Open Jake4-CX opened 5 days ago
It's not a vulnerability; the behavior of not proxying URLs when no headers are passed is intentional. Click the "More Info" link to learn more about how it works. This script isn’t designed to hide streams from your ISP, so it’s not a proxy in the typical sense. Instead, it acts as a bridge to access streams from a client that doesn’t support setting the required headers.
Streams without assigned headers aren’t proxied to save bandwidth when using free-tier services like Vercel. However, if you want to proxy these streams from another location, you can simply set a User-Agent or similar header to force the proxy.
Additionally, I’ve tested the same setup you’re using for DaddyLive and haven’t encountered a 403 error. Just to check, can you access the DaddyLive streams directly from their website in your browser from the same location where you’re running the script?
Edit: Check if you can access the key directly, or if you’re receiving a 403 error when trying. I know Daddylive recently began blocking Cloudflare Workers, so it’s possible they've restricted other servers from accessing the key request as well.
http://0.0.0.0:4123/?url=https%3A%2F%2Fkey2.keylocking.ru%2Fwmsxx.php%3Ftest%3Dtrue%26name%3Dpremium303%26number%3D1&data=VXNlci1BZ2VudD1Nb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMwLjAuMC4wIFNhZmFyaS81MzcuMzZ8UmVmZXJlcj1odHRwczovL2lsb3ZldG9wbGF5Lnh5ei98T3JpZ2luPWh0dHBzOi8vaWxvdmV0b3BsYXkueHl6&key=true
Hello, I have spent the last hour deploying your m3u8 playlist proxy solution (via docker - latest version) but I'm unable to proxy the provided m3u8 streams, and I also found a potential vulnerability within your proxy.
Vulnerability: If I provide an m3u8 playlist with no headers (i.e. let's say your `moj-m3u8` bit.ly link), the generated link will not proxy each stream (direct URL to `moveonjoy`'s servers) - exposing the requester's IP, potentially resulting in troubles with your ISP (if the user is intentionally deploying the proxy remotely to avoid this).
The other problem is that when individual streams are proxied, if I try and access them, I always run into HTTP errors (i.e. 403) preventing proxied playback.
Example requests (For DaddyLive - Channel: `ABC.(WABC).New.York,.NY.us`):
Here is also a screenshot of my created link along with the URL created
Docker console screenshot (of requests)
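A check for the behaviour discussed in this thread, added here as an example and not taken from the project's code: it lists which entries of a generated playlist go through the proxy and which remain direct URLs that the player fetches from its own IP. The `url` and `data` parameter names and the proxy address come from the URL quoted above; the `Name=Value|Name=Value` layout of `data` is inferred from that URL, and the sample playlist and hosts are constructed.

```python
import base64
from urllib.parse import urlsplit, parse_qs, urlencode

PROXY = "http://0.0.0.0:4123"  # proxy address as it appears in the thread


def decode_headers(data):
    """Decode `data`: base64 of 'Name=Value|Name=Value' (layout inferred, an assumption)."""
    raw = base64.b64decode(data + "=" * (-len(data) % 4)).decode("utf-8")
    return dict(item.split("=", 1) for item in raw.split("|") if "=" in item)


def audit_playlist(text, proxy=PROXY):
    """Return (proxied, direct) for every URL line of an m3u8 playlist.

    Only URL lines are examined; URIs embedded in tags (e.g. key URIs)
    are not covered by this check.
    """
    proxy_netloc = urlsplit(proxy).netloc
    proxied, direct = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # playlist tags and comments
        parts = urlsplit(line)
        query = parse_qs(parts.query)
        if parts.netloc == proxy_netloc and "url" in query:
            headers = decode_headers(query["data"][0]) if "data" in query else {}
            proxied.append((query["url"][0], headers))
        else:
            direct.append(line)  # the player connects to this host itself
    return proxied, direct


# Constructed sample: one entry with headers (proxied), one without (left direct).
_hdr = base64.b64encode(b"User-Agent=ExamplePlayer/1.0|Referer=https://origin.invalid/").decode()
SAMPLE = "\n".join([
    "#EXTM3U",
    "#EXTINF:-1,Channel with headers",
    PROXY + "/?" + urlencode({"url": "https://a.invalid/live/1.m3u8", "data": _hdr}),
    "#EXTINF:-1,Channel without headers",
    "https://b.invalid/live/2.m3u8",
])

if __name__ == "__main__":
    proxied, direct = audit_playlist(SAMPLE)
    for upstream, headers in proxied:
        print("proxied:", upstream, sorted(headers))
    for url in direct:
        print("direct (client IP visible to upstream):", url)
```
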