mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-01 03:42:51 +01:00
Fix GHSA-8fw7-f233-ffr8 with improved sanitization
Co-Authored-By: Shadowghost <Ghost_of_Stone@web.de>
@@ -185,7 +185,7 @@ public static class UserEntityExtensions
|
|||||||
entity.Permissions.Add(new Permission(PermissionKind.EnableSyncTranscoding, true));
|
entity.Permissions.Add(new Permission(PermissionKind.EnableSyncTranscoding, true));
|
||||||
entity.Permissions.Add(new Permission(PermissionKind.EnableAudioPlaybackTranscoding, true));
|
entity.Permissions.Add(new Permission(PermissionKind.EnableAudioPlaybackTranscoding, true));
|
||||||
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvAccess, true));
|
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvAccess, true));
|
||||||
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, true));
|
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, false));
|
||||||
entity.Permissions.Add(new Permission(PermissionKind.EnableSharedDeviceControl, true));
|
entity.Permissions.Add(new Permission(PermissionKind.EnableSharedDeviceControl, true));
|
||||||
entity.Permissions.Add(new Permission(PermissionKind.EnableVideoPlaybackTranscoding, true));
|
entity.Permissions.Add(new Permission(PermissionKind.EnableVideoPlaybackTranscoding, true));
|
||||||
entity.Permissions.Add(new Permission(PermissionKind.ForceRemoteSourceTranscoding, false));
|
entity.Permissions.Add(new Permission(PermissionKind.ForceRemoteSourceTranscoding, false));
|
||||||
|
|||||||
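Review bot: The flipped default for `PermissionKind.EnableLiveTvManagement` (now `false`) has no comment explaining why this one permission differs from the other Live TV and transcoding defaults around it. I would add one on that line, for example `// Live TV management is opt-in; grant it explicitly to trusted users only.` The enclosing method starts and ends outside the hunk, so it is not visible when these defaults are applied. If they are applied only when a user entity is first populated (presumably, to be confirmed), accounts created earlier keep the old `true` value, and the advisory fix would also need a migration or a release-note step telling administrators to review that permission.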
@@ -93,6 +93,13 @@ namespace Jellyfin.LiveTv.TunerHosts
|
|||||||
}
|
}
|
||||||
else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
|
else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
|
||||||
{
|
{
|
||||||
|
if (!IsValidChannelUrl(trimmedLine))
|
||||||
|
{
|
||||||
|
_logger.LogWarning("Skipping M3U channel entry with non-HTTP path: {Path}", trimmedLine);
|
||||||
|
extInf = string.Empty;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
|
var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
|
||||||
channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);
|
channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);
|
||||||
|
|
||||||
@@ -247,6 +254,16 @@ namespace Jellyfin.LiveTv.TunerHosts
|
|||||||
return numberString;
|
return numberString;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static bool IsValidChannelUrl(string url)
|
||||||
|
{
|
||||||
|
return Uri.TryCreate(url, UriKind.Absolute, out var uri)
|
||||||
|
&& (string.Equals(uri.Scheme, "http", StringComparison.OrdinalIgnoreCase)
|
||||||
|
|| string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)
|
||||||
|
|| string.Equals(uri.Scheme, "rtsp", StringComparison.OrdinalIgnoreCase)
|
||||||
|
|| string.Equals(uri.Scheme, "rtp", StringComparison.OrdinalIgnoreCase)
|
||||||
|
|| string.Equals(uri.Scheme, "udp", StringComparison.OrdinalIgnoreCase));
|
||||||
|
}
|
||||||
|
|
||||||
private static bool IsValidChannelNumber(string numberString)
|
private static bool IsValidChannelNumber(string numberString)
|
||||||
{
|
{
|
||||||
if (string.IsNullOrWhiteSpace(numberString)
|
if (string.IsNullOrWhiteSpace(numberString)
|
||||||
|
|||||||
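Review bot: The warning in the new `if (!IsValidChannelUrl(trimmedLine))` branch says "non-HTTP path", but `IsValidChannelUrl` also accepts `rtsp`, `rtp` and `udp`, so the message misdescribes what was rejected. `_logger.LogWarning("Skipping M3U channel entry with unsupported URL scheme: {Path}", trimmedLine);` would match the check. The helper also lacks a doc comment; a `/// <summary>` stating that only absolute URLs with an allow-listed scheme are accepted, and that local file paths and all other schemes are rejected, would make any later widening of the list a deliberate decision. The check is scheme-only, so an `http` or `https` entry that points at a loopback or internal address still passes; whether that matters depends on who may supply playlists, which is not visible here. The enclosing parse loop starts and ends outside the hunk.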