Cutlery/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2025-07-07 10:14:14 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request from GHSA-wg4c-c9g9-rxhx

Browse Source 
Fix issues 1 through 5 from GHSL-2021-050
This commit is contained in:
Joshua M. Boniface 2021-03-21 19:12:14 -04:00 committed by GitHub
commit fe8cf29cad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 61 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Jellyfin.Api/Controllers/HlsSegmentController.cs
View File

@ -61,7 +61,13 @@ namespace Jellyfin.Api.Controllers
{ {
// TODO: Deprecate with new iOS app // TODO: Deprecate with new iOS app
var file = segmentId + Path.GetExtension(Request.Path); var file = segmentId + Path.GetExtension(Request.Path);
file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file); var transcodePath = _serverConfigurationManager.GetTranscodePath();
file = Path.GetFullPath(Path.Combine(transcodePath, file));
var fileDir = Path.GetDirectoryName(file);
if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
{
return BadRequest("Invalid segment.");
}
return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext); return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
} }
@ -81,7 +87,13 @@ namespace Jellyfin.Api.Controllers
public ActionResult GetHlsPlaylistLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string playlistId) public ActionResult GetHlsPlaylistLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string playlistId)
{ {
var file = playlistId + Path.GetExtension(Request.Path); var file = playlistId + Path.GetExtension(Request.Path);
file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file); var transcodePath = _serverConfigurationManager.GetTranscodePath();
file = Path.GetFullPath(Path.Combine(transcodePath, file));
var fileDir = Path.GetDirectoryName(file);
if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath) || Path.GetExtension(file) != ".m3u8")
{
return BadRequest("Invalid segment.");
}
return GetFileResult(file, file); return GetFileResult(file, file);
} }
@ -130,7 +142,12 @@ namespace Jellyfin.Api.Controllers
var file = segmentId + Path.GetExtension(Request.Path); var file = segmentId + Path.GetExtension(Request.Path);
var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath(); var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath();
file = Path.Combine(transcodeFolderPath, file); file = Path.GetFullPath(Path.Combine(transcodeFolderPath, file));
var fileDir = Path.GetDirectoryName(file);
if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodeFolderPath))
{
return BadRequest("Invalid segment.");
}
var normalizedPlaylistId = playlistId; var normalizedPlaylistId = playlistId;

23
Jellyfin.Api/Controllers/ImageByNameController.cs
View File

@ -74,7 +74,7 @@ namespace Jellyfin.Api.Controllers
: type; : type;
var path = BaseItem.SupportedImageExtensions var path = BaseItem.SupportedImageExtensions
.Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i)) .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
.FirstOrDefault(System.IO.File.Exists); .FirstOrDefault(System.IO.File.Exists);
if (path == null) if (path == null)
@ -82,6 +82,11 @@ namespace Jellyfin.Api.Controllers
return NotFound(); return NotFound();
} }
if (!path.StartsWith(_applicationPaths.GeneralPath))
{
return BadRequest("Invalid image path.");
}
var contentType = MimeTypes.GetMimeType(path); var contentType = MimeTypes.GetMimeType(path);
return File(System.IO.File.OpenRead(path), contentType); return File(System.IO.File.OpenRead(path), contentType);
} }
@ -163,7 +168,8 @@ namespace Jellyfin.Api.Controllers
/// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns> /// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
private ActionResult GetImageFile(string basePath, string theme, string? name) private ActionResult GetImageFile(string basePath, string theme, string? name)
{ {
var themeFolder = Path.Combine(basePath, theme); var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));
if (Directory.Exists(themeFolder)) if (Directory.Exists(themeFolder))
{ {
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i)) var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
@ -171,12 +177,18 @@ namespace Jellyfin.Api.Controllers
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path)) if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
{ {
if (!path.StartsWith(basePath))
{
return BadRequest("Invalid image path.");
}
var contentType = MimeTypes.GetMimeType(path); var contentType = MimeTypes.GetMimeType(path);
return PhysicalFile(path, contentType); return PhysicalFile(path, contentType);
} }
} }
var allFolder = Path.Combine(basePath, "all"); var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));
if (Directory.Exists(allFolder)) if (Directory.Exists(allFolder))
{ {
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i)) var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
@ -184,6 +196,11 @@ namespace Jellyfin.Api.Controllers
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path)) if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
{ {
if (!path.StartsWith(basePath))
{
return BadRequest("Invalid image path.");
}
var contentType = MimeTypes.GetMimeType(path); var contentType = MimeTypes.GetMimeType(path);
return PhysicalFile(path, contentType); return PhysicalFile(path, contentType);
} }

22
MediaBrowser.Providers/Subtitles/SubtitleManager.cs
View File

@ -205,13 +205,31 @@ namespace MediaBrowser.Providers.Subtitles
if (saveInMediaFolder) if (saveInMediaFolder)
{ {
savePaths.Add(Path.Combine(video.ContainingFolderPath, saveFileName)); var mediaFolderPath = Path.GetFullPath(Path.Combine(video.ContainingFolderPath, saveFileName));
// TODO: Add some error handling to the API user: return BadRequest("Could not save subtitle, bad path.");
if (mediaFolderPath.StartsWith(video.ContainingFolderPath))
{
savePaths.Add(mediaFolderPath);
}
} }
savePaths.Add(Path.Combine(video.GetInternalMetadataPath(), saveFileName)); var internalPath = Path.GetFullPath(Path.Combine(video.GetInternalMetadataPath(), saveFileName));
// TODO: Add some error to the user: return BadRequest("Could not save subtitle, bad path.");
if (internalPath.StartsWith(video.GetInternalMetadataPath()))
{
savePaths.Add(internalPath);
}
if (savePaths.Count > 0)
{
await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false); await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
} }
else
{
_logger.LogError("An uploaded subtitle could not be saved because the resulting paths were invalid.");
}
}
} }
private async Task TrySaveToFiles(Stream stream, List<string> savePaths) private async Task TrySaveToFiles(Stream stream, List<string> savePaths)