From fddd4e7e6b4de03060d190ac7f332bf34d949ce0 Mon Sep 17 00:00:00 2001
From: "Joshua M. Boniface"
Date: Sun, 29 Mar 2026 17:30:09 -0400
Subject: [PATCH] Fix GHSA-8fw7-f233-ffr8 with improved sanitization

Co-Authored-By: Shadowghost
---
 Jellyfin.Data/UserEntityExtensions.cs | 2 +-
 src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/Jellyfin.Data/UserEntityExtensions.cs b/Jellyfin.Data/UserEntityExtensions.cs
index 149fc9042d..0fc8d3cd25 100644
--- a/Jellyfin.Data/UserEntityExtensions.cs
+++ b/Jellyfin.Data/UserEntityExtensions.cs
@@ -185,7 +185,7 @@ public static class UserEntityExtensions
 entity.Permissions.Add(new Permission(PermissionKind.EnableSyncTranscoding, true));
 entity.Permissions.Add(new Permission(PermissionKind.EnableAudioPlaybackTranscoding, true));
 entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvAccess, true));
- entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, true));
+ entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, false));
 entity.Permissions.Add(new Permission(PermissionKind.EnableSharedDeviceControl, true));
 entity.Permissions.Add(new Permission(PermissionKind.EnableVideoPlaybackTranscoding, true));
 entity.Permissions.Add(new Permission(PermissionKind.ForceRemoteSourceTranscoding, false));
diff --git a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
index 2270758454..5da7762f6f 100644
--- a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
+++ b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
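Review bot: In Jellyfin.Data/UserEntityExtensions.cs the new `false` default for `PermissionKind.EnableLiveTvManagement` carries no comment, and it only changes what this code adds; accounts whose stored permission is already `true` would presumably keep it, since the patch shows no migration or upgrade step. A comment on the changed line would record the intent, e.g. `// Live TV management is not granted by default (GHSA-8fw7-f233-ffr8).` Whether existing non-administrator accounts should be reviewed or reset belongs in the release notes or a follow-up change. The enclosing method starts and ends outside the hunk, so when this code runs is inferred from the lines shown.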
@@ -93,6 +93,13 @@ namespace Jellyfin.LiveTv.TunerHosts
 }
 else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
 {
+ if (!IsValidChannelUrl(trimmedLine))
+ {
+ _logger.LogWarning("Skipping M3U channel entry with non-HTTP path: {Path}", trimmedLine);
+ extInf = string.Empty;
+ continue;
+ }
+
 var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
 channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);
 
@@ -247,6 +254,16 @@ namespace Jellyfin.LiveTv.TunerHosts
 return numberString;
 }
 
+ private static bool IsValidChannelUrl(string url)
+ {
+ return Uri.TryCreate(url, UriKind.Absolute, out var uri)
+ && (string.Equals(uri.Scheme, "http", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "rtsp", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "rtp", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "udp", StringComparison.OrdinalIgnoreCase));
+ }
+
 private static bool IsValidChannelNumber(string numberString)
 {
 if (string.IsNullOrWhiteSpace(numberString)
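Review bot: In the channel-entry branch of M3uParser.cs (hunk at -93), the warning text says "non-HTTP path" although the accepted set also includes rtsp, rtp and udp, so the log line misstates why an entry was dropped. Wording that matches the check would be `_logger.LogWarning("Skipping M3U channel entry with unsupported scheme or local path: {Path}", trimmedLine);`. The rejected value comes straight from the playlist and is logged once per entry at Warning level, so a playlist full of rejected entries can flood the log; a per-playlist count or a truncated value would bound that. The enclosing loop starts and ends outside the hunk.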
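Review bot: `IsValidChannelUrl` (hunk at -247) has no documentation, and the reason for this particular allowlist is not stated anywhere in the hunk. An XML summary would make the security intent reviewable, e.g. `/// <summary>Accepts only absolute http, https, rtsp, rtp or udp URLs; entries naming local paths are skipped.</summary>`. The check constrains the scheme only, so an entry whose host is loopback or another internal address still passes; if that is intended because tuners commonly sit on the local network, the comment should say so. The diffstat lists two files and no test, so a regression test covering a local path, a `file://` URL and one accepted scheme would be worth adding.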