| author | Shadowghost <Ghost_of_Stone@web.de> | 2026-05-04 21:33:10 +0200 |
|---|---|---|
| committer | Shadowghost <Ghost_of_Stone@web.de> | 2026-05-04 21:33:10 +0200 |
| commit | 6be96100c72a77b5c1db5921ec731ee002b7c48d (patch) | |
| tree | 6e0919eb687feb7baedcafe84b24cebc6ea6ca19 | |
| parent | 57c0fcd674c659c658369f0aebfd5d9d6787a9d4 (diff) | |
Fix review and CodeQL comments
| -rw-r--r-- | src/Jellyfin.LiveTv/Listings/ListingsManager.cs | 11 | ||||
| -rw-r--r-- | src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs | 11 |
2 files changed, 15 insertions, 7 deletions
diff --git a/src/Jellyfin.LiveTv/Listings/ListingsManager.cs b/src/Jellyfin.LiveTv/Listings/ListingsManager.cs
index c18ebe0ab0..58683deb30 100644
--- a/src/Jellyfin.LiveTv/Listings/ListingsManager.cs
+++ b/src/Jellyfin.LiveTv/Listings/ListingsManager.cs
@@ -337,11 +337,18 @@ public class ListingsManager : IListingsManager
 // Clear in-memory EPG channel cache for this provider
 _epgChannels.TryRemove(providerId, out _);
+ // Provider IDs are generated as Guid.NewGuid().ToString("N")
+ // reject anything else so we never use untrusted input in a path or log entry.
+ if (!Guid.TryParseExact(providerId, "N", out var providerGuid))
+ {
+ return;
+ }
+
 // Delete the cached XMLTV file so a fresh copy is downloaded
 var cachePath = _config.CommonApplicationPaths?.CachePath;
 if (!string.IsNullOrEmpty(cachePath))
 {
- var safeId = Path.GetFileName(providerId);
+ var safeId = providerGuid.ToString("N", CultureInfo.InvariantCulture);
 var xmltvCacheFile = Path.Combine(cachePath, "xmltv", safeId + ".xml");
 try
 {
@@ -349,7 +356,7 @@ public class ListingsManager : IListingsManager
 }
 catch (IOException ex)
 {
- _logger.LogWarning(ex, "Error deleting XMLTV cache file for provider {ProviderId}", providerId);
+ _logger.LogWarning(ex, "Error deleting XMLTV cache file for provider {ProviderId}", safeId);
 }
 }
 }
diff --git a/src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs b/src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs
index 7b2ebfe85e..cfd763b6fd 100644
--- a/src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs
+++ b/src/Jellyfin.LiveTv/TunerHosts/TunerHostManager.cs
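Review bot: The early `return` after the failed `Guid.TryParseExact(providerId, "N", out var providerGuid)` in the first ListingsManager.cs hunk leaves no trace, so a malformed or legacy provider id silently keeps its XMLTV cache file; the `if (Guid.TryParseExact(id, "N", out var tunerGuid))` guard in the TunerHostManager.cs hunk skips cleanup in the same silent way. A constant-text entry such as `_logger.LogDebug("Skipping XMLTV cache cleanup: provider id is not an N-format GUID");` would make rejected ids visible to an operator without echoing the untrusted value. Separately, `TryParseExact` accepts upper-case hex digits while `ToString("N")` always emits lower case, so if the code that writes the cache file (not visible here) names it from the raw id, an upper-case id from a hand-edited config would miss the file on a case-sensitive filesystem. The enclosing method starts outside the hunk, and the validation sits after `_epgChannels.TryRemove(providerId, out _)`, which still receives the unvalidated value.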
@@ -107,11 +107,12 @@ public class TunerHostManager : ITunerHostManager
 config.TunerHosts = config.TunerHosts.Where(i => !string.Equals(id, i.Id, StringComparison.OrdinalIgnoreCase)).ToArray();
 _config.SaveConfiguration("livetv", config);
- // Clean up the disk cache file for this tuner
- if (!string.IsNullOrEmpty(id))
+ // Clean up the disk cache file for this tuner.
+ // Tuner IDs are generated as Guid.NewGuid().ToString("N")
+ // reject anything else so we never use untrusted input in a path or log entry
+ if (Guid.TryParseExact(id, "N", out var tunerGuid))
 {
- // Sanitize to prevent path traversal — tuner IDs are GUIDs but come from config.
- var safeId = Path.GetFileName(id);
+ var safeId = tunerGuid.ToString("N", CultureInfo.InvariantCulture);
 var channelCacheFile = Path.Combine(_config.CommonApplicationPaths.CachePath, safeId + "_channels");
 try
 {
@@ -119,7 +120,7 @@ public class TunerHostManager : ITunerHostManager
 }
 catch (IOException ex)
 {
- _logger.LogWarning(ex, "Error deleting channel cache file for tuner {TunerId}", id);
+ _logger.LogWarning(ex, "Error deleting channel cache file for tuner {TunerId}", safeId);
 }
 } |
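Review bot: `Path.Combine(_config.CommonApplicationPaths.CachePath, safeId + "_channels")` in the first TunerHostManager.cs hunk dereferences `CommonApplicationPaths` directly, while the ListingsManager.cs cleanup in this same commit reads `_config.CommonApplicationPaths?.CachePath` and checks `string.IsNullOrEmpty(cachePath)` before building a path. If the property can really be null or empty, as that other code suggests, this line throws an exception that `catch (IOException ex)` does not cover, after the tuner entry has already been saved out of the config. Reading the path into a local first and guarding it the same way, e.g. `if (!string.IsNullOrEmpty(cachePath) && Guid.TryParseExact(id, "N", out var tunerGuid))`, would keep the two cleanups consistent. The enclosing method is only partly visible in these hunks.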
