From d0aa20e17c037f1d67a2f1aae16f46c41427f32c Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 23 Jul 2023 15:43:38 +0000 Subject: [PATCH] v1.8.7 --- README.md | 4 +++- copyparty/__version__.py | 4 ++-- docs/changelog.md | 16 ++++++++++++++++ tests/util.py | 3 +++ 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a5ba600d..0d22b2c4 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ turn almost any device into a file server with resumable uploads/downloads using * [iOS shortcuts](#iOS-shortcuts) - there is no iPhone app, but * [performance](#performance) - defaults are usually fine - expect `8 GiB/s` download, `1 GiB/s` upload * [client-side](#client-side) - when uploading files -* [security](#security) - some notes on hardening +* [security](#security) - there is a [discord server](https://discord.gg/25J8CdTT6G) * [gotchas](#gotchas) - behavior that might be unexpected * [cors](#cors) - cross-site request config * [password hashing](#password-hashing) - you can hash passwords @@ -1537,6 +1537,8 @@ when uploading files, # security +there is a [discord server](https://discord.gg/25J8CdTT6G) with an `@everyone` for all important updates (at the lack of better ideas) + some notes on hardening * set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy) diff --git a/copyparty/__version__.py b/copyparty/__version__.py index 3896541b..7b56d9c2 100644 --- a/copyparty/__version__.py +++ b/copyparty/__version__.py @@ -1,8 +1,8 @@ # coding: utf-8 -VERSION = (1, 8, 6) +VERSION = (1, 8, 7) CODENAME = "argon" -BUILD_DT = (2023, 7, 21) +BUILD_DT = (2023, 7, 23) S_VERSION = ".".join(map(str, VERSION)) S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT) diff --git a/docs/changelog.md b/docs/changelog.md index a0ac551f..80b75c80 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -1,3 +1,19 @@ +▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ +# 2023-0721-0036 `v1.8.6` fix reflected XSS + +## bugfixes +* reflected XSS through `/?hc` (the optional subfolder parameter to the [connect](https://a.ocv.me/?hc) page) + * if someone tricked you into clicking `http://127.0.0.1:3923/?hc=` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account + * if you use a reverse proxy, you can check if you have been exploited like so: + * nginx: grep your logs for URLs containing `?hc=` with `<` somewhere in its value, for example using the following command: + ```bash + (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]' + ``` + * if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts + * thanks again to @TheHackyDog ! + + + ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ # 2023-0718-0746 `v1.8.4` range-select v2 diff --git a/tests/util.py b/tests/util.py index 9f4e42df..ccfb445a 100644 --- a/tests/util.py +++ b/tests/util.py @@ -1,4 +1,5 @@ import os +import re import sys import time import shutil @@ -179,6 +180,8 @@ class VHttpSrv(object): self.gpwd = Garda("") self.g404 = Garda("") + self.ptn_cc = re.compile(r"[\x00-\x1f]") + def cachebuster(self): return "a"
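Review bot: The new `self.ptn_cc = re.compile(r"[\x00-\x1f]")` on the `VHttpSrv` test double has no comment saying which server-side attribute it stands in for, so a reader cannot tell whether the pattern must stay byte-identical to the production regex or is only representative. I would add `# test double for the server's control-character filter; keep in sync with the production regex` above the assignment, since a stub that drifts from the real pattern makes the tests pass against behaviour the server no longer has. Note also that the class matches only C0 controls (0x00–0x1f): DEL (0x7f) and the C1 range are not covered, which is worth confirming against the server-side pattern if it is meant to neutralise header or log injection, rather than widening only the stub here. The enclosing method (presumably `__init__`) begins outside the hunk.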