mirror of
https://github.com/9001/copyparty.git
synced 2025-08-17 09:02:15 -06:00
block externally-hosted m3u files;
pointless security risk; made GHSA-9q4r-x2hj-jmvr much worse
parent
895880aeb0
commit
2228f81f94
|
@ -6046,6 +6046,7 @@ var showfile = (function () {
|
|||
m = /[?&](k=[^&#]+)/.exec(url);
|
||||
|
||||
url = url.split('?')[0] + (m ? '?' + m[1] : '');
|
||||
assert_vp(url);
|
||||
if (r.taildoc)
|
||||
return r.tail(url, no_push);
|
||||
|
||||
|
@ -7540,6 +7541,7 @@ function ev_load_m3u(e) {
|
|||
return false;
|
||||
}
|
||||
function load_m3u(url) {
|
||||
assert_vp(url);
|
||||
var xhr = new XHR();
|
||||
xhr.open('GET', url, true);
|
||||
xhr.onload = render_m3u;
|
||||
|
|
|
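Review bot: The new `assert_vp(url)` at the top of `load_m3u` vets only the URL the playlist is fetched from; whether the entries that `render_m3u` parses out of the response get the same check is not visible in this hunk. If those entries can be absolute URLs, they need the same guard before they reach the player, otherwise a locally hosted playlist can still point at external media. Both call sites would also benefit from a short comment saying why the check is there, for example `// same-origin only; externally-hosted documents/playlists are refused (GHSA-9q4r-x2hj-jmvr)`. The bodies of `showfile` and `load_m3u` continue outside the hunks shown, so how a thrown string is surfaced to the user cannot be judged from here.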
@ -383,8 +383,10 @@ if (!String.prototype.format)
|
|||
});
|
||||
};
|
||||
|
||||
var have_URL = false;
|
||||
try {
|
||||
new URL('/a/', 'https://a.com/');
|
||||
have_URL = true;
|
||||
}
|
||||
catch (ex) {
|
||||
console.log('ie11 shim URL()');
|
||||
|
@ -732,6 +734,16 @@ function makeSortable(table, cb) {
|
|||
}
|
||||
|
||||
|
||||
function assert_vp(path) {
|
||||
if (path.indexOf('//') + 1)
|
||||
throw 'nonlocal1: ' + path;
|
||||
|
||||
var o = window.location.origin;
|
||||
if (have_URL && (new URL(path, o)).origin != o)
|
||||
throw 'nonlocal2: ' + path;
|
||||
}
|
||||
|
||||
|
||||
function linksplit(rp, id) {
|
||||
var ret = [],
|
||||
apath = '/',
|
||||
|
|
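Review bot: In `assert_vp` the origin comparison runs only when `have_URL` is true, so on the path where the native `URL()` probe failed (the `ie11 shim URL()` branch above) the only guard left is the `//` substring test and the function fails open for anything that test does not cover. If every caller passes a root-relative path, which this hunk does not show, the fallback could fail closed with `if (!have_URL && (path.charAt(0) != '/' || path.indexOf('\\') + 1)) throw 'nonlocal0: ' + path;`. Separately, `path.indexOf('//') + 1` reads more plainly as `path.indexOf('//') >= 0`. A header comment such as `// throws unless path resolves to this page's own origin; see GHSA-9q4r-x2hj-jmvr` would record the contract for the next reader.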