techwire/copyparty
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix GHSA-m2jw-cj8v-937r ;

Browse Source 
this fixes a DOM-Based XSS when preparing files for upload;
empty files would have their filenames rendered as HTML in
a messagebox, making it possible to trick users into running
arbitrary javascript by giving them maliciously-named files

note that, being a general-purpose webserver, it is still
intentionally possible to upload and execute arbitrary
javascript, just not in this unexpected manner
This commit is contained in:
ed 2025-02-24 21:23:13 +00:00
parent 598a29a733
commit 438ea6ccb0
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
copyparty/web/up2k.js
View File

@ -1319,7 +1319,7 @@ function up2k_init(subtle) {
if (bad_files.length) {
var msg = L.u_badf.format(bad_files.length, ntot);
for (var a = 0, aa = Math.min(20, bad_files.length); a < aa; a++)
msg += '-- ' + bad_files[a][1] + '\n';
msg += '-- ' + esc(bad_files[a][1]) + '\n';
msg += L.u_just1;
return modal.alert(msg, function () {
@ -1331,7 +1331,7 @@ function up2k_init(subtle) {
if (nil_files.length) {
var msg = L.u_blankf.format(nil_files.length, ntot);
for (var a = 0, aa = Math.min(20, nil_files.length); a < aa; a++)
msg += '-- ' + nil_files[a][1] + '\n';
msg += '-- ' + esc(nil_files[a][1]) + '\n';
msg += L.u_just1;
return modal.confirm(msg, function () {