Skip to content

Releases: 9001/copyparty

RAM friendly

14 Jan 07:17
@9001 9001
v1.9.29
e7d00ba
Compare
Choose a tag to compare
RAM friendly

no vulnerabilities since 2023-07-23

new features

  • try to keep track of RAM usage in the thumbnailer 95a5999
    • very inaccurate, just wild guessing really, but probably good enough:
    • an attempt to stop FFmpeg from eating all the RAM when generating spectrograms
    • --th-ram-max specifies how much RAM it's allowed to use (default 6 GB), crank it up if thumbnailing is too slow now
  • much faster startup on devices with slow filesystems and lots of files in the volume root (especially android phones) f1358db
  • uncache button (in mediaplayer settings) a55e0d6
    • rotates all audio URLs, in case the browser has a cached copy of a broken mp3 or whatnot
  • now possible to POST files without having to set the act: bput multipart field 9bc09ce
    • mainly to support igloo irc and other simplistic upload clients
  • try to point the linux oom-killer at FFmpeg so it doesn't kill innocent processes instead dc8e621
    • only works if copyparty has acces to /proc, so not in prisonparty, and maybe not in docker (todo)
  • UX:
    • do another search immediately if a search-filter gets unchecked a4239a4
    • several ie11 fixes (keyboard hotkeys and a working text editor) 2fd2c6b

bugfixes

  • POSTing files could block for a really long time if the database is busy (filesystem reindexing), now it schedules the indexing for later instead e8a653c
  • less confusing behavior when reindexing a file (keep uploader-ip/time if file contents turn out to be unmodified, and drop both otherwise) 226c7c3

other changes

  • better log messages when clients decide to disconnect in the middle of a POST 0243035
  • add a warning if copyparty is started with an account definition (-a) which isn't used in any volumes e01ba85
  • when running on macos, don't index apple metadata files (.DS_Store and such) d0eb014
    • they are still downloadable by anyone with read-access, and still appear in directory listings for users with access to see dotfiles
  • added a log repacker to shrink/optimize old logs dee0950
  • and a contextlet example

⚠️ not the latest version!

Loading

eo2023

31 Dec 19:47
@9001 9001
v1.9.28
987caec
Compare
Choose a tag to compare
eo2023

was hoping to finish the IdP stuff during 37c3 but that fell through, so here's all the other recent fixes instead -- happy newyears

no vulnerabilities since 2023-07-23

new features

  • #66 new permission . to grant access to see dotfiles (hidden files) to specific users
    • and new volflag dots to grant access to all users with read
    • -ed still behaves like before (anyone with r can see dotfiles in all volumes)
  • #70 new permission A (alias of rwmda.) grants read/write/move/delete/admin/dotfiles
  • #67 folder thumbnails can be dotfiles (.cover.jpg, .folder.png) if the database is enabled (-e2dsa)
  • new option --u2j to specify default number of parallel file uploads in the up2k browser client
    • default (2) is good on average; 16 can be good when most uploaders are overseas
  • curl gets plaintext 404/403 messages

bugfixes

  • cors-checking is disabled if the PW header is provided, just like the readme always claimed
  • server would return 200 OK while trying to return a file that is unreadable due to filesystem permissions
  • --xdev still doesn't work on windows, but at least now it doesn't entirely break filesystem indexing
  • fix tiny resource leak due to funky dualstack on macos

other changes

  • logfiles are padded to align messages when -q is specified, similar to current/previous behavior without -q
  • --hdr-au-usr was renamed to --idp-h-usr in preparation for other --idp things
    • any mentions of --hdr-au-usr are translated to the new name on startup

regarding fedora packages

fedora is currently not maintaining the copr-pypi build servers and they died;
if you installed copyparty from copr-pypi, you can upgrade to this release by running one of the following:

dnf install https://ocv.me/copyparty/fedora/37/python3-copyparty.fc37.noarch.rpm
dnf install https://ocv.me/copyparty/fedora/38/python3-copyparty.fc38.noarch.rpm
dnf install https://ocv.me/copyparty/fedora/39/python3-copyparty.fc39.noarch.rpm

⚠️ not the latest version!

Loading

another dedup bug

08 Dec 22:09
@9001 9001
v1.9.27
d150000
Compare
Choose a tag to compare
another dedup bug

so v1.9.26 fixed how moving a symlink could break other related symlinks, and then it turns out symlinks themselves could also die when moving them to another location, and somehow nobody encountered any of these until now... surely there are no more deduplication-related issues left at this point, yeah?

no vulnerabilities since 2023-07-23

bugfixes

  • #65 moving deduplicated copies of files (symlinks) from one location to another could make them disappear (break the symlinks)

    • don't worry, we are not talking about data loss! but see the release notes for v1.9.26 which explain how to deal with this issue (how to find, diagnose, and repair broken symlinks)

regarding fedora packages

copr-pypi (fedora's build service) is not building at the moment; if you installed copyparty from copr-pypi, you can upgrade to this release by running one of the following:

dnf install https://ocv.me/copyparty/fedora/37/python3-copyparty.fc37.noarch.rpm
dnf install https://ocv.me/copyparty/fedora/38/python3-copyparty.fc38.noarch.rpm
dnf install https://ocv.me/copyparty/fedora/39/python3-copyparty.fc39.noarch.rpm

⚠️ not the latest version!

Loading

dont break symlinks

08 Dec 02:21
@9001 9001
v1.9.26
a360ac2
Compare
Choose a tag to compare
dont break symlinks

no vulnerabilities since 2023-07-23

new features

  • tumbleweed

bugfixes

  • deleting files from the server could make some duplicates of that file unavailable (by breaking nested symlinks)

    • don't worry, we are not talking about data loss! but such broken links would disappear from the directory listing and would need to be remedied by replacing the broken links manually, either by using a file explorer or commandline

    • only affected linux/macos, did not affect servers with --hardlink or --never-symlink or --no-dedup, and mainly affected servers with lots of duplicate files (with some dupes in the same folder and some elsewhere)

    • if you want to check for such broken symlinks, the following unix command will find all of them: find -L -type l

      • to also see creation times (and the invalid targets), find -L /srv/w/ -type l -printf 'in folder \033[36m%h\033[0m ---\n name: \033[1;35m%f\033[0m\n target: \033[1;31m%l\033[0m\n created: \033[36m%TY-%Tm-%Td, %TH:%TM:%TS\033[0m\n\n'

    • to repair a broken link, first cd into the folder with the broken link, then remove it and replace it: rm thelink.opus; ln -s /mnt/music/realfile.opus thelink.opus

    • if you have a mystery link and want to know what it used to be, you can grep the copyparty logs for the filename and the folder, replacing cat copyparty.log with something appropriate for your setup, maybe journalctl -a or xz -dkc <cpp.xz:

      cat copyparty.log | grep -aiF 'ghost.opus' | grep -aiF 'stellar'

      you'll find the following line; purl is the folder/URL it was uploaded to, and wark is the file ID we can use to find duplicates:

      {"name": "04. GHOST.opus", "purl": "/mu/vt/suisei/still-still-stellar/", "size": 4520986, "lmod": 1697091772, "sprs": true, "hash": [], "wark": "SJMASMtWOa0UZnc002nn5unO5iCBMa-krt2CDcq8eJe9"}

      now, either do another grep for the wark, or you can ask the database (which tells you the correct path in case the file was moved since being uploaded):

      sqlite3 -separator / -readonly .hist/up2k.db "select rd,fn from up where w='SJMASMtWOa0UZnc002nn5unO5iCBMa-krt2CDcq8eJe9'"
# vt/suisei/still-still-stellar/04. GHOST.opus

  • the server would throw an error if you tried to delete a broken symlink

  • prevent warnings about duplicate file entries in the database by preventing that from happening in the first place

  • u2c.py (commandline uploader) would fail to delete files from the server if there's more than ~10'000 files to be deleted

    • and forgot to bump the version number... 1.11 (2nd season)

other changes

  • --help was slightly improved
  • docker images are now based on alpine v3.19
  • copyparty.exe is now based on python v3.11.7

⚠️ not the latest version!

Loading

focus

01 Dec 23:53
@9001 9001
v1.9.25
c777090
Compare
Choose a tag to compare
focus

no vulnerabilities since 2023-07-23

new features

  • remember and restore scroll position when leaving the textfile viewer

bugfixes

  • the request-smuggling detetcor was too strict, blocking access to textfiles with newlines / control-codes in the filename
  • focus and text selection in messageboxes was still jank, mainly in firefox and especially phones

other changes

  • the banhammer now applies on attempts at request-smuggling and path traversals
    • these were merely detected and rejected before, might as well bonk them
  • reject bad requests with a terse 500 instead of abruptly disconnecting in some cases
    • stops firefox from rapidly spamming additional attempts

⚠️ not the latest version!

Loading

header auth

01 Dec 02:23
@9001 9001
v1.9.24
900cc46
Compare
Choose a tag to compare
header auth

no vulnerabilities since 2023-07-23

new features

  • initial work on #62 (support identity providers, oauth/SSO/...); see readme
    • only authentication so far; no authorization yet, and users must exist in the copyparty config with bogus passwords
  • new option --ipa rejects connections from clients outside of a given allowlist of IP prefixes
  • environment variables can be used almost everywhere that takes a filesystem path; should make it way more comfy to write configs for docker / systemd
  • #59 added a basic docker-compose yaml and an example config
    • probably much room for improvement on everything docker still

bugfixes

  • the nftables-based port-forwarding in the systemd example was buggy; replaced with CAP_NET_BIND_SERVICE
  • palemoon-specific js crash if a text selection was dragged
  • text selection in messageboxes was jank

other changes

  • improved systemd example with hardening and a better example config
  • logfiles are flushed for every line written; can be disabled with --no-logflush for ~3% more performance best-case
  • iphones probably won't broadcast cover-art to car stereos over bluetooth anymore since the thingamajig in iOS that's in charge of that doesn't have cookie-access, and strapping in the auth is too funky so let's stop doing that b7723ac
    • can be remedied by enabling filekeys and granting unauthenticated people access that way, but that's too much effort for anyone to bother with I'm sure

⚠️ not the latest version!

Loading

in a bind

25 Nov 14:57
@9001 9001
v1.9.21
c4ba123
Compare
Choose a tag to compare
in a bind

no vulnerabilities since 2023-07-23

new features

  • #63 the grid-view will open textfiles in the textfile viewer
  • prisonparty now accepts user/group names (in addition to IDs)

bugfixes

  • the Y hotkey (which turns all links into download links) didn't affect the grid-view
  • on some servers with unusual filesystem layouts (especially ubuntu-zfs), prisonparty would make an unholy mess of recursive bind-mounts, quickly running out of inodes and requiring a server reboot
    • added several safeguards to avoid anything like this in the future
      • mutex around jail setup/teardown to prevent racing other instances
      • verify jail status by inspecting /proc/mounts between each folder to bind

⚠️ not the latest version!

Loading

nice

21 Nov 23:45
@9001 9001
v1.9.20
eddce00
Compare
Choose a tag to compare
nice

no vulnerabilities since 2023-07-23

new features

  • expensive subprocesses (ffmpeg, parsers, hooks) will run with nice to reduce cpu priority
    • ...so listening to flacs won't grind everything else to a halt

bugfixes

  • the "load more" search results button didn't disappear if you hit the serverside limit
  • the "show all" button for huge folders didn't disappear when navigating into a smaller folder
  • trying to play the previous track when you're already playing the first track in a folder would send you on a wild adventure

⚠️ not the latest version!

Loading

shadow filter

19 Nov 12:49
@9001 9001
v1.9.19
9ccc238
Compare
Choose a tag to compare
shadow filter

no vulnerabilities since 2023-07-23

bugfixes

  • #61 Mk.II: filter search results to also handle this issue in volumes where reindexing is disabled, or (spoiler warning:) a bug in the directory indexer prevents shadowed files from being forgotten
  • filekeys didn't always get included in the up2k UI for world-readable folders

⚠️ not the latest version!

Loading

cache invalidation

18 Nov 21:25
@9001 9001
v1.9.18
deef323
Compare
Choose a tag to compare
cache invalidation

no vulnerabilities since 2023-07-23

bugfixes

  • #61 search results could contain stale records from overlapping volumes:
    • if volume /foo is indexed and then volume /foo/bar is later created, any files inside the bar subfolder would not become forgotten in /foo's database until something in /foo changes, which could be never
    • as a result, search results could show stale metadata from /foo's database regarding files in /foo/bar
    • fix this by dropping caches and reindexing if copyparty is started with a different list of volumes than last time
  • #60 client error when ctrl-clicking search results
  • icons for the close/more buttons in search results are now pillow-10.x compatible

other changes

  • u2c.exe: upgraded certifi to version 2023.11.17

⚠️ not the latest version!

Loading