
Issues with FFProbe and paths with double quotes in name #6001

Open
1 task done
ColinHebert opened this issue Sep 3, 2023 · 1 comment

Comments

@ColinHebert

Is there an existing issue for this?

  • I have searched the existing open and closed issues

Current Behavior

When importing from a folder which contains double quotes in the name, Sonarr has issues processing the data.
In particular it will fail ffprobe and fail to move files around.

Note from a security perspective: Because of the way parameters are passed to ffprobe ( https://github.com/Servarr/FFMpegCore/blob/master/FFMpegCore/FFProbe/FFProbe.cs#L199-L217 ), it is possible for some malicious actor to craft a path which will allow the injection of any parameters; Sonarr would then try to automatically import the content and execute ffprobe with any parameter desired.

This issue would affect any of the Servarr applications relying on the FFMpegCore module to run FFProbe

Expected Behavior

Sonarr should sanitise folder names before using them as strings to be concatenated into paths. When this is done Sonarr should be able to handle any special characters that may be slipped into folder/file names.

Steps To Reproduce

  1. Create a folder which contains double quotes (and spaces) in the name: `mkdir '"test test"'`.
  2. Move a file to be imported into that folder
  3. Use manual import (in the sonarr UI) to import the file from that folder

Environment

- OS: Linux (Docker)
- Sonarr: 4.0.0.657
- Docker Install: Yes
- Using Reverse Proxy: Yes
- Browser: 
- Database: Sqlite 3.41.2

What branch are you running?

Main

Trace Logs?

https://privatebin.net/?552284f5f9cf26e3#EY8HTeqA2ZVi9UYQAE95oC37pWDUwDqVjHkoLNgApqU

Anything else?

Rather than concatenating a string together as arguments for ffprobe, the list of arguments should be provided as an ArgumentList which handles sanitisation automatically ( https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.processstartinfo.argumentlist?view=net-7.0#system-diagnostics-processstartinfo-argumentlist )

Also worth noting, Sonarr has further issues dealing with the file when attempting to import/link it.
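As an added illustration (not the issue author's code, nor Sonarr's or FFMpegCore's), the C# program below contrasts the two ways of building the ffprobe argument set discussed above: pasting the path into a single `Arguments` string versus adding each value to `ProcessStartInfo.ArgumentList`. It assumes a .NET 6+ console app run through its apphost (`Environment.ProcessPath` must point at the app, not at `dotnet`), stands in for ffprobe by re-invoking itself with a hypothetical `--print-args` flag that echoes its argv as JSON, and uses a constructed path modelled on the reproduction steps.

```csharp
// Added example, not project code: shows how a path containing '"' is
// tokenised when concatenated into ProcessStartInfo.Arguments versus when it
// is passed as one ProcessStartInfo.ArgumentList entry. The program re-runs
// itself (with the hypothetical "--print-args" flag) instead of ffprobe so the
// child's argv can be inspected offline. The sample path is constructed.
using System;
using System.Diagnostics;
using System.Text.Json;

static class ArgumentDemo
{
    // Pattern the issue warns about: the runtime has to re-tokenise one string.
    // A '"' inside the path closes the quoted token early, so the rest of the
    // path (and anything after it) is split into further arguments.
    static ProcessStartInfo ConcatenatedStart(string exe, string inputPath) =>
        new ProcessStartInfo
        {
            FileName = exe,
            Arguments = $"--print-args -print_format json -show_format \"{inputPath}\"",
            RedirectStandardOutput = true,
        };

    // Recommended form: every argument is its own ArgumentList entry. The
    // runtime quotes/escapes each entry itself (or passes argv directly on
    // Unix), so the path always reaches the child as a single argv element.
    static ProcessStartInfo ArgumentListStart(string exe, string inputPath)
    {
        var psi = new ProcessStartInfo { FileName = exe, RedirectStandardOutput = true };
        psi.ArgumentList.Add("--print-args");
        psi.ArgumentList.Add("-print_format");
        psi.ArgumentList.Add("json");
        psi.ArgumentList.Add("-show_format");
        psi.ArgumentList.Add(inputPath);
        return psi;
    }

    // Starts the child and returns the argv it actually received.
    static string[] RunAndCaptureArgv(ProcessStartInfo psi)
    {
        using var p = Process.Start(psi)!;
        string json = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return JsonSerializer.Deserialize<string[]>(json) ?? Array.Empty<string>();
    }

    static int Main(string[] args)
    {
        // Child mode: echo argv as JSON so the parent can see the tokenisation.
        if (args.Length > 0 && args[0] == "--print-args")
        {
            Console.WriteLine(JsonSerializer.Serialize(args));
            return 0;
        }

        string self = Environment.ProcessPath!;
        // Constructed folder name in the shape of the reproduction steps.
        string path = "/media/\"test test\"/episode.mkv";

        string[] concatArgv = RunAndCaptureArgv(ConcatenatedStart(self, path));
        string[] listArgv = RunAndCaptureArgv(ArgumentListStart(self, path));

        Console.WriteLine($"Arguments string -> {concatArgv.Length} argv items, last: {concatArgv[^1]}");
        Console.WriteLine($"ArgumentList     -> {listArgv.Length} argv items, last: {listArgv[^1]}");

        // Check a caller can keep: the input path must survive as exactly one
        // argument, byte-for-byte. Only the ArgumentList form satisfies it.
        bool pathIntact = listArgv.Length == 5 && listArgv[4] == path;
        return pathIntact ? 0 : 1;
    }
}
```

With the constructed path the concatenated form yields six argv items, the path arriving as `/media/test` and `test/episode.mkv`, while the `ArgumentList` form yields five with the path intact. Note that `Arguments` and `ArgumentList` are mutually exclusive on a `ProcessStartInfo`; setting both throws when the process is started.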

@markus101 markus101 changed the title Sonarr does not handle properly folders with double quotes in their names (possibly security issue) Issues with FFProbe and paths with double quotes in name Sep 4, 2023
@salomj

salomj commented Jan 27, 2024

Plex also has issues with this, which is why it is nice to use {Series CleanTitle} and {Episode CleanTitle}
