merge branch 'master' into syncplay-clear-queue

author: dkanada <dkanada@users.noreply.github.com> 2021-09-06 13:35:58 +0900
committer: dkanada <dkanada@users.noreply.github.com> 2021-09-06 13:35:58 +0900
commit: 5e3905d41a1aad6825a1a9def66cc6c7c3c59917 (patch)
tree: 177ce6bd380591f35192ba5a8c3cb2dbabb2da21 /Jellyfin.Api/Controllers/ImageByNameController.cs
parent: 68969c9530c42ab88da084c55cbeced8099d8ddd (diff)
parent: e9508616cc90c01a22ca28c13694587dd16b49d6 (diff)
1 files changed, 20 insertions, 3 deletions
diff --git a/Jellyfin.Api/Controllers/ImageByNameController.cs b/Jellyfin.Api/Controllers/ImageByNameController.cs
index 198dbc51f..e1b808098 100644
--- a/Jellyfin.Api/Controllers/ImageByNameController.cs
+++ b/Jellyfin.Api/Controllers/ImageByNameController.cs
@@ -74,7 +74,7 @@ namespace Jellyfin.Api.Controllers
                 : type;
 
             var path = BaseItem.SupportedImageExtensions
-                .Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))
+                .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
                 .FirstOrDefault(System.IO.File.Exists);
 
             if (path == null)
@@ -82,6 +82,11 @@ namespace Jellyfin.Api.Controllers
                 return NotFound();
             }
 
+            if (!path.StartsWith(_applicationPaths.GeneralPath))
+            {
+                return BadRequest("Invalid image path.");
+            }
+
             var contentType = MimeTypes.GetMimeType(path);
             return File(System.IO.File.OpenRead(path), contentType);
         }
@@ -163,7 +168,8 @@ namespace Jellyfin.Api.Controllers
         /// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
         private ActionResult GetImageFile(string basePath, string theme, string? name)
         {
-            var themeFolder = Path.Combine(basePath, theme);
+            var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));
+
             if (Directory.Exists(themeFolder))
             {
                 var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
@@ -171,12 +177,18 @@ namespace Jellyfin.Api.Controllers
 
                 if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
                 {
+                    if (!path.StartsWith(basePath))
+                    {
+                        return BadRequest("Invalid image path.");
+                    }
+
                     var contentType = MimeTypes.GetMimeType(path);
+
                     return PhysicalFile(path, contentType);
                 }
             }
 
-            var allFolder = Path.Combine(basePath, "all");
+            var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));
             if (Directory.Exists(allFolder))
             {
                 var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
@@ -184,6 +196,11 @@ namespace Jellyfin.Api.Controllers
 
                 if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
                 {
+                    if (!path.StartsWith(basePath))
+                    {
+                        return BadRequest("Invalid image path.");
+                    }
+
                     var contentType = MimeTypes.GetMimeType(path);
                     return PhysicalFile(path, contentType);
                 }
author	dkanada <dkanada@users.noreply.github.com>	2021-09-06 13:35:58 +0900
committer	dkanada <dkanada@users.noreply.github.com>	2021-09-06 13:35:58 +0900
commit	5e3905d41a1aad6825a1a9def66cc6c7c3c59917 (patch)
tree	177ce6bd380591f35192ba5a8c3cb2dbabb2da21 /Jellyfin.Api/Controllers/ImageByNameController.cs
parent	68969c9530c42ab88da084c55cbeced8099d8ddd (diff)
parent	e9508616cc90c01a22ca28c13694587dd16b49d6 (diff)