Dispatcharr/apps
SergeantPanda f8407610c8
Some checks failed
CI Pipeline / prepare (push) Waiting to run
CI Pipeline / docker (amd64, ubuntu-24.04) (push) Blocked by required conditions
CI Pipeline / docker (arm64, ubuntu-24.04-arm) (push) Blocked by required conditions
CI Pipeline / create-manifest (push) Blocked by required conditions
Build and Push Multi-Arch Docker Image / build-and-push (push) Waiting to run
Frontend Tests / test (push) Has been cancelled
Bug Fix/Enhancement: Improve logic for get xc epg endpoint for short epgs. Also support epg_days from xc user for xc epg endpoint.
2026-04-12 18:51:40 -05:00
..
accounts security: Extended rate limiting to the session-auth login alias (POST /api/accounts/auth/login/). It now delegates entirely to TokenObtainPairView, inheriting its throttle, network access check, and audit logging, and returns JWT tokens instead of a session cookie (the session-based response was unusable since SessionAuthentication is not in DEFAULT_AUTHENTICATION_CLASSES). Both endpoints share the same "login" throttle scope, so attempts across either path count against the same per-IP limit. 2026-04-10 19:54:10 -05:00
api initial connect feature 2026-02-08 09:29:22 -05:00
backups security: Fixed path traversal vulnerability in file uploads. The M3U account upload (apps/m3u/api_views.py), logo upload (apps/channels/api_views.py), and backup upload (apps/backups/api_views.py) all used the uploaded filename directly without sanitization. os.path.join() discards all preceding components when it encounters an absolute path segment, and pathlib's / operator behaves identically; a relative ../ sequence also escapes via OS path resolution at open() time. All three upload paths now strip directory components via Path(name).name and validate the resolved path remains within the intended upload directory. Exploiting any of these required admin credentials. 2026-04-09 21:32:36 -05:00
channels Bug Fix: Fixed several incorrect or incomplete OpenAPI (@extend_schema) schemas across the API 2026-04-11 17:02:07 -05:00
connect Bug Fix: Fixed several incorrect or incomplete OpenAPI (@extend_schema) schemas across the API 2026-04-11 17:02:07 -05:00
dashboard modified database fields for consistency, removed custom_url from streams (no longer needed) 2025-03-16 09:07:10 -04:00
epg Enhancement: EPG channel scanning now automatically removes stale EPGData entries. 2026-04-12 15:37:28 -05:00
hdhr security: 2026-04-09 21:36:51 -05:00
m3u Enhancements: 2026-04-11 14:57:52 -05:00
output Bug Fix/Enhancement: Improve logic for get xc epg endpoint for short epgs. Also support epg_days from xc user for xc epg endpoint. 2026-04-12 18:51:40 -05:00
plugins enhance plugin installation and manifest fetching error handling with code review suggestions 2026-04-10 14:44:07 -04:00
proxy Bug Fix: Fixed stream switch metadata (url, user_agent, stream_id, m3u_profile) being written to Redis before the switch was confirmed to succeed 2026-04-12 12:02:20 -05:00
vod fleshed out user limits and termination logic 2026-03-25 17:33:26 -04:00