Dispatcharr/apps
2026-04-09 21:46:50 -05:00
..
accounts security: Added rate limiting to the login endpoint (POST /api/accounts/token/) using DRF's built-in throttling. A LoginRateThrottle (3 requests/minute per IP, sliding window) is applied to the TokenObtainPairView. Repeated failed attempts from the same IP receive 429 Too Many Requests. 2026-04-09 21:46:50 -05:00
api initial connect feature 2026-02-08 09:29:22 -05:00
backups security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
channels security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
connect Migrations: Add missing migrations. 2026-02-26 13:25:51 -06:00
dashboard modified database fields for consistency, removed custom_url from streams (no longer needed) 2025-03-16 09:07:10 -04:00
epg Enhancement: Improved the EPG BOM fix from v0.22.1: replaced the lstrip(b'\xef\xbb\xbf') / startswith approach with start.find(b'<?xml'), which locates the XML declaration regardless of any leading bytes BOM, whitespace, or other encoding markers without needing to know what those bytes are. 2026-04-09 11:16:04 -05:00
hdhr security: 2026-04-09 21:36:51 -05:00
m3u security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
output Enhancement: EPG output when no days parameter is specified now excludes already-ended programs instead of returning all historical data. 2026-03-05 12:31:36 -06:00
plugins added event support to plugins 2026-02-11 19:50:11 -05:00
proxy chore(cleanup): - Removed dead VODConnectionManager class (apps/proxy/vod_proxy/connection_manager.py) and its associated helpers, which had been superseded by MultiWorkerVODConnectionManager. All active code already used the multi-worker implementation. Removed the unused VODConnectionManager import from vod_proxy/views.py, the unscheduled cleanup_vod_connections task from apps/proxy/tasks.py, and the unscheduled cleanup_vod_persistent_connections task from core/tasks.py. 2026-04-09 19:59:50 -05:00
vod fleshed out user limits and termination logic 2026-03-25 17:33:26 -04:00