[Issue]: User files can get deleted when transcode/cache/log path is imporoperly set

backuprepo commented

2025-12-22 00:44:41 +01:00

Owner

Originally created by @oddstr13 on GitHub (May 18, 2023).

Tracking https://old.reddit.com/r/jellyfin/comments/13l3jnw/changes_transcoding_folder_deleted_my_entire/

It is possible to set the transcoding folder to any path, including the root of a drive.
The «Clean Transcode Directory» task is regularly ran and deletes files with a modification time older than one day.

3aa03a4640/Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteTranscodeFileTask.cs (L82-L90)

This is also a potential problem with the «Clean Cache Directory» and «Clean Log Directory» tasks.

3aa03a4640/Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteCacheFileTask.cs (L83)
3aa03a4640/Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteLogFileTask.cs (L73)

Originally created by @oddstr13 on GitHub (May 18, 2023). Tracking https://old.reddit.com/r/jellyfin/comments/13l3jnw/changes_transcoding_folder_deleted_my_entire/ It is possible to set the transcoding folder to any path, including the root of a drive. The ***«Clean Transcode Directory»*** task is regularly ran and deletes files with a modification time older than one day. https://github.com/jellyfin/jellyfin/blob/3aa03a46402ea4293f35058909b81c4e914e17f3/Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteTranscodeFileTask.cs#L82-L90 This is also a potential problem with the ***«Clean Cache Directory»*** and ***«Clean Log Directory»*** tasks. https://github.com/jellyfin/jellyfin/blob/3aa03a46402ea4293f35058909b81c4e914e17f3/Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteCacheFileTask.cs#L83 https://github.com/jellyfin/jellyfin/blob/3aa03a46402ea4293f35058909b81c4e914e17f3/Emby.Server.Implementations/ScheduledTasks/Tasks/DeleteLogFileTask.cs#L73

backuprepo added the

security

bug

labels 2025-12-22 00:44:41 +01:00

backuprepo commented

2025-12-22 00:44:44 +01:00

Author

Owner

@oddstr13 commented on GitHub (May 18, 2023):

I propose the following solution;

Checking if the directory is empty, and if not, checking for a dotfile marking it as ours to do with as we please.
.jellyfin-may-delete ?

Care must be taken to create dotfiles in the appropriate directories as part of the update migrations.

The check could be made on boot, on task run or on config change (won't protect offline changes).

@oddstr13 commented on GitHub (May 18, 2023): I propose the following solution; Checking if the directory is empty, and if not, checking for a dotfile marking it as ours to do with as we please. `.jellyfin-may-delete` ? Care must be taken to create dotfiles in the appropriate directories as part of the update migrations. The check could be made on boot, on task run or on config change (won't protect offline changes).

backuprepo commented

2025-12-22 00:44:46 +01:00

Author

Owner

@nielsvanvelzen commented on GitHub (May 18, 2023):

Checking for an empty directory might cause issues when the directory is currently used for temporary files (e.g. playback of a transcoded stream is in progress). The main issue is people thinking they need to use their media library here, so I believe just preventing those directories from usage should be enough.

My proposal is to collect folders defined in the libraries, and check if any of them starts with the transcoding path provided.

val containsLibraryPath = libraries.any { library ->
    library.folders.any { folder ->
        folder.startsWith(transcodePath)
    }
}

if (containsLibraryPath) prevent()
else goAheadButMakeSureToNotUseYourRootFolder()

@nielsvanvelzen commented on GitHub (May 18, 2023): Checking for an empty directory might cause issues when the directory is currently used for temporary files (e.g. playback of a transcoded stream is in progress). The main issue is people thinking they need to use their media library here, so I believe just preventing those directories from usage should be enough. My proposal is to collect folders defined in the libraries, and check if any of them starts with the transcoding path provided. ```kotlin val containsLibraryPath = libraries.any { library -> library.folders.any { folder -> folder.startsWith(transcodePath) } } if (containsLibraryPath) prevent() else goAheadButMakeSureToNotUseYourRootFolder() ```

backuprepo commented

2025-12-22 00:44:49 +01:00

Author

Owner

@oddstr13 commented on GitHub (May 18, 2023):

Checking for an empty directory might cause issues when the directory is currently used for temporary files (e.g. playback of a transcoded stream is in progress).

This is where the dotfile comes into play; a empty directory is all good, and the dotfile existing means we've already marked the directory as fine to use, and as such it doesn't matter if it contains other files.

@oddstr13 commented on GitHub (May 18, 2023): > > Checking for an empty directory might cause issues when the directory is currently used for temporary files (e.g. playback of a transcoded stream is in progress). This is where the dotfile comes into play; a empty directory is all good, and the dotfile existing means we've already marked the directory as fine to use, and as such it doesn't matter if it contains other files.

backuprepo commented

2025-12-22 00:44:52 +01:00

Author

Owner

@nielsvanvelzen commented on GitHub (May 18, 2023):

Ok that might be a better option then, because it would prevent all data from being removed instead of just Jellyfin content 👍

@nielsvanvelzen commented on GitHub (May 18, 2023): Ok that might be a better option then, because it would prevent all data from being removed instead of just Jellyfin content 👍

backuprepo commented

2025-12-22 00:44:53 +01:00

Author

Owner

@oddstr13 commented on GitHub (May 18, 2023):

Yes, it would also protect configs, plugins and any other paths writable by Jellyfin.

Naming the file something that wouldn't be hidden by default should also be considered, such as jellyfin-may-delete.txt, just to make it clear what would happen if you started storing your documents in the same directory for whatever reason.

@oddstr13 commented on GitHub (May 18, 2023): Yes, it would also protect configs, plugins and any other paths writable by Jellyfin. Naming the file something that wouldn't be hidden by default should also be considered, such as `jellyfin-may-delete.txt`, just to make it clear what would happen if you started storing your documents in the same directory for whatever reason.

backuprepo commented

2025-12-22 00:44:54 +01:00

Author

Owner

@jconnop commented on GitHub (May 19, 2023):

More ideas:

Instead of assuming ownership over the full contents of the user-supplied path, always suffix it with a well-known subdirectory. i.e. if user supplies /media as the transcoding path, internally translate this to /media/Jellyfin-Transcoding/ . Any files/directories the user inadvertently has in the path they supply are therefore always ignored by Jellyfin.
When deleting, apply a regex to delete only filenames which are expected to be found, instead of anything at all.

@jconnop commented on GitHub (May 19, 2023): More ideas: - Instead of assuming ownership over the full contents of the user-supplied path, always suffix it with a well-known subdirectory. i.e. if user supplies /media as the transcoding path, internally translate this to /media/Jellyfin-Transcoding/ . Any files/directories the user inadvertently has in the path they supply are therefore always ignored by Jellyfin. - When deleting, apply a regex to delete only filenames which are expected to be found, instead of anything at all.

backuprepo commented

2025-12-22 00:44:55 +01:00

Author

Owner

@jasonm23 commented on GitHub (Aug 27, 2023):

This happened to me a couple of days ago. Unfortunately I lost movies and tv shows collected since 1999. If this is the state of Jellyfin... wow. Seriously cooled me on this product.

Of course I should have a backup of my 5TB drive, I'm not a wealthy man at the moment, and this is something that I can't afford to do.

Point being, if you are writing a file and somehow wipe an entire drive... ...sigh, your code is just unsafe.

I hope you guys fix it, I won't ever touch the transcoding options again.

I'll still use Jellyfin but way more cautiously than any other self contained app.

/rant

@jasonm23 commented on GitHub (Aug 27, 2023): This happened to me a couple of days ago. Unfortunately I lost movies and tv shows collected since 1999. If this is the state of Jellyfin... wow. Seriously cooled me on this product. Of course I should have a backup of my 5TB drive, I'm not a wealthy man at the moment, and this is something that I can't afford to do. Point being, if you are writing a file and somehow wipe an entire drive... ...sigh, your code is just unsafe. I hope you guys fix it, I won't ever touch the transcoding options again. I'll still use Jellyfin but way more cautiously than any other self contained app. /rant

backuprepo commented

2025-12-22 00:44:56 +01:00

Author

Owner

@jasonm23 commented on GitHub (Aug 27, 2023):

Suggestion, instead of a dotfile, which while a neat idea is finnicky in practice.

Alternatively, simply DON'T use the path given as is, create a transcoding workspace directory inside it.

It's simple to implement and no one gets a nasty surprise when they go to watch something.

@jasonm23 commented on GitHub (Aug 27, 2023): Suggestion, instead of a dotfile, which while a neat idea is finnicky in practice. Alternatively, simply DON'T use the path given as is, create a transcoding workspace directory inside it. It's simple to implement and no one gets a nasty surprise when they go to watch something.

backuprepo commented

2025-12-22 00:44:57 +01:00

Author

Owner

@Hukuma1 commented on GitHub (Aug 25, 2024):

Holy moly just ran into this myself after having to temporarily re-map the transcode folder. Why would Jellyfin delete anything other than the files it creates? Yikes. Either please make a directory as suggested above or have Jellyfin only delete the transcode files. Deleting everything is... poor design to put it lightly.

@Hukuma1 commented on GitHub (Aug 25, 2024): Holy moly just ran into this myself after having to temporarily re-map the transcode folder. Why would Jellyfin delete anything other than the files it creates? Yikes. Either please make a directory as suggested above or have Jellyfin only delete the transcode files. Deleting everything is... poor design to put it lightly.

backuprepo commented

2025-12-22 00:44:58 +01:00

Author

Owner

@felix920506 commented on GitHub (Aug 25, 2024):

maybe a nasty warning in the help text in the mean time?

@felix920506 commented on GitHub (Aug 25, 2024): maybe a nasty warning in the help text in the mean time?

backuprepo commented

2025-12-22 00:44:59 +01:00

Author

Owner

@jasonm23 commented on GitHub (Aug 26, 2024):

Given this issue has been given DGAF status (my post above is a year old... How long ago was last maintainer comment?!?)

I already switched away at the beginning of the year.

JellyFin ... nope.

@jasonm23 commented on GitHub (Aug 26, 2024): Given this issue has been given DGAF status (my post above is a year old... How long ago was last maintainer comment?!?) I already switched away at the beginning of the year. JellyFin ... nope.

Rows
Columns

[Issue]: User files can get deleted when transcode/cache/log path is imporoperly set #4858