v1.8.8
		
							parent
							
								
									1ff7f968e8
								
							
						
					
					
						commit
						999ee2e7bc
					
				| @ -109,7 +109,7 @@ just run **[copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/ | ||||
| 
 | ||||
| * or install through pypi: `python3 -m pip install --user -U copyparty` | ||||
| * or if you cannot install python, you can use [copyparty.exe](#copypartyexe) instead | ||||
| * or install [on arch](#arch-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package) | ||||
| * or install [on arch](#arch-package) ╱ [on fedora](#fedora-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package) | ||||
| * or if you are on android, [install copyparty in termux](#install-on-android) | ||||
| * or if you prefer to [use docker](./scripts/docker/) 🐋 you can do that too | ||||
|   * docker has all deps built-in, so skip this step: | ||||
|  | ||||
| @ -1,8 +1,8 @@ | ||||
| # coding: utf-8 | ||||
| 
 | ||||
| VERSION = (1, 8, 7) | ||||
| VERSION = (1, 8, 8) | ||||
| CODENAME = "argon" | ||||
| BUILD_DT = (2023, 7, 23) | ||||
| BUILD_DT = (2023, 7, 25) | ||||
| 
 | ||||
| S_VERSION = ".".join(map(str, VERSION)) | ||||
| S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT) | ||||
|  | ||||
| @ -692,7 +692,7 @@ class HttpCli(object): | ||||
|         return "?" + "&".join(r) | ||||
| 
 | ||||
|     def ourlq(self) -> str: | ||||
|         skip = ("pw", "k") | ||||
|         skip = ("pw", "h", "k") | ||||
|         ret = [] | ||||
|         for k, v in self.ouparam.items(): | ||||
|             if k in skip: | ||||
|  | ||||
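Review bot: The `skip` tuple in `ourlq` is a deny-list of query parameter names that are filtered out when the request's own parameters are re-serialized (the loop at `for k, v in self.ouparam.items():` tests `if k in skip:`), and nothing on the line records why `pw`, `k` and now `h` must not be carried over, so the next maintainer who adds a sensitive parameter has no pointer to this spot. A comment on the changed line, `skip = ("pw", "h", "k")  # never propagate these into generated links; extend when adding sensitive params`, would make the intent explicit. Since a deny-list passes through every name it does not mention, it is presumably worth a matching note wherever the query parameters are first parsed, pointing back here. The body of `ourlq` continues past the end of the hunk, so what happens to the remaining parameters is not visible.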
| @ -1,3 +1,23 @@ | ||||
| ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀   | ||||
| # 2023-0723-1543  `v1.8.7`  XSS for days | ||||
| 
 | ||||
| at the lack of better ideas, there is now a [discord server](https://discord.gg/25J8CdTT6G) with an `@everyone` for all future important updates such as this one | ||||
| 
 | ||||
| ## bugfixes | ||||
| * reflected XSS through `/?k304` and `/?setck` | ||||
|   * if someone tricked you into clicking a URL containing a chain of `%0d` and `%0a` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account | ||||
|   * if you use a reverse proxy, you can check if you have been exploited like so: | ||||
|     * nginx: grep your logs for URLs containing `%0d%0a%0d%0a`, for example using the following command: | ||||
|       ```bash | ||||
|       (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]' | ||||
|       ``` | ||||
|   * if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts | ||||
|   * huge thanks *again* to @TheHackyDog ! | ||||
| * the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py | ||||
| * fix mediaplayer spinlock if the server only has a single audio file | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀   | ||||
| # 2023-0721-0036  `v1.8.6`  fix reflected XSS | ||||
| 
 | ||||
|  | ||||