TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=<mount>, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast them on the named mount as if they were the legitimate source. The other ingest paths (POST /<mount> over HTTP/1 with the icecast SOURCE / PUT verb, RTMP, SRT) all require the per-mount source password, …