v1.8.7

2025-08-17 17:12:13 -06:00 · 2023-07-23 15:43:38 +00:00 · 2023-07-23 15:43:38 +00:00 · d0aa20e17c
parent 1a658dedb7
commit d0aa20e17c
4 changed files with 24 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -84,7 +84,7 @@ turn almost any device into a file server with resumable uploads/downloads using
 * [iOS shortcuts](#iOS-shortcuts) - there is no iPhone app, but
 * [performance](#performance) - defaults are usually fine - expect `8 GiB/s` download, `1 GiB/s` upload
    * [client-side](#client-side) - when uploading files
-* [security](#security) - some notes on hardening
+* [security](#security) - there is a [discord server](https://discord.gg/25J8CdTT6G)
    * [gotchas](#gotchas) - behavior that might be unexpected
    * [cors](#cors) - cross-site request config
    * [password hashing](#password-hashing) - you can hash passwords
@ -1537,6 +1537,8 @@ when uploading files,

 # security

+there is a [discord server](https://discord.gg/25J8CdTT6G)  with an `@everyone` for all important updates (at the lack of better ideas)
+
 some notes on hardening

 * set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy)
--- a/copyparty/version.py
+++ b/copyparty/version.py
@ -1,8 +1,8 @@
 # coding: utf-8

-VERSION = (1, 8, 6)
+VERSION = (1, 8, 7)
 CODENAME = "argon"
-BUILD_DT = (2023, 7, 21)
+BUILD_DT = (2023, 7, 23)

 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -1,3 +1,19 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2023-0721-0036  `v1.8.6`  fix reflected XSS
+
+## bugfixes
+* reflected XSS through `/?hc` (the optional subfolder parameter to the [connect](https://a.ocv.me/?hc) page)
+  * if someone tricked you into clicking `http://127.0.0.1:3923/?hc=<script>alert(1)</script>` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
+  * if you use a reverse proxy, you can check if you have been exploited like so:
+    * nginx: grep your logs for URLs containing `?hc=` with `<` somewhere in its value, for example using the following command:
+      ```bash
+      (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]'
+      ```
+  * if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
+  * thanks again to @TheHackyDog !
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2023-0718-0746  `v1.8.4`  range-select v2

--- a/tests/util.py
+++ b/tests/util.py
@ -1,4 +1,5 @@
 import os
+import re
 import sys
 import time
 import shutil
@ -179,6 +180,8 @@ class VHttpSrv(object):
        self.gpwd = Garda("")
        self.g404 = Garda("")

+        self.ptn_cc = re.compile(r"[\x00-\x1f]")
+
    def cachebuster(self):
        return "a"