the CVE-2023-37474 fix was overly strict; loosen

2026-01-13 07:51:50 +10:00 · 2023-07-23 11:31:11 +00:00
parent 007d948cb9
commit 2437a4e864
2 changed files with 17 additions and 4 deletions
--- a/copyparty/httpsrv.py
+++ b/copyparty/httpsrv.py
@@ -55,7 +55,6 @@ except SyntaxError:
    )
    sys.exit(1)

-from .bos import bos
 from .httpconn import HttpConn
 from .u2idx import U2idx
 from .util import (
@@ -66,6 +65,7 @@ from .util import (
    Magician,
    Netdev,
    NetMap,
+    absreal,
    ipnorm,
    min_ex,
    shut_socket,
@@ -139,6 +139,9 @@ class HttpSrv(object):
        zs = os.path.join(self.E.mod, "web", "deps", "prism.js.gz")
        self.prism = os.path.exists(zs)

+        self.statics: set[str] = set()
+        self._build_statics()
+
        self.ptn_cc = re.compile(r"[\x00-\x1f]")

        self.mallow = "GET HEAD POST PUT DELETE OPTIONS".split()
@@ -171,6 +174,14 @@ class HttpSrv(object):
        except:
            pass

+    def _build_statics(self) -> None:
+        for dp, _, df in os.walk(os.path.join(self.E.mod, "web")):
+            for fn in df:
+                ap = absreal(os.path.join(dp, fn))
+                self.statics.add(ap)
+                if ap.endswith(".gz") or ap.endswith(".br"):
+                    self.statics.add(ap[:-3])
+
    def set_netdevs(self, netdevs: dict[str, Netdev]) -> None:
        ips = set()
        for ip, _ in self.bound: