| author | Joshua M. Boniface <joshua@boniface.me> | 2026-04-06 09:37:59 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-04-06 09:37:59 -0400 |
| commit | 179db631f73a7e34e89acbdabc555a9d3b92ff6d (patch) | |
| tree | f3c202a880ee05241ad46c9e54e7a2076e303b9c /MediaBrowser.Controller/Entities | |
| parent | c008f28d3126186e0a646121a3f69bd1624e37f5 (diff) | |
| parent | 740e9f8749ccf54afe8c0c2b1ff39a9775ed305b (diff) | |
Merge pull request #16577 from Bond-009/security-backports
Backport security fixes
Diffstat (limited to 'MediaBrowser.Controller/Entities')
| -rw-r--r-- | MediaBrowser.Controller/Entities/BaseItem.cs | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/MediaBrowser.Controller/Entities/BaseItem.cs b/MediaBrowser.Controller/Entities/BaseItem.cs
index 8f89c1c797..e312e9d80b 100644
--- a/MediaBrowser.Controller/Entities/BaseItem.cs
+++ b/MediaBrowser.Controller/Entities/BaseItem.cs
@@ -1171,11 +1171,18 @@ namespace MediaBrowser.Controller.Entities
 info.Video3DFormat = video.Video3DFormat;
 info.Timestamp = video.Timestamp;
- if (video.IsShortcut)
+ if (video.IsShortcut && !string.IsNullOrEmpty(video.ShortcutPath))
 {
- info.IsRemote = true;
- info.Path = video.ShortcutPath;
- info.Protocol = MediaSourceManager.GetPathProtocol(info.Path);
+ var shortcutProtocol = MediaSourceManager.GetPathProtocol(video.ShortcutPath);
+
+ // Only allow remote shortcut paths — local file paths in .strm files
+ // could be used to read arbitrary files from the server.
+ if (shortcutProtocol != MediaProtocol.File)
+ {
+ info.IsRemote = true;
+ info.Path = video.ShortcutPath;
+ info.Protocol = shortcutProtocol;
+ }
 }
 if (string.IsNullOrEmpty(info.Container))
|
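Review bot: The rejection path is silent: when `shortcutProtocol` is `MediaProtocol.File` the inner block is skipped with no log entry, so a .strm file that points at a local path leaves nothing for an operator to find afterwards. An `else` branch that logs a warning naming the item (not the shortcut target's contents) would make these cases detectable. The guard is also only as strong as `MediaSourceManager.GetPathProtocol`, whose handling of `file://` URIs, UNC paths and unrecognised schemes is not visible in this hunk; comparing against an explicit set of accepted remote protocols would fail closed, and the comment could record the dependency: `// Relies on GetPathProtocol classifying every local form (plain path, file:// URI, UNC) as File.` The enclosing method starts and ends outside the hunk, so what `info.Path` and `info.Protocol` hold after a rejected shortcut cannot be confirmed from here.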
