v1.8.8

9001 · Jul 25, 2023 · 999ee2e · 999ee2e
1 parent 1ff7f96
commit 999ee2e
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -109,7 +109,7 @@ just run **[copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/
 
 * or install through pypi: `python3 -m pip install --user -U copyparty`
 * or if you cannot install python, you can use [copyparty.exe](#copypartyexe) instead
-* or install [on arch](#arch-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package)
+* or install [on arch](#arch-package) ╱ [on fedora](#fedora-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package)
 * or if you are on android, [install copyparty in termux](#install-on-android)
 * or if you prefer to [use docker](./scripts/docker/) 🐋 you can do that too
   * docker has all deps built-in, so skip this step:

diff --git a/copyparty/__version__.py b/copyparty/__version__.py
@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 8, 7)
+VERSION = (1, 8, 8)
 CODENAME = "argon"
-BUILD_DT = (2023, 7, 23)
+BUILD_DT = (2023, 7, 25)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
@@ -692,7 +692,7 @@ def urlq(self, add: dict[str, str], rm: list[str]) -> str:
         return "?" + "&amp;".join(r)
 
     def ourlq(self) -> str:
-        skip = ("pw", "k")
+        skip = ("pw", "h", "k")
         ret = []
         for k, v in self.ouparam.items():
             if k in skip:

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -1,3 +1,23 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2023-0723-1543  `v1.8.7`  XSS for days
+
+at the lack of better ideas, there is now a [discord server](https://discord.gg/25J8CdTT6G) with an `@everyone` for all future important updates such as this one
+
+## bugfixes
+* reflected XSS through `/?k304` and `/?setck`
+  * if someone tricked you into clicking a URL containing a chain of `%0d` and `%0a` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
+  * if you use a reverse proxy, you can check if you have been exploited like so:
+    * nginx: grep your logs for URLs containing `%0d%0a%0d%0a`, for example using the following command:
+      ```bash
+      (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]'
+      ```
+  * if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
+  * huge thanks *again* to @TheHackyDog !
+* the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
+* fix mediaplayer spinlock if the server only has a single audio file
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2023-0721-0036  `v1.8.6`  fix reflected XSS