Releases: 9001/copyparty

header auth

01 Dec 02:23

no vulnerabilities since 2023-07-23

new features

  • initial work on #62 (support identity providers, oauth/SSO/...); see readme
    • only authentication so far; no authorization yet, and users must exist in the copyparty config with bogus passwords
  • new option --ipa rejects connections from clients outside of a given allowlist of IP prefixes
  • environment variables can be used almost everywhere that takes a filesystem path; should make it way more comfy to write configs for docker / systemd
  • #59 added a basic docker-compose yaml and an example config
    • probably much room for improvement on everything docker still

bugfixes

  • the nftables-based port-forwarding in the systemd example was buggy; replaced with CAP_NET_BIND_SERVICE
  • palemoon-specific js crash if a text selection was dragged
  • text selection in messageboxes was jank

other changes

  • improved systemd example with hardening and a better example config
  • logfiles are flushed for every line written; can be disabled with --no-logflush for ~3% more performance best-case
  • iphones probably won't broadcast cover-art to car stereos over bluetooth anymore since the thingamajig in iOS that's in charge of that doesn't have cookie-access, and strapping in the auth is too funky so let's stop doing that b7723ac
    • can be remedied by enabling filekeys and granting unauthenticated people access that way, but that's too much effort for anyone to bother with I'm sure

in a bind

25 Nov 14:57

no vulnerabilities since 2023-07-23

new features

  • #63 the grid-view will open textfiles in the textfile viewer
  • prisonparty now accepts user/group names (in addition to IDs)

bugfixes

  • the Y hotkey (which turns all links into download links) didn't affect the grid-view
  • on some servers with unusual filesystem layouts (especially ubuntu-zfs), prisonparty would make an unholy mess of recursive bind-mounts, quickly running out of inodes and requiring a server reboot
    • added several safeguards to avoid anything like this in the future
      • mutex around jail setup/teardown to prevent racing other instances
      • verify jail status by inspecting /proc/mounts between each folder to bind
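An added illustration (not prisonparty's own code) of the second safeguard: parse /proc/mounts and re-read it before every single bind, so a target that is already a mountpoint is never bound a second time. Paths, the jail location and the mounts snapshot are constructed; the mutex around setup/teardown is not shown here.

```python
import re

def unescape_mount_field(s: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\040, \\011, \\012, \\134."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_mounts(text: str):
    """Return {mountpoint: (source, fstype)} from text in /proc/mounts format."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        src, mnt, fstype = (unescape_mount_field(p) for p in parts[:3])
        mounts[mnt] = (src, fstype)
    return mounts

def plan_binds(jail: str, folders, read_mounts):
    """Decide which folders still need to be bind-mounted into the jail.

    read_mounts() is called again before every folder, so a mountpoint that
    appeared since the previous check (a bind we just made, or another
    instance racing us) is never stacked with a second bind on top of it.
    Returns (folders still to bind, targets skipped because already mounted).
    """
    todo, skipped = [], []
    for folder in folders:
        target = jail.rstrip("/") + "/" + folder.lstrip("/")
        mounts = parse_mounts(read_mounts())   # fresh snapshot per folder
        if target in mounts:
            skipped.append(target)
        else:
            todo.append((folder, target))
    return todo, skipped

# Constructed /proc/mounts snapshot: a zfs root, and one folder already bound
# into the (hypothetical) jail at /var/lib/copyparty/jail from an earlier run.
SAMPLE_MOUNTS = """\
rpool/ROOT/ubuntu / zfs rw,relatime 0 0
/dev/sda1 /boot ext4 rw 0 0
rpool/data /srv/music zfs rw 0 0
rpool/data /var/lib/copyparty/jail/srv/music zfs rw 0 0
tmpfs /mnt/my\\040disk tmpfs rw 0 0
"""
```

Calling `plan_binds("/var/lib/copyparty/jail", ["/srv/music", "/srv/pics"], lambda: SAMPLE_MOUNTS)` binds only /srv/pics and reports the music target as skipped.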

nice

21 Nov 23:45

no vulnerabilities since 2023-07-23

new features

  • expensive subprocesses (ffmpeg, parsers, hooks) will run with nice to reduce cpu priority
    • ...so listening to flacs won't grind everything else to a halt

bugfixes

  • the "load more" search results button didn't disappear if you hit the serverside limit
  • the "show all" button for huge folders didn't disappear when navigating into a smaller folder
  • trying to play the previous track when you're already playing the first track in a folder would send you on a wild adventure

shadow filter

19 Nov 12:49

no vulnerabilities since 2023-07-23

bugfixes

  • #61 Mk.II: filter search results to also handle this issue in volumes where reindexing is disabled, or (spoiler warning:) a bug in the directory indexer prevents shadowed files from being forgotten
  • filekeys didn't always get included in the up2k UI for world-readable folders

cache invalidation

18 Nov 21:25

no vulnerabilities since 2023-07-23

bugfixes

  • #61 search results could contain stale records from overlapping volumes:
    • if volume /foo is indexed and then volume /foo/bar is later created, any files inside the bar subfolder would not become forgotten in /foo's database until something in /foo changes, which could be never
    • as a result, search results could show stale metadata from /foo's database regarding files in /foo/bar
    • fix this by dropping caches and reindexing if copyparty is started with a different list of volumes than last time
  • #60 client error when ctrl-clicking search results
  • icons for the close/more buttons in search results are now pillow-10.x compatible
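As an added example (not copyparty's own code) of the ownership rule behind both this #61 reindex fix and the Mk.II result filter in the 19 Nov release: a search hit is stale when its path now falls under a more specific volume than the database it came from, and a changed volume list since the last start is the trigger for a full reindex. Volume names and search hits are constructed.

```python
from pathlib import PurePosixPath

# Constructed: /foo was indexed first, then /foo/bar was created as its own volume.
VOLUMES = ["/foo", "/foo/bar"]

def owning_volume(vpath: str, volumes) -> str:
    """Return the most specific (longest) volume mountpoint containing vpath."""
    p = PurePosixPath(vpath)
    best = None
    for vol in volumes:
        v = PurePosixPath(vol)
        if p == v or v in p.parents:
            if best is None or len(v.parts) > len(best.parts):
                best = v
    if best is None:
        raise ValueError(f"{vpath} is not inside any volume")
    return str(best)

def filter_shadowed(records, volumes):
    """Drop search hits whose file is now owned by a more specific volume.

    Each record is (volume whose database produced it, path relative to it).
    A hit from /foo's database about bar/song.flac is stale once /foo/bar is
    a volume of its own: only /foo/bar's database is authoritative for it.
    """
    kept = []
    for vol, rel in records:
        full = str(PurePosixPath(vol) / rel)
        if owning_volume(full, volumes) == vol:
            kept.append((vol, rel))
    return kept

def volumes_changed(previous, current) -> bool:
    """Root-cause fix: a different volume list than last run means databases
    may hold records for paths they no longer own, so caches are dropped."""
    return sorted(set(previous)) != sorted(set(current))

# Constructed hits, as if merged from both volume databases.
HITS = [
    ("/foo", "readme.txt"),
    ("/foo", "bar/song.flac"),   # stale: /foo/bar now owns this file
    ("/foo/bar", "song.flac"),   # the authoritative record for the same file
]
```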

other changes

  • u2c.exe: upgraded certifi to version 2023.11.17

11-11

11 Nov 18:24

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • u2c.py / u2c.exe (the commandline uploader):
    • -x is now case-insensitive
    • if a file fails to upload after 30 attempts, give up (bitflips)
    • add 5 sec delay before reattempts (configurable with --cd)

bugfixes

  • clients could crash the file indexer by uploading and then instantly deleting files (as some webdav clients tend to do)
  • also fixed some upload error handling that broke during a refactoring in v1.9.16

other changes

  • upgraded pyftpdlib to v1.5.9

windedup

04 Nov 23:34

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

breaking changes

  • two of the prometheus metrics have changed slightly; see the breaking changes readme section
    • (i'm not familiar with prometheus so i'm not sure if this is a big deal)

new features

  • #58 versioned docker images! no longer just latest
  • browser: the mkdir feature now accepts foo/bar/qux and ../foo and /bar
  • add 14 more prometheus metrics; see readme for details
    • connections, requests, malicious requests, volume state, file hashing/analysis queues
  • catch some more malicious requests in the autoban filters
    • some malicious requests are now answered with HTTP 422, so that they count against --ban-422

bugfixes

  • windows: fix symlink-based upload deduplication
    • MS decided to make symlinks relative to working-directory rather than destination-path...
  • --stats would produce invalid metrics if a volume was offline
  • minor improvements to password hashing ux:
    • properly warn if --ah-cli or --ah-gen is used without --ah-alg
    • support ^D during --ah-cli
  • browser-ux / cosmetics:
    • fix toast/tooltip colors on splashpage
    • easier to do partial text selection inside links (search results, breadcrumbs, uploads)
    • more rclone-related hints on the connect-page

other changes

  • malformed http headers from clients are no longer included in the client error-message
    • just in case there are deployments with a reverse-proxy inserting interesting stuff on the way in
    • the serverlog still contains all the necessary info to debug your own clients
  • updated example nginx config to recover faster from brief server outages
    • the default value of fail_timeout (10sec) makes nginx cache the outage for longer than necessary

expand placeholder

24 Oct 17:06

made it just in time! (EDIT: nevermind, three of the containers didn't finish uploading to ghcr before takeoff ;_; all up now)

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • #56 placeholder variables in markdown documents and prologue/epilogue html files
    • default-disabled; must be enabled globally with --exp or per-volume with volflag exp
    • {{self.ip}} becomes the client IP; see /srv/expand/README.md for more examples
  • dynamic-range-compressor: reduced volume jumps between songs when enabled

bugfixes

  • v1.9.14 broke the scan volflag, causing volume rescans to happen every 10sec if enabled
    • its global counterpart --re-maxage was not affected

uptime

21 Oct 14:56

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • search for files by upload time
  • option to display upload time in directory listings
    • enable globally with -e2d -mte +.up_at or per-volume with volflags e2d,mte=+.up_at
    • has a ~17% performance impact on directory listings
  • dynamic range compressor in the audioplayer settings
  • --ban-404 is now default-enabled
    • the turbo-uploader will now un-turbo when necessary to avoid banning itself
    • this only affects accounts with permissions g, G, or h
      • accounts with read-access (which are able to see directory listings anyways) and accounts with write-only access are no longer affected by --ban-404 or --ban-url

bugfixes

  • #55 clients could hit the --ban-url filter when uploading over webdav
    • fixed by limiting --ban-404 and --ban-url to accounts with permission g, G, or h
  • fixed 20% performance drop in python 3.12 due to utcfromtimestamp deprecation
    • but 3.12.0 is still 5% slower than 3.11.6 for some reason
  • volume listing on startup would display some redundant info

other changes

  • timeout for unfinished uploads increased from 6 to 24 hours
    • and is now configurable with --snap-drop

more buttons

15 Oct 20:29

just adding requested features, nothing important

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • button 📅 in the uploader (default-enabled) sends your local last-modified timestamps to the server
    • when deselected, the files on the server will have the upload time as their timestamps instead
    • --u2ts specifies the default setting: c (client last-modified) or u (upload time), or fc / fu to force one of them
  • button full in the gridview decides if thumbnails should be center-cropped or not
    • --no-crop and the nocrop volflag now sets the default value of this instead of forcing the setting
    • thumbnail cleanup is now more granular, cleaning full-jpg separately from cropped-webp for example
  • set default sort order with --sort or volflag sort
    • one or more comma-separated values, for example tags/Circle,tags/.tn,tags/Artist,tags/Title,href
      • see the column header tooltips in the browser to know what names (id) to use
    • prefix a column name with - for descending sort
    • specifying a sort order in the client will override all server-defined ones
  • when visiting a read-only folder, the upload-or-filesearch toggle will remember its previous state and restore it when leaving the folder
    • much more intuitive, if anything about this UI can be called that...

bugfixes

  • iPhone: rare javascript panic when switching between safari and another app
  • ie9: file-rename ui was borked

other changes

  • copyparty.exe: upgrade to pillow 10.1 (which adds a new font for thumbnails in chrome)
    • still based on python 3.11.6 because 3.12 is currently slower than 3.11
