Releases: 9001/copyparty

prometheable

20 Aug 23:59

recent security / vulnerability fixes

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • #49 prometheus / grafana / openmetrics integration (see readme)
  • download a folder with all music transcoded to opus by adding ?tar=opus or ?zip&opus to the URL
    • can also be used to download thumbnails instead of full images; ?tar=w for webp, ?tar=j for jpg
      • so i guess the long-time requested feature of pre-generating thumbnails kind of happened after all, if you schedule a curl http://127.0.0.1:3923/?tar=w >/dev/null after server startup
  • u2c (commandline uploader): argument -x to exclude files by regex (compares absolute filesystem paths)
  • --zm-spam 30 can be used to improve zeroconf / mDNS reliability on crazy networks
    • only necessary if there are clients with multiple IPs and some of those IPs are outside the subnets that copyparty is in -- not spec-compliant, not really recommended, but shouldn't cause any issues either
    • and --mc-hop wasn't actually implemented until now
  • dragging an image from another browser window onto the upload button is now possible
    • only works on chrome, and only on windows or linux (not macos)
  • server hostname is prefixed in all window titles
    • can be adjusted with --bname (the file explorer) and --doctitle (all other documents)
    • can be disabled with --nth (just window title) or --nih (title + header)

bugfixes

  • docker: the autogenerated seeds for filekeys and account passwords now get persisted to the config volume (thx noktuas)
  • uploading files with fancy filenames could fail if the copyparty server is running on android
  • improve workarounds for some apple/iphone/ios jank (thx noktuas and spiky)
    • some ui elements had their font-size selected by fair dice roll
    • the volume control does nothing because apple disabled it, so add a warning
    • the image gallery cannot be fullscreened as apple intended so add a warning

other changes

  • file table columns are now limited to browser window width
  • readme: mention that nginx-QUIC is currently very slow (thx noktuas)
  • #50 add a safeguard to the wget plugin in case wget at some point adds support for file:// or similar
  • show a suggestion on startup to enable the database

⚠️ not the latest version!

just boring bugfixes

25 Jul 16:27

final release until late august unless something bad happens and i end up building this thing on a shinkansen

recent security / vulnerability fixes

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

bugfixes

  • range-select with shiftclick:
    • don't crash when entering another folder and shift-clicking some more
    • remember selection origin when lazy-loading more stuff into the viewport
  • markdown editor:
    • fix confusing warnings when the browser cache decides it really wants to cache
    • and when a document starts with a newline
  • remember intended actions such as ?edit on login prompts
  • Windows: TLS-cert generation (triggered by network changes) could occasionally fail

XSS for days

23 Jul 16:18

for lack of better ideas, there is now a discord server with an @everyone for all future important updates such as this one

IMPORTANT - recent security / vulnerability fixes

bugfixes

  • reflected XSS through /?k304 and /?setck
    • if someone tricked you into clicking a URL containing a chain of %0d and %0a, they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
    • if you use a reverse proxy, you can check if you have been exploited like so (also checks for GHSA-cw7j-v52w-fp5r):
      • nginx: grep your logs for URLs containing %0d%0a%0d%0a, for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'
    • if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
    • huge thanks again to @TheHackyDog !
  • the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
  • fix mediaplayer spinlock if the server only has a single audio file

fix reflected XSS

21 Jul 01:20

IMPORTANT - recent security / vulnerability fixes

  • v1.8.6 (this release) - GHSA-cw7j-v52w-fp5r - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

bugfixes

  • reflected XSS through /?hc (the optional subfolder parameter to the connect page)
    • if someone tricked you into clicking http://127.0.0.1:3923/?hc=<script>alert(1)</script> they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
    • if you use a reverse proxy, you can check if you have been exploited like so:
      • nginx: grep your logs for URLs containing ?hc= with < somewhere in its value, for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]'
    • if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
    • thanks again to @TheHackyDog !

range-select v2

18 Jul 08:27

IMPORTANT: v1.8.2 (previous release) fixed CVE-2023-37474 ; please see the 1.8.2 release notes (all serverlogs reviewed so far showed no signs of exploitation)

new features

  • #47 file selection by shift-clicking
    • in list-view: click a table row to select it, then shift-click another to select all files in-between
    • in grid-view: either enable the multiselect button (mainly for phones/tablets), or the new sel button in the [⚙️] settings tab (better for mouse+keyboard), then shift-click two files
  • volflag fat32 avoids a bug in android's sdcardfs causing excessive reindexing on startup if any files were modified on the sdcard since last reboot

bugfixes

  • minor corrections to the new features from #45
    • uploader IPs are now visible for admin accounts in d2t volumes as well

other changes

  • the admin-panel is only accessible for accounts which have the a (admin) permission-level in one or more volumes; so instead of giving your user rwmd access, you'll want rwmda:
    python3 copyparty-sfx.py -a joe:hunter2 -v /mnt/nas/pub:pub:rwmda,joe
    or in a settings file,
    [/pub]
      /mnt/nas/pub
      accs:
        rwmda: joe
    • until now, rw was enough, however most readwrite users don't need access to those features
    • grabbing a stacktrace with ?stack is permitted for both rw and a

range-select

16 Jul 23:11

(the v2 of this release permits stacktrace for either a or rw accounts, and requires a for other admin-panel operations)

URGENT: fix path traversal vulnerability

14 Jul 16:27

Starting with the bad and important news; this release fixes GHSA-pxfv-7rr3-2qjg / CVE-2023-37474 -- so please upgrade!

Every version until now had a path traversal vulnerability which allowed read-access to any file on the server's filesystem.

The logs from 5 public servers have been reviewed so far, with no signs of exploitation.

To summarize,

  • Every file that the copyparty process had the OS-level permissions to read, could be retrieved over HTTP without password authentication
  • However, an attacker would need to know the full (or copyparty-module-relative) path to the file; it was luckily impossible to list directory contents to discover files on the server
  • You may have been running copyparty with some mitigations against this:
    • prisonparty limited the scope of access to files which were intentionally given to copyparty for sharing; meaning all volumes, as well as the following read-only filesystem locations: /bin, /lib, /lib32, /lib64, /sbin, /usr, /etc/alternatives
    • the nix package has a similar mitigation implemented using systemd concepts
    • docker containers would only expose the files which were intentionally mounted into the container, so even better
  • More conventional setups, such as just running the sfx (python or exe editions), would unfortunately expose all files readable by the current user
  • The following configurations would have made the impact much worse:
    • running copyparty as root
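To make the "encoded traversal" bug class concrete, here is an added, generic Python example of a naive static-file resolver beside a hardened one. It is not copyparty's code and does not reproduce the actual CVE-2023-37474 code path (the notes only say that percent-escaped characters under .cpr/ were involved); the root directory, the function names and the probe URLs are made up for the illustration.

```python
import os
from urllib.parse import unquote

# Illustrative static-asset root; the name is invented for this example.
ROOT = "/srv/copyparty-static"


class Traversal(Exception):
    """Raised when a request would resolve to a file outside the served root."""


def naive_resolve(root, url_path):
    """The bug class: the '..' check runs on the RAW url and the path is
    percent-decoded afterwards, so '%2e%2e' sails past the check and only
    then turns into '..'."""
    if ".." in url_path:
        raise Traversal(url_path)
    decoded = unquote(url_path)
    return os.path.normpath(os.path.join(root, decoded.lstrip("/")))


def safe_resolve(root, url_path):
    """Hardened version: decode exactly once (as HTTP semantics call for),
    canonicalise with realpath, then require the result to sit under root.
    The containment check is the real defence: it does not care how the
    '..' was spelled, and it also catches symlinks pointing out of root.
    A double-encoded '%252e' decodes to the literal filename '%2e', which
    stays inside root and simply 404s; decoding in a loop would be wrong."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise Traversal("NUL byte in path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise Traversal(url_path)
    return candidate


def is_contained(root, url_path):
    """True if safe_resolve accepts the request, False if it rejects it."""
    try:
        safe_resolve(root, url_path)
        return True
    except Traversal:
        return False


if __name__ == "__main__":
    probe = "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"   # constructed probe URL
    print("naive  :", naive_resolve(ROOT, probe))   # resolves outside ROOT
    print("safe   :", is_contained(ROOT, probe))    # False
    print("legit  :", safe_resolve(ROOT, "/ico/app%20icon.svg"))
```

The point of the hardened version is that rejection is decided on the canonical filesystem path, after every transformation the server applies, rather than on a string inspection of the request.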

So, three years, and finally a CVE -- which has been there since day one... Not great huh. There is a list of all the copyparty alternatives that I know of in the similar software link above.

Thanks for flying copyparty! And especially if you decide to continue doing so :-)

new features

  • #43 volflags to specify thumbnailer behavior per-volume;
    • --th-no-crop / volflag nocrop to specify whether autocrop should be disabled
    • --th-size / volflag thsize to set a custom thumbnail resolution
    • --th-convt / volflag convt to specify conversion timeout
  • #45 resulted in a handful of opportunities to tighten security in intentionally-dangerous setups (public folders with anonymous uploads enabled):
    • a new permission, a (in addition to the existing rwmdgG), to show the uploader-IP and upload-time for each file in the file listing
      • accidentally incompatible with the d2t volflag (will be fixed in the next ver)
    • volflag nohtml is a good defense against (un)intentional XSS; it returns HTML-files and markdown-files as plaintext instead of rendering them, meaning any malicious <script> won't run -- bad idea for regular use since it breaks fundamental functionality, but good when you really need it
      • the README-previews below the file-listing still renders as usual, as this is fine thanks to the sandbox
    • a new eventhook --xban to run a plugin when copyparty decides to ban someone (for password bruteforcing or excessive 404's), for example to blackhole the IP using fail2ban or similar

bugfixes

  • fixes a path traversal vulnerability, GHSA-pxfv-7rr3-2qjg / CVE-2023-37474
    • HUGE thanks to @TheHackyDog for reporting this !!
    • if you use a reverse proxy, you can check if you have been exploited like so:
      • nginx: grep your logs for URLs containing both .cpr/ and %2[^0], for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E 'cpr/.*%2[^0]' | grep -vF data:image/svg
  • 77f1e51 fixes an extremely unlikely race-condition (see the commit for details)
  • 8f59afb fixes another race-condition which is a bit worse:
    • the unpost feature could collide with other database activity, with the worst-case outcome being aborted batch operations, for example a directory move or a batch-rename which stops halfways
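The nginx one-liners in the notes for v1.8.7 (the %0d%0a chain), v1.8.6 (hc= / pw= with angle brackets) and v1.8.2 (.cpr/ with percent-escapes) above each grep for one indicator. As an added example (not part of the release notes or of copyparty itself), here is the same detection logic in Python, run over constructed sample log lines in nginx "combined" format, so all three checks can be applied in one pass over plain and gzip-compressed logs. The only deliberate difference from the original greps is that the hc= / pw= check is also applied to the percent-decoded request target, so a %3Cscript%3E payload is caught as well as a literal <script>.

```python
import gzip
import re
import sys
from urllib.parse import unquote

# Indicators from the three advisories, as Python regexes.
# Each entry: (label, compiled pattern, also test the percent-decoded target?)
INDICATORS = [
    # CVE-2023-37474: percent-escapes other than %20 under a .cpr/ path.
    # Raw request only: decoding would turn %2e back into "." and hide the hit.
    ("CVE-2023-37474 path traversal", re.compile(r"cpr/.*%2[^0]"), False),
    # GHSA-cw7j-v52w-fp5r: "<" or ">" in the hc= / pw= parameter. The original grep
    # only sees literal brackets; testing the decoded target too catches %3Cscript%3E.
    ("GHSA-cw7j-v52w-fp5r reflected XSS", re.compile(r"[?&](hc|pw)=.*[<>]"), True),
    # CVE-2023-38501: four consecutive CR/LF escapes (%0d / %0a) in the request.
    ("CVE-2023-38501 reflected XSS via CRLF", re.compile(r"(%0[da]){4}", re.I), False),
]

# Mirrors the "grep -vF data:image/svg" exclusion of the original traversal check.
TRAVERSAL_EXCLUDE = "data:image/svg"

# nginx "combined" log format; only the fields needed here are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (made up for this example; IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2023:10:01:02 +0000] "GET /.cpr/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/8.1.2"
198.51.100.4 - - [21/Jul/2023:11:22:33 +0000] "GET /?hc=<script>alert(1)</script> HTTP/1.1" 200 5678 "-" "curl/8.1.2"
198.51.100.4 - - [21/Jul/2023:11:23:01 +0000] "GET /?hc=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Jul/2023:09:00:00 +0000] "GET /?k304=y%0d%0a%0d%0a%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2023:09:05:00 +0000] "GET /.cpr/ico/app%20icon.svg HTTP/1.1" 200 10 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Jul/2023:09:06:00 +0000] "GET /pub/music/song%201.opus HTTP/1.1" 200 999 "-" "Mozilla/5.0"
192.0.2.12 - - [23/Jul/2023:09:07:00 +0000] "GET /.cpr/ico/x?data:image/svg%2bxml HTTP/1.1" 200 3 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, request-target) or None for lines that don't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("target")


def scan(lines):
    """Return [(label, ip, timestamp, target), ...] for every indicator that fires."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, target = parsed
        for label, rx, also_decoded in INDICATORS:
            if label.startswith("CVE-2023-37474") and TRAVERSAL_EXCLUDE in target:
                continue
            candidates = [target, unquote(target)] if also_decoded else [target]
            if any(rx.search(c) for c in candidates):
                hits.append((label, ip, ts, target))
    return hits


def read_logs(paths):
    """Yield lines from plain and .gz access logs (the "gzip -dc; cat" pipeline)."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    lines = read_logs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for label, ip, ts, target in scan(lines):
        print(f"{label}\t{ip}\t{ts}\t{target}")
```

Run it with your log paths as arguments (python3 scan.py access.log access.log.1.gz ...); with no arguments it scans the built-in sample, where the first four lines each fire one indicator, the two legitimate %20 requests stay quiet and the data:image/svg line is excluded as in the original command.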

in case of 404

08 Jul 00:08

new features

  • handlers; change the behavior of 404 / 403 with plugins
  • #42 add mpv + streamlink support to very-bad-idea
  • add support for Pillow 10
    • also improved text rendering in icons
  • mention the fedora package in the readme

bugfixes

  • theme 6 (hacker) didn't show the state of some toggle-switches
  • windows: keep quickedit enabled when hashing passwords interactively

argon

26 Jun 00:48

News: if you use rclone as a copyparty webdav client, upgrading to rclone v1.63 (just released) will give you a huge speed boost for small files

new features

  • #39 hashed passwords
    • instead of keeping plaintext account passwords in config files, you can now store hashed ones instead
    • --ah-alg specifies algorithm; best to worst: argon2, scrypt, sha2, or the default none
    • the default settings of each algorithm take 0.4 sec to hash a password, and argon2 eats 256 MiB RAM
      • can be adjusted with optional comma-separated args after the algorithm name; see --help-pwhash
    • --ah-salt is the static salt for all passwords, and is autogenerated-and-persisted if not specified
    • --ah-cli switches copyparty into a shell where you can hash passwords interactively
      • but copyparty will also autoconvert any unhashed passwords on startup and give you the values to insert into the config anyways
  • #40 volume size limit
    • volflag vmaxb specifies max size of a volume
    • volflag vmaxn specifies max number of files in a volume
    • example: -v [...]:c,vmaxb=900g:c,vmaxn=20k blocks uploads if the volume reaches 900 GiB or a total of 20480 files
    • good alternative to --df since it works per-volume
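An added illustration of the hashed-password idea from #39, using scrypt from Python's standard library with one static, server-wide salt in the spirit of --ah-alg / --ah-salt. This is not copyparty's implementation: the $scrypt$n=..,r=..,p=..$digest encoding, the demo salt and the function names are invented for the example, and the real on-disk format is not described on this page.

```python
import base64
import hashlib
import hmac
import os

# Invented encoding for this example (NOT copyparty's format):
#   $scrypt$n=<log2 N>,r=<r>,p=<p>$<base64 of the 32-byte derived key>
# The salt is deliberately not stored in the string: as with --ah-salt, one
# static salt is shared by every account, so only the cost parameters travel
# with the hash.
ALG = "scrypt"

# Constructed demo salt; a real deployment would use new_salt() once and persist it.
DEMO_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def new_salt():
    """A fresh random static salt, the kind an autogenerated --ah-salt would be."""
    return os.urandom(16)


def hash_password(password, salt, log2n=14, r=8, p=1):
    """Derive a 32-byte key with scrypt (N = 2**log2n, ~16 MiB at the defaults)
    and encode it together with its cost parameters."""
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << log2n,
                        r=r, p=p, dklen=32, maxmem=128 * 1024 * 1024)
    return f"${ALG}$n={log2n},r={r},p={p}$" + base64.b64encode(dk).decode("ascii")


def verify_password(password, salt, stored):
    """Re-derive with the parameters embedded in `stored` and compare in
    constant time; any malformed or foreign-algorithm string is rejected."""
    try:
        _, alg, params, digest = stored.split("$")
        if alg != ALG:
            return False
        kv = dict(item.split("=") for item in params.split(","))
        log2n, r, p = int(kv["n"]), int(kv["r"]), int(kv["p"])
    except (ValueError, KeyError):
        return False
    candidate = hash_password(password, salt, log2n, r, p).rsplit("$", 1)[1]
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed account; "hunter2" is the throwaway password used in the notes above.
    stored = hash_password("hunter2", DEMO_SALT)
    print("config value :", stored)
    print("login ok     :", verify_password("hunter2", DEMO_SALT, stored))
    print("wrong pw     :", verify_password("hunter3", DEMO_SALT, stored))
```

Because every account shares the same static salt, a given password always hashes to the same string, and verification only works while the salt and the cost parameters stay unchanged, which is why an autogenerated salt has to be persisted rather than regenerated on each start.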

bugfixes

  • autogenerated TLS certs didn't include the mDNS name

other changes

  • improved cloudflare challenge detection
  • markdown edits will now trigger upload hooks

NO_COLOR

11 Jun 09:15

new features

  • #31 --grid shows thumbnails instead of file-list by default
  • #28 --unlist regex-exclude files from browser listings
    • for example --unlist '\.(js|css)$' hides all .js and .css files
    • purely cosmetic! the files are still fully accessible, and still appear in API calls
  • auto-generate TLS certificates on startup / network-change
    • mostly good for LAN, requires cfssl, can be disabled with --no-crt
    • creates a self-signed CA and certs with SANs of all detected server IPs
      • so it's still recommended to use a reverse-proxy / letsencrypt for WAN servers
  • the default --fk-salt is now much stronger
    • all existing installations will keep the previously selected seed -- you can choose to upgrade by deleting ~/.config/copyparty/cert.pem but this will change all filekeys / per-file passwords
  • the NO_COLOR environment-variable is now supported, removing colors from stdout
  • #33 disable colors when stdout is redirected to a pipe/file -- by @clach04
  • #32 simplify building sfx from source
  • upgraded copyparty.exe to python 3.11.4

bugfixes

  • #30 --ftps didn't work without --ftp
  • tiny css bug in light themes (opaque thumbnail controls)
