From 26e18ae8008478ea374a40406d47c162f36fad4e Mon Sep 17 00:00:00 2001
From: ed <s@ocv.me>
Date: Wed, 12 May 2021 23:22:43 +0200
Subject: [PATCH] disallow uploading logues

---
 copyparty/httpcli.py | 4 +++-
 copyparty/szip.py    | 2 +-
 copyparty/up2k.py    | 2 +-
 copyparty/util.py    | 8 ++++----
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index d1816f96..e1d1d0d6 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -741,7 +741,9 @@ class HttpCli(object):
 
                 if p_file and not nullwrite:
                     fdir = os.path.join(vfs.realpath, rem)
-                    fname = sanitize_fn(p_file)
+                    fname = sanitize_fn(
+                        p_file, bad=[".prologue.html", ".epilogue.html"]
+                    )
 
                     if not os.path.isdir(fsenc(fdir)):
                         raise Pebkac(404, "that folder does not exist")
diff --git a/copyparty/szip.py b/copyparty/szip.py
index 1a3d360b..d3e5c088 100644
--- a/copyparty/szip.py
+++ b/copyparty/szip.py
@@ -87,7 +87,7 @@ def gen_hdr(h_pos, fn, sz, lastmod, utf8, crc32, pre_crc):
     ret += struct.pack("<LL", vsz, vsz)
 
     # windows support (the "?" replace below too)
-    fn = sanitize_fn(fn, "/")
+    fn = sanitize_fn(fn, ok="/")
     bfn = fn.encode("utf-8" if utf8 else "cp437", "replace").replace(b"?", b"_")
 
     z64_len = len(z64v) * 8 + 4 if z64v else 0
diff --git a/copyparty/up2k.py b/copyparty/up2k.py
index 6ede618b..c323a223 100644
--- a/copyparty/up2k.py
+++ b/copyparty/up2k.py
@@ -891,7 +891,7 @@ class Up2k(object):
             if cj["ptop"] not in self.registry:
                 raise Pebkac(410, "location unavailable")
 
-        cj["name"] = sanitize_fn(cj["name"])
+        cj["name"] = sanitize_fn(cj["name"], bad=[".prologue.html", ".epilogue.html"])
         cj["poke"] = time.time()
         wark = self._get_wark(cj)
         now = time.time()
diff --git a/copyparty/util.py b/copyparty/util.py
index 98902ae2..90983851 100644
--- a/copyparty/util.py
+++ b/copyparty/util.py
@@ -576,7 +576,7 @@ def undot(path):
     return "/".join(ret)
 
 
-def sanitize_fn(fn, ok=""):
+def sanitize_fn(fn, ok="", bad=[]):
     if "/" not in ok:
         fn = fn.replace("\\", "/").split("/")[-1]
 
@@ -595,12 +595,12 @@ def sanitize_fn(fn, ok=""):
         for bad, good in [x for x in remap if x[0] not in ok]:
             fn = fn.replace(bad, good)
 
-        bad = ["con", "prn", "aux", "nul"]
+        bad.extend(["con", "prn", "aux", "nul"])
         for n in range(1, 10):
             bad += "com{0} lpt{0}".format(n).split(" ")
 
-        if fn.lower() in bad:
-            fn = "_" + fn
+    if fn.lower() in bad:
+        fn = "_" + fn
 
     return fn.strip()