github ZL154/JellyfinSecurity v2.5.15

latest releases: v2.5.18, v2.5.17, v2.5.16...
15 days ago

v2.5.15 — Setup page survives reverse-proxy HTML rewriting

A targeted fix for #95. In-place upgrade from any 2.5.x — no schema or data migration, no config changes.

Fixed

  • The Setup page no longer breaks behind a reverse proxy that rewrites HTML (#95, chrisbehectik). If your proxy injects a browser-title/branding script with an nginx sub_filter on </head> (a common setup for rebranding "Jellyfin" in the tab), it was also matching the </head> that appeared inside one of the Setup page's own inline-JS strings (the recovery-codes print template). That injected a </script> mid-script, which prematurely closed the page's script element — dumping the rest of the page out as a wall of raw text and leaving sections like Linked Sign-In Methods stuck on "Loading…", so admins couldn't link a provider. The print template now builds every structural tag in split pieces, so no </head> / </title> / </style> / </script> ever appears as a literal substring for a proxy sub_filter (or another plugin's injection middleware) to latch onto.

Notes

  • This was the root cause behind the "I can't link an admin account from Setup" reports on #95 for users running Jellyfin behind a rewriting reverse proxy. If you hit the symptom, update and reload Setup; the page should render normally and the linked-providers list should load.
  • Supports Jellyfin 10.11.x (10.11.9 and newer). Sigstore-signed + SLSA build-provenance attested.

Don't miss a new JellyfinSecurity release

NewReleases is sending notifications on new releases.