mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 00:52:16 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

more escapes in case

Browse source
This commit is contained in:
ed 2025-07-30 21:26:27 +00:00
parent a8705e611d
commit 13d5631b48
4 changed files with 21 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
copyparty/authsrv.py
View file

@ -33,6 +33,7 @@ from .util import (
afsenc, afsenc,
get_df, get_df,
humansize, humansize,
json_hesc,
min_ex, min_ex,
odfusion, odfusion,
read_utf8, read_utf8,
@ -2785,7 +2786,7 @@ class AuthSrv(object):
"lifetime": vn.js_ls["lifetime"], "lifetime": vn.js_ls["lifetime"],
"u2sort": self.args.u2sort, "u2sort": self.args.u2sort,
} }
vn.js_htm = json.dumps(js_htm) vn.js_htm = json_hesc(json.dumps(js_htm))
vols = list(vfs.all_nodes.values()) vols = list(vfs.all_nodes.values())
if enshare: if enshare:

22
copyparty/httpcli.py
View file

@ -79,6 +79,7 @@ from .util import (
hidedir, hidedir,
html_bescape, html_bescape,
html_escape, html_escape,
html_sh_esc,
humansize, humansize,
ipnorm, ipnorm,
json_hesc, json_hesc,
@ -4912,11 +4913,8 @@ class HttpCli(object):
else: else:
rip = host rip = host
# safer than html_escape/quotep since this avoids both XSS and shell-stuff vp = (self.uparam["hc"] or "").lstrip("/")
pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "hunter2") pw = self.pw or "hunter2"
vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/")
pw = pw.replace(" ", "%20")
vp = vp.replace(" ", "%20")
if pw in self.asrv.sesa: if pw in self.asrv.sesa:
pw = "hunter2" pw = "hunter2"
@ -4925,14 +4923,14 @@ class HttpCli(object):
args=self.args, args=self.args,
accs=bool(self.asrv.acct), accs=bool(self.asrv.acct),
s="s" if self.is_https else "", s="s" if self.is_https else "",
rip=rip, rip=html_sh_esc(rip),
ep=ep, ep=html_sh_esc(ep),
vp=vp, vp=html_sh_esc(vp),
rvp=vjoin(self.args.R, vp), rvp=html_sh_esc(vjoin(self.args.R, vp)),
host=host, host=html_sh_esc(host),
hport=hport, hport=html_sh_esc(hport),
aname=aname, aname=aname,
pw=pw, pw=html_sh_esc(pw),
) )
self.reply(html.encode("utf-8")) self.reply(html.encode("utf-8"))
return True return True

7
copyparty/util.py
View file

@ -244,6 +244,7 @@ except:
RE_ANSI = re.compile("\033\\[[^mK]*[mK]") RE_ANSI = re.compile("\033\\[[^mK]*[mK]")
RE_HTML_SH = re.compile(r"[<>&$?`\"';]")
RE_CTYPE = re.compile(r"^content-type: *([^; ]+)", re.IGNORECASE) RE_CTYPE = re.compile(r"^content-type: *([^; ]+)", re.IGNORECASE)
RE_CDISP = re.compile(r"^content-disposition: *([^; ]+)", re.IGNORECASE) RE_CDISP = re.compile(r"^content-disposition: *([^; ]+)", re.IGNORECASE)
RE_CDISP_FIELD = re.compile( RE_CDISP_FIELD = re.compile(
@ -2253,6 +2254,12 @@ def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]:
return ret return ret
def html_sh_esc(s: str) -> str:
s = re.sub(RE_HTML_SH, "_", s).replace(" ", "%20")
s = s.replace("\r", "_").replace("\n", "_")
return s
def json_hesc(s: str) -> str: def json_hesc(s: str) -> str:
return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026") return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

4
copyparty/web/browser.html
View file

@ -109,8 +109,8 @@
{%- for f in files %} {%- for f in files %}
<tr><td>{{ f.lead }}</td><td><a href="{{ f.href }}">{{ f.name|e }}</a></td><td>{{ f.sz }}</td> <tr><td>{{ f.lead }}</td><td><a href="{{ f.href }}">{{ f.name|e }}</a></td><td>{{ f.sz }}</td>
{%- if f.tags is defined %} {%- if f.tags is defined %}
{%- for k in taglist %}<td>{{ f.tags[k] }}</td>{%- endfor %} {%- for k in taglist %}<td>{{ f.tags[k]|e }}</td>{%- endfor %}
{%- endif %}<td>{{ f.ext }}</td><td>{{ f.dt }}</td></tr> {%- endif %}<td>{{ f.ext|e }}</td><td>{{ f.dt }}</td></tr>
{%- endfor %} {%- endfor %}
</tbody> </tbody>