fix GHSA-8mx2-rjh8-q3jq ;

this fixes a DOM-Based XSS in the recent-uploads page:

it was possible to execute arbitrary javascript by
tricking someone into visiting `/?ru&filter=</script>`

huge thanks to @Ju0x for finding and reporting this!
ed 2025-07-30 21:19:39 +00:00
parent b7ca6f4a66
commit a8705e611d
2 changed files with 6 additions and 1 deletions


@ -81,6 +81,7 @@ from .util import (
html_escape, html_escape,
humansize, humansize,
ipnorm, ipnorm,
json_hesc,
justcopy, justcopy,
load_resource, load_resource,
loadpy, loadpy,
@ -5595,7 +5596,7 @@ class HttpCli(object):
self.reply(jtxt.encode("utf-8", "replace"), mime="application/json") self.reply(jtxt.encode("utf-8", "replace"), mime="application/json")
return True return True
html = self.j2s("rups", this=self, v=jtxt) html = self.j2s("rups", this=self, v=json_hesc(jtxt))
self.reply(html.encode("utf-8"), status=200) self.reply(html.encode("utf-8"), status=200)
return True return True
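Review bot: The new `v=json_hesc(jtxt)` argument makes the JSON safe for exactly one context, verbatim insertion inside a `<script>` block, and the `rups` template that consumes it is not part of this diff, so nothing at the call site records that contract. A one-line comment would pin it for the next maintainer: `# jtxt is inlined raw inside <script> by rups; json_hesc keeps it JSON-equivalent while preventing <, > and & from closing the element`. The `application/json` reply two lines earlier needs no such treatment because it is never parsed as HTML. The enclosing HttpCli method starts before this hunk.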


@ -2253,6 +2253,10 @@ def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]:
return ret return ret
def json_hesc(s: str) -> str:
return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
def html_escape(s: str, quot: bool = False, crlf: bool = False) -> str: def html_escape(s: str, quot: bool = False, crlf: bool = False) -> str:
"""html.escape but also newlines""" """html.escape but also newlines"""
s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;") s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
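Review bot: `json_hesc` has no docstring, and its correctness rests on a property worth stating: `<`, `>` and `&` can only occur inside JSON string literals, so replacing them with `\uXXXX` escapes yields equivalent JSON that can no longer terminate an enclosing `<script>` element. Suggested docstring: `"""Escape a JSON document for inline use in a <script> block (JSON-equivalent; only string contents change)."""`. It may also be worth mapping U+2028 and U+2029, which are legal raw inside JSON strings but are line terminators in JavaScript source on engines predating ES2019: `.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")`. The `html_escape` definition that follows continues past the end of the hunk.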