starred/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-01-23 23:20:51 +01:00
Code Issues 725 Projects Packages Wiki Activity Actions 2

[Issue]: Images resolved from the "Edit Images" modal aren't using the provider #6038

New issue
Open
opened 2025-12-22 03:27:19 +01:00 by backuprepo · 1 comment
backuprepo commented 2025-12-22 03:27:19 +01:00
Owner
Copy link

Originally created by @revam on GitHub (Jun 20, 2024).

Please describe your bug

Follow up for #12074.

Currently the resolution of remote images provided by plugins are handled differently in two places;

  • If a remote image is acquired internally in Jellyfin it will ask the provider to fetch the image for us. As seen here and here.

  • If a remote image is asked by a client to be added to an item, it will always be downloaded using a standard HTTP client. As seen here. I'll also note that the client is sending the image url, provider name, and image type with each request. As seen here.

@thornbill pointed out that https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96 existed in the matrix dev. channel, so the new solution must be resistant to this attack vector.

@cvium mentioned in https://github.com/jellyfin/jellyfin/pull/12074#issuecomment-2174448293

[…] Ideally, and this is just my opinion:

  1. All images are proxied through the Jellyfin backend

  2. Identify (and other remote download flows?) stores an ID per image

  3. Remote image requests always use the ID and based on the ID, the server knows what to download and store

EDIT: This is a pretty big API breaking change, but ultimately the only reasonable (imo) fix for the security advisory. To ease clients into it, we could create a new set of endpoints.

This issue exists to find the best way to solve it if cvium's solution is not enough, or for somebody qualified to undertake the "pretty big API breakage change" to have a reference and/or reminder that it needs fixing at some point.

Reproduction Steps

Context: Install an image provider that uses local images fetched from another local server. Make sure Jellyfin is using one route to the server that it's clients cannot resolve, and versa visa. Images returned from the provider is directly resolvable by Jellyfin's clients, but not by Jellyfin itself as a result, but the provider is able to resolve the image for Jellyfin.

What works:

  1. Open any entity in jellyfin.

  2. Remove any existing images on the entity.

  3. Click "Refresh metadata", then "Search for missing metadata" or "Replace all metadata", and make sure to enable "Replace existing images", to force it to download images.

  4. Let it run.

  5. No errors in the UI, and the log is not filled with errors

  6. The entity have images again.

What doesn't work:

  1. Open any entity in Jellyfin

  2. Remove any existing images on the entity.

  3. Open "Edit Images", followed by searching for new images. Observe that the images are properly displaying in the "Search" modal.

  4. Press "Download" on any of the images.

  5. It errs out on the server side and the UI doesn't properly get rid of the loading animation.

  6. Refresh to see that you still don't have images in the UI (since it erred out).

Jellyfin Version

10.9.0

if other:

No response

Environment

- OS: All
- Linux Kernel: none
- Virtualization: none
- Clients: All
- Browser: none
- FFmpeg Version: N/A
- Playback Method: none
- Hardware Acceleration: none
- GPU Model: none
- Plugins: Any
- Reverse Proxy: none
- Base URL: none
- Networking: Any
- Storage: Any

Jellyfin logs

[2024-06-10 17:24:17.925 -04:00] [ERR] [32] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/Items/afddb0774e997c04cbee139da8304d84/RemoteImages/Download".
System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at MediaBrowser.Providers.Manager.ProviderManager.SaveImage(BaseItem item, String url, ImageType type, Nullable`1 imageIndex, CancellationToken cancellationToken)
   at Jellyfin.Api.Controllers.RemoteImageController.DownloadRemoteImage(Guid itemId, ImageType type, String imageUrl)
   at lambda_method1269(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
Originally created by @revam on GitHub (Jun 20, 2024). ### Please describe your bug Follow up for #12074. Currently the resolution of remote images provided by plugins are handled differently in two places; - If a remote image is acquired internally in Jellyfin it will ask the provider to fetch the image for us. As seen [here](https://github.com/jellyfin/jellyfin/blob/18dd6b2875b05d6b9c8249476ae509bfd20e8314/MediaBrowser.Providers/Manager/ItemImageProvider.cs#L535) and [here](https://github.com/jellyfin/jellyfin/blob/18dd6b2875b05d6b9c8249476ae509bfd20e8314/MediaBrowser.Providers/Manager/ItemImageProvider.cs#L644). - If a remote image is asked by a client to be added to an item, it will always be downloaded using a standard HTTP client. As seen [here](https://github.com/jellyfin/jellyfin/blob/6fb6b5f1766a1f37a61b9faaa40209bab995bf30/Jellyfin.Api/Controllers/RemoteImageController.cs#L166). I'll also note that the client is sending the image url, provider name, and image type with each request. As seen [here](https://github.com/jellyfin/jellyfin-web/blob/20381bd3ec2f23907ed53d7da568cae921b05506/src/components/imageDownloader/imageDownloader.js#L140-L154). @thornbill pointed out that https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96 existed in the matrix dev. channel, so the new solution must be resistant to this attack vector. @cvium mentioned in https://github.com/jellyfin/jellyfin/pull/12074#issuecomment-2174448293 > […] Ideally, and this is just my opinion: > > 1. All images are proxied through the Jellyfin backend > > 2. Identify (and other remote download flows?) stores an ID per image > > 3. Remote image requests always use the ID and based on the ID, the server knows what to download and store > > > EDIT: This is a pretty big API breaking change, but ultimately the only reasonable (imo) fix for the security advisory. To ease clients into it, we could create a new set of endpoints. This issue exists to find the best way to solve it if cvium's solution is not enough, or for somebody qualified to undertake the "pretty big API breakage change" to have a reference and/or reminder that it needs fixing at some point. ### Reproduction Steps **Context**: Install an image provider that uses local images fetched from another local server. Make sure Jellyfin is using one route to the server that it's clients cannot resolve, and versa visa. Images returned from the provider is directly resolvable by Jellyfin's clients, but not by Jellyfin itself as a result, but the provider is able to resolve the image for Jellyfin. **What works**: 1. Open any entity in jellyfin. 2. Remove any existing images on the entity. 3. Click "Refresh metadata", then "Search for missing metadata" or "Replace all metadata", and **make sure** to enable "Replace existing images", to force it to download images. 4. Let it run. 5. No errors in the UI, and the log is not filled with errors 6. The entity have images again. **What doesn't work**: 1. Open any entity in Jellyfin 2. Remove any existing images on the entity. 3. Open "Edit Images", followed by searching for new images. Observe that the images are properly displaying in the "Search" modal. 4. Press "Download" on any of the images. 5. It errs out on the server side and the UI doesn't properly get rid of the loading animation. 6. Refresh to see that you still don't have images in the UI (since it erred out). ### Jellyfin Version 10.9.0 ### if other: _No response_ ### Environment ```markdown - OS: All - Linux Kernel: none - Virtualization: none - Clients: All - Browser: none - FFmpeg Version: N/A - Playback Method: none - Hardware Acceleration: none - GPU Model: none - Plugins: Any - Reverse Proxy: none - Base URL: none - Networking: Any - Storage: Any ``` ### Jellyfin logs ```shell [2024-06-10 17:24:17.925 -04:00] [ERR] [32] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/Items/afddb0774e997c04cbee139da8304d84/RemoteImages/Download". System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found). at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() at MediaBrowser.Providers.Manager.ProviderManager.SaveImage(BaseItem item, String url, ImageType type, Nullable`1 imageIndex, CancellationToken cancellationToken) at Jellyfin.Api.Controllers.RemoteImageController.DownloadRemoteImage(Guid itemId, ImageType type, String imageUrl) at lambda_method1269(Closure, Object) at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope) at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager) at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager) at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager) at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext) at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext) at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext) at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider) at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext) at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext) at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context) at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager) at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context) ``` ### FFmpeg logs _No response_ ### Please attach any browser or client logs here _No response_ ### Please attach any screenshots here _No response_ ### Code of Conduct - [x] I agree to follow this project's Code of Conduct
backuprepo added the
confirmed
bug
 labels 2025-12-22 03:27:19 +01:00
backuprepo commented 2025-12-22 03:27:21 +01:00
Author
Owner
Copy link

@jellyfin-bot commented on GitHub (Oct 19, 2024):

This issue has gone 120 days without an update and will be closed within 21 days if there is no new activity. To prevent this issue from being closed, please confirm the issue has not already been fixed by providing updated examples or logs.

If you have any questions you can use one of several ways to contact us.

@jellyfin-bot commented on GitHub (Oct 19, 2024): This issue has gone 120 days without an update and will be closed within 21 days if there is no new activity. To prevent this issue from being closed, please confirm the issue has not already been fixed by providing updated examples or logs. If you have any questions you can use one of several ways to [contact us](https://jellyfin.org/contact).
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
renovate/ci-deps
release-10.11.z
renovate/major-swashbuckle-aspnetcore-monorepo
renovate/svg.skia-3.x
explicit-load-v2
explicit-load
renovate/skiasharp-monorepo
only-count-folder-item
openapi-cache
release-10.10.z
release-10.9.z
feature/entity-framework
release-10.8.z
release-10.7.z
EraYaN-add-management-interface
release-10.6.z
release-10.5.z
release-10.4.z
release-10.3.z
release-10.2.z
release-10.1.0
v10.11.6
v10.11.5
v10.11.4
v10.11.3
v10.11.2
v10.11.1
v10.11.0
v10.11.0-rc9
v10.11.0-rc8
v10.11.0-rc7
v10.11.0-rc6
v10.11.0-rc5
v10.11.0-rc4
v10.11.0-rc3
v10.11.0-rc2
v10.11.0-rc1
v10.10.7
v10.10.6
v10.10.5
v10.10.4
v10.10.3
v10.10.2
v10.10.1
v10.10.0
v10.9.11
v10.9.10
v10.9.9
v10.9.8
v10.9.7
v10.9.6
v10.9.5
v10.9.4
v10.9.3
v10.9.2
v10.9.1
v10.9.0
v10.8.13
v10.8.12
v10.8.11
v10.8.10
v10.8.9
v10.8.8
v10.8.7
v10.8.6
v10.8.5
v10.8.4
v10.8.3
v10.8.2
v10.8.1
v10.8.0
v10.8.0-beta3
v10.8.0-beta2
v10.8.0-beta1
v10.8.0-alpha5
v10.8.0-alpha4
v10.8.0-alpha3
v10.8.0-alpha2
v10.8.0-alpha1
v10.7.7
v10.7.6
v10.7.5
v10.7.4
v10.7.3
v10.7.2
v10.7.1
v10.7.0
v10.7.0-rc4
v10.7.0-rc3
v10.7.0-rc2
v10.7.0-rc1
v10.6.4
v10.6.3
v10.6.2
v10.6.1
v10.6.0
v10.5.5
v10.5.4
v10.5.3
v10.5.2
v10.5.1
v10.5.0
v10.4.3
v10.4.2
v10.4.1
v10.4.0
v10.3.7
v10.3.6
v10.3.5
v10.3.4
v10.3.3
v10.3.2
v10.3.1
v10.3.0
v10.3.0-rc2
v10.3.0-rc1
v10.2.2
v10.2.1
v10.2.0
v10.1.0
v10.0.1
v10.0.0
v10.0.2
v3.5.2-5
Labels
Clear labels   
area:database

   
awaiting-feedback

   
backend

   
blocked

   
breaking change: web api

   
bug

   
build

   
ci

   
confirmed

   
discussion needed

   
dotnet future

   
downstream

   
duplicate

   
EFjellyfin.db

   
enhancement

   
feature

   
future

   
github-actions

   
good first issue

   
hdr

   
help wanted

   
invalid

   
investigation

   
librarydb

   
live-tv

   
lyrics

   
media playback

   
music

   
needs testing

   
nuget

   
performance

   
platform

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
regression

   
release critical

   
requires-web

   
roadmap

   
security

   
security

   
stale

   
support

   
syncplay

   
ui & ux

   
upstream

   
wontfix
No labels
area:database
awaiting-feedback
backend
blocked
breaking change: web api
bug
build
ci
confirmed
discussion needed
dotnet future
downstream
duplicate
EFjellyfin.db
enhancement
feature
future
github-actions
good first issue
hdr
help wanted
invalid
investigation
librarydb
live-tv
lyrics
media playback
music
needs testing
nuget
performance
platform
pull-request
question
regression
release critical
requires-web
roadmap
security
security
stale
support
syncplay
ui & ux
upstream
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: starred/jellyfin#6038
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?