fix GHSA-m2jw-cj8v-937r ;

this fixes a DOM-Based XSS when preparing files for upload;
empty files would have their filenames rendered as HTML in
a messagebox, making it possible to trick users into running
arbitrary javascript by giving them maliciously-named files

note that, being a general-purpose webserver, it is still
intentionally possible to upload and execute arbitrary
javascript, just not in this unexpected manner
This commit is contained in:
ed 2025-02-24 21:23:13 +00:00
parent 598a29a733
commit 438ea6ccb0


@ -1319,7 +1319,7 @@ function up2k_init(subtle) {
if (bad_files.length) { if (bad_files.length) {
var msg = L.u_badf.format(bad_files.length, ntot); var msg = L.u_badf.format(bad_files.length, ntot);
for (var a = 0, aa = Math.min(20, bad_files.length); a < aa; a++) for (var a = 0, aa = Math.min(20, bad_files.length); a < aa; a++)
msg += '-- ' + bad_files[a][1] + '\n'; msg += '-- ' + esc(bad_files[a][1]) + '\n';
msg += L.u_just1; msg += L.u_just1;
return modal.alert(msg, function () { return modal.alert(msg, function () {
@ -1331,7 +1331,7 @@ function up2k_init(subtle) {
if (nil_files.length) { if (nil_files.length) {
var msg = L.u_blankf.format(nil_files.length, ntot); var msg = L.u_blankf.format(nil_files.length, ntot);
for (var a = 0, aa = Math.min(20, nil_files.length); a < aa; a++) for (var a = 0, aa = Math.min(20, nil_files.length); a < aa; a++)
msg += '-- ' + nil_files[a][1] + '\n'; msg += '-- ' + esc(nil_files[a][1]) + '\n';
msg += L.u_just1; msg += L.u_just1;
return modal.confirm(msg, function () { return modal.confirm(msg, function () {
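Review bot: The `esc()` call on the changed line of each hunk is the only thing keeping a user-controlled filename out of the message markup, and nothing in the surrounding code records that, so a later addition (a third file list, or an extra field such as the file size appended to the same line) has no cue that `msg` is rendered as HTML. Add a comment above each loop, e.g. `// filenames are user-controlled and modal renders msg as HTML; keep esc()`, or better, move the shared loop into one small helper so the escaping lives in a single place, since both hunks build the same `'-- ' + name + '\n'` list with the same 20-entry cap from `bad_files` and `nil_files` respectively. Whether `esc()` handles quotes as well as angle brackets cannot be verified from this page; it is worth confirming, since the names end up inside the modal's HTML. up2k_init continues outside both hunks.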