From 0778da6c4d04de870c61f970763a7b619094093c Mon Sep 17 00:00:00 2001
From: ed
Date: Fri, 21 Jul 2023 00:35:43 +0000
Subject: [PATCH] fix GHSA-cw7j-v52w-fp5r: reflected-XSS through /?hc
---
 copyparty/httpcli.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index c2aea8cc..bcbe5197 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -2985,7 +2985,9 @@ class HttpCli(object):
 if self.args.rclone_mdns or not self.args.zm
 else self.conn.hsrv.nm.map(self.ip) or host
 )
- vp = (self.uparam["hc"] or "").lstrip("/")
+ # safer than html_escape/quotep since this avoids both XSS and shell-stuff
+ pw = re.sub(r"[<>&$?`]", "_", self.pw or "pw")
+ vp = re.sub(r"[<>&$?`]", "_", self.uparam["hc"] or "").lstrip("/")
 html = self.j2s(
 "svcs",
 args=self.args,
@@ -2998,7 +3000,7 @@ class HttpCli(object):
 host=host,
 hport=hport,
 aname=aname,
- pw=self.pw or "pw",
+ pw=pw,
 )
 self.reply(html.encode("utf-8"))
 return True
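Review bot: The character class in the two added `re.sub` calls replaces `<`, `>`, `&`, `$`, `?` and the backtick, but leaves double quotes, single quotes and backslashes in `pw` and `vp` untouched. The svcs template is not part of this patch, so this is conditional: if it places either value inside a quoted HTML attribute or a quoted command example, a quote character can still close that context, and the added comment's claim of covering both XSS and shell use would not hold. I would extend the class to ``r"[<>&$?`\"'\\]"`` and define it once as a compiled module-level pattern, so the two call sites cannot drift apart. The comment should also state which output contexts the filter is meant to cover. The enclosing method of HttpCli starts and ends outside the hunk.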