fix(streams): reject names with spaces/special chars (#396)

Stream names with spaces broke MSE ("stream not found") and hung HLS.
Names flow through URL-encoded client requests, go2rtc (decoded keys),
and filesystem paths (sanitize_stream_name collapses to [A-Za-z0-9_-]),
so "Front Door" and "Front_Door" also collide on disk. Validate at
POST /api/streams and mirror the rule in the create form; add a
26-case Unity test covering the validator and sanitizer agreement.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matteius

include/core/path_utils.h

@@ -1,6 +1,7 @@
 #ifndef LIGHTNVR_PATH_UTILS_H
 #define LIGHTNVR_PATH_UTILS_H
 
+#include <stdbool.h>
 #include <stddef.h>
 #include <sys/types.h>
 
@@ -14,6 +15,25 @@
  */
 void sanitize_stream_name(const char *input, char *output, size_t output_size);
 
+/**
+ * Check whether a stream name is valid for use as an identifier.
+ *
+ * A stream name flows through filesystem paths, URLs, WebSocket query
+ * parameters, and the go2rtc stream table. Allowing spaces or other
+ * special characters leads to URL-encoding mismatches (e.g. "mse: stream
+ * not found" when the client requests "Front%20Door%20Camera" but go2rtc
+ * registered "Front Door Camera"), and also causes filesystem collisions
+ * because sanitize_stream_name() collapses all non-[A-Za-z0-9-] characters
+ * to underscores.
+ *
+ * Allowed characters: [A-Za-z0-9._-]. The name must be non-empty and may
+ * not start with '.' (to avoid hidden-file paths).
+ *
+ * @param name NUL-terminated stream name, may be NULL
+ * @return true if the name is valid, false otherwise
+ */
+bool is_valid_stream_name(const char *name);
+
 /**
  * Ensure the specified directory exists, creating it if necessary. Does not recur.
  * Sets errno on failure.

src/core/path_utils.c

@@ -28,6 +28,23 @@ void sanitize_stream_name(const char *input, char *output, size_t output_size) {
     output[i] = '\0';
 }
 
+bool is_valid_stream_name(const char *name) {
+    if (!name || name[0] == '\0') {
+        return false;
+    }
+    // Reject leading '.' so names can't produce hidden-file paths.
+    if (name[0] == '.') {
+        return false;
+    }
+    for (size_t i = 0; name[i] != '\0'; i++) {
+        unsigned char c = (unsigned char) name[i];
+        if (!(isalpha(c) || isdigit(c) || c == '-' || c == '_' || c == '.')) {
+            return false;
+        }
+    }
+    return true;
+}
+
 // Ensure the specified directory exists, creating it if necessary. Does not recur.
 int ensure_dir(const char *path) {
     struct stat st;

src/web/api_handlers_streams_modify.c

@@ -14,6 +14,7 @@
 #define LOG_COMPONENT "StreamsAPI"
 #include "core/logger.h"
 #include "core/config.h"
+#include "core/path_utils.h"
 #include "core/url_utils.h"
 #include "utils/strings.h"
 #include "video/stream_manager.h"
@@ -469,6 +470,18 @@ void handle_post_stream(const http_request_t *req, http_response_t *res) {
     while (name_len > 0 && (config.name[name_len - 1] == ' ' || config.name[name_len - 1] == '\t')) {
         config.name[--name_len] = '\0';
     }
+
+    // Reject names with characters that would mismatch between URL-encoded
+    // client requests (MSE/HLS/WebRTC) and the decoded key stored by go2rtc
+    // and the filesystem sanitizer. See issue #396.
+    if (!is_valid_stream_name(config.name)) {
+        log_error("Invalid stream name: '%s' (allowed: letters, digits, '.', '-', '_')", config.name);
+        cJSON_Delete(stream_json);
+        http_response_set_json_error(res, 400,
+            "Stream name can only contain letters, digits, '.', '-', and '_'");
+        return;
+    }
+
     safe_strcpy(config.url, url->valuestring, sizeof(config.url), 0);
 
     // Optional fields with defaults

tests/unit/CMakeLists.txt

@@ -125,6 +125,7 @@ add_layer2_test(test_config)
 add_layer2_test(test_logger)
 add_layer2_test(test_strings)
 add_layer2_test(test_memory)
+add_layer2_test(test_path_utils)
 add_layer2_test(test_request_response)
 add_layer2_test(test_shutdown_coordinator)
 add_layer2_test(test_detection_config)

tests/unit/test_path_utils.c

@@ -0,0 +1,201 @@
+/**
+ * @file test_path_utils.c
+ * @brief Layer 2 unit tests — stream name validation and sanitization
+ *
+ * Covers is_valid_stream_name() (added for #396) and sanitize_stream_name().
+ *
+ * Stream names flow through filesystem paths, URLs, and the go2rtc stream
+ * table, so they must survive URL-encoding round-trips unchanged. Names
+ * containing spaces or other special characters produce "mse: stream not
+ * found" errors because the client sends the URL-encoded form while
+ * go2rtc registered the decoded form.
+ */
+
+#define _POSIX_C_SOURCE 200809L
+#define _GNU_SOURCE
+
+#include <string.h>
+
+#include "unity.h"
+#include "core/path_utils.h"
+
+void setUp(void)    {}
+void tearDown(void) {}
+
+/* ================================================================
+ * is_valid_stream_name — accepts
+ * ================================================================ */
+
+void test_valid_simple_lowercase(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("front_door"));
+}
+
+void test_valid_mixed_case(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("FrontDoor"));
+}
+
+void test_valid_digits(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("cam01"));
+}
+
+void test_valid_hyphen(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("front-door"));
+}
+
+void test_valid_underscore(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("front_door_camera"));
+}
+
+void test_valid_dot_in_middle(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("cam.1"));
+}
+
+void test_valid_single_char(void) {
+    TEST_ASSERT_TRUE(is_valid_stream_name("a"));
+}
+
+/* ================================================================
+ * is_valid_stream_name — rejects (the #396 cases)
+ * ================================================================ */
+
+void test_reject_null(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name(NULL));
+}
+
+void test_reject_empty(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name(""));
+}
+
+void test_reject_space_in_middle(void) {
+    /* The primary #396 case: "Front Door Camera" breaks MSE/HLS. */
+    TEST_ASSERT_FALSE(is_valid_stream_name("Front Door Camera"));
+}
+
+void test_reject_leading_space(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name(" front_door"));
+}
+
+void test_reject_trailing_space(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name("front_door "));
+}
+
+void test_reject_tab(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name("front\tdoor"));
+}
+
+void test_reject_slash(void) {
+    /* Would break path routing (/api/streams/{name}/...). */
+    TEST_ASSERT_FALSE(is_valid_stream_name("front/door"));
+}
+
+void test_reject_backslash(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name("front\\door"));
+}
+
+void test_reject_question_mark(void) {
+    /* Would become a query-string boundary. */
+    TEST_ASSERT_FALSE(is_valid_stream_name("front?door"));
+}
+
+void test_reject_ampersand(void) {
+    TEST_ASSERT_FALSE(is_valid_stream_name("front&door"));
+}
+
+void test_reject_hash(void) {
+    /* URL fragment boundary. */
+    TEST_ASSERT_FALSE(is_valid_stream_name("front#door"));
+}
+
+void test_reject_percent(void) {
+    /* Looks like URL-encoding. */
+    TEST_ASSERT_FALSE(is_valid_stream_name("front%20door"));
+}
+
+void test_reject_leading_dot(void) {
+    /* Would produce a hidden-file path. */
+    TEST_ASSERT_FALSE(is_valid_stream_name(".hidden"));
+}
+
+void test_reject_dot_dot(void) {
+    /* Path traversal. */
+    TEST_ASSERT_FALSE(is_valid_stream_name(".."));
+}
+
+void test_reject_non_ascii(void) {
+    /* Non-ASCII round-trips poorly through URL encoding. */
+    TEST_ASSERT_FALSE(is_valid_stream_name("caméra"));
+}
+
+void test_reject_null_byte_is_not_applicable(void) {
+    /* C strings terminate at NUL; nothing to test beyond empty case. */
+    TEST_PASS();
+}
+
+/* ================================================================
+ * sanitize_stream_name regression coverage
+ *
+ * The validator and sanitizer must agree on the "safe" character set:
+ * sanitize_stream_name() maps spaces to underscores, which means
+ * "Front Door" and "Front_Door" both collapse to "Front_Door" on disk.
+ * That collision is exactly why is_valid_stream_name() rejects spaces.
+ * ================================================================ */
+
+void test_sanitize_maps_space_to_underscore(void) {
+    char out[64];
+    sanitize_stream_name("Front Door", out, sizeof(out));
+    TEST_ASSERT_EQUAL_STRING("Front_Door", out);
+}
+
+void test_sanitize_preserves_valid_names(void) {
+    /* A name that passes is_valid_stream_name must be unchanged by sanitize. */
+    char out[64];
+    sanitize_stream_name("front_door-1", out, sizeof(out));
+    TEST_ASSERT_EQUAL_STRING("front_door-1", out);
+}
+
+void test_sanitize_two_names_that_would_collide(void) {
+    /* Demonstrates the collision that motivates rejecting spaces at creation. */
+    char out_a[64], out_b[64];
+    sanitize_stream_name("Front Door",  out_a, sizeof(out_a));
+    sanitize_stream_name("Front_Door",  out_b, sizeof(out_b));
+    TEST_ASSERT_EQUAL_STRING(out_a, out_b);
+}
+
+/* ================================================================
+ * main
+ * ================================================================ */
+
+int main(void) {
+    UNITY_BEGIN();
+
+    RUN_TEST(test_valid_simple_lowercase);
+    RUN_TEST(test_valid_mixed_case);
+    RUN_TEST(test_valid_digits);
+    RUN_TEST(test_valid_hyphen);
+    RUN_TEST(test_valid_underscore);
+    RUN_TEST(test_valid_dot_in_middle);
+    RUN_TEST(test_valid_single_char);
+
+    RUN_TEST(test_reject_null);
+    RUN_TEST(test_reject_empty);
+    RUN_TEST(test_reject_space_in_middle);
+    RUN_TEST(test_reject_leading_space);
+    RUN_TEST(test_reject_trailing_space);
+    RUN_TEST(test_reject_tab);
+    RUN_TEST(test_reject_slash);
+    RUN_TEST(test_reject_backslash);
+    RUN_TEST(test_reject_question_mark);
+    RUN_TEST(test_reject_ampersand);
+    RUN_TEST(test_reject_hash);
+    RUN_TEST(test_reject_percent);
+    RUN_TEST(test_reject_leading_dot);
+    RUN_TEST(test_reject_dot_dot);
+    RUN_TEST(test_reject_non_ascii);
+    RUN_TEST(test_reject_null_byte_is_not_applicable);
+
+    RUN_TEST(test_sanitize_maps_space_to_underscore);
+    RUN_TEST(test_sanitize_preserves_valid_names);
+    RUN_TEST(test_sanitize_two_names_that_would_collide);
+
+    return UNITY_END();
+}

web/js/components/preact/StreamConfigModal.jsx

@@ -433,10 +433,14 @@ export function StreamConfigModal({
                     onChange={onInputChange}
                     disabled={isEditing}
                     required
+                    pattern="[A-Za-z0-9_\-][A-Za-z0-9._\-]*"
+                    title={t('streamsConfig.streamNameAllowedChars')}
                     placeholder={t('streamsConfig.streamNamePlaceholder')}
                   />
-                  {isEditing && (
+                  {isEditing ? (
                     <p className="mt-1 text-xs text-muted-foreground">{t('streamsConfig.streamNameImmutable')}</p>
+                  ) : (
+                    <p className="mt-1 text-xs text-muted-foreground">{t('streamsConfig.streamNameAllowedChars')}</p>
                   )}
                 </div>
 

web/public/locales/en.json

@@ -753,6 +753,7 @@
   "streamsConfig.streamName": "Stream Name",
   "streamsConfig.streamNamePlaceholder": "e.g., front_door, backyard",
   "streamsConfig.streamNameImmutable": "Stream name cannot be changed after creation",
+  "streamsConfig.streamNameAllowedChars": "Only letters, digits, '.', '-', and '_' are allowed (no spaces).",
   "streamsConfig.streamUrl": "Stream URL",
   "streamsConfig.streamUrlPlaceholder": "rtsp://username:password@192.168.1.100:554/stream",
   "streamsConfig.subStreamUrl": "Sub-stream URL (optional)",