Releases: 9001/copyparty

more buttons

15 Oct 20:29

just adding requested features, nothing important

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • button 📅 in the uploader (default-enabled) sends your local last-modified timestamps to the server
    • when deselected, the files on the server will have the upload time as their timestamps instead
    • --u2ts sets the default: c for client last-modified, u for upload time; fc or fu forces the setting instead of just defaulting it
  • button full in the gridview decides if thumbnails should be center-cropped or not
    • --no-crop and the nocrop volflag now sets the default value of this instead of forcing the setting
    • thumbnail cleanup is now more granular, cleaning full-jpg separately from cropped-webp for example
  • set default sort order with --sort or volflag sort
    • one or more comma-separated values, for example tags/Circle,tags/.tn,tags/Artist,tags/Title,href
      • see the column header tooltips in the browser to know what names (id) to use
    • prefix a column name with - for descending sort
    • specifying a sort order in the client will override all server-defined ones
  • when visiting a read-only folder, the upload-or-filesearch toggle will remember its previous state and restore it when leaving the folder
    • much more intuitive, if anything about this UI can be called that...

bugfixes

  • iPhone: rare javascript panic when switching between safari and another app
  • ie9: file-rename ui was borked

other changes

  • copyparty.exe: upgrade to pillow 10.1 (which adds a new font for thumbnails in chrome)
    • still based on python 3.11.6 because 3.12 is currently slower than 3.11

bustin'

09 Oct 00:57

okay, i swear this is the last version for weeks! probably

bugfixes

  • cachebuster didn't apply to dynamically loaded javascript files
    • READMEs could fail to render with ReferenceError: DOMPurify is not defined after upgrading from a copyparty older than v1.9.2

badpwd

08 Oct 21:17

new features

  • argument --log-badpwd specifies how to log invalid login attempts:
    • 0 = just a warning with no further information
    • 1 = log incorrect password in plaintext (default)
    • 2 = log sha512 hash of the incorrect password
    • 1 and 2 are convenient for stuff like setting up autoban triggers for common passwords using fail2ban or similar
      • keep in mind that a failed attempt is often a real user mistyping their actual password, so mode 1 puts near-valid credentials into the serverlog; mode 2 avoids that while still letting you match a wordlist, by hashing the wordlist instead of the log
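
As an added example (not copyparty's code; the log wording, the wordlist and the fail2ban line shape are constructed for illustration, since the real log format is not shown on this page), here is what the three modes put in the log and how a mode-2 line can still drive a common-password autoban by hashing the wordlist rather than logging the password:

```python
import hashlib
import re

# Constructed for this example: a few passwords an attacker would typically
# spray. In a real setup this would come from a wordlist file.
COMMON_PASSWORDS = ["123456", "password", "admin", "qwerty", "letmein"]

# Constructed log wording; copyparty's real line format is not shown on this page.
MARKER = {0: "invalid password", 1: "invalid password: ", 2: "invalid password sha512: "}


def sha512_hex(pwd: str) -> str:
    return hashlib.sha512(pwd.encode("utf-8")).hexdigest()


def badpwd_logline(pwd: str, mode: int) -> str:
    """What each --log-badpwd mode would put in the log for a failed attempt."""
    if mode == 0:
        return MARKER[0]
    if mode == 1:
        return MARKER[1] + pwd          # cleartext: a typo of a real password lands in the log
    if mode == 2:
        return MARKER[2] + sha512_hex(pwd)
    raise ValueError("mode must be 0, 1 or 2")


def wordlist_hashes(words):
    """Hash the wordlist once; matching then works on mode-2 lines without cleartext."""
    return {sha512_hex(w) for w in words}


def is_common_attempt(logline: str, hashes) -> bool:
    """Detection over a mode-2 line: did the attacker try a wordlist password?"""
    if MARKER[2] not in logline:
        return False
    digest = logline.split(MARKER[2], 1)[1].strip()
    return digest in hashes


def fail2ban_failregex(words) -> str:
    """Build a fail2ban-style failregex that fires only for wordlist hashes.
    The surrounding line shape and the <HOST> placement are assumed."""
    alt = "|".join(sorted(wordlist_hashes(words)))
    return r"^.*<HOST>.*" + re.escape(MARKER[2]) + "(?:" + alt + r")\s*$"


def regex_matches(failregex: str, logline: str, host: str) -> bool:
    """Check a line the way fail2ban would after substituting <HOST>."""
    pattern = failregex.replace("<HOST>", re.escape(host))
    return re.match(pattern, logline) is not None
```

The regex only bans on hashes of known-bad passwords, so a legitimate user fumbling a strong password neither gets banned nor gets that password written to disk.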

bugfixes

  • none!
    • the formerly mentioned caching-directives bug turned out to be unreachable... oh well, better safe than sorry

fix cross-volume dedup moves

07 Oct 23:01

bugfixes

  • v1.6.2 introduced a bug which, when moving files between volumes, could cause the move operation to abort when it encounters a deduplicated file

static filekeys

06 Oct 18:25

new features

  • #52 add alternative filekey generator:
    • volflag fka changes the calculation to ignore filesize and inode-number, only caring about the absolute-path on the filesystem and the --fk-salt
    • good for linking to markdown files which might be edited, but reduces security a tiny bit: the key stays valid when the file at that path is edited or replaced, so anyone holding an old link can read whatever is there now
  • add warning on startup if --fk-salt is too weak (for example when it was upgraded from before v1.7.6)
    • removed the filekey upgrade feature to ensure a weak fk-salt is not selected; a new filekey will be generated from scratch on startup if necessary
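
An added illustration of the trade-off above (not copyparty's own filekey formula, which this page does not show): a keyed hash over the inputs the release names, in both the default and the fka form, plus the kind of weak-salt check and fresh-salt generation a startup path would do. The HMAC-SHA512 construction, the 8-byte truncation and the 16-character weakness threshold are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class FileInfo:
    """The per-file inputs the release mentions."""
    abspath: str
    size: int
    inode: int


def filekey(fk_salt: str, fi: FileInfo, fka: bool = False, nbytes: int = 8) -> str:
    """Derive a filekey for one file.

    Default mode binds the key to path, size and inode, so it changes whenever
    the file is rewritten or replaced. With fka only the path is bound, so the
    key is stable across edits. The construction (HMAC-SHA512 truncated to
    nbytes, urlsafe base64) is an illustration, not copyparty's formula.
    """
    if fka:
        msg = fi.abspath
    else:
        msg = "%s\n%d\n%d" % (fi.abspath, fi.size, fi.inode)
    mac = hmac.new(fk_salt.encode("utf-8"), msg.encode("utf-8"), hashlib.sha512).digest()
    return base64.urlsafe_b64encode(mac[:nbytes]).decode("ascii").rstrip("=")


def salt_is_weak(fk_salt: str, min_len: int = 16) -> bool:
    """Startup check. The length threshold is an assumption for this example."""
    return len(fk_salt) < min_len


def fresh_salt(nbytes: int = 24) -> str:
    """Generate a replacement salt from the OS CSPRNG rather than upgrading a weak one."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def key_survives_edit(fk_salt: str, before: FileInfo, after: FileInfo, fka: bool) -> bool:
    """True if a link minted for `before` still opens `after` (same path, new contents)."""
    return filekey(fk_salt, before, fka) == filekey(fk_salt, after, fka)
```

Regenerating the salt invalidates every existing filekey link, which is the price of refusing to carry a weak salt forward.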

other changes

  • pyftpdlib upgraded to 1.5.8
  • copyparty.exe built on python 3.11.6

better column hider

30 Sep 23:59

new features

  • column hiding on phones is much more intuitive
    • since you usually want to hide multiple columns, the hiding mode must now be manually disengaged
    • click-handler now covers the entire header cell, preventing a misclick from accidentally sorting the table instead

bugfixes

  • #51 running copyparty with an invalid value for --lang made it crash with a confusing error message
    • also makes it more compatible with other localStorage-using webservices running on the same domain

other changes

  • CVE-2023-5217, a vulnerability in libvpx, was fixed by alpine recently and no longer present in the docker images
    • unlike the fix in v1.9.6, this is irrelevant since it was impossible to reach in all conceivable setups, but still nice

configurable x-forwarded-for

23 Sep 13:01

new features

  • rudimentary support for jython and graalpy, and directory tree sidebar in internet explorer 9 through 11, and firefox 10
    • all older browsers (ie4, ie6, ie8, Netscape) get basic html instead
  • #35 adds a hook which extends the message-to-serverlog feature so it writes the message to a textfile on the server

bugfixes

  • 163e3fc the x-forwarded-for header was ignored if the nearest reverse-proxy is not asking from 127.0.0.1, which broke client IPs in containerized deployments
    • the serverlog will now explain how to trust the reverse-proxy to provide client IPs, but basically,
    • --xff-hdr specifies which header to read the client's real ip from
    • --xff-src is an allowlist of IP-addresses to trust that header from; the header is only honored when the connection actually comes from one of those addresses, so list only your own proxies (if a client can connect from an allowlisted address, it gets to choose the IP that is logged and banned)
  • a62f744 if copyparty was started while an external HDD was not connected, and that volume's index was stored elsewhere, then the index would get wiped (since all the files are gone)
  • 3b8f66c javascript could crash while uploading from a very unreliable internet connection
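
An added example of the trust rule those two flags express, written here for illustration rather than taken from copyparty (CIDR prefixes in the allowlist and the walk through a multi-hop header are extensions of mine; the release only says IP addresses):

```python
import ipaddress


def parse_allowlist(xff_src: str):
    """Parse an --xff-src style list. Comma-separated; each entry is an IP
    address or (an extension for this example) a CIDR prefix such as
    172.16.0.0/12, which is what a docker bridge network usually needs."""
    nets = []
    for item in xff_src.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _trusted(ip, nets) -> bool:
    return any(ip in net for net in nets)


def client_ip(peer_ip: str, headers: dict, allow, xff_hdr: str = "X-Forwarded-For") -> str:
    """Pick the address that logs and autoban should attribute a request to.

    The forwarded header is honoured only when the TCP peer is an allowlisted
    proxy; an untrusted peer's header is ignored outright, because any client
    can send one. The header may be a chain "client, proxy1, proxy2" where each
    proxy appended the peer it saw, so it is walked from the right, skipping
    hops we trust; the first untrusted hop is the client. Anything malformed
    falls back to the peer address, which cannot be forged at this layer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _trusted(peer, allow):
        return peer_ip
    hdrs = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in hdrs.get(xff_hdr.lower(), "").split(",") if h.strip()]
    try:
        for hop in reversed(hops):
            ip = ipaddress.ip_address(hop)
            if not _trusted(ip, allow):
                return str(ip)
    except ValueError:
        return peer_ip
    return peer_ip
```

With the allowlist limited to 127.0.0.1, a proxy connecting from a docker bridge address such as 172.17.0.1 falls back to the proxy's own address, which is the symptom the bugfix describes; widening the allowlist to the proxy's network fixes that without ever trusting the header from an arbitrary internet peer.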

other changes

  • copyparty.exe: updated pillow to 10.0.1 which fixes the webp cve
  • alpine, which the docker images are based on, turns out to be fairly slow -- currently working on a new docker image (probably fedora-based) which will be 30% faster at analyzing multimedia files and in general 20% faster on average

webhotell

09 Sep 14:19

happy 9/9!

new features

  • new permission h disables directory listing (so works like g) except it redirects to the folder's index.html instead of 404
    • index.html is accessible by anyone with h even if filekeys are enabled
    • well suited for running a shared-webhosting gig (thx kipu) especially now that the...
  • markdown editor can now be used on non-markdown files if account has write and delete
    • hotkey e to edit a textfile while it's open in the textfile viewer
  • SMB: account permissions now work fully as intended, thanks to impacket 0.11
    • but enabling --smb is still strongly discouraged as it's a massive security hazard
  • download-as-zip can be 2.5x faster on tiny files, at least 15% faster in general
  • download folders as pax-format tarfiles with ?tar=pax or ?tar=pax,xz:9

bugfixes

  • 422-autoban accidentally triggered when uploading lots of duplicate files (thx hiem!)
  • --css-browser and --js-browser now accepts URLs with cache directives
    • --css-browser=/the.css?cache=600 (seconds) or --js-browser=/.res/the.js?cache=i (7 days)
  • SMB: avoid windows freaking out and disconnecting if it hits an offline volume
  • hotkey shift-r to rotate pictures counter-clockwise didn't do anything
  • hacker theme wasn't hacker enough (everything is monospace now)

yes symlink times

02 Sep 00:54

hello! it's been a while, an entire day even...

new features

  • download folder as tar.gz, tar.bz2, tar.xz
    • single-threaded, so extremely slow, but nice for easily compressed data or challenged networks
    • append ?tar=gz, ?tar=bz2 or ?tar=xz to a folder URL to do it
    • default compression levels are gz:3, bz2:2, xz:1; override with ?tar=gz:9

bugfixes

  • c1efd22 symlink-deduplicated files got indexed with the wrong last-modified timestamp
    • mostly inconsequential; would cause the dupe's uploader-ip to be forgotten on the next server restart since it would reindex to "fix" the timestamp
  • when linking a search query it loads the results faster

other changes

  • update readme to mention that iPhones and iPads dislike the preload feature and respond by glitching the audio a bit when a song is exactly 20 seconds away from ending, and yet why it's probably a bad idea to disable preloading, since i bet it's load-bearing against other iOS bugs
    • speaking of iPhones and iPads, the previous version should have fixed album playback on those

iOS and http fixes

31 Aug 23:10

new features

  • iPhones and iPads are now able to...
    • 9986136 play entire albums while the screen is off without the music randomly stopping
      • apple keeps breaking AudioContext in new and interesting ways; time to give up (no more equalizer)
    • 1c0d978 perform search queries and execute js code
      • by translating smart-quotes into regular ' and " characters
  • python 3.12 support
    • technically a bugfix, since it was added a year ago, way before the first py3.12 alpha was released, but turns out i botched it, oh well
  • filter error messages so they never include the filesystem path where copyparty's python files reside
  • print more context in server logs if someone hits an unexpected permission-denied

bugfixes

found some iffy stuff while combing over the code but, as far as I can tell, luckily none of it was dangerous:

  • URL normalization was a bit funky, but it appears everything access-control-related was unaffected
  • some url parameters were double-decoded, causing the unpost filtering and file renaming to fail if the values contained %
  • clients could cause the server to return an invalid cache-control header, but newlines and control-characters got rejected correctly
  • minor cosmetics / qol fixes:
    • reduced flickering on page load in chrome
    • fixed some console spam in search results
    • markdown documents now have the same line-height in directory listings and the editor
