Dispatcharr/apps
Goldenfreddy0703 abdf2d7864 Fix credential release on deleted profile and round 3 review items.
Store credential Redis keys at reserve so release works when the profile row is deleted. Return reserve failure reasons to avoid fingerprint DB queries on logging paths. Document unlimited profile bypass in pool logic and Server Group UI.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-04 19:51:20 -04:00
..
accounts Enhancement: Initial fmp4 support and major ts_proxy refactor 2026-05-08 17:46:47 -05:00
api initial connect feature 2026-02-08 09:29:22 -05:00
backups security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
channels Fix credential release on deleted profile and round 3 review items. 2026-06-04 19:51:20 -04:00
connect fix: replace fork()-based subprocess with posix_spawn at all uWSGI spawn sites 2026-05-15 16:45:09 -05:00
dashboard modified database fields for consistency, removed custom_url from streams (no longer needed) 2025-03-16 09:07:10 -04:00
epg feat: Enhance series rule evaluation and management 2026-05-04 20:45:40 -05:00
hdhr feat: Add HDHR output profile support and reorganize settings 2026-05-10 11:14:02 -05:00
m3u Fix credential release on deleted profile and round 3 review items. 2026-06-04 19:51:20 -04:00
output fix: update xc_stream_live_streams to yield opening bracket at start. 2026-05-16 11:08:41 -05:00
plugins fix: Ensure plugin discovery runs in all non-Celery processes to apply monkey-patches in uWSGI workers 2026-05-13 17:30:09 -05:00
proxy Fix credential release on deleted profile and round 3 review items. 2026-06-04 19:51:20 -04:00
vod fix: clear previous failure entries after successful logo fetch in LogoViewSet and VODLogoViewSet 2026-04-14 13:34:17 -05:00