fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser

Luke Pulverenti
2014-07-02 00:57:18 -04:00
parent 3bef6ead9c
commit 389390b82e
39 changed files with 587 additions and 267 deletions


@@ -1,6 +1,7 @@
using MediaBrowser.Common.Extensions;
using MediaBrowser.Controller.Dto;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Session;
using MediaBrowser.Model.Dto;
using MediaBrowser.Model.Serialization;
@@ -152,7 +153,7 @@ namespace MediaBrowser.Api
/// <summary>
/// Class UsersService
/// </summary>
public class UserService : BaseApiService
public class UserService : BaseApiService, IHasAuthorization
{
/// <summary>
/// The _XML serializer
@@ -166,6 +167,8 @@ namespace MediaBrowser.Api
private readonly IDtoService _dtoService;
private readonly ISessionManager _sessionMananger;
public IAuthorizationContext AuthorizationContext { get; set; }
/// <summary>
/// Initializes a new instance of the <see cref="UserService" /> class.
/// </summary>
@@ -295,7 +298,7 @@ namespace MediaBrowser.Api
throw new ResourceNotFoundException("User not found");
}
var auth = AuthorizationRequestFilterAttribute.GetAuthorization(Request);
var auth = AuthorizationContext.GetAuthorizationInfo(Request);
// Login in the old way if the header is missing
if (string.IsNullOrEmpty(auth.Client) ||