yetangitu/Peertube
1
0
Fork 0
mirror of https://github.com/Chocobozzz/PeerTube.git synced 2025-10-03 09:49:20 +02:00
Code Issues Releases Wiki Activity

Fix path traversal when getting a private playlist

Browse source
This commit is contained in:
Chocobozzz 2025-04-03 10:54:13 +02:00
parent 71744313f0
commit 69c851c8e6
No known key found for this signature in database
GPG key ID: 583A612D890159BE
5 changed files with 119 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

6
server/core/controllers/static.ts
View file

@ -55,7 +55,7 @@ const privateHLSStaticMiddlewares = CONFIG.STATIC_FILES.PRIVATE_FILES_REQUIRE_AU
: []
staticRouter.use(
STATIC_PATHS.STREAMING_PLAYLISTS.PRIVATE_HLS + ':videoUUID/:playlistName.m3u8',
STATIC_PATHS.STREAMING_PLAYLISTS.PRIVATE_HLS + ':videoUUID/:playlistNameWithoutExtension.m3u8',
...privateHLSStaticMiddlewares,
asyncMiddleware(servePrivateM3U8)
)
@ -81,8 +81,8 @@ export {
// ---------------------------------------------------------------------------
async function servePrivateM3U8 (req: express.Request, res: express.Response) {
const path = join(DIRECTORIES.HLS_STREAMING_PLAYLIST.PRIVATE, req.params.videoUUID, req.params.playlistName + '.m3u8')
const filename = req.params.playlistName + '.m3u8'
const path = join(DIRECTORIES.HLS_STREAMING_PLAYLIST.PRIVATE, req.params.videoUUID, req.params.playlistNameWithoutExtension + '.m3u8')
const filename = req.params.playlistNameWithoutExtension + '.m3u8'
let playlistContent: string