configurable x-forwarded-for

@9001 9001 released this 23 Sep 13:01
· 823 commits to hovudstraum since this release

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • rudimentary support for jython and graalpy, and directory tree sidebar in internet explorer 9 through 11, and firefox 10
    • all older browsers (ie4, ie6, ie8, Netscape) get basic html instead
  • #35 adds a hook which extends the message-to-serverlog feature so it writes the message to a textfile on the server

bugfixes

  • 163e3fc the x-forwarded-for header was ignored unless the nearest reverse-proxy connected from 127.0.0.1, which broke client IPs in containerized deployments
    • the serverlog will now explain how to trust the reverse-proxy to provide client IPs, but basically,
    • --xff-hdr specifies which header to read the client's real ip from
    • --xff-src is an allowlist of IP-addresses to trust that header from
  • a62f744 if copyparty was started while an external HDD was not connected, and that volume's index was stored elsewhere, then the index would get wiped (since all the files are gone)
  • 3b8f66c javascript could crash while uploading from a very unreliable internet connection
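An added example (not copyparty's own code) of the trust rule the two options above describe: the forwarded-for header is only honoured when the TCP peer is on an allowlist of proxies, and the address chain is walked from the proxy side so a client cannot place a fake address ahead of the trusted hops. The function names, the allowlist and the sample requests are constructed for illustration; only the idea of a configurable header name and a trusted-source list comes from the release notes.

```python
"""Resolve a client IP from a forwarded-for header only when the peer is trusted.

Added example, not copyparty's code. It models the two settings from the
release notes: a header name (cf. --xff-hdr) and an allowlist of proxy
addresses (cf. --xff-src). All names and sample data below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List


def build_allowlist(sources: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse allowlist entries; a bare address becomes a /32 or /128 network."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in sources]


def is_trusted(addr: str, allowlist) -> bool:
    """True if addr parses as an IP and falls inside any allowlisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def client_ip(peer: str, headers: Dict[str, str], xff_hdr: str, allowlist) -> str:
    """Return the address to log / rate-limit as the client.

    Rules:
      * if the TCP peer is not an allowlisted proxy, the header is ignored
        entirely: a direct client can write anything into it.
      * otherwise walk the chain from the right (the hop nearest to us),
        skipping trusted proxies; the first untrusted address is the client.
      * an empty or unparseable entry aborts the walk and we fall back to
        the peer address rather than trusting a half-valid header.
    """
    if not is_trusted(peer, allowlist):
        return peer
    # header names are case-insensitive in HTTP
    raw = next((v for k, v in headers.items() if k.lower() == xff_hdr.lower()), None)
    if raw is None:
        return peer
    hops = [h.strip() for h in raw.split(",")]
    if any(not h for h in hops):
        return peer
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not is_trusted(hop, allowlist):
            return hop
    # every hop was a trusted proxy (e.g. a health check from a proxy itself):
    # the leftmost entry is the originator
    return hops[0]


# constructed allowlist: the loopback address plus a private container range
ALLOWLIST = build_allowlist(["127.0.0.1", "172.16.0.0/12"])


def demo() -> Dict[str, str]:
    """Run a few constructed requests through the resolver; returns {case: ip}."""
    cases = {
        "proxied":   ("172.18.0.2",   {"X-Forwarded-For": "203.0.113.7"}),
        "two_hops":  ("172.18.0.2",   {"x-forwarded-for": "203.0.113.7, 172.18.0.3"}),
        "spoofed":   ("198.51.100.9", {"X-Forwarded-For": "127.0.0.1"}),
        "garbage":   ("172.18.0.2",   {"X-Forwarded-For": "203.0.113.7, <script>"}),
        "no_header": ("172.18.0.2",   {}),
    }
    return {
        name: client_ip(peer, hdrs, "X-Forwarded-For", ALLOWLIST)
        for name, (peer, hdrs) in cases.items()
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:10s} -> {ip}")
```

The "spoofed" case is the one the allowlist exists for: a host that is not a trusted proxy sends a header claiming to be 127.0.0.1, and the resolver logs the real peer instead. Walking the chain right-to-left matters once there is more than one proxy, since the leftmost entries are whatever the client chose to send.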

other changes

  • copyparty.exe: updated pillow to 10.0.1 which fixes the webp cve
  • alpine, which the docker images are based on, turns out to be fairly slow -- currently working on a new docker image (probably fedora-based) which will be 30% faster at analyzing multimedia files and in general 20% faster on average
