Merge pull request from GHSA-wg4c-c9g9-rxhx

Fix issues 1 through 5 from GHSL-2021-050 (cherry picked from commit fe8cf29cad2ca1b5d3a78c86cacf3ba96608034f) Signed-off-by: Joshua M. Boniface <joshua@boniface.me>
author: Joshua M. Boniface <joshua@boniface.me> 2021-03-21 19:12:14 -0400
committer: Joshua M. Boniface <joshua@boniface.me> 2021-03-21 19:13:08 -0400
commit: 0183ef8e89195f420c48d2600bc0b72f6d3a7fd7 (patch)
tree: 164a39bc08d10d9cc1d7707726df270acf48883d /Jellyfin.Api/Controllers/HlsSegmentController.cs
parent: 75f39f0f2a3e43f4f65d4e56ba70e026ce4ab312 (diff)
1 files changed, 20 insertions, 3 deletions
diff --git a/Jellyfin.Api/Controllers/HlsSegmentController.cs b/Jellyfin.Api/Controllers/HlsSegmentController.cs
index 9ef969738..af272a617 100644
--- a/Jellyfin.Api/Controllers/HlsSegmentController.cs
+++ b/Jellyfin.Api/Controllers/HlsSegmentController.cs
@@ -63,7 +63,13 @@ namespace Jellyfin.Api.Controllers
         {
             // TODO: Deprecate with new iOS app
             var file = segmentId + Path.GetExtension(Request.Path);
-            file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
         }
@@ -83,7 +89,13 @@ namespace Jellyfin.Api.Controllers
         public ActionResult GetHlsPlaylistLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string playlistId)
         {
             var file = playlistId + Path.GetExtension(Request.Path);
-            file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath) || Path.GetExtension(file) != ".m3u8")
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             return GetFileResult(file, file);
         }
@@ -132,7 +144,12 @@ namespace Jellyfin.Api.Controllers
             var file = segmentId + Path.GetExtension(Request.Path);
             var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath();
 
-            file = Path.Combine(transcodeFolderPath, file);
+            file = Path.GetFullPath(Path.Combine(transcodeFolderPath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodeFolderPath))
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             var normalizedPlaylistId = playlistId;
author	Joshua M. Boniface <joshua@boniface.me>	2021-03-21 19:12:14 -0400
committer	Joshua M. Boniface <joshua@boniface.me>	2021-03-21 19:13:08 -0400
commit	0183ef8e89195f420c48d2600bc0b72f6d3a7fd7 (patch)
tree	164a39bc08d10d9cc1d7707726df270acf48883d /Jellyfin.Api/Controllers/HlsSegmentController.cs
parent	75f39f0f2a3e43f4f65d4e56ba70e026ce4ab312 (diff)