Merge commit from fork

Fix a logic flaw in the jellyfin auth guard that allowed unauthenticated users to register accounts
on Plex-configured instances by authenticating against an attacker-controlled Jellyfin server.
fallenbagel
2026-02-27 21:36:17 +05:00
committed by GitHub
parent 0d40a42de7
commit 4ae2068409


@@ -244,8 +244,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
(settings.main.mediaServerLogin === false || (settings.main.mediaServerLogin === false ||
// media server is neither jellyfin or emby // media server is neither jellyfin or emby
(settings.main.mediaServerType !== MediaServerType.JELLYFIN && (settings.main.mediaServerType !== MediaServerType.JELLYFIN &&
settings.main.mediaServerType !== MediaServerType.EMBY && settings.main.mediaServerType !== MediaServerType.EMBY))
settings.jellyfin.ip !== ''))
) { ) {
return res.status(500).json({ error: 'Jellyfin login is disabled' }); return res.status(500).json({ error: 'Jellyfin login is disabled' });
} }
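Review bot: The rejection branch at the end of this hunk still answers with `res.status(500)`, so a refused Jellyfin login on an instance configured for another media server is reported as a server fault rather than a denied request. If no client depends on that code, `return res.status(403).json({ error: 'Jellyfin login is disabled' });` together with a warning-level log entry would let operators see and alert on these attempts. The tightened condition would also benefit from a comment recording the invariant, for example `// the configured media server type alone decides; an empty settings.jellyfin.ip must not re-enable this route`, so the removed clause is not reintroduced later. The opening of the `if` lies outside the hunk, so the first operand of the guard could not be checked here. A regression test that posts to this route with the server type set to Plex and expects a rejection would pin the fix.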