From 2228f81f949bf05c943221381f46f1e66fb94c5e Mon Sep 17 00:00:00 2001
From: ed
Date: Sun, 27 Jul 2025 22:59:16 +0000
Subject: [PATCH] block externally-hosted m3u files; pointless security risk; made GHSA-9q4r-x2hj-jmvr much worse

---
 copyparty/web/browser.js |  2 ++
 copyparty/web/util.js    | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js
index 8820e3aa..ce204757 100644
--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@@ -6046,6 +6046,7 @@ var showfile = (function () {
         m = /[?&](k=[^&#]+)/.exec(url);
         url = url.split('?')[0] + (m ? '?' + m[1] : '');
+        assert_vp(url);
         if (r.taildoc) return r.tail(url, no_push);
@@ -7540,6 +7541,7 @@ function ev_load_m3u(e) {
     return false;
 }
 function load_m3u(url) {
+    assert_vp(url);
     var xhr = new XHR();
     xhr.open('GET', url, true);
     xhr.onload = render_m3u;
diff --git a/copyparty/web/util.js b/copyparty/web/util.js
index e5c3ff07..b246e145 100644
--- a/copyparty/web/util.js
+++ b/copyparty/web/util.js
@@ -383,8 +383,10 @@ if (!String.prototype.format)
         });
     };
+var have_URL = false;
 try {
     new URL('/a/', 'https://a.com/');
+    have_URL = true;
 } catch (ex) {
     console.log('ie11 shim URL()');
@@ -732,6 +734,16 @@ function makeSortable(table, cb) {
 }
+function assert_vp(path) {
+    if (path.indexOf('//') + 1) throw 'nonlocal1: ' + path;
+    var o = window.location.origin;
+    if (have_URL && (new URL(path, o)).origin != o) throw 'nonlocal2: ' + path;
+}
 function linksplit(rp, id) {
     var ret = [],
         apath = '/',
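Review bot: In load_m3u the new assert_vp(url) throws before the XHR is built, so if ev_load_m3u (whose body starts outside the hunk; only its closing `return false;` is visible) calls load_m3u and relies on that return value to cancel the click's default action, a rejected URL escapes the handler before `return false` runs and the browser is free to follow the original link. Call preventDefault on the event before invoking load_m3u, or wrap the call so the rejection stays inside the handler: `try { load_m3u(url); } catch (ex) { console.error(ex); }`. As written the only feedback on a blocked m3u is an uncaught exception in the console, which is presumably not what a user clicking a playlist expects; surfacing the message in the UI would make the block legible.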
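Review bot: The new `have_URL` flag turns true only when the native URL constructor accepts base-relative resolution, so on the IE11 shim path (presumably installed in the catch block, which is cut off by the hunk) assert_vp skips its origin comparison and relies solely on the `//` substring test. A reader would otherwise assume the shim makes URL() usable everywhere, so say why the flag stays false there: `// native URL() only; the ie11 shim is not relied on for .origin checks` on the `var have_URL = false;` line.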
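Review bot: The first test in assert_vp, `path.indexOf('//') + 1`, misses two forms that browsers resolve as a different origin: backslashes, which the URL parser treats as slashes for http(s) (`/\evil.example` and `https:\\evil.example` both resolve to a remote host), and scheme-only references such as `data:` or `javascript:` that contain no `//`. With `have_URL` true the origin comparison on the next line catches these, but on the shim path nonlocal1 is the only guard, so reject them explicitly: `if (path.indexOf('//') + 1 || path.indexOf('\\') + 1 || /^[a-z][a-z0-9+.-]*:/i.test(path)) throw 'nonlocal1: ' + path;` (the scheme regex matches exactly what the native parser would treat as a scheme, so it only rejects paths that nonlocal2 already rejects where URL() exists). Throwing a bare string also loses the stack trace and leaves `ex.message` undefined for any generic handler, so `throw new Error('nonlocal1: ' + path);` is preferable. Note too that `window.location.origin` is the string "null" on opaque origins (file:, sandboxed frames), where `new URL(path, o)` throws a TypeError for every path; worth confirming that is acceptable or guarding `o` before use.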