fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser

Luke Pulverenti
2014-07-02 00:57:18 -04:00
parent 3bef6ead9c
commit 389390b82e
39 changed files with 587 additions and 267 deletions


@@ -780,7 +780,7 @@ namespace MediaBrowser.Controller.Entities
var list = new List<BaseItem>();
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, false, null);
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, false);
return hasLinkedChildren ? list.DistinctBy(i => i.Id).ToList() : list;
}
@@ -797,9 +797,8 @@ namespace MediaBrowser.Controller.Entities
/// <param name="includeLinkedChildren">if set to <c>true</c> [include linked children].</param>
/// <param name="list">The list.</param>
/// <param name="recursive">if set to <c>true</c> [recursive].</param>
/// <param name="filter">The filter.</param>
/// <returns><c>true</c> if XXXX, <c>false</c> otherwise</returns>
private bool AddChildrenToList(User user, bool includeLinkedChildren, List<BaseItem> list, bool recursive, Func<BaseItem, bool> filter)
private bool AddChildrenToList(User user, bool includeLinkedChildren, List<BaseItem> list, bool recursive)
{
var hasLinkedChildren = false;
@@ -807,19 +806,16 @@ namespace MediaBrowser.Controller.Entities
{
if (child.IsVisible(user))
{
if (filter == null || filter(child))
if (!child.IsHiddenFromUser(user))
{
if (!child.IsHiddenFromUser(user))
{
list.Add(child);
}
list.Add(child);
}
if (recursive && child.IsFolder)
{
var folder = (Folder)child;
if (folder.AddChildrenToList(user, includeLinkedChildren, list, true, filter))
if (folder.AddChildrenToList(user, includeLinkedChildren, list, true))
{
hasLinkedChildren = true;
}
@@ -831,11 +827,6 @@ namespace MediaBrowser.Controller.Entities
{
foreach (var child in GetLinkedChildren())
{
if (filter != null && !filter(child))
{
continue;
}
if (child.IsVisible(user))
{
hasLinkedChildren = true;
@@ -864,7 +855,7 @@ namespace MediaBrowser.Controller.Entities
var list = new List<BaseItem>();
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, true, null);
var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, true);
return hasLinkedChildren ? list.DistinctBy(i => i.Id).ToList() : list;
}
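Review bot: In the `@@ -807,19 +806,16 @@` hunk the `IsHiddenFromUser` check guards only `list.Add(child)`, while the recursive call `folder.AddChildrenToList(user, includeLinkedChildren, list, true)` sits outside it, so descendants of a folder hidden from this user are still collected whenever they pass their own checks. If a hidden folder is meant to hide its whole subtree, the recursion should be gated too, e.g. `if (recursive && child.IsFolder && !child.IsHiddenFromUser(user))`; if flattening is intended, a short comment saying so would help, because this is an access-control decision. The `<returns>` doc still reads `if XXXX`; judging by the visible lines it could say `<c>true</c> if a linked child visible to the user was encountered, <c>false</c> otherwise`. The body of `AddChildrenToList` continues outside the visible hunks, so the linked-children branch could not be checked in full.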