fix GHSA-62cr-6wp5-q43h: setck xss

copyparty/httpcli.py

@@ -178,6 +178,7 @@ RE_HTTP1 = re.compile(r"(GET|HEAD|POST|PUT) [^ ]+ HTTP/1.1$")
 RE_HR = re.compile(r"[<>\"'&]")
 RE_MDV = re.compile(r"(.*)\.([0-9]+\.[0-9]{3})(\.[Mm][Dd])$")
 RE_RSS_KW = re.compile(r"(\{[^} ]+\})")
+RE_SETCK = re.compile(r"[^0-9a-z=]")
 
 UPARAM_CC_OK = set("doc move tree".split())
 
@@ -650,7 +651,7 @@ class HttpCli(object):
                 self.loud_reply("cookie header too big", status=400)
                 return False
             zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
-            cookies = {k.strip(): unescape_cookie(zs) for k, zs in zsll}
+            cookies = {k.strip(): unescape_cookie(zs, k) for k, zs in zsll}
             cookie_pw = cookies.get("cppws" if self.is_https else "cppwd") or ""
             if "b" in cookies and "b" not in uparam:
                 uparam["b"] = cookies["b"]
@@ -5628,7 +5629,10 @@ class HttpCli(object):
         return True
 
     def setck(self) -> bool:
-        k, v = self.uparam["setck"].split("=", 1)
+        zs = self.uparam["setck"]
+        if len(zs) > 9 or RE_SETCK.search(zs):
+            raise Pebkac(400, "illegal value")
+        k, v = zs.split("=")
         t = 0 if v in ("", "x") else 86400 * 299
         ck = gencookie(k, v, self.args.R, True, False, t)
         self.out_headerlist.append(("Set-Cookie", ck))

copyparty/util.py

@@ -3439,8 +3439,10 @@ def rmdirs_up(top: str, stop: str) -> tuple[list[str], list[str]]:
     return [top] + ok, ng
 
 
-def unescape_cookie(orig: str) -> str:
+def unescape_cookie(orig: str, name: str) -> str:
     # mw=idk; doot=qwe%2Crty%3Basd+fgh%2Bjkl%25zxc%26vbn  # qwe,rty;asd fgh+jkl%zxc&vbn
+    if not name.startswith("cppw"):
+        orig = orig[:3]
     ret = []
     esc = ""
     for ch in orig: