Authenticated arbitrary file overwrite in SubtitleController -> Subti…

…tleManager GHSL-2021-050: Issue 5 Arbitrary file overwrite.
jellyfin · Mar 20, 2021 · 470305f · 470305f
1 parent 239a715
commit 470305f
Showing 1 changed file with 21 additions and 3 deletions.
diff --git a/MediaBrowser.Providers/Subtitles/SubtitleManager.cs b/MediaBrowser.Providers/Subtitles/SubtitleManager.cs
@@ -205,12 +205,30 @@ public Task UploadSubtitle(Video video, SubtitleResponse response)
 
                 if (saveInMediaFolder)
                 {
-                    savePaths.Add(Path.Combine(video.ContainingFolderPath, saveFileName));
+                    var mediaFolderPath = Path.GetFullPath(Path.Combine(video.ContainingFolderPath, saveFileName));
+                    // TODO: Add some error handling to the API user: return BadRequest("Could not save subtitle, bad path.");
+                    if (mediaFolderPath.StartsWith(video.ContainingFolderPath))
+                    {
+                        savePaths.Add(mediaFolderPath);
+                    }
                 }
 
-                savePaths.Add(Path.Combine(video.GetInternalMetadataPath(), saveFileName));
+                var internalPath = Path.GetFullPath(Path.Combine(video.GetInternalMetadataPath(), saveFileName));
+
+                // TODO: Add some error to the user: return BadRequest("Could not save subtitle, bad path.");
+                if (internalPath.StartsWith(video.GetInternalMetadataPath()))
+                {
+                    savePaths.Add(internalPath);
+                }
 
-                await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
+                if (savePaths.Count > 0)
+                {
+                    await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
+                }
+                else
+                {
+                    _logger.LogError("An uploaded subtitle could not be saved because the resulting paths were invalid.");
+                }
             }
         }