From 043e3c7dd683113e2b1c15cacb9c8e68f76513ff Mon Sep 17 00:00:00 2001
From: ed
Date: Fri, 14 Jul 2023 15:55:49 +0000
Subject: [PATCH] fix traversal vulnerability GHSA-pxfv-7rr3-2qjg: the /.cpr endpoint allowed full access to server filesystem, unless mitigated by prisonparty

---
 copyparty/httpcli.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 5de3da00..e23f5fc9 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -42,6 +42,7 @@ from .util import (
     Pebkac,
     UnrecvEOF,
     alltrace,
+    absreal,
     atomic_move,
     exclude_dotfiles,
     fsenc,
@@ -779,7 +780,14 @@ class HttpCli(object):
             self.reply(b"", 301, headers=h)
             return True
 
-        static_path = os.path.join(self.E.mod, "web/", self.vpath[5:])
+        path_base = os.path.join(self.E.mod, "web")
+        static_path = absreal(os.path.join(path_base, self.vpath[5:]))
+        if not static_path.startswith(path_base):
+            t = "attempted path traversal [{}] => [{}]"
+            self.log(t.format(self.vpath, static_path), 1)
+            self.tx_404()
+            return False
+
         return self.tx_file(static_path)
 
         if "cf_challenge" in self.uparam:
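Review bot: The containment check `if not static_path.startswith(path_base):` in the second hunk is a bare string-prefix test, so a sibling directory whose name begins with `web` (for example `<mod>/web-extra`, a constructed name) would pass it, and `path_base` itself is never passed through `absreal`, so if `self.E.mod` contains a symlink or is not normalized the resolved `static_path` may not share its string prefix even for legitimate requests (assuming `absreal` resolves symlinks the way `os.path.realpath` does — not visible here). Canonicalize the base once and compare against the base plus a separator: `path_base = absreal(os.path.join(self.E.mod, "web"))` and `if not static_path.startswith(path_base + os.sep):`. The separator form also rejects a request that resolves to the base directory itself, which this endpoint presumably never serves as a file; confirm against the caller. The enclosing method of `HttpCli` starts before this hunk and continues after it.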