Bump version to 3.3.7 and improve URL safety

Updated version references to 3.3.7 across the project. Enhanced _is_safe_url in app.py to better prevent unsafe redirects by handling backslashes and stricter path validation.

Author: dbccccccc

CHANGELOG.md

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.3.2-3.3.7] - 2025-10-21
+
+fixes and improvements since 3.3.1
+
 ## [3.3.1] - 2025-10-18
 
 ### Changed

pyproject.toml

@@ -86,7 +86,7 @@ ttsfm = "ttsfm.cli:main"
 version_scheme = "no-guess-dev"
 local_scheme = "no-local-version"
 
-fallback_version = "3.3.4"
+fallback_version = "3.3.7"
 [tool.setuptools]
 packages = ["ttsfm"]
 

ttsfm-web/app.py

@@ -295,9 +295,14 @@ def _is_safe_url(target: Optional[str]) -> bool:
     if not target:
         return False
 
+    # Replace backslashes to prevent bypass (browsers accept \ as /)
+    target = target.replace("\\", "")
+
     parsed = urlparse(target)
+    # Reject if scheme or netloc is present, or if it starts with //
     if parsed.scheme or parsed.netloc or target.startswith("//"):
         return False
+    # Only allow paths starting with /
     if not parsed.path.startswith("/"):
         return False
     joined = urljoin(request.host_url, target)
@@ -763,7 +768,7 @@ def get_status():
             {
                 "status": "online",
                 "tts_service": "openai.fm (free)",
-                "package_version": "3.3.1",
+                "package_version": "3.3.7",
                 "timestamp": datetime.now().isoformat(),
             }
         )
@@ -787,7 +792,7 @@ def get_status():
 def health_check():
     """Simple health check endpoint."""
     return jsonify(
-        {"status": "healthy", "package_version": "3.3.4", "timestamp": datetime.now().isoformat()}
+        {"status": "healthy", "package_version": "3.3.7", "timestamp": datetime.now().isoformat()}
     )
 
 

ttsfm-web/templates/base.html

@@ -88,7 +88,7 @@
             <a class="navbar-brand" href="{{ url_for('index') }}">
                 <i class="fas fa-microphone-alt me-2"></i>
                 <span class="fw-bold">TTSFM</span>
-                <span class="badge bg-primary ms-2 small">v3.3.4</span>
+                <span class="badge bg-primary ms-2 small">v3.3.7</span>
             </a>
 
             <button class="navbar-toggler border-0" type="button" data-bs-toggle="collapse" data-bs-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation">
@@ -159,7 +159,7 @@
                     <div class="d-flex align-items-center">
                         <i class="fas fa-microphone-alt me-2 text-primary"></i>
                         <strong class="text-dark">TTSFM</strong>
-                        <span class="ms-2 text-muted">v3.3.4</span>
+                        <span class="ms-2 text-muted">v3.3.7</span>
                     </div>
                 </div>
                 <div class="col-md-6 text-md-end">

ttsfm/__init__.py

@@ -62,7 +62,7 @@
 )
 from .utils import split_text_by_length, validate_text_length
 
-__version__ = "3.3.4"
+__version__ = "3.3.7"
 __author__ = "dbcccc"
 __email__ = "[email protected]"
 __description__ = "Text-to-Speech API Client with OpenAI compatibility"