| author | Joshua M. Boniface <joshua@boniface.me> | 2026-04-06 09:37:59 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-04-06 09:37:59 -0400 |
| commit | 179db631f73a7e34e89acbdabc555a9d3b92ff6d (patch) | |
| tree | f3c202a880ee05241ad46c9e54e7a2076e303b9c /src | |
| parent | c008f28d3126186e0a646121a3f69bd1624e37f5 (diff) | |
| parent | 740e9f8749ccf54afe8c0c2b1ff39a9775ed305b (diff) | |
Merge pull request #16577 from Bond-009/security-backports
Backport security fixes
Diffstat (limited to 'src')
| -rw-r--r-- | src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
index 2270758454..5da7762f6f 100644
--- a/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
+++ b/src/Jellyfin.LiveTv/TunerHosts/M3uParser.cs
@@ -93,6 +93,13 @@ namespace Jellyfin.LiveTv.TunerHosts
 }
 else if (!string.IsNullOrWhiteSpace(extInf) && !trimmedLine.StartsWith('#'))
 {
+ if (!IsValidChannelUrl(trimmedLine))
+ {
+ _logger.LogWarning("Skipping M3U channel entry with non-HTTP path: {Path}", trimmedLine);
+ extInf = string.Empty;
+ continue;
+ }
+
 var channel = GetChannelInfo(extInf, tunerHostId, trimmedLine);
 channel.Id = channelIdPrefix + trimmedLine.GetMD5().ToString("N", CultureInfo.InvariantCulture);
 
@@ -247,6 +254,16 @@ namespace Jellyfin.LiveTv.TunerHosts
 return numberString;
 }
 
+ private static bool IsValidChannelUrl(string url)
+ {
+ return Uri.TryCreate(url, UriKind.Absolute, out var uri)
+ && (string.Equals(uri.Scheme, "http", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "https", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "rtsp", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "rtp", StringComparison.OrdinalIgnoreCase)
+ || string.Equals(uri.Scheme, "udp", StringComparison.OrdinalIgnoreCase));
+ }
+
 private static bool IsValidChannelNumber(string numberString)
 {
 if (string.IsNullOrWhiteSpace(numberString) |
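Review bot: In the first hunk (`@@ -93,6 +93,13 @@`), the warning text says "non-HTTP path", but the check it reports on also accepts rtsp, rtp and udp, so the message misdescribes why an entry was dropped. Wording that matches the allowlist would be `"Skipping M3U channel entry with unsupported scheme or local path: {Path}"`. The logged value is the raw playlist line, which is untrusted input; the structured `{Path}` placeholder is the right way to pass it, but it is worth confirming that the configured log sinks render it safely. The enclosing parse loop starts and ends outside the hunk.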
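Review bot: In the second hunk (`@@ -247,6 +254,16 @@`), `IsValidChannelUrl` has no comment stating what it guards against, and the check is scheme-only. Presumably the intent is to stop playlist entries from naming local files or other non-streaming schemes. A summary such as `/// <summary>Accepts only absolute http, https, rtsp, rtp and udp URLs; local paths and all other schemes are rejected.</summary>` would record that for the next maintainer. An http or https entry pointing at loopback or an internal host still passes; whether that matters depends on how the channel path is fetched later, which is not visible here. As a style point, `Uri.Scheme` is already lower-case, so the five comparisons could be a lookup in a `static readonly` set of allowed schemes.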
