mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

be even stricter with ?hc

Browse source
This commit is contained in:
ed 2023-07-23 13:23:52 +00:00
parent 2437a4e864
commit 490c16b01d
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
copyparty/httpcli.py
View file

@ -3008,8 +3008,10 @@ class HttpCli(object):
else self.conn.hsrv.nm.map(self.ip) or host else self.conn.hsrv.nm.map(self.ip) or host
) )
# safer than html_escape/quotep since this avoids both XSS and shell-stuff # safer than html_escape/quotep since this avoids both XSS and shell-stuff
pw = re.sub(r"[<>&$?`]", "_", self.pw or "pw") pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "pw")
vp = re.sub(r"[<>&$?`]", "_", self.uparam["hc"] or "").lstrip("/") vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/")
pw = pw.replace(" ", "%20")
vp = vp.replace(" ", "%20")
html = self.j2s( html = self.j2s(
"svcs", "svcs",
args=self.args, args=self.args,