
+	TOP="$( top -p `pidof turnserver` -n1 -b -H -c )"
+	OUTPUT=$DATE"\n\n"$TOP"\n\nps\n"$PS"\n";
+	echo -e "$OUTPUT" | tee -a cpu-mem.log;
+done;

examples/etc/turnserver.conf

@@ -569,10 +569,17 @@
 # The default value is ':'.
 # rest-api-separator=:	
 
-# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
 # This is an extra security measure.
 #
-#no-loopback-peers
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment! 
+# In production it adds a possible security vulnerability, so for security reasons 
+# it is not allowed using it together with empty cli-password. 
+#
+#allow-loopback-peers
 
 # Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
 # This is an extra security measure.
@@ -658,6 +665,20 @@
 #
 #cli-password=qwerty
 
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
 # Server relay. NON-STANDARD AND DANGEROUS OPTION. 
 # Only for those applications when we want to run 
 # server applications on the relay endpoints.