fix GHSA-cw7j-v52w-fp5r: reflected-XSS through /?hc
9001 committed Jul 21, 2023
1 parent a1bb100 commit 0778da6
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions copyparty/httpcli.py
Expand Up @@ -2985,7 +2985,9 @@ def tx_svcs(self) -> bool:
if self.args.rclone_mdns or not self.args.zm
else self.conn.hsrv.nm.map(self.ip) or host
)
vp = (self.uparam["hc"] or "").lstrip("/")
# safer than html_escape/quotep since this avoids both XSS and shell-stuff
pw = re.sub(r"[<>&$?`]", "_", self.pw or "pw")
vp = re.sub(r"[<>&$?`]", "_", self.uparam["hc"] or "").lstrip("/")
html = self.j2s(
"svcs",
args=self.args,
Expand All @@ -2998,7 +3000,7 @@ def tx_svcs(self) -> bool:
host=host,
hport=hport,
aname=aname,
pw=self.pw or "pw",
pw=pw,
)
self.reply(html.encode("utf-8"))
return True
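Review bot: The character class in the two new `re.sub` calls (`[<>&$?`]`) does not include `"` or `'`, so if the svcs template interpolates `pw` or `vp` inside a quoted HTML attribute or a JS string (cannot confirm from this hunk), either value can still terminate that context; a denylist is only as good as the rendering contexts it was written for. Context-aware escaping at the template layer (Jinja2 autoescape without `|safe`) is the robust fix; if the denylist is kept, at least extend it to cover quotes, e.g. `pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "pw")` and the same for `vp`, and compile the pattern once as a module-level constant rather than spelling it twice. The comment on the first added line should also name the contexts it is meant to protect (HTML text nodes and the copy-pasteable shell snippets), since "shell-stuff" does not tell a future reader which characters are safe to drop. tx_svcs's body begins before this hunk.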
