alteropen/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-06-04 06:48:35 +01:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser

Browse Source
This commit is contained in:
Luke Pulverenti
2014-07-02 00:57:18 -04:00
parent 3bef6ead9c
commit 389390b82e
39 changed files with 587 additions and 267 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
MediaBrowser.Controller/Entities/Folder.cs
View File

@@ -780,7 +780,7 @@ namespace MediaBrowser.Controller.Entities
var list = new List<BaseItem>();
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, false, null);
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, false);
return hasLinkedChildren ? list.DistinctBy(i => i.Id).ToList() : list;
}
@@ -797,9 +797,8 @@ namespace MediaBrowser.Controller.Entities
/// <param name="includeLinkedChildren">if set to <c>true</c> [include linked children].</param>
/// <param name="list">The list.</param>
/// <param name="recursive">if set to <c>true</c> [recursive].</param>
/// <param name="filter">The filter.</param>
/// <returns><c>true</c> if XXXX, <c>false</c> otherwise</returns>
private bool AddChildrenToList(User user, bool includeLinkedChildren, List<BaseItem> list, bool recursive, Func<BaseItem, bool> filter)
private bool AddChildrenToList(User user, bool includeLinkedChildren, List<BaseItem> list, bool recursive)
{
var hasLinkedChildren = false;
@@ -807,19 +806,16 @@ namespace MediaBrowser.Controller.Entities
{
if (child.IsVisible(user))
{
if (filter == null || filter(child))
if (!child.IsHiddenFromUser(user))
{
if (!child.IsHiddenFromUser(user))
{
list.Add(child);
}
list.Add(child);
}
if (recursive && child.IsFolder)
{
var folder = (Folder)child;
if (folder.AddChildrenToList(user, includeLinkedChildren, list, true, filter))
if (folder.AddChildrenToList(user, includeLinkedChildren, list, true))
{
hasLinkedChildren = true;
}
@@ -831,11 +827,6 @@ namespace MediaBrowser.Controller.Entities
{
foreach (var child in GetLinkedChildren())
{
if (filter != null && !filter(child))
{
continue;
}
if (child.IsVisible(user))
{
hasLinkedChildren = true;
@@ -864,7 +855,7 @@ namespace MediaBrowser.Controller.Entities
var list = new List<BaseItem>();
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, true, null);
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, true);
return hasLinkedChildren ? list.DistinctBy(i => i.Id).ToList() : list;
}

8
MediaBrowser.Controller/MediaBrowser.Controller.csproj
View File

@@ -195,10 +195,18 @@
<Compile Include="MediaEncoding\ISubtitleEncoder.cs" />
<Compile Include="MediaEncoding\MediaStreamSelector.cs" />
<Compile Include="MediaEncoding\VideoEncodingOptions.cs" />
<Compile Include="Net\AuthenticatedAttribute.cs" />
<Compile Include="Net\AuthorizationInfo.cs" />
<Compile Include="Net\IAuthorizationContext.cs" />
<Compile Include="Net\IAuthService.cs" />
<Compile Include="Net\IHasAuthorization.cs" />
<Compile Include="Net\IHasResultFactory.cs" />
<Compile Include="Net\IHasSession.cs" />
<Compile Include="Net\IHttpResultFactory.cs" />
<Compile Include="Net\IHttpServer.cs" />
<Compile Include="Net\IRestfulService.cs" />
<Compile Include="Net\ISessionContext.cs" />
<Compile Include="Net\LoggedAttribute.cs" />
<Compile Include="News\INewsService.cs" />
<Compile Include="Notifications\INotificationManager.cs" />
<Compile Include="Notifications\INotificationService.cs" />

41
MediaBrowser.Controller/Net/AuthenticatedAttribute.cs Normal file
View File

@@ -0,0 +1,41 @@
using ServiceStack.Web;
using System;
namespace MediaBrowser.Controller.Net
{
public class AuthenticatedAttribute : Attribute, IHasRequestFilter
{
public IAuthService AuthService { get; set; }
/// <summary>
/// The request filter is executed before the service.
/// </summary>
/// <param name="request">The http request wrapper</param>
/// <param name="response">The http response wrapper</param>
/// <param name="requestDto">The request DTO</param>
public void RequestFilter(IRequest request, IResponse response, object requestDto)
{
AuthService.Authenticate(request, response, requestDto);
}
/// <summary>
/// A new shallow copy of this filter is used on every request.
/// </summary>
/// <returns>IHasRequestFilter.</returns>
public IHasRequestFilter Copy()
{
return this;
}
/// <summary>
/// Order in which Request Filters are executed.
/// &lt;0 Executed before global request filters
/// &gt;0 Executed after global request filters
/// </summary>
/// <value>The priority.</value>
public int Priority
{
get { return 0; }
}
}
}

32
MediaBrowser.Controller/Net/AuthorizationInfo.cs Normal file
View File

@@ -0,0 +1,32 @@

namespace MediaBrowser.Controller.Net
{
public class AuthorizationInfo
{
/// <summary>
/// Gets or sets the user identifier.
/// </summary>
/// <value>The user identifier.</value>
public string UserId { get; set; }
/// <summary>
/// Gets or sets the device identifier.
/// </summary>
/// <value>The device identifier.</value>
public string DeviceId { get; set; }
/// <summary>
/// Gets or sets the device.
/// </summary>
/// <value>The device.</value>
public string Device { get; set; }
/// <summary>
/// Gets or sets the client.
/// </summary>
/// <value>The client.</value>
public string Client { get; set; }
/// <summary>
/// Gets or sets the version.
/// </summary>
/// <value>The version.</value>
public string Version { get; set; }
}
}

9
MediaBrowser.Controller/Net/IAuthService.cs Normal file
View File

@@ -0,0 +1,9 @@
using ServiceStack.Web;
namespace MediaBrowser.Controller.Net
{
public interface IAuthService
{
void Authenticate(IRequest request, IResponse response, object requestDto);
}
}

14
MediaBrowser.Controller/Net/IAuthorizationContext.cs Normal file
View File

@@ -0,0 +1,14 @@
using ServiceStack.Web;
namespace MediaBrowser.Controller.Net
{
public interface IAuthorizationContext
{
/// <summary>
/// Gets the authorization information.
/// </summary>
/// <param name="requestContext">The request context.</param>
/// <returns>AuthorizationInfo.</returns>
AuthorizationInfo GetAuthorizationInfo(IRequest requestContext);
}
}

12
MediaBrowser.Controller/Net/IHasAuthorization.cs Normal file
View File

@@ -0,0 +1,12 @@

namespace MediaBrowser.Controller.Net
{
public interface IHasAuthorization
{
/// <summary>
/// Gets or sets the authorization context.
/// </summary>
/// <value>The authorization context.</value>
IAuthorizationContext AuthorizationContext { get; set; }
}
}

3
MediaBrowser.Controller/Net/IHasResultFactory.cs
View File

@@ -1,5 +1,4 @@
using MediaBrowser.Common.Net;
using ServiceStack.Web;
using ServiceStack.Web;
namespace MediaBrowser.Controller.Net
{

12
MediaBrowser.Controller/Net/IHasSession.cs Normal file
View File

@@ -0,0 +1,12 @@

namespace MediaBrowser.Controller.Net
{
public interface IHasSession
{
/// <summary>
/// Gets or sets the session context.
/// </summary>
/// <value>The session context.</value>
ISessionContext SessionContext { get; set; }
}
}

1
MediaBrowser.Controller/Net/IRestfulService.cs
View File

@@ -5,6 +5,7 @@ namespace MediaBrowser.Controller.Net
/// <summary>
/// Interface IRestfulService
/// </summary>
[Logged]
public interface IRestfulService : IService
{
}

13
MediaBrowser.Controller/Net/ISessionContext.cs Normal file
View File

@@ -0,0 +1,13 @@
using MediaBrowser.Controller.Entities;
using MediaBrowser.Controller.Session;
using ServiceStack.Web;
namespace MediaBrowser.Controller.Net
{
public interface ISessionContext
{
SessionInfo GetSession(IRequest requestContext);
User GetUser(IRequest requestContext);
}
}

73
MediaBrowser.Controller/Net/LoggedAttribute.cs Normal file
View File

@@ -0,0 +1,73 @@
using MediaBrowser.Controller.Entities;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Session;
using MediaBrowser.Model.Logging;
using ServiceStack.Web;
using System;
namespace MediaBrowser.Controller.Net
{
public class LoggedAttribute : Attribute, IHasRequestFilter
{
public ILogger Logger { get; set; }
public IUserManager UserManager { get; set; }
public ISessionManager SessionManager { get; set; }
public IAuthorizationContext AuthorizationContext { get; set; }
/// <summary>
/// The request filter is executed before the service.
/// </summary>
/// <param name="request">The http request wrapper</param>
/// <param name="response">The http response wrapper</param>
/// <param name="requestDto">The request DTO</param>
public void RequestFilter(IRequest request, IResponse response, object requestDto)
{
//This code is executed before the service
var auth = AuthorizationContext.GetAuthorizationInfo(request);
if (auth != null)
{
User user = null;
if (!string.IsNullOrWhiteSpace(auth.UserId))
{
var userId = auth.UserId;
user = UserManager.GetUserById(new Guid(userId));
}
string deviceId = auth.DeviceId;
string device = auth.Device;
string client = auth.Client;
string version = auth.Version;
if (!string.IsNullOrEmpty(client) && !string.IsNullOrEmpty(deviceId) && !string.IsNullOrEmpty(device) && !string.IsNullOrEmpty(version))
{
var remoteEndPoint = request.RemoteIp;
SessionManager.LogSessionActivity(client, version, deviceId, device, remoteEndPoint, user);
}
}
}
/// <summary>
/// A new shallow copy of this filter is used on every request.
/// </summary>
/// <returns>IHasRequestFilter.</returns>
public IHasRequestFilter Copy()
{
return this;
}
/// <summary>
/// Order in which Request Filters are executed.
/// &lt;0 Executed before global request filters
/// &gt;0 Executed after global request filters
/// </summary>
/// <value>The priority.</value>
public int Priority
{
get { return 0; }
}
}
}