authorCody Robibero <cody@robibe.ro>2021-12-23 19:38:10 -0700
committerCody Robibero <cody@robibe.ro>2021-12-23 19:38:10 -0700
commita04ab6b87637fe378759aaf2b7fa71726150b2b1 (patch)
tree62f4e5bdb272e9312bab469cbcda1e13591e7834 /Jellyfin.Api/Controllers/ImageByNameController.cs
parentc52a2f2f7b130d73a96cdac00f1e63531a04139b (diff)
parent8c7dd0a691d150ac4fa5719853554ff569abf1bb (diff)
Merge branch 'master' into studios-images-plugin
# Conflicts: # MediaBrowser.Providers/MediaBrowser.Providers.csproj
Diffstat (limited to 'Jellyfin.Api/Controllers/ImageByNameController.cs')
-rw-r--r--Jellyfin.Api/Controllers/ImageByNameController.cs25
1 files changed, 21 insertions, 4 deletions
diff --git a/Jellyfin.Api/Controllers/ImageByNameController.cs b/Jellyfin.Api/Controllers/ImageByNameController.cs
index 198dbc51f..89bbf22c9 100644
--- a/Jellyfin.Api/Controllers/ImageByNameController.cs
+++ b/Jellyfin.Api/Controllers/ImageByNameController.cs
@@ -74,7 +74,7 @@ namespace Jellyfin.Api.Controllers
: type;
var path = BaseItem.SupportedImageExtensions
- .Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))
+ .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
.FirstOrDefault(System.IO.File.Exists);
if (path == null)
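Review bot: The existence probe on L27 runs against the candidate before anything validates it, so a `name` carrying `..` segments gets NotFound when the target is absent and the BadRequest added below once it exists, which makes the endpoint an existence oracle for files outside GeneralPath. Filter the normalized candidates before probing, `.Where(p => p.StartsWith(root, StringComparison.Ordinal)).FirstOrDefault(System.IO.File.Exists)`, with `root` the canonical GeneralPath plus a trailing directory separator, so a rejected candidate falls into the existing NotFound branch and the two cases are indistinguishable. The enclosing action method starts above this hunk and continues past it.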
@@ -82,8 +82,13 @@ namespace Jellyfin.Api.Controllers
return NotFound();
}
+ if (!path.StartsWith(_applicationPaths.GeneralPath, StringComparison.InvariantCulture))
+ {
+ return BadRequest("Invalid image path.");
+ }
+
var contentType = MimeTypes.GetMimeType(path);
- return File(System.IO.File.OpenRead(path), contentType);
+ return File(AsyncFile.OpenRead(path), contentType);
}
/// <summary>
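Review bot: The prefix test on L32 compares a canonicalized `path` against the raw `_applicationPaths.GeneralPath` with no trailing separator, so it accepts a sibling directory whose name merely extends GeneralPath (`.../general-x/...` against `.../general`) and can misfire if GeneralPath is configured relative or with a trailing separator, since L26 normalizes only one side of the comparison. Build the root once and compare ordinally: `var root = Path.GetFullPath(_applicationPaths.GeneralPath).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;` followed by `if (!path.StartsWith(root, StringComparison.Ordinal))`. `StringComparison.InvariantCulture` is a linguistic comparison and the wrong tool for file paths; on a case-insensitive file system `OrdinalIgnoreCase` may be the right choice instead. `Path.GetFullPath` is lexical and does not resolve symlinks, so a link inside GeneralPath pointing elsewhere would still pass — whether that matters depends on deployment. The action method's opening lines are outside this hunk.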
@@ -163,7 +168,8 @@ namespace Jellyfin.Api.Controllers
/// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
private ActionResult GetImageFile(string basePath, string theme, string? name)
{
- var themeFolder = Path.Combine(basePath, theme);
+ var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));
+
if (Directory.Exists(themeFolder))
{
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
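Review bot: `name` is declared `string?` on L44 but L51 builds `name + i` with no null or empty guard, so a missing name resolves to a bare-extension candidate such as `<themeFolder>/.png` instead of a miss. Add `if (string.IsNullOrEmpty(name)) { return NotFound(); }` ahead of the `Directory.Exists` lookup. Note also the asymmetry introduced here: `themeFolder` is normalized on L47 but is never itself checked against `basePath`, and the candidate built on L51 is not normalized at all, so `..` segments in either `theme` or `name` survive into the string that is later compared; whether callers pass untrusted `theme` is not visible on this page. GetImageFile continues past the end of this hunk.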
@@ -171,12 +177,18 @@ namespace Jellyfin.Api.Controllers
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
{
+ if (!path.StartsWith(basePath, StringComparison.InvariantCulture))
+ {
+ return BadRequest("Invalid image path.");
+ }
+
var contentType = MimeTypes.GetMimeType(path);
+
return PhysicalFile(path, contentType);
}
}
- var allFolder = Path.Combine(basePath, "all");
+ var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));
if (Directory.Exists(allFolder))
{
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
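Review bot: The check on L55 runs on a `path` that was never normalized — L51 builds it with `Path.Combine(themeFolder, name + i)` and no `Path.GetFullPath` — so a `name` carrying `..` segments yields a string such as `<basePath>/<theme>/../../x.png` that still starts with `basePath`, passes the test and is handed to PhysicalFile on L62; whether such a name survives route binding and decoding is not visible here. The same gap applies to the `allFolder` candidate built on L69. Normalize before comparing and serve the normalized value: `var fullPath = Path.GetFullPath(path);` then `if (!fullPath.StartsWith(Path.GetFullPath(basePath).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar, StringComparison.Ordinal))` and `return PhysicalFile(fullPath, contentType);`. As on the GeneralPath handler, `StringComparison.InvariantCulture` should be `Ordinal` (or `OrdinalIgnoreCase` on case-insensitive file systems) for a path comparison. GetImageFile begins and ends outside this hunk.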
@@ -184,6 +196,11 @@ namespace Jellyfin.Api.Controllers
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
{
+ if (!path.StartsWith(basePath, StringComparison.InvariantCulture))
+ {
+ return BadRequest("Invalid image path.");
+ }
+
var contentType = MimeTypes.GetMimeType(path);
return PhysicalFile(path, contentType);
}
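Review bot: The resolve-then-check-then-serve sequence on L71-L79 is the third copy of the same logic on this page (the theme folder just above and the GeneralPath handler earlier), each with its own hand-written prefix test, which is exactly how a normalized folder ends up paired with an un-normalized candidate. Extract one helper that canonicalizes every candidate, filters by a separator-terminated canonical root and only then probes existence, and have all three call sites use it; the check then happens before any file-system access and the three sites cannot drift apart. The `if (Directory.Exists(allFolder))` block that encloses these lines opens in the previous hunk and closes after this one.

```csharp
/// <summary>
/// Returns the first existing supported image for <paramref name="name"/> under <paramref name="folder"/>,
/// or null when none exists or the resolved path is not inside <paramref name="basePath"/>.
/// </summary>
private static string? ResolveImagePath(string basePath, string folder, string? name)
{
    // Separator-terminated canonical root so a sibling such as "<basePath>-x" cannot match.
    var root = Path.GetFullPath(basePath).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    return BaseItem.SupportedImageExtensions
        .Select(i => Path.GetFullPath(Path.Combine(folder, name + i)))
        .Where(p => p.StartsWith(root, StringComparison.Ordinal))
        .FirstOrDefault(System.IO.File.Exists);
}

// … unchanged: themeFolder lookup, allFolder computation and Directory.Exists(allFolder) …
    var path = ResolveImagePath(basePath, allFolder, name);
    if (path is not null)
    {
        return PhysicalFile(path, MimeTypes.GetMimeType(path));
    }
```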