fix GHSA-cw7j-v52w-fp5r: reflected-XSS through /?hc

2025-08-17 09:02:15 -06:00 · 2023-07-21 00:35:43 +00:00 · 2023-07-21 00:35:43 +00:00 · 0778da6c4d
parent a1bb10012d
commit 0778da6c4d
1 changed files with 4 additions and 2 deletions
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -2985,7 +2985,9 @@ class HttpCli(object):
            if self.args.rclone_mdns or not self.args.zm
            else self.conn.hsrv.nm.map(self.ip) or host
        )
-        vp = (self.uparam["hc"] or "").lstrip("/")
+        # safer than html_escape/quotep since this avoids both XSS and shell-stuff
+        pw = re.sub(r"[<>&$?`]", "_", self.pw or "pw")
+        vp = re.sub(r"[<>&$?`]", "_", self.uparam["hc"] or "").lstrip("/")
        html = self.j2s(
            "svcs",
            args=self.args,
@ -2998,7 +3000,7 @@ class HttpCli(object):
            host=host,
            hport=hport,
            aname=aname,
-            pw=self.pw or "pw",
+            pw=pw,
        )
        self.reply(html.encode("utf-8"))
        return True