From 490c16b01dc8cf8d2b50a5983421bad8703b75c7 Mon Sep 17 00:00:00 2001
From: ed
Date: Sun, 23 Jul 2023 13:23:52 +0000
Subject: [PATCH] be even stricter with ?hc
---
 copyparty/httpcli.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 70cb7522..e5012d39 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -3008,8 +3008,10 @@ class HttpCli(object):
 else self.conn.hsrv.nm.map(self.ip) or host
 )
 # safer than html_escape/quotep since this avoids both XSS and shell-stuff
- pw = re.sub(r"[<>&$?`]", "_", self.pw or "pw")
- vp = re.sub(r"[<>&$?`]", "_", self.uparam["hc"] or "").lstrip("/")
+ pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "pw")
+ vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/")
+ pw = pw.replace(" ", "%20")
+ vp = vp.replace(" ", "%20")
 html = self.j2s(
 "svcs",
 args=self.args,
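Review bot: The two `re.sub` lines are still a denylist, so characters the new class does not name (`;`, `|`, `\`, `(`, `)`, `{`, `}`, `#`, `%`, newline and other control characters, non-ASCII) pass through into `pw` and `vp` untouched, and the comment above them claiming this "avoids both XSS and shell-stuff" overstates what the filter guarantees. The follow-up `.replace(" ", "%20")` suggests the values are rendered into URL-like strings, where a surviving `%` or `#` changes meaning; I cannot confirm the consuming template from the hunk. An allowlist is the robust form here and is a two-line change: `pw = re.sub(r"[^\w.~-]", "_", self.pw or "pw")` and `vp = re.sub(r"[^\w.~/-]", "_", self.uparam["hc"] or "").lstrip("/")`, after which the space replacement becomes unnecessary. If the denylist must stay, reword the comment to `# best-effort: strips the chars most likely to break html/url/shell contexts; not a full escape` so the next reader does not rely on it. The enclosing method begins and ends outside the hunk.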