alteropen/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-04-01 16:02:01 +01:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Fix GHSA-8fw7-f233-ffr8 with improved sanitization

Browse Source 
Co-Authored-By: Shadowghost <Ghost_of_Stone@web.de>
This commit is contained in:
Joshua M. Boniface
2026-03-29 17:30:09 -04:00
parent 0f1732e5f5
commit fddd4e7e6b
2 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Jellyfin.Data/UserEntityExtensions.cs
View File

@@ -185,7 +185,7 @@ public static class UserEntityExtensions
entity.Permissions.Add(new Permission(PermissionKind.EnableSyncTranscoding, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableAudioPlaybackTranscoding, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvAccess, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, false));
entity.Permissions.Add(new Permission(PermissionKind.EnableSharedDeviceControl, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableVideoPlaybackTranscoding, true));
entity.Permissions.Add(new Permission(PermissionKind.ForceRemoteSourceTranscoding, false));

17
src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
View File

@@ -93,6 +93,13 @@ namespace Jellyfin.LiveTv.TunerHosts
}
else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
{
if (!IsValidChannelUrl(trimmedLine))
{
_logger.LogWarning("Skipping M3U channel entry with non-HTTP path: {Path}", trimmedLine);
extInf = string.Empty;
continue;
}
var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);
@@ -247,6 +254,16 @@ namespace Jellyfin.LiveTv.TunerHosts
return numberString;
}
private static bool IsValidChannelUrl(string url)
{
return Uri.TryCreate(url, UriKind.Absolute, out var uri)
&& (string.Equals(uri.Scheme, "http", StringComparison.OrdinalIgnoreCase)
|| string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)
|| string.Equals(uri.Scheme, "rtsp", StringComparison.OrdinalIgnoreCase)
|| string.Equals(uri.Scheme, "rtp", StringComparison.OrdinalIgnoreCase)
|| string.Equals(uri.Scheme, "udp", StringComparison.OrdinalIgnoreCase));
}
private static bool IsValidChannelNumber(string numberString)
{
if (string.IsNullOrWhiteSpace(numberString)