Merge commit from fork

Fix GHSA-8fw7-f233-ffr8 with improved sanitization
2026-04-01 16:02:01 +01:00 · 2026-03-31 19:17:17 -04:00
parent 8bf0d372c6 3f656ade7a
commit 66ea1b50e6
3 changed files with 27 additions and 10 deletions
--- a/Jellyfin.Api/Controllers/LiveTvController.cs
+++ b/Jellyfin.Api/Controllers/LiveTvController.cs
@@ -458,7 +458,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <returns>A <see cref="NoContentResult"/>.</returns>
    [HttpPost("Tuners/{tunerId}/Reset")]
    [ProducesResponseType(StatusCodes.Status204NoContent)]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    public async Task<ActionResult> ResetTuner([FromRoute, Required] string tunerId)
    {
        await _liveTvManager.ResetTuner(tunerId, CancellationToken.None).ConfigureAwait(false);
@@ -983,7 +983,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="200">Created tuner host returned.</response>
    /// <returns>A <see cref="OkResult"/> containing the created tuner host.</returns>
    [HttpPost("TunerHosts")]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status200OK)]
    public async Task<ActionResult<TunerHostInfo>> AddTunerHost([FromBody] TunerHostInfo tunerHostInfo)
        => await _tunerHostManager.SaveTunerHost(tunerHostInfo).ConfigureAwait(false);
@@ -995,7 +995,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="204">Tuner host deleted.</response>
    /// <returns>A <see cref="NoContentResult"/>.</returns>
    [HttpDelete("TunerHosts")]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status204NoContent)]
    public ActionResult DeleteTunerHost([FromQuery] string? id)
    {
@@ -1028,7 +1028,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="200">Created listings provider returned.</response>
    /// <returns>A <see cref="OkResult"/> containing the created listings provider.</returns>
    [HttpPost("ListingProviders")]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [SuppressMessage("Microsoft.Performance", "CA5350:RemoveSha1", MessageId = "AddListingProvider", Justification = "Imported from ServiceStack")]
    public async Task<ActionResult<ListingsProviderInfo>> AddListingProvider(
@@ -1054,7 +1054,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="204">Listing provider deleted.</response>
    /// <returns>A <see cref="NoContentResult"/>.</returns>
    [HttpDelete("ListingProviders")]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status204NoContent)]
    public ActionResult DeleteListingProvider([FromQuery] string? id)
    {
@@ -1087,7 +1087,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="200">Available countries returned.</response>
    /// <returns>A <see cref="FileResult"/> containing the available countries.</returns>
    [HttpGet("ListingProviders/SchedulesDirect/Countries")]
-    [Authorize(Policy = Policies.LiveTvAccess)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [ProducesFile(MediaTypeNames.Application.Json)]
    public async Task<ActionResult> GetSchedulesDirectCountries()
@@ -1108,7 +1108,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="200">Channel mapping options returned.</response>
    /// <returns>An <see cref="OkResult"/> containing the channel mapping options.</returns>
    [HttpGet("ChannelMappingOptions")]
-    [Authorize(Policy = Policies.LiveTvAccess)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status200OK)]
    public Task<ChannelMappingOptionsDto> GetChannelMappingOptions([FromQuery] string? providerId)
        => _listingsManager.GetChannelMappingOptions(providerId);
@@ -1120,7 +1120,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <response code="200">Created channel mapping returned.</response>
    /// <returns>An <see cref="OkResult"/> containing the created channel mapping.</returns>
    [HttpPost("ChannelMappings")]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status200OK)]
    public Task<TunerChannelMapping> SetChannelMapping([FromBody, Required] SetChannelMappingDto dto)
        => _listingsManager.SetChannelMapping(dto.ProviderId, dto.TunerChannelId, dto.ProviderChannelId);
@@ -1144,7 +1144,7 @@ public class LiveTvController : BaseJellyfinApiController
    /// <returns>An <see cref="OkResult"/> containing the tuners.</returns>
    [HttpGet("Tuners/Discvover", Name = "DiscvoverTuners")]
    [HttpGet("Tuners/Discover")]
-    [Authorize(Policy = Policies.LiveTvManagement)]
+    [Authorize(Policy = Policies.RequiresElevation)]
    [ProducesResponseType(StatusCodes.Status200OK)]
    public IAsyncEnumerable<TunerHostInfo> DiscoverTuners([FromQuery] bool newDevicesOnly = false)
        => _tunerHostManager.DiscoverTuners(newDevicesOnly);
--- a/Jellyfin.Data/UserEntityExtensions.cs
+++ b/Jellyfin.Data/UserEntityExtensions.cs
@@ -185,7 +185,7 @@ public static class UserEntityExtensions
        entity.Permissions.Add(new Permission(PermissionKind.EnableSyncTranscoding, true));
        entity.Permissions.Add(new Permission(PermissionKind.EnableAudioPlaybackTranscoding, true));
        entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvAccess, true));
-        entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, true));
+        entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, false));
        entity.Permissions.Add(new Permission(PermissionKind.EnableSharedDeviceControl, true));
        entity.Permissions.Add(new Permission(PermissionKind.EnableVideoPlaybackTranscoding, true));
        entity.Permissions.Add(new Permission(PermissionKind.ForceRemoteSourceTranscoding, false));
--- a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
+++ b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
@@ -93,6 +93,13 @@ namespace Jellyfin.LiveTv.TunerHosts
                }
                else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
                {
+                    if (!IsValidChannelUrl(trimmedLine))
+                    {
+                        _logger.LogWarning("Skipping M3U channel entry with non-HTTP path: {Path}", trimmedLine);
+                        extInf = string.Empty;
+                        continue;
+                    }
+
                    var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
                    channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);

@@ -247,6 +254,16 @@ namespace Jellyfin.LiveTv.TunerHosts
            return numberString;
        }

+        private static bool IsValidChannelUrl(string url)
+        {
+            return Uri.TryCreate(url, UriKind.Absolute, out var uri)
+                && (string.Equals(uri.Scheme, "http", StringComparison.OrdinalIgnoreCase)
+                    || string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)
+                    || string.Equals(uri.Scheme, "rtsp", StringComparison.OrdinalIgnoreCase)
+                    || string.Equals(uri.Scheme, "rtp", StringComparison.OrdinalIgnoreCase)
+                    || string.Equals(uri.Scheme, "udp", StringComparison.OrdinalIgnoreCase));
+        }
+
        private static bool IsValidChannelNumber(string numberString)
        {
            if (string.IsNullOrWhiteSpace(numberString)