CERBERUS/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-05-13 08:37:07 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

Fix GHSA-j2hf-x4q5-47j3 with improved sanitization

Browse source 
Co-Authored-By: Shadowghost <Ghost_of_Stone@web.de>
This commit is contained in:
Joshua M. Boniface 2026-03-29 17:22:14 -04:00 committed by Bond_009
parent c008f28d31
commit 8cecf53057
3 changed files with 46 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

15
MediaBrowser.Controller/Entities/BaseItem.cs
View file

@ -1171,11 +1171,18 @@ namespace MediaBrowser.Controller.Entities
info.Video3DFormat = video.Video3DFormat;
info.Timestamp = video.Timestamp;
if (video.IsShortcut)
if (video.IsShortcut && !string.IsNullOrEmpty(video.ShortcutPath))
{
info.IsRemote = true;
info.Path = video.ShortcutPath;
info.Protocol = MediaSourceManager.GetPathProtocol(info.Path);
var shortcutProtocol = MediaSourceManager.GetPathProtocol(video.ShortcutPath);
// Only allow remote shortcut paths — local file paths in .strm files
// could be used to read arbitrary files from the server.
if (shortcutProtocol != MediaProtocol.File)
{
info.IsRemote = true;
info.Path = video.ShortcutPath;
info.Protocol = shortcutProtocol;
}
}
if (string.IsNullOrEmpty(info.Container))