authorJoshua M. Boniface <joshua@boniface.me>2026-03-29 17:30:09 -0400
committerBond_009 <bond.009@outlook.com>2026-04-06 11:37:45 +0200
commit3c9b71e1241237107c260bb84b9221f532ef8105 (patch)
treed17ea6aba0da512dfb99ca9fb8b8e9d7ce07d098
parent8cecf53057b112a5b169d04e3994d1fb233e22f3 (diff)
Fix GHSA-8fw7-f233-ffr8 with improved sanitization
Co-Authored-By: Shadowghost <Ghost_of_Stone@web.de>
-rw-r--r--Jellyfin.Data/UserEntityExtensions.cs2
-rw-r--r--src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs17
2 files changed, 18 insertions, 1 deletions
diff --git a/Jellyfin.Data/UserEntityExtensions.cs b/Jellyfin.Data/UserEntityExtensions.cs
index 149fc9042d..0fc8d3cd25 100644
--- a/Jellyfin.Data/UserEntityExtensions.cs
+++ b/Jellyfin.Data/UserEntityExtensions.cs
@@ -185,7 +185,7 @@ public static class UserEntityExtensions
entity.Permissions.Add(new Permission(PermissionKind.EnableSyncTranscoding, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableAudioPlaybackTranscoding, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvAccess, true));
- entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, true));
+ entity.Permissions.Add(new Permission(PermissionKind.EnableLiveTvManagement, false));
entity.Permissions.Add(new Permission(PermissionKind.EnableSharedDeviceControl, true));
entity.Permissions.Add(new Permission(PermissionKind.EnableVideoPlaybackTranscoding, true));
entity.Permissions.Add(new Permission(PermissionKind.ForceRemoteSourceTranscoding, false));
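Review bot: Flipping the `EnableLiveTvManagement` default to `false` appears to affect only accounts created after this change; users who already hold the permission keep it, and no migration is visible in this commit. If the fix relies on non-administrators being unable to manage tuner hosts, existing installs need a migration or a release note telling operators to audit that permission. A comment on the changed line would also keep the default from being reverted later, for example `// Off by default: tuner and playlist configuration is an administrative action (GHSA-8fw7-f233-ffr8).` The enclosing method starts and ends outside the hunk.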
diff --git a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
index 2270758454..5da7762f6f 100644
--- a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
+++ b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
@@ -93,6 +93,13 @@ namespace Jellyfin.LiveTv.TunerHosts
}
else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
{
+ if (!IsValidChannelUrl(trimmedLine))
+ {
+ _logger.LogWarning("Skipping M3U channel entry with non-HTTP path: {Path}", trimmedLine);
+ extInf = string.Empty;
+ continue;
+ }
+
var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);
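Review bot: The warning text says "non-HTTP path", but `IsValidChannelUrl` also accepts `rtsp`, `rtp` and `udp`, so the message misdescribes what was rejected; wording such as `"Skipping M3U channel entry with unsupported scheme or non-URL location: {Path}"` matches the check. The rejected value comes straight from the playlist and is logged in full, once per bad entry, so a broken or hostile playlist can flood the log; consider truncating the value or logging a single per-playlist count instead. The loop this branch sits in starts and ends outside the hunk.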
@@ -247,6 +254,16 @@ namespace Jellyfin.LiveTv.TunerHosts
return numberString;
}
+ private static bool IsValidChannelUrl(string url)
+ {
+ return Uri.TryCreate(url, UriKind.Absolute, out var uri)
+ && (string.Equals(uri.Scheme, "http", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "rtsp", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "rtp", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "udp", StringComparison.OrdinalIgnoreCase));
+ }
+
private static bool IsValidChannelNumber(string numberString)
{
if (string.IsNullOrWhiteSpace(numberString)
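Review bot: `IsValidChannelUrl` is the allow-list that decides which playlist entries become channels, yet it has no doc comment stating that intent or why local paths are excluded. I'd add a `/// <summary>` saying it accepts only absolute URIs with a network streaming scheme (http, https, rtsp, rtp, udp) and rejects everything else; it should also record that on Unix `Uri.TryCreate` parses a rooted path as an absolute `file` URI, so the scheme comparison, not `UriKind.Absolute`, is what rejects local paths. The check does not constrain the host, so http(s) entries that point at loopback or internal addresses still pass; if that is intended, the comment should say so. A unit test over accepted and rejected inputs (rooted path, `file:` URI, relative path, each allowed scheme in mixed case) would pin the behaviour.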