more escapes in case

2025-08-16 16:42:13 -06:00 · 2025-07-30 21:26:27 +00:00 · 2025-07-30 21:26:27 +00:00 · 13d5631b48
parent a8705e611d
commit 13d5631b48
4 changed files with 21 additions and 15 deletions
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@ -33,6 +33,7 @@ from .util import (
    afsenc,
    get_df,
    humansize,
+    json_hesc,
    min_ex,
    odfusion,
    read_utf8,
@ -2785,7 +2786,7 @@ class AuthSrv(object):
                "lifetime": vn.js_ls["lifetime"],
                "u2sort": self.args.u2sort,
            }
-            vn.js_htm = json.dumps(js_htm)
+            vn.js_htm = json_hesc(json.dumps(js_htm))

        vols = list(vfs.all_nodes.values())
        if enshare:
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -79,6 +79,7 @@ from .util import (
    hidedir,
    html_bescape,
    html_escape,
+    html_sh_esc,
    humansize,
    ipnorm,
    json_hesc,
@ -4912,11 +4913,8 @@ class HttpCli(object):
        else:
            rip = host

-        # safer than html_escape/quotep since this avoids both XSS and shell-stuff
-        pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "hunter2")
-        vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/")
-        pw = pw.replace(" ", "%20")
-        vp = vp.replace(" ", "%20")
+        vp = (self.uparam["hc"] or "").lstrip("/")
+        pw = self.pw or "hunter2"
        if pw in self.asrv.sesa:
            pw = "hunter2"

@ -4925,14 +4923,14 @@ class HttpCli(object):
            args=self.args,
            accs=bool(self.asrv.acct),
            s="s" if self.is_https else "",
-            rip=rip,
-            ep=ep,
-            vp=vp,
-            rvp=vjoin(self.args.R, vp),
-            host=host,
-            hport=hport,
+            rip=html_sh_esc(rip),
+            ep=html_sh_esc(ep),
+            vp=html_sh_esc(vp),
+            rvp=html_sh_esc(vjoin(self.args.R, vp)),
+            host=html_sh_esc(host),
+            hport=html_sh_esc(hport),
            aname=aname,
-            pw=pw,
+            pw=html_sh_esc(pw),
        )
        self.reply(html.encode("utf-8"))
        return True
--- a/copyparty/util.py
+++ b/copyparty/util.py
@ -244,6 +244,7 @@ except:


 RE_ANSI = re.compile("\033\\[[^mK]*[mK]")
+RE_HTML_SH = re.compile(r"[<>&$?`\"';]")
 RE_CTYPE = re.compile(r"^content-type: *([^; ]+)", re.IGNORECASE)
 RE_CDISP = re.compile(r"^content-disposition: *([^; ]+)", re.IGNORECASE)
 RE_CDISP_FIELD = re.compile(
@ -2253,6 +2254,12 @@ def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]:
    return ret


+def html_sh_esc(s: str) -> str:
+    s = re.sub(RE_HTML_SH, "_", s).replace(" ", "%20")
+    s = s.replace("\r", "_").replace("\n", "_")
+    return s
+
+
 def json_hesc(s: str) -> str:
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

--- a/copyparty/web/browser.html
+++ b/copyparty/web/browser.html
@ -109,8 +109,8 @@
 {%- for f in files %}
 <tr><td>{{ f.lead }}</td><td><a href="{{ f.href }}">{{ f.name|e }}</a></td><td>{{ f.sz }}</td>
 {%- if f.tags is defined %}
-	{%- for k in taglist %}<td>{{ f.tags[k] }}</td>{%- endfor %}
-{%- endif %}<td>{{ f.ext }}</td><td>{{ f.dt }}</td></tr>
+	{%- for k in taglist %}<td>{{ f.tags[k]|e }}</td>{%- endfor %}
+{%- endif %}<td>{{ f.ext|e }}</td><td>{{ f.dt }}</td></tr>
 {%- endfor %}

 		</tbody>