Fix directory traversal in the HlsSegmentController in a fairly rudimentary but working way.

GHSL-2021-050: Issue 1,2,3 Arbitrary file read and directory traversal. The segment id's can probably just be verified to be an actual ID or to not contain any forward or backward slashes
4 years ago · f61d18612b
parent 9360fecb31
commit f61d18612b
1 changed files with 20 additions and 0 deletions
--- a/Jellyfin.Api/Controllers/HlsSegmentController.cs
+++ b/Jellyfin.Api/Controllers/HlsSegmentController.cs
@ -62,6 +62,13 @@ namespace Jellyfin.Api.Controllers
            // TODO: Deprecate with new iOS app
            var file = segmentId + Path.GetExtension(Request.Path);
            file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
+            {
+                return BadRequest("Invalid segment.");
+            }

            return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
        }
@ -82,6 +89,13 @@ namespace Jellyfin.Api.Controllers
        {
            var file = playlistId + Path.GetExtension(Request.Path);
            file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath) || Path.GetExtension(file) != ".m3u8")
+            {
+                return BadRequest("Invalid segment.");
+            }

            return GetFileResult(file, file);
        }
@ -131,6 +145,12 @@ namespace Jellyfin.Api.Controllers
            var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath();

            file = Path.Combine(transcodeFolderPath, file);
+            file = Path.GetFullPath(Path.Combine(transcodeFolderPath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodeFolderPath))
+            {
+                return BadRequest("Invalid segment.");
+            }

            var normalizedPlaylistId = playlistId;