From 999ee2e7bc30739ff5e8e0eafa8bf6b974a0a979 Mon Sep 17 00:00:00 2001
From: ed
Date: Tue, 25 Jul 2023 15:50:48 +0000
Subject: [PATCH] v1.8.8
---
 README.md | 2 +-
 copyparty/__version__.py | 4 ++--
 copyparty/httpcli.py | 2 +-
 docs/changelog.md | 20 ++++++++++++++++++++
 4 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 0d22b2c4..d81d2ef6 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ just run **[copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/
 * or install through pypi: `python3 -m pip install --user -U copyparty`
 * or if you cannot install python, you can use [copyparty.exe](#copypartyexe) instead
-* or install [on arch](#arch-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package)
+* or install [on arch](#arch-package) ╱ [on fedora](#fedora-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package)
 * or if you are on android, [install copyparty in termux](#install-on-android)
 * or if you prefer to [use docker](./scripts/docker/) 🐋 you can do that too
 * docker has all deps built-in, so skip this step:
diff --git a/copyparty/__version__.py b/copyparty/__version__.py
index 7b56d9c2..78f7332e 100644
--- a/copyparty/__version__.py
+++ b/copyparty/__version__.py
@@ -1,8 +1,8 @@
 # coding: utf-8
-VERSION = (1, 8, 7)
+VERSION = (1, 8, 8)
 CODENAME = "argon"
-BUILD_DT = (2023, 7, 23)
+BUILD_DT = (2023, 7, 25)
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index b6c9caeb..0c324c7b 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -692,7 +692,7 @@ class HttpCli(object):
         return "?" + "&".join(r)
     def ourlq(self) -> str:
-        skip = ("pw", "k")
+        skip = ("pw", "h", "k")
         ret = []
         for k, v in self.ouparam.items():
             if k in skip:
diff --git a/docs/changelog.md b/docs/changelog.md
index 80b75c80..7b66619a 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
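Review bot: The `skip` tuple in `ourlq` now holds three bare keys with no comment saying why they must never be copied into the query string the method builds, and nothing in the hunk tells a reader what "h" or "k" denote ("pw" presumably being the password parameter). I would add a comment above the tuple, e.g. `# query params that must not be reflected into links we generate (credentials / per-request tokens) — extend this when adding such params`, hedged as above since the meaning of "h" and "k" is not visible here. If any other link-building helper in the file needs the same exclusions, hoisting the tuple to a module-level constant would keep the next addition from being missed in one place. `ourlq`'s body continues past the end of the hunk, and the `return "?" + "&".join(r)` context line belongs to a preceding method that starts outside it.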
@@ -1,3 +1,23 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+# 2023-0723-1543 `v1.8.7` XSS for days
+
+at the lack of better ideas, there is now a [discord server](https://discord.gg/25J8CdTT6G) with an `@everyone` for all future important updates such as this one
+
+## bugfixes
+* reflected XSS through `/?k304` and `/?setck`
+* if someone tricked you into clicking a URL containing a chain of `%0d` and `%0a` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
+* if you use a reverse proxy, you can check if you have been exploited like so:
+* nginx: grep your logs for URLs containing `%0d%0a%0d%0a`, for example using the following command:
+```bash
+(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]'
+```
+* if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
+* huge thanks *again* to @TheHackyDog !
+* the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
+* fix mediaplayer spinlock if the server only has a single audio file
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
 # 2023-0721-0036 `v1.8.6` fix reflected XSS