fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser

2025-12-24 01:34:45 +03:00 · 2014-07-02 00:57:18 -04:00
parent 3bef6ead9c
commit 389390b82e
39 changed files with 587 additions and 267 deletions
--- a/MediaBrowser.Api/SessionsService.cs
+++ b/MediaBrowser.Api/SessionsService.cs
@@ -285,7 +285,7 @@ namespace MediaBrowser.Api
                SeekPositionTicks = request.SeekPositionTicks
            };

-            var task = _sessionManager.SendPlaystateCommand(GetSession(_sessionManager).Id, request.Id, command, CancellationToken.None);
+            var task = _sessionManager.SendPlaystateCommand(GetSession().Id, request.Id, command, CancellationToken.None);

            Task.WaitAll(task);
        }
@@ -303,7 +303,7 @@ namespace MediaBrowser.Api
                ItemType = request.ItemType
            };

-            var task = _sessionManager.SendBrowseCommand(GetSession(_sessionManager).Id, request.Id, command, CancellationToken.None);
+            var task = _sessionManager.SendBrowseCommand(GetSession().Id, request.Id, command, CancellationToken.None);

            Task.WaitAll(task);
        }
@@ -318,7 +318,7 @@ namespace MediaBrowser.Api

            if (Enum.TryParse(request.Command, true, out commandType))
            {
-                var currentSession = GetSession(_sessionManager);
+                var currentSession = GetSession();

                var command = new GeneralCommand
                {
@@ -345,7 +345,7 @@ namespace MediaBrowser.Api
                Text = request.Text
            };

-            var task = _sessionManager.SendMessageCommand(GetSession(_sessionManager).Id, request.Id, command, CancellationToken.None);
+            var task = _sessionManager.SendMessageCommand(GetSession().Id, request.Id, command, CancellationToken.None);

            Task.WaitAll(task);
        }
@@ -364,14 +364,14 @@ namespace MediaBrowser.Api
                StartPositionTicks = request.StartPositionTicks
            };

-            var task = _sessionManager.SendPlayCommand(GetSession(_sessionManager).Id, request.Id, command, CancellationToken.None);
+            var task = _sessionManager.SendPlayCommand(GetSession().Id, request.Id, command, CancellationToken.None);

            Task.WaitAll(task);
        }

        public void Post(SendGeneralCommand request)
        {
-            var currentSession = GetSession(_sessionManager);
+            var currentSession = GetSession();

            var command = new GeneralCommand
            {
@@ -386,7 +386,7 @@ namespace MediaBrowser.Api

        public void Post(SendFullGeneralCommand request)
        {
-            var currentSession = GetSession(_sessionManager);
+            var currentSession = GetSession();

            request.ControllingUserId = currentSession.UserId.HasValue ? currentSession.UserId.Value.ToString("N") : null;

@@ -409,7 +409,7 @@ namespace MediaBrowser.Api
        {
            if (string.IsNullOrWhiteSpace(request.Id))
            {
-                request.Id = GetSession(_sessionManager).Id;
+                request.Id = GetSession().Id;
            }
            _sessionManager.ReportCapabilities(request.Id, new SessionCapabilities
            {