starred/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-05-04 18:09:12 +03:00
Code Issues 822 Packages Projects Releases 10 Wiki Activity

Security issue when browsing libraries #396

New Issue
Closed
opened 2026-02-06 19:39:38 +03:00 by OVERLORD · 14 comments
OVERLORD commented 2026-02-06 19:39:38 +03:00
Owner
Copy Link

Originally created by @quentinus95 on GitHub (Feb 7, 2019).

Originally assigned to: @joshuaboniface on GitHub.

Hi,

I'm not (yet) using Jellyfin, but there was a security issue in Emby I pointed out almost one year ago.

Does the issue still exist in Jellyfin? It is pretty serious in my opinion.

https://github.com/MediaBrowser/Emby/issues/3270

Thanks!

Originally created by @quentinus95 on GitHub (Feb 7, 2019). Originally assigned to: @joshuaboniface on GitHub. Hi, I'm not (yet) using Jellyfin, but there was a security issue in Emby I pointed out almost one year ago. Does the issue still exist in Jellyfin? It is pretty serious in my opinion. https://github.com/MediaBrowser/Emby/issues/3270 Thanks!
OVERLORD added the bug label 2026-02-06 19:39:38 +03:00
OVERLORD commented 2026-02-06 19:39:41 +03:00
Author
Owner
Copy Link

@joshuaboniface commented on GitHub (Feb 7, 2019):

Ooh that is a heck of a security hole. I don't think we've explicitly fixed it, but will take a look.

@joshuaboniface commented on GitHub (Feb 7, 2019): Ooh that is a heck of a security hole. I don't think we've explicitly fixed it, but will take a look.
OVERLORD commented 2026-02-06 19:39:42 +03:00
Author
Owner
Copy Link

@bobberb commented on GitHub (Feb 7, 2019):

oh, who knew my requested feature of "public share links" was here the whole time @joshuaboniface 🤣

@bobberb commented on GitHub (Feb 7, 2019): oh, who knew my requested feature of "public share links" was here the whole time @joshuaboniface 🤣
OVERLORD commented 2026-02-06 19:39:43 +03:00
Author
Owner
Copy Link

@JustAMan commented on GitHub (Feb 8, 2019):

oh, who knew my requested feature of "public share links" was here the whole time @joshuaboniface 🤣

Don't worry, we'll fix it so it won't work @bobberb ;)

@JustAMan commented on GitHub (Feb 8, 2019): > oh, who knew my requested feature of "public share links" was here the whole time @joshuaboniface 🤣 Don't worry, we'll fix it so it won't work @bobberb ;)
OVERLORD commented 2026-02-06 19:39:44 +03:00
Author
Owner
Copy Link

@hawken93 commented on GitHub (Feb 9, 2019):

I think Luke's thing in that thread and fixing this hole could be done by passing on auth to the target device instead of making a big gaping hole and having a relatively short timeout on that. Does this mean that the chromecast working at all is because of this? Lol

@hawken93 commented on GitHub (Feb 9, 2019): I think Luke's thing in that thread and fixing this hole could be done by passing on auth to the target device instead of making a big gaping hole and having a relatively short timeout on that. Does this mean that the chromecast working at all is because of this? Lol
OVERLORD commented 2026-02-06 19:39:45 +03:00
Author
Owner
Copy Link

@JustAMan commented on GitHub (Feb 9, 2019):

I am not sure I support Luke idea of allowing admin to cast to target device no matter who is logged there...

Though we can still support that use case if we properly support temporary links to media, like @bobberb asks.

@JustAMan commented on GitHub (Feb 9, 2019): I am not sure I support Luke idea of allowing admin to cast to target device no matter who is logged there... Though we can still support that use case if we properly support temporary links to media, like @bobberb asks.
OVERLORD commented 2026-02-06 19:39:46 +03:00
Author
Owner
Copy Link

@hawken93 commented on GitHub (Feb 9, 2019):

How does the chromecast authenticate?

@hawken93 commented on GitHub (Feb 9, 2019): How does the chromecast authenticate?
OVERLORD commented 2026-02-06 19:39:47 +03:00
Author
Owner
Copy Link

@cvium commented on GitHub (Feb 9, 2019):

It uses the user's auth token

@cvium commented on GitHub (Feb 9, 2019): It uses the user's auth token
OVERLORD commented 2026-02-06 19:39:47 +03:00
Author
Owner
Copy Link

@hawken93 commented on GitHub (Feb 11, 2019):

Aha, then I agree with @justaman. Sharing links could be used with some kind of share token :)

@hawken93 commented on GitHub (Feb 11, 2019): Aha, then I agree with @justaman. Sharing links could be used with some kind of share token :)
OVERLORD commented 2026-02-06 19:39:48 +03:00
Author
Owner
Copy Link

@bobberb commented on GitHub (Feb 11, 2019):

tokens a la seafile +/- expiry times?
ss

@bobberb commented on GitHub (Feb 11, 2019): tokens a la seafile +/- expiry times? ![ss](https://user-images.githubusercontent.com/1891836/52590961-a854e080-2e10-11e9-95fa-a384b31a7975.png)
OVERLORD commented 2026-02-06 19:39:49 +03:00
Author
Owner
Copy Link

@JustAMan commented on GitHub (Feb 11, 2019):

Something along this lines, yes.

@JustAMan commented on GitHub (Feb 11, 2019): Something along this lines, yes.
OVERLORD commented 2026-02-06 19:39:49 +03:00
Author
Owner
Copy Link

@Tolriq commented on GitHub (Feb 18, 2019):

I do not follow actively this project, but be aware that this will require proper thinking for many cases.

Typically you can send http header when streaming to UPnP devices and many other cases. Protecting the media require proper thinking and documentation as you'll break things on the road (Including my app :p)

Plex support passing the token via url get params, don't know if Emby/JellyFin also support that, but it would be mandatory to support both headers and a GET param to be able to support all the players currently usable.

@Tolriq commented on GitHub (Feb 18, 2019): I do not follow actively this project, but be aware that this will require proper thinking for many cases. Typically you can send http header when streaming to UPnP devices and many other cases. Protecting the media require proper thinking and documentation as you'll break things on the road (Including my app :p) Plex support passing the token via url get params, don't know if Emby/JellyFin also support that, but it would be mandatory to support both headers and a GET param to be able to support all the players currently usable.
OVERLORD commented 2026-02-06 19:39:49 +03:00
Author
Owner
Copy Link

@dkanada commented on GitHub (Apr 10, 2019):

passing the token via url get params

I think we support this in some capacity already because the log pages are sent with the token in the query strings. Not sure how often it gets used but seems like the ideal solution in most cases, excepting the public share feature listed above.

@dkanada commented on GitHub (Apr 10, 2019): > passing the token via url get params I think we support this in some capacity already because the log pages are sent with the token in the query strings. Not sure how often it gets used but seems like the ideal solution in most cases, excepting the public share feature listed above.
OVERLORD commented 2026-02-06 19:39:50 +03:00
Author
Owner
Copy Link

@joshuaboniface commented on GitHub (Apr 16, 2019):

Well, good news - I can't seem to reproduce this!

I followed the steps you outlined:

  1. Set a non-admin user to be unable to view my TV library.
  2. Copy the URL of the Library itself, as well as a specific element (show) within it.
  3. Logged out of my admin user, and in as the non-admin user.
  4. Pasted both URLs in the address bar.

In both cases, nothing happened - no errors, but also no unexpected access to the library.

I think based on this that we're good here - when and how it was fixed I'm not sure, but it does seem to be. If you can verify that would be appreciated, otherwise we can close this one out!

@joshuaboniface commented on GitHub (Apr 16, 2019): Well, good news - I can't seem to reproduce this! I followed the steps you outlined: 1. Set a non-admin user to be unable to view my TV library. 2. Copy the URL of the Library itself, as well as a specific element (show) within it. 3. Logged out of my admin user, and in as the non-admin user. 4. Pasted both URLs in the address bar. In both cases, nothing happened - no errors, but also no unexpected access to the library. I *think* based on this that we're good here - when and how it was fixed I'm not sure, but it does seem to be. If you can verify that would be appreciated, otherwise we can close this one out!
OVERLORD commented 2026-02-06 19:39:50 +03:00
Author
Owner
Copy Link

@joshuaboniface commented on GitHub (Apr 20, 2019):

Closing based on my testing above - if this still occurs and can be replicated please let us know!

@joshuaboniface commented on GitHub (Apr 20, 2019): Closing based on my testing above - if this still occurs and can be replicated please let us know!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
EFjellyfin.db
area:database
awaiting-feedback
backend
blocked
breaking change: web api
bug
build
ci
confirmed
discussion needed
dotnet future
downstream
duplicate
enhancement
feature
future
github-actions
good first issue
hdr
help wanted
invalid
investigation
librarydb
live-tv
lyrics
media playback
music
needs testing
nuget
performance
platform
pull-request
Mirrored from GitHub Pull Request
 question
regression
release critical
requires-web
roadmap
security
security
stale
support
syncplay
ui & ux
upstream
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#396
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?