Add quote protection for password containing it (#858)

Co-authored-by: ilike2burnthing <59480337+ilike2burnthing@users.noreply.github.com>

.github/workflows/autotag.yml

@@ -1,4 +1,4 @@
-name: autotag
+name: Autotag
 
 on:
   push:
@@ -9,11 +9,10 @@ jobs:
   tag-release:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Auto Tag
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Auto Tag
         uses: Klemensas/action-autotag@stable
         with:
           GITHUB_TOKEN: "${{ secrets.GH_PAT }}"

.github/workflows/release-docker.yml

@@ -1,4 +1,4 @@
-name: release-docker
+name: Docker release
 
 on:
   push:
@@ -15,10 +15,10 @@ concurrency:
 jobs:
   build-docker-images:
     if: ${{ !github.event.pull_request.head.repo.fork }}
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v5
 
       - name: Downcase repo
         run: echo REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
@@ -43,8 +43,8 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
-        uses: docker/login-action@v3
         if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: release
+name: Release
 
 on:
   push:
@@ -8,12 +8,12 @@ on:
 jobs:
   create-release:
     name: Create release
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v5
         with:
-          fetch-depth: 0 # get all commits, branches and tags (required for the changelog)
+          fetch-depth: 0
 
       - name: Build changelog
         id: github_changelog
@@ -22,74 +22,45 @@ jobs:
           changelog="${changelog//'%'/'%25'}"
           changelog="${changelog//$'\n'/'%0A'}"
           changelog="${changelog//$'\r'/'%0D'}"
-          echo "##[set-output name=changelog;]${changelog}"
+          echo "changelog=${changelog}" >> $GITHUB_ENV
 
       - name: Create release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-          body: ${{ steps.github_changelog.outputs.changelog }}
-          draft: false
-          prerelease: false
+          name: ${{ github.ref }}
+          body: ${{ env.changelog }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
 
-  build-linux-package:
-    name: Build Linux binary
+  build-package:
+    name: Build binaries
     needs: create-release
-    runs-on: ubuntu-24.04
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v5
         with:
-          fetch-depth: 0 # get all commits, branches and tags (required for the changelog)
+          fetch-depth: 0
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.13"
 
       - name: Build artifacts
         run: |
           python -m pip install -r requirements.txt
-          python -m pip install pyinstaller==6.14.2
+          python -m pip install pyinstaller==6.16.0
           cd src
           python build_package.py
 
       - name: Upload release artifacts
-        uses: alexellis/upload-assets@0.4.1
+        uses: softprops/action-gh-release@v2
+        with:
+          files: ./dist/flaresolverr_*
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}
-        with:
-          asset_paths: '["./dist/flaresolverr_*"]'
-
-  build-windows-package:
-    name: Build Windows binary
-    needs: create-release
-    runs-on: windows-2022
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # get all commits, branches and tags (required for the changelog)
-
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.13"
-
-      - name: Build artifacts
-        run: |
-          python -m pip install -r requirements.txt
-          python -m pip install pyinstaller==6.14.2
-          cd src
-          python build_package.py
-
-      - name: Upload release artifacts
-        uses: alexellis/upload-assets@0.4.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
-        with:
-          asset_paths: '["./dist/flaresolverr_*"]'

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## v3.4.1 (2025/09/15)
+* Fix regex pattern syntax in utils.py
+* Change access denied title check to use startswith
+
 ## v3.4.0 (2025/08/25)
 * Modernize and upgrade application. Thanks @TheCrazyLex
 * Remove disable software rasterizer option for ARM builds. Thanks @smrodman83

Dockerfile

@@ -62,17 +62,17 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/usr/local/bin/python", "-u", "/app/flaresolverr.py"]
 
 # Local build
-# docker build -t ngosang/flaresolverr:3.4.0 .
-# docker run -p 8191:8191 ngosang/flaresolverr:3.4.0
+# docker build -t ngosang/flaresolverr:3.4.1 .
+# docker run -p 8191:8191 ngosang/flaresolverr:3.4.1
 
 # Multi-arch build
 # docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
 # docker buildx create --use
-# docker buildx build -t ngosang/flaresolverr:3.4.0 --platform linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8 .
+# docker buildx build -t ngosang/flaresolverr:3.4.1 --platform linux/386,linux/amd64,linux/arm/v7,linux/arm64/v8 .
 #   add --push to publish in DockerHub
 
 # Test multi-arch build
 # docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
 # docker buildx create --use
-# docker buildx build -t ngosang/flaresolverr:3.4.0 --platform linux/arm/v7 --load .
-# docker run -p 8191:8191 --platform linux/arm/v7 ngosang/flaresolverr:3.4.0
+# docker buildx build -t ngosang/flaresolverr:3.4.1 --platform linux/arm/v7 --load .
+# docker run -p 8191:8191 --platform linux/arm/v7 ngosang/flaresolverr:3.4.1

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Diego Heras (ngosang / ngosang@hotmail.es)
+Copyright (c) 2025 Diego Heras (ngosang / ngosang@hotmail.es)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -188,6 +188,7 @@ session. When you no longer need to use a session you should make sure to close
 | cookies             | Optional. Will be used by the headless browser. Eg: `"cookies": [{"name": "cookie1", "value": "value1"}, {"name": "cookie2", "value": "value2"}]`.                                                                                                                                                                                           |
 | returnOnlyCookies   | Optional, default false. Only returns the cookies. Response data, headers and other parts of the response are removed.                                                                                                                                                                                                                       |
 | proxy               | Optional, default disabled. Eg: `"proxy": {"url": "http://127.0.0.1:8888"}`. You must include the proxy schema in the URL: `http://`, `socks4://` or `socks5://`. Authorization (username/password) is not supported. (When the `session` parameter is set, the proxy is ignored; a session specific proxy can be set in `sessions.create`.) |
+| waitInSeconds       | Optional, default none. Length to wait in seconds after solving the challenge, and before returning the results. Useful to allow it to load dynamic content.                                                                                                                                                                        |
 
 > **Warning**
 > If you want to use Cloudflare clearance cookie in your scripts, make sure you use the FlareSolverr User-Agent too. If they don't match you will see the challenge.
@@ -265,6 +266,9 @@ This is the same as `request.get` but it takes one more param:
 |--------------------|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | LOG_LEVEL          | info                   | Verbosity of the logging. Use `LOG_LEVEL=debug` for more information.                                                                                         |
 | LOG_HTML           | false                  | Only for debugging. If `true` all HTML that passes through the proxy will be logged to the console in `debug` level.                                          |
+| PROXY_URL               | none                   | URL for proxy. Will be overwritten by `request` or `sessions` proxy, if used. Example: `http://127.0.0.1:8080`.                                                                                   |
+| PROXY_USERNAME               | none                   | Username for proxy. Will be overwritten by `request` or `sessions` proxy, if used. Example: `testuser`.                                                                                   |
+| PROXY_PASSWORD               | none                   | Password for proxy. Will be overwritten by `request` or `sessions` proxy, if used. Example: `testpass`.                                                                                   |
 | CAPTCHA_SOLVER     | none                   | Captcha solving method. It is used when a captcha is encountered. See the Captcha Solvers section.                                                            |
 | TZ                 | UTC                    | Timezone used in the logs and the web browser. Example: `TZ=Europe/London`.                                                                                   |
 | LANG               | none                   | Language used in the web browser. Example: `LANG=en_GB`.                                                                                   |
@@ -321,3 +325,4 @@ to the file name of one of the adapters inside the `/captcha` directory.
 ## Related projects
 
 * C# implementation => https://github.com/FlareSolverr/FlareSolverrSharp
+

package.json

@@ -1,6 +1,6 @@
 {
   "name": "flaresolverr",
-  "version": "3.4.0",
+  "version": "3.4.1",
   "description": "Proxy server to bypass Cloudflare protection",
   "author": "Diego Heras (ngosang / ngosang@hotmail.es)",
   "license": "MIT"

requirements.txt

@@ -1,14 +1,14 @@
 bottle==0.13.4
 waitress==3.0.2
-selenium==4.34.2
+selenium==4.35.0
 func-timeout==4.3.5
 prometheus-client==0.22.1
-# required by undetected_chromedriver
-requests==2.32.4
-certifi==2025.7.9
+# Required by undetected_chromedriver
+requests==2.32.5
+certifi==2025.8.3
 websockets==15.0.1
 packaging==25.0
-# only required for linux and macos
-xvfbwrapper==0.2.13; platform_system != "Windows"
-# only required for windows
+# Only required for Linux and macOS
+xvfbwrapper==0.2.14; platform_system != "Windows"
+# Only required for Windows
 pefile==2024.8.26; platform_system == "Windows"

src/dtos.py

@@ -43,6 +43,7 @@ class V1RequestBase(object):
     returnOnlyCookies: bool = None
     download: bool = None   # deprecated v2.0.0, not used
     returnRawHtml: bool = None  # deprecated v2.0.0, not used
+    waitInSeconds: int = None
 
     def __init__(self, _dict):
         self.__dict__.update(_dict)

src/flaresolverr.py

@@ -13,6 +13,10 @@ from dtos import V1RequestBase
 import flaresolverr_service
 import utils
 
+env_proxy_url = os.environ.get('PROXY_URL', None)
+env_proxy_username = os.environ.get('PROXY_USERNAME', None)
+env_proxy_password = os.environ.get('PROXY_PASSWORD', None)
+
 
 class JSONErrorBottle(Bottle):
     """
@@ -50,7 +54,14 @@ def controller_v1():
     """
     Controller v1
     """
-    req = V1RequestBase(request.json)
+    data = request.json or {}
+    if (('proxy' not in data or not data.get('proxy')) and env_proxy_url is not None and (env_proxy_username is None and env_proxy_password is None)):
+        logging.info('Using proxy URL ENV')
+        data['proxy'] = {"url": env_proxy_url}
+    if (('proxy' not in data or not data.get('proxy')) and env_proxy_url is not None and (env_proxy_username is not None or env_proxy_password is not None)):
+        logging.info('Using proxy URL, username & password ENVs')
+        data['proxy'] = {"url": env_proxy_url, "username": env_proxy_username, "password": env_proxy_password}
+    req = V1RequestBase(data)
     res = flaresolverr_service.controller_v1_endpoint(req)
     if res.__error_500__:
         response.status = 500

src/flaresolverr_service.py

@@ -315,7 +315,7 @@ def _evil_logic(req: V1RequestBase, driver: WebDriver, method: str) -> Challenge
 
     # find access denied titles
     for title in ACCESS_DENIED_TITLES:
-        if title == page_title:
+        if page_title.startswith(title):
             raise Exception('Cloudflare has blocked this request. '
                             'Probably your IP is banned for this site, check in your web browser.')
     # find access denied selectors
@@ -390,6 +390,11 @@ def _evil_logic(req: V1RequestBase, driver: WebDriver, method: str) -> Challenge
 
     if not req.returnOnlyCookies:
         challenge_res.headers = {}  # todo: fix, selenium not provides this info
+
+        if req.waitInSeconds and req.waitInSeconds > 0:
+            logging.info("Waiting " + str(req.waitInSeconds) + " seconds before returning the response...")
+            time.sleep(req.waitInSeconds)
+
         challenge_res.response = driver.page_source
 
     res.result = challenge_res
@@ -398,10 +403,10 @@ def _evil_logic(req: V1RequestBase, driver: WebDriver, method: str) -> Challenge
 
 def _post_request(req: V1RequestBase, driver: WebDriver):
     post_form = f'<form id="hackForm" action="{req.url}" method="POST">'
-    query_string = req.postData if req.postData[0] != '?' else req.postData[1:]
+    query_string = req.postData if req.postData and req.postData[0] != '?' else req.postData[1:] if req.postData else ''
     pairs = query_string.split('&')
     for pair in pairs:
-        parts = pair.split('=')
+        parts = pair.split('=', 1)
         # noinspection PyBroadException
         try:
             name = unquote(parts[0])
@@ -411,9 +416,11 @@ def _post_request(req: V1RequestBase, driver: WebDriver):
             continue
         # noinspection PyBroadException
         try:
-            value = unquote(parts[1])
+            value = unquote(parts[1]) if len(parts) > 1 else ''
         except Exception:
-            value = parts[1]
+            value = parts[1] if len(parts) > 1 else ''
+        # Protection of " character, for syntax
+        value=value.replace('"','&quot;')
         post_form += f'<input type="text" name="{escape(quote(name))}" value="{escape(quote(value))}"><br>'
     post_form += '</form>'
     html_content = f"""

src/utils.py

@@ -296,7 +296,7 @@ def extract_version_nt_folder() -> str:
             paths = [f.path for f in os.scandir(path) if f.is_dir()]
             for path in paths:
                 filename = os.path.basename(path)
-                pattern = '\d+\.\d+\.\d+\.\d+'
+                pattern = r'\d+\.\d+\.\d+\.\d+'
                 match = re.search(pattern, filename)
                 if match and match.group():
                     # Found a Chrome version.