Is there an existing issue for this?
I have searched the existing open and closed issues
Current Behavior
When importing from a folder which contains double quotes in the name, Sonarr has issues processing the data.
In particular it will fail ffprobe and fail to move files around.
Note from a security perspective: Because of the way parameters are passed to ffprobe ( https://github.com/Servarr/FFMpegCore/blob/master/FFMpegCore/FFProbe/FFProbe.cs#L199-L217 ), it is possible for some malicious actor to craft a path which will allow the injection of any parameters; Sonarr would then try to automatically import the content and execute ffprobe with any parameter desired.
This issue would affect any of the Servarr applications relying on the FFMpegCore module to run FFProbe.
Expected Behavior
Sonarr should sanitise folder names before using them as strings to be concatenated into paths. When this is done Sonarr should be able to handle any special characters that may be slipped into folder/file names.
Steps To Reproduce
Create a folder which contains double quotes (and spaces) in the name: mkdir '"test test"'
Move a file to be imported into that folder
Use manual import (in the sonarr UI) to import the file from that folder
markus101 changed the title from "Sonarr does not handle properly folders with double quotes in their names (possibly security issue)" to "Issues with FFProbe and paths with double quotes in name" on Sep 4, 2023
Environment
What branch are you running?
Main
Trace Logs?
https://privatebin.net/?552284f5f9cf26e3#EY8HTeqA2ZVi9UYQAE95oC37pWDUwDqVjHkoLNgApqU
Anything else?
Rather than concatenating a string together as arguments for ffprobe, the list of arguments should be provided as an ArgumentList, which handles sanitisation automatically ( https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.processstartinfo.argumentlist?view=net-7.0#system-diagnostics-processstartinfo-argumentlist ).
Also worth noting, Sonarr has further issues dealing with the file when attempting to import/link it.
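The concatenation problem and the ArgumentList fix described above, as an added C# example that is not code from Sonarr or FFMpegCore; the ffprobe options and the sample path are assumed for illustration (the folder name is the one from the reproduction step).

```csharp
using System;
using System.Diagnostics;

// Added example, not code from Sonarr or FFMpegCore. The ffprobe options are typical
// ones assumed for illustration; the folder name is the one from the reproduction step.
class ProbeArgsDemo
{
    const string ConstructedPath = "/downloads/\"test test\"/episode.mkv";

    static readonly string[] ProbeOptions =
        { "-loglevel", "error", "-print_format", "json", "-show_format", "-show_streams" };

    // Weak pattern, the shape the issue describes: the path is pasted into one
    // command-line string. The quotes inside the folder name close the quoted
    // argument early, so the rest of the name is parsed as further ffprobe options.
    static ProcessStartInfo ConcatenatedStartInfo(string path) =>
        new ProcessStartInfo("ffprobe")
        {
            Arguments = string.Join(" ", ProbeOptions) + " \"" + path + "\"",
            UseShellExecute = false,
            RedirectStandardOutput = true,
        };

    // Fix proposed in the issue: one ArgumentList element per argument. .NET quotes and
    // escapes each element when it builds the command line, so the path is always
    // delivered to ffprobe as exactly one argument, whatever characters it contains.
    static ProcessStartInfo ArgumentListStartInfo(string path)
    {
        var psi = new ProcessStartInfo("ffprobe")
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
        };
        foreach (var option in ProbeOptions)
            psi.ArgumentList.Add(option);
        psi.ArgumentList.Add(path); // a single element, never split on quotes or spaces
        return psi;
    }

    static void Main()
    {
        // Nothing is executed here; we only show what each variant would hand to ffprobe.
        Console.WriteLine("Concatenated string (quotes in the path break it apart):");
        Console.WriteLine("  " + ConcatenatedStartInfo(ConstructedPath).Arguments);
        Console.WriteLine("ArgumentList elements (the path stays one element):");
        foreach (var arg in ArgumentListStartInfo(ConstructedPath).ArgumentList)
            Console.WriteLine("  [" + arg + "]");
    }
}
```

Comparing the two outputs shows why the concatenated form fails on the reproduction folder while the ArgumentList form keeps the path intact; the same pattern applies to any argument taken from a user-controlled file name.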