Fix directory traversal in the HlsSegmentController in a fairly rudimentary but working way.

GHSL-2021-050: Issue 1,2,3 Arbitrary file read and directory traversal. The segment id's can probably just be verified to be an actual ID or to not contain any forward or backward slashes
author: Erwin de Haan <EraYaN@users.noreply.github.com> 2021-03-20 00:38:58 +0100
committer: Erwin de Haan <EraYaN@users.noreply.github.com> 2021-03-20 01:14:59 +0100
commit: f61d18612b2e6c6e9a5dd4510331ac8d89a337d5 (patch)
tree: 6954d8bb64542f4215296cec331251d87d22e219 /Jellyfin.Api/Controllers/HlsSegmentController.cs
parent: 9360fecb316973181a120027f70b311b219740cd (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/Jellyfin.Api/Controllers/HlsSegmentController.cs b/Jellyfin.Api/Controllers/HlsSegmentController.cs
index d0ed45acb..5a8542048 100644
--- a/Jellyfin.Api/Controllers/HlsSegmentController.cs
+++ b/Jellyfin.Api/Controllers/HlsSegmentController.cs
@@ -62,6 +62,13 @@ namespace Jellyfin.Api.Controllers
             // TODO: Deprecate with new iOS app
             var file = segmentId + Path.GetExtension(Request.Path);
             file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
         }
@@ -82,6 +89,13 @@ namespace Jellyfin.Api.Controllers
         {
             var file = playlistId + Path.GetExtension(Request.Path);
             file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath) || Path.GetExtension(file) != ".m3u8")
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             return GetFileResult(file, file);
         }
@@ -131,6 +145,12 @@ namespace Jellyfin.Api.Controllers
             var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath();
 
             file = Path.Combine(transcodeFolderPath, file);
+            file = Path.GetFullPath(Path.Combine(transcodeFolderPath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodeFolderPath))
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             var normalizedPlaylistId = playlistId;
author	Erwin de Haan <EraYaN@users.noreply.github.com>	2021-03-20 00:38:58 +0100
committer	Erwin de Haan <EraYaN@users.noreply.github.com>	2021-03-20 01:14:59 +0100
commit	f61d18612b2e6c6e9a5dd4510331ac8d89a337d5 (patch)
tree	6954d8bb64542f4215296cec331251d87d22e219 /Jellyfin.Api/Controllers/HlsSegmentController.cs
parent	9360fecb316973181a120027f70b311b219740cd (diff)