Merge pull request from GHSA-wg4c-c9g9-rxhx
Fix issues 1 through 5 from GHSL-2021-050

(cherry picked from commit fe8cf29)
Signed-off-by: Joshua M. Boniface <joshua@boniface.me>
joshuaboniface committed Mar 21, 2021
1 parent 75f39f0 commit 0183ef8
Showing 3 changed files with 61 additions and 9 deletions.
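--- a/Jellyfin.Api/Controllers/HlsSegmentController.cs
+++ b/Jellyfin.Api/Controllers/HlsSegmentController.cs
@@ -63,7 +63,13 @@ public ActionResult GetHlsAudioSegmentLegacy([FromRoute, Required] string itemId
 {
 // TODO: Deprecate with new iOS app
 var file = segmentId + Path.GetExtension(Request.Path);
-file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+var transcodePath = _serverConfigurationManager.GetTranscodePath();
+file = Path.GetFullPath(Path.Combine(transcodePath, file));
+var fileDir = Path.GetDirectoryName(file);
+if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
+{
+return BadRequest("Invalid segment.");
+}
 
 return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
 }
@@ -83,7 +89,13 @@ public ActionResult GetHlsAudioSegmentLegacy([FromRoute, Required] string itemId
 public ActionResult GetHlsPlaylistLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string playlistId)
 {
 var file = playlistId + Path.GetExtension(Request.Path);
-file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+var transcodePath = _serverConfigurationManager.GetTranscodePath();
+file = Path.GetFullPath(Path.Combine(transcodePath, file));
+var fileDir = Path.GetDirectoryName(file);
+if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath) || Path.GetExtension(file) != ".m3u8")
+{
+return BadRequest("Invalid segment.");
+}
 
 return GetFileResult(file, file);
 }
@@ -132,7 +144,12 @@ public ActionResult GetHlsVideoSegmentLegacy(
 var file = segmentId + Path.GetExtension(Request.Path);
 var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath();
 
-file = Path.Combine(transcodeFolderPath, file);
+file = Path.GetFullPath(Path.Combine(transcodeFolderPath, file));
+var fileDir = Path.GetDirectoryName(file);
+if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodeFolderPath))
+{
+return BadRequest("Invalid segment.");
+}
 
 var normalizedPlaylistId = playlistId;
 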
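Review bot: The directory guard added in all three hunks, `fileDir.StartsWith(transcodePath)`, compares a raw string prefix with no trailing separator and no `StringComparison`, so a sibling directory whose name merely extends the transcode path (e.g. `transcodes-old` beside `transcodes`) still passes, and the comparison is culture-sensitive (CA1310). Anchor the prefix on a separator and compare ordinally, e.g. `var root = Path.GetFullPath(transcodePath).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;` followed by `if (!file.StartsWith(root, StringComparison.Ordinal))`; running the base through `Path.GetFullPath` also covers a configured transcode path that is relative or itself contains `..`. Unlike `GetHlsPlaylistLegacy`, the two segment endpoints add no extension check, so any file placed directly under the transcode directory remains readable through them — worth confirming that is intended. `GetHlsVideoSegmentLegacy` continues past the last hunk.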
23 changes: 20 additions & 3 deletions Jellyfin.Api/Controllers/ImageByNameController.cs
Expand Up @@ -74,14 +74,19 @@ public ActionResult GetGeneralImage([FromRoute, Required] string name, [FromRout
: type;

var path = BaseItem.SupportedImageExtensions
.Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))
.Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
.FirstOrDefault(System.IO.File.Exists);

if (path == null)
{
return NotFound();
}

if (!path.StartsWith(_applicationPaths.GeneralPath))
{
return BadRequest("Invalid image path.");
}

var contentType = MimeTypes.GetMimeType(path);
return File(System.IO.File.OpenRead(path), contentType);
}
Expand Down Expand Up @@ -163,27 +168,39 @@ public ActionResult GetMediaInfoImage(
/// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
private ActionResult GetImageFile(string basePath, string theme, string? name)
{
var themeFolder = Path.Combine(basePath, theme);
var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));

if (Directory.Exists(themeFolder))
{
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
.FirstOrDefault(System.IO.File.Exists);

if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
{
if (!path.StartsWith(basePath))
{
return BadRequest("Invalid image path.");
}

var contentType = MimeTypes.GetMimeType(path);

return PhysicalFile(path, contentType);
}
}

var allFolder = Path.Combine(basePath, "all");
var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));
if (Directory.Exists(allFolder))
{
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
.FirstOrDefault(System.IO.File.Exists);

if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
{
if (!path.StartsWith(basePath))
{
return BadRequest("Invalid image path.");
}

var contentType = MimeTypes.GetMimeType(path);
return PhysicalFile(path, contentType);
}
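Review bot: In `GetImageFile` the candidate file is still built with a plain `Path.Combine(themeFolder, name + i)` (and the same for `allFolder`), so a `name` containing `..` segments yields an un-normalized string that begins with `basePath` and passes the new `path.StartsWith(basePath)` check while `File.Exists` and `PhysicalFile` resolve it outside the directory; wrap the candidate as `Path.GetFullPath(Path.Combine(themeFolder, name + i))` before the `StartsWith` test, and likewise for `allFolder`. All three `StartsWith` checks in this file also lack a separator anchor and a `StringComparison.Ordinal` argument, so a sibling directory whose name extends the base path is accepted. Only `GetGeneralImage` normalizes the full candidate path in this commit; whether every caller of `GetImageFile` passes a route-derived `name` is not visible here, and the hunk header only shows it sits after `GetMediaInfoImage`, whose body starts before the hunk.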
24 changes: 21 additions & 3 deletions MediaBrowser.Providers/Subtitles/SubtitleManager.cs
Expand Up @@ -205,12 +205,30 @@ private async Task TrySaveSubtitle(

if (saveInMediaFolder)
{
savePaths.Add(Path.Combine(video.ContainingFolderPath, saveFileName));
var mediaFolderPath = Path.GetFullPath(Path.Combine(video.ContainingFolderPath, saveFileName));
// TODO: Add some error handling to the API user: return BadRequest("Could not save subtitle, bad path.");
if (mediaFolderPath.StartsWith(video.ContainingFolderPath))
{
savePaths.Add(mediaFolderPath);
}
}

savePaths.Add(Path.Combine(video.GetInternalMetadataPath(), saveFileName));
var internalPath = Path.GetFullPath(Path.Combine(video.GetInternalMetadataPath(), saveFileName));

// TODO: Add some error to the user: return BadRequest("Could not save subtitle, bad path.");
if (internalPath.StartsWith(video.GetInternalMetadataPath()))
{
savePaths.Add(internalPath);
}

await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
if (savePaths.Count > 0)
{
await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
}
else
{
_logger.LogError("An uploaded subtitle could not be saved because the resulting paths were invalid.");
}
}
}

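Review bot: Both new guards, `mediaFolderPath.StartsWith(video.ContainingFolderPath)` and `internalPath.StartsWith(video.GetInternalMetadataPath())`, compare raw prefixes, so a normalized path that lands in a sibling directory sharing the base's name prefix is accepted; anchor on a separator and compare ordinally, e.g. `var metadataRoot = Path.GetFullPath(video.GetInternalMetadataPath()).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;` then `if (internalPath.StartsWith(metadataRoot, StringComparison.Ordinal))`, which also avoids calling `GetInternalMetadataPath()` twice. When only one of the two candidate paths is rejected the method silently saves to the other and nothing is logged, so beyond the TODOs a rejected media-folder path should at least be logged with the offending value. `TrySaveSubtitle` begins before the hunk, so where `saveFileName` comes from and whether it is already sanitized cannot be seen here.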
