
Releases: 9001/copyparty

shadow filter

19 Nov 12:49

no vulnerabilities since 2023-07-23

bugfixes

  • #61 Mk.II: search results are now filtered, so the stale-record issue is also handled in volumes where reindexing is disabled, or where (spoiler warning:) a bug in the directory indexer prevents shadowed files from being forgotten
  • filekeys didn't always get included in the up2k UI for world-readable folders

⚠️ not the latest version!

cache invalidation

18 Nov 21:25

no vulnerabilities since 2023-07-23

bugfixes

  • #61 search results could contain stale records from overlapping volumes:
    • if volume /foo is indexed and then volume /foo/bar is later created, any files inside the bar subfolder would not become forgotten in /foo's database until something in /foo changes, which could be never
    • as a result, search results could show stale metadata from /foo's database regarding files in /foo/bar
    • fix this by dropping caches and reindexing if copyparty is started with a different list of volumes than last time
  • #60 client error when ctrl-clicking search results
  • icons for the close/more buttons in search results are now pillow-10.x compatible
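
The two halves of the #61 fix (reindexing when the volume list changes, and the search-result filter added in the following release), sketched as an added example; this is not copyparty's own code. The function names, the fingerprint scheme and the sample paths are assumptions made for illustration.

```python
import hashlib
from pathlib import PurePosixPath

def volume_fingerprint(volumes):
    """Order-insensitive digest of the configured volume list."""
    canon = "\n".join(sorted(v.rstrip("/") or "/" for v in volumes))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def needs_reindex(saved_fingerprint, volumes):
    """True if this startup's volume list differs from the saved one."""
    return saved_fingerprint != volume_fingerprint(volumes)

def owning_volume(path, volumes):
    """Most specific (deepest) volume containing path, or None."""
    p = PurePosixPath(path)
    best = None
    for v in volumes:
        vp = PurePosixPath(v)
        # compare path components, so /foo/barn is not mistaken for /foo/bar
        if (p == vp or vp in p.parents) and (
            best is None or len(vp.parts) > len(best.parts)
        ):
            best = vp
    return str(best) if best is not None else None

def filter_shadowed(hits, db_volume, volumes):
    """Keep only hits that db_volume still owns; nested volumes shadow the rest."""
    return [h for h in hits if owning_volume(h, volumes) == db_volume]

# constructed sample: /foo was indexed first, /foo/bar was added as a volume later
OLD_VOLUMES = ["/foo"]
NEW_VOLUMES = ["/foo", "/foo/bar"]
FOO_DB_HITS = ["/foo/a.txt", "/foo/bar/private.txt", "/foo/barn/b.txt"]

if __name__ == "__main__":
    saved = volume_fingerprint(OLD_VOLUMES)
    print("reindex needed:", needs_reindex(saved, NEW_VOLUMES))
    print("visible via /foo:", filter_shadowed(FOO_DB_HITS, "/foo", NEW_VOLUMES))
```

The filter is the part that still holds when reindexing is disabled: stale rows may remain in /foo's database, but they are never returned for a path that a nested volume now owns.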

other changes

  • u2c.exe: upgraded certifi to version 2023.11.17

⚠️ not the latest version!

11-11

11 Nov 18:24

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • u2c.py / u2c.exe (the commandline uploader):
    • -x is now case-insensitive
    • if a file fails to upload after 30 attempts, give up (bitflips)
    • add 5 sec delay before reattempts (configurable with --cd)

bugfixes

  • clients could crash the file indexer by uploading and then instantly deleting files (as some webdav clients tend to do)
  • and fix some upload errorhandling which broke during a refactoring in v1.9.16

other changes

  • upgraded pyftpdlib to v1.5.9

⚠️ not the latest version!

windedup

04 Nov 23:34

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

breaking changes

  • two of the prometheus metrics have changed slightly; see the breaking changes readme section
    • (i'm not familiar with prometheus so i'm not sure if this is a big deal)

new features

  • #58 versioned docker images! no longer just latest
  • browser: the mkdir feature now accepts foo/bar/qux and ../foo and /bar
  • add 14 more prometheus metrics; see readme for details
    • connections, requests, malicious requests, volume state, file hashing/analyzation queues
  • catch some more malicious requests in the autoban filters
    • some malicious requests are now answered with HTTP 422, so that they count against --ban-422

bugfixes

  • windows: fix symlink-based upload deduplication
    • MS decided to make symlinks relative to working-directory rather than destination-path...
  • --stats would produce invalid metrics if a volume was offline
  • minor improvements to password hashing ux:
    • properly warn if --ah-cli or --ah-gen is used without --ah-alg
    • support ^D during --ah-cli
  • browser-ux / cosmetics:
    • fix toast/tooltip colors on splashpage
    • easier to do partial text selection inside links (search results, breadcrumbs, uploads)
    • more rclone-related hints on the connect-page

other changes

  • malformed http headers from clients are no longer included in the client error-message
    • just in case there are deployments with a reverse-proxy inserting interesting stuff on the way in
    • the serverlog still contains all the necessary info to debug your own clients
  • updated example nginx config to recover faster from brief server outages
    • the default value of fail_timeout (10sec) makes nginx cache the outage for longer than necessary

⚠️ not the latest version!

expand placeholder

24 Oct 17:06

made it just in time! (EDIT: nevermind, three of the containers didn't finish uploading to ghcr before takeoff ;_; all up now)

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • #56 placeholder variables in markdown documents and prologue/epilogue html files
    • default-disabled; must be enabled globally with --exp or per-volume with volflag exp
    • {{self.ip}} becomes the client IP; see /srv/expand/README.md for more examples
  • dynamic-range-compressor: reduced volume jumps between songs when enabled

bugfixes

  • v1.9.14 broke the scan volflag, causing volume rescans to happen every 10sec if enabled
    • its global counterpart --re-maxage was not affected

⚠️ not the latest version!

uptime

21 Oct 14:56

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • search for files by upload time
  • option to display upload time in directory listings
    • enable globally with -e2d -mte +.up_at or per-volume with volflags e2d,mte=+.up_at
    • has a ~17% performance impact on directory listings
  • dynamic range compressor in the audioplayer settings
  • --ban-404 is now default-enabled
    • the turbo-uploader will now un-turbo when necessary to avoid banning itself
    • this only affects accounts with permissions g, G, or h
      • accounts with read-access (which are able to see directory listings anyways) and accounts with write-only access are no longer affected by --ban-404 or --ban-url

bugfixes

  • #55 clients could hit the --ban-url filter when uploading over webdav
    • fixed by limiting --ban-404 and --ban-url to accounts with permission g, G, or h
  • fixed 20% performance drop in python 3.12 due to utcfromtimestamp deprecation
    • but 3.12.0 is still 5% slower than 3.11.6 for some reason
  • volume listing on startup would display some redundant info

other changes

  • timeout for unfinished uploads increased from 6 to 24 hours
    • and is now configurable with --snap-drop

⚠️ not the latest version!

more buttons

15 Oct 20:29

just adding requested features, nothing important

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • button 📅 in the uploader (default-enabled) sends your local last-modified timestamps to the server
    • when deselected, the files on the server will have the upload time as their timestamps instead
    • --u2ts specifies the default setting, c client-last-modified or u upload-time, or fc and fu to force
  • button full in the gridview decides if thumbnails should be center-cropped or not
    • --no-crop and the nocrop volflag now sets the default value of this instead of forcing the setting
    • thumbnail cleanup is now more granular, cleaning full-jpg separately from cropped-webp for example
  • set default sort order with --sort or volflag sort
    • one or more comma-separated values; tags/Cirle,tags/.tn,tags/Artist,tags/Title,href
      • see the column header tooltips in the browser to know what names (id) to use
    • prefix a column name with - for descending sort
    • specifying a sort order in the client will override all server-defined ones
  • when visiting a read-only folder, the upload-or-filesearch toggle will remember its previous state and restore it when leaving the folder
    • much more intuitive, if anything about this UI can be called that...

bugfixes

  • iPhone: rare javascript panic when switching between safari and another app
  • ie9: file-rename ui was borked

other changes

  • copyparty.exe: upgrade to pillow 10.1 (which adds a new font for thumbnails in chrome)
    • still based on python 3.11.6 because 3.12 is currently slower than 3.11

⚠️ not the latest version!

bustin'

09 Oct 00:57

okay, i swear this is the last version for weeks! probably

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

bugfixes

  • cachebuster didn't apply to dynamically loaded javascript files
    • READMEs could fail to render with ReferenceError: DOMPurify is not defined after upgrading from a copyparty older than v1.9.2

⚠️ not the latest version!

badpwd

08 Oct 21:17

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • argument --log-badpwd specifies how to log invalid login attempts;
    • 0 = just a warning with no further information
    • 1 = log incorrect password in plaintext (default)
    • 2 = log sha512 hash of the incorrect password
    • 1 and 2 are convenient for stuff like setting up autoban triggers for common passwords using fail2ban or similar

bugfixes

  • none!
    • the formerly mentioned caching-directives bug turned out to be unreachable... oh well, better safe than sorry

⚠️ not the latest version!

fix cross-volume dedup moves

07 Oct 23:01

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

bugfixes

  • v1.6.2 introduced a bug which, when moving files between volumes, could cause the move operation to abort when it encounters a deduplicated file

⚠️ not the latest version!