fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser

Luke Pulverenti
2014-07-02 00:57:18 -04:00
parent 3bef6ead9c
commit 389390b82e
39 changed files with 587 additions and 267 deletions


@@ -14,8 +14,7 @@ namespace MediaBrowser.Api
/// <summary>
/// Class BaseApiService
/// </summary>
[AuthorizationRequestFilter]
public class BaseApiService : IHasResultFactory, IRestfulService
public class BaseApiService : IHasResultFactory, IRestfulService, IHasSession
{
/// <summary>
/// Gets or sets the logger.
@@ -35,6 +34,8 @@ namespace MediaBrowser.Api
/// <value>The request context.</value>
public IRequest Request { get; set; }
public ISessionContext SessionContext { get; set; }
public string GetHeader(string name)
{
return Request.Headers[name];
@@ -82,13 +83,11 @@ namespace MediaBrowser.Api
/// <summary>
/// Gets the session.
/// </summary>
/// <param name="sessionManager">The session manager.</param>
/// <returns>SessionInfo.</returns>
protected SessionInfo GetSession(ISessionManager sessionManager)
/// <exception cref="System.ArgumentException">Session not found.</exception>
protected SessionInfo GetSession()
{
var auth = AuthorizationRequestFilterAttribute.GetAuthorization(Request);
var session = sessionManager.GetSession(auth.DeviceId, auth.Client, auth.Version);
var session = SessionContext.GetSession(Request);
if (session == null)
{