|
@@ -74,7 +74,7 @@ namespace Jellyfin.Api.Controllers
|
|
|
: type;
|
|
: type;
|
|
|
|
|
|
|
|
var path = BaseItem.SupportedImageExtensions
|
|
var path = BaseItem.SupportedImageExtensions
|
|
|
- .Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))
|
|
|
|
|
|
|
+ .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
|
|
|
.FirstOrDefault(System.IO.File.Exists);
|
|
.FirstOrDefault(System.IO.File.Exists);
|
|
|
|
|
|
|
|
if (path == null)
|
|
if (path == null)
|
|
@@ -82,6 +82,11 @@ namespace Jellyfin.Api.Controllers
|
|
|
return NotFound();
|
|
return NotFound();
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ if (!path.StartsWith(_applicationPaths.GeneralPath))
|
|
|
|
|
+ {
|
|
|
|
|
+ return BadRequest("Invalid image path.");
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
var contentType = MimeTypes.GetMimeType(path);
|
|
var contentType = MimeTypes.GetMimeType(path);
|
|
|
return File(System.IO.File.OpenRead(path), contentType);
|
|
return File(System.IO.File.OpenRead(path), contentType);
|
|
|
}
|
|
}
|
|
@@ -163,7 +168,8 @@ namespace Jellyfin.Api.Controllers
|
|
|
/// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
|
|
/// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
|
|
|
private ActionResult GetImageFile(string basePath, string theme, string? name)
|
|
private ActionResult GetImageFile(string basePath, string theme, string? name)
|
|
|
{
|
|
{
|
|
|
- var themeFolder = Path.Combine(basePath, theme);
|
|
|
|
|
|
|
+ var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));
|
|
|
|
|
+
|
|
|
if (Directory.Exists(themeFolder))
|
|
if (Directory.Exists(themeFolder))
|
|
|
{
|
|
{
|
|
|
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
|
|
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
|
|
@@ -171,12 +177,18 @@ namespace Jellyfin.Api.Controllers
|
|
|
|
|
|
|
|
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
|
|
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
|
|
|
{
|
|
{
|
|
|
|
|
+ if (!path.StartsWith(basePath))
|
|
|
|
|
+ {
|
|
|
|
|
+ return BadRequest("Invalid image path.");
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
var contentType = MimeTypes.GetMimeType(path);
|
|
var contentType = MimeTypes.GetMimeType(path);
|
|
|
|
|
+
|
|
|
return PhysicalFile(path, contentType);
|
|
return PhysicalFile(path, contentType);
|
|
|
}
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- var allFolder = Path.Combine(basePath, "all");
|
|
|
|
|
|
|
+ var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));
|
|
|
if (Directory.Exists(allFolder))
|
|
if (Directory.Exists(allFolder))
|
|
|
{
|
|
{
|
|
|
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
|
|
var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
|
|
@@ -184,6 +196,11 @@ namespace Jellyfin.Api.Controllers
|
|
|
|
|
|
|
|
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
|
|
if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
|
|
|
{
|
|
{
|
|
|
|
|
+ if (!path.StartsWith(basePath))
|
|
|
|
|
+ {
|
|
|
|
|
+ return BadRequest("Invalid image path.");
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
var contentType = MimeTypes.GetMimeType(path);
|
|
var contentType = MimeTypes.GetMimeType(path);
|
|
|
return PhysicalFile(path, contentType);
|
|
return PhysicalFile(path, contentType);
|
|
|
}
|
|
}
|
Erwin de Haan