Releases: 9001/copyparty

static filekeys

06 Oct 18:25

no vulnerabilities since 2023-07-23

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • #52 add alternative filekey generator:
    • volflag fka changes the calculation to ignore filesize and inode-number, only caring about the absolute-path on the filesystem and the --fk-salt
    • good for linking to markdown files which might be edited, but reduces security a tiny bit
  • add warning on startup if --fk-salt is too weak (for example when it was upgraded from before v1.7.6)
    • removed the filekey upgrade feature to ensure a weak fk-salt is not selected; a new filekey will be generated from scratch on startup if necessary
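To make the fka trade-off concrete, here is an added example (not copyparty's code, and not its real filekey derivation) that hashes the two input sets the notes list with a sample salt and checks which key survives editing the file:

```python
import hashlib
import hmac
import os
import tempfile

# Added illustration, not copyparty's actual filekey algorithm: an HMAC over
# the inputs the release notes list. The default-style key covers absolute
# path + size + inode; the fka-style key covers only the absolute path.
# FK_SALT is a sample value standing in for --fk-salt.
FK_SALT = b"sample-salt-not-for-real-use"


def _key(salt, *parts):
    msg = b"\0".join(str(p).encode() for p in parts)
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def filekey_default(abspath, salt=FK_SALT):
    st = os.stat(abspath)
    return _key(salt, abspath, st.st_size, st.st_ino)


def filekey_fka(abspath, salt=FK_SALT):
    return _key(salt, abspath)


def compare_after_edit():
    """Create a file, compute both keys, edit it, recompute.

    Returns which key changed. A key that survives the edit keeps old links
    working, but it also stays valid for whatever content is later placed
    at that path, which is the "tiny bit" of security fka gives up.
    """
    d = tempfile.mkdtemp()
    path = os.path.join(d, "notes.md")
    try:
        with open(path, "w") as f:
            f.write("# draft\n")
        before = (filekey_default(path), filekey_fka(path))
        with open(path, "w") as f:
            f.write("# draft, edited: the size is now different\n")
        after = (filekey_default(path), filekey_fka(path))
    finally:
        os.remove(path)
        os.rmdir(d)
    return {"default_changed": before[0] != after[0],
            "fka_changed": before[1] != after[1]}
```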

other changes

  • pyftpdlib upgraded to 1.5.8
  • copyparty.exe built on python 3.11.6

better column hider

30 Sep 23:59

new features

  • column hiding on phones is much more intuitive
    • since you usually want to hide multiple columns, the hiding mode must now be manually disengaged
    • click-handler now covers the entire header cell, preventing a misclick from accidentally sorting the table instead

bugfixes

  • #51 running copyparty with an invalid value for --lang made it crash with a confusing error message
    • also makes it more compatible with other localStorage-using webservices running on the same domain

other changes

  • CVE-2023-5217, a vulnerability in libvpx, was fixed by alpine recently and is no longer present in the docker images
    • unlike the fix in v1.9.6, this is irrelevant since it was impossible to reach in all conceivable setups, but still nice

configurable x-forwarded-for

23 Sep 13:01

new features

  • rudimentary support for jython and graalpy, and directory tree sidebar in internet explorer 9 through 11, and firefox 10
    • all older browsers (ie4, ie6, ie8, Netscape) get basic html instead
  • #35 adds a hook which extends the message-to-serverlog feature so it writes the message to a textfile on the server

bugfixes

  • 163e3fc the x-forwarded-for header was ignored if the nearest reverse-proxy was not connecting from 127.0.0.1, which broke client IPs in containerized deployments
    • the serverlog will now explain how to trust the reverse-proxy to provide client IPs, but basically,
    • --xff-hdr specifies which header to read the client's real ip from
    • --xff-src is an allowlist of IP-addresses to trust that header from
  • a62f744 if copyparty was started while an external HDD was not connected, and that volume's index was stored elsewhere, then the index would get wiped (since all the files are gone)
  • 3b8f66c javascript could crash while uploading from a very unreliable internet connection
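The trust rule that --xff-hdr and --xff-src describe, as an added example (not copyparty's own code; the header name, allowlist and the right-to-left walk over a multi-hop chain are assumptions of this illustration):

```python
import ipaddress

# Added illustration, not copyparty's own code: the trust rule behind the
# --xff-hdr / --xff-src options. XFF_HDR and XFF_SRC are sample values.
XFF_HDR = "x-forwarded-for"
XFF_SRC = ["127.0.0.1", "10.0.0.0/8"]   # proxies allowed to set the header


def is_trusted_proxy(ip, allowlist=XFF_SRC):
    """True if ip is one of the allowlisted reverse proxies (IPs or CIDRs)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowlist)


def client_ip(peer_ip, headers, xff_hdr=XFF_HDR, xff_src=XFF_SRC):
    """Return the address to log and ban-count for this request.

    peer_ip is the host that opened the TCP connection. The forwarded
    header is believed only if that peer is a trusted proxy; anyone else
    can write arbitrary text into it, so it is ignored from them. With a
    chain "client, proxy1, proxy2", trusted hops are peeled off from the
    right and the first untrusted entry is taken as the client.
    """
    if not is_trusted_proxy(peer_ip, xff_src):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(xff_hdr.lower(), "")
    chain = [p.strip() for p in raw.split(",") if p.strip()]
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip          # malformed header: trust none of it
        if not is_trusted_proxy(hop, xff_src):
            return hop
    return peer_ip                  # header empty or only trusted hops
```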

other changes

  • copyparty.exe: updated pillow to 10.0.1 which fixes the webp cve
  • alpine, which the docker images are based on, turns out to be fairly slow -- currently working on a new docker image (probably fedora-based) which will be 30% faster at analyzing multimedia files and in general 20% faster on average

webhotell

09 Sep 14:19

happy 9/9!


new features

  • new permission h disables directory listing (so works like g) except it redirects to the folder's index.html instead of 404
    • index.html is accessible by anyone with h even if filekeys are enabled
    • well suited for running a shared-webhosting gig (thx kipu) especially now that the...
  • markdown editor can now be used on non-markdown files if account has write and delete
    • hotkey e to edit a textfile while it's open in the textfile viewer
  • SMB: account permissions now work fully as intended, thanks to impacket 0.11
    • but enabling --smb is still strongly discouraged as it's a massive security hazard
  • download-as-zip can be 2.5x faster on tiny files, at least 15% faster in general
  • download folders as pax-format tarfiles with ?tar=pax or ?tar=pax,xz:9

bugfixes

  • 422-autoban accidentally triggered when uploading lots of duplicate files (thx hiem!)
  • --css-browser and --js-browser now accept URLs with cache directives
    • --css-browser=/the.css?cache=600 (seconds) or --js-browser=/.res/the.js?cache=i (7 days)
  • SMB: avoid windows freaking out and disconnecting if it hits an offline volume
  • hotkey shift-r to rotate pictures counter-clockwise didn't do anything
  • hacker theme wasn't hacker enough (everything is monospace now)

yes symlink times

02 Sep 00:54

hello! it's been a while, an entire day even...


new features

  • download folder as tar.gz, tar.bz2, tar.xz
    • single-threaded, so extremely slow, but nice for easily compressed data or challenged networks
    • append ?tar=gz, ?tar=bz2 or ?tar=xz to a folder URL to do it
    • default compression levels are gz:3, bz2:2, xz:1; override with ?tar=gz:9

bugfixes

  • c1efd22 symlink-deduplicated files got indexed with the wrong last-modified timestamp
    • mostly inconsequential; would cause the dupe's uploader-ip to be forgotten on the next server restart since it would reindex to "fix" the timestamp
  • when linking a search query it loads the results faster

other changes

  • update readme to mention that iPhones and iPads dislike the preload feature and respond by glitching the audio a bit when a song is exactly 20 seconds away from ending and yet how it's probably a bad idea to disable preloading since i bet it's load-bearing against other iOS bugs
    • speaking of iPhones and iPads, the previous version should have fixed album playback on those

iOS and http fixes

31 Aug 23:10

new features

  • iPhones and iPads are now able to...
    • 9986136 play entire albums while the screen is off without the music randomly stopping
      • apple keeps breaking AudioContext in new and interesting ways; time to give up (no more equalizer)
    • 1c0d978 perform search queries and execute js code
      • by translating smart-quotes into regular ' and " characters
  • python 3.12 support
    • technically a bugfix since it was added a year ago way before the first py3.12 alpha was released but turns out i botched it, oh well
  • filter error messages so they never include the filesystem path where copyparty's python files reside
  • print more context in server logs if someone hits an unexpected permission-denied

bugfixes

found some iffy stuff combing over the code but, as far as I can tell, luckily none of these were dangerous:

  • URL normalization was a bit funky, but it appears everything access-control-related was unaffected
  • some url parameters were double-decoded, causing the unpost filtering and file renaming to fail if the values contained %
  • clients could cause the server to return an invalid cache-control header, but newlines and control-characters got rejected correctly
  • minor cosmetics / qol fixes:
    • reduced flickering on page load in chrome
    • fixed some console spam in search results
    • markdown documents now have the same line-height in directory listings and the editor

bigger hammer

26 Aug 22:13

recent security / vulnerability fixes

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • more ways to automatically ban users! three new sensors, all default-enabled, giving a 1 day ban after 9 hits in 2 minutes:
    • --ban-403: trying to access volumes that don't exist or require authentication
    • --ban-422: invalid POST messages (from bruteforcing POST parameters and such)
    • --ban-url: URLs which 404 and also match --sus-urls (scanners/crawlers)
    • if you want to run a vulnerability scan on copyparty, please just download the server and do it locally! takes less than 30 seconds to set up, you get lower latency, and you won't be filling up the logfiles on the demo server with junk, thank you 🙏
  • more ban-related stuff,
    • new global option --nonsus-urls specifies regex of URLs which are OK to 404 and shouldn't ban people
    • --turbo now accepts the value -1 which makes it impossible for clients to enable it, making --ban-404 safe to use
  • range-selecting files in the list-view by shift-pgup/pgdn
  • volumes which are currently unavailable (dead nfs share, external HDD which is off, ...) are marked with a ❌ in the directory tree sidebar
  • the toggle-button to see dotfiles is now persisted as a cookie so it also applies on the initial page load
  • more effort is made to prevent <script>s inside markdown documents from running in the markdown editor and the fullpage viewer
    • anyone who wanted to use markdown files for malicious stuff can still just upload an html file instead, so this doesn't make anything more secure, just less confusing
    • the safest approach is still the nohtml volflag which disables markdown rendering outside sandboxes entirely, or only giving out write-access to trustworthy people
    • enabling markdown plugins with -emp now has the side-effect of cancelling this band-aid too
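The three sensors and the --nonsus-urls exemption as one sliding-window counter, an added example that is not copyparty's code (the regexes standing in for --sus-urls and --nonsus-urls are sample values):

```python
import re
import time
from collections import defaultdict, deque

# Added illustration, not copyparty's own code: the three default-enabled
# sensors as one sliding-window counter per client IP. The regexes stand in
# for --sus-urls / --nonsus-urls and are sample values.
BAN_HITS, BAN_WINDOW, BAN_DURATION = 9, 120, 86400     # 9 hits / 2 min -> 1 day
SUS_URLS = re.compile(r"\.php$|^/wp-|/\.env$|/\.git", re.I)
NONSUS_URLS = re.compile(r"\.map$|^/favicon\.ico$", re.I)


class AutoBan:
    def __init__(self, now=time.time):
        self.now = now                    # injectable clock for testing
        self.hits = defaultdict(deque)    # ip -> timestamps inside the window
        self.banned = {}                  # ip -> ban expiry timestamp

    def is_banned(self, ip):
        exp = self.banned.get(ip)
        if exp is not None and exp > self.now():
            return True
        self.banned.pop(ip, None)         # expired (or never banned)
        return False

    def _hit(self, ip):
        t = self.now()
        q = self.hits[ip]
        q.append(t)
        while q and q[0] < t - BAN_WINDOW:  # drop hits older than the window
            q.popleft()
        if len(q) >= BAN_HITS:
            self.banned[ip] = t + BAN_DURATION
            q.clear()
            return True
        return False

    def observe(self, ip, path, status):
        """Feed one completed request; True if this one triggered a ban."""
        if status in (403, 422):          # --ban-403, --ban-422
            return self._hit(ip)
        if status == 404 and SUS_URLS.search(path) and not NONSUS_URLS.search(path):
            return self._hit(ip)          # --ban-url
        return False
```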

bugfixes

  • textfile navigation hotkeys broke in the previous version

other changes

  • example nginx config was not compatible with cloudflare (suggest $http_cf_connecting_ip instead of $proxy_add_x_forwarded_for)
  • copyparty.exe is now built with python 3.11.5 which fixes CVE-2023-40217
    • copyparty32.exe is not, because python understandably ended win7 support
  • similar software:
    • copyparty appears to be 30x faster than nextcloud and seafile at receiving uploads of many small files
    • seafile has a size limit when zip-downloading folders

prometheable

20 Aug 23:59

new features

  • #49 prometheus / grafana / openmetrics integration (see readme)
  • download a folder with all music transcoded to opus by adding ?tar=opus or ?zip&opus to the URL
    • can also be used to download thumbnails instead of full images; ?tar=w for webp, ?tar=j for jpg
      • so i guess the long-time requested feature of pre-generating thumbnails kind of happened after all, if you schedule a curl http://127.0.0.1:3923/?tar=w >/dev/null after server startup
  • u2c (commandline uploader): argument -x to exclude files by regex (compares absolute filesystem paths)
  • --zm-spam 30 can be used to improve zeroconf / mDNS reliability on crazy networks
    • only necessary if there are clients with multiple IPs and some of the IPs are outside the subnets that copyparty is in -- not spec-compliant, not really recommended, but shouldn't cause any issues either
    • and --mc-hop wasn't actually implemented until now
  • dragging an image from another browser window onto the upload button is now possible
    • only works on chrome, and only on windows or linux (not macos)
  • server hostname is prefixed in all window titles
    • can be adjusted with --bname (the file explorer) and --doctitle (all other documents)
    • can be disabled with --nth (just window title) or --nih (title + header)

bugfixes

  • docker: the autogenerated seeds for filekeys and account passwords now get persisted to the config volume (thx noktuas)
  • uploading files with fancy filenames could fail if the copyparty server is running on android
  • improve workarounds for some apple/iphone/ios jank (thx noktuas and spiky)
    • some ui elements had their font-size selected by fair dice roll
    • the volume control does nothing because apple disabled it, so add a warning
    • the image gallery cannot be fullscreened as apple intended so add a warning

other changes

  • file table columns are now limited to browser window width
  • readme: mention that nginx-QUIC is currently very slow (thx noktuas)
  • #50 add a safeguard to the wget plugin in case wget at some point adds support for file:// or similar
  • show a suggestion on startup to enable the database

just boring bugfixes

25 Jul 16:27

final release until late august unless something bad happens and i end up building this thing on a shinkansen


bugfixes

  • range-select with shiftclick:
    • don't crash when entering another folder and shift-clicking some more
    • remember selection origin when lazy-loading more stuff into the viewport
  • markdown editor:
    • fix confusing warnings when the browser cache decides it really wants to cache
    • and when a document starts with a newline
  • remember intended actions such as ?edit on login prompts
  • Windows: TLS-cert generation (triggered by network changes) could occasionally fail

XSS for days

23 Jul 16:18

for lack of better ideas, there is now a discord server with an @everyone for all future important updates such as this one

IMPORTANT - recent security / vulnerability fixes

bugfixes

  • reflected XSS through /?k304 and /?setck
    • if someone tricked you into clicking a URL containing a chain of %0d and %0a they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
    • if you use a reverse proxy, you can check if you have been exploited like so (also checks for GHSA-cw7j-v52w-fp5r):
      • nginx: grep your logs for URLs containing %0d%0a%0d%0a, for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'
    • if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
    • huge thanks again to @TheHackyDog !
  • the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
  • fix mediaplayer spinlock if the server only has a single audio file
