Releases: 9001/copyparty
ie11 fix
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
there is a discord server with an @everyone
in case of future important updates, such as vulnerabilities (most recently 2023-07-23)
new features
- new option
--bauth-last
for when you're hosting other basic-auth services on the same domain 7b94e4e- makes it possible to log into copyparty as intended, but it still sees the passwords from the other service until you do
- alternatively, the other new option
--no-bauth
entirely disables basic-auth support, but that also kills the android app
bugfixes
- internet explorer isn't working?! FIX IT!!! 9e5253e
- audio transcoding was buggy with filekeys enabled b873365
- on windows, theoretical chance that antivirus could interrupt renaming files, so preemptively guard against that c8e3ed3
other changes
- add a "password" placeholder on the login page since you might think it's asking for a username da26ec3
- config buttons were jank on iOS b772a4f
- readme: making your homeserver accessible from the internet
⚠️ not the latest version!
scrolling stuff
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
there is a discord server with an @everyone
in case of future important updates, such as vulnerabilities (most recently 2023-07-23)
new features
- while viewing pictures/videos, the scrollwheel can be used to view the prev/next file 844d16b
bugfixes
- #81 (scrolling suddenly getting disabled) properly fixed after @icxes found another way to reproduce it (thx) 4f0cad5
- and fixed at least one javascript glitch introduced in v1.12.0 while adding dirkeys 989cc61
- directory tree sidebar could fail to render when popping browser history into the lightbox
other changes
⚠️ not the latest version!
locksmith
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
there is a discord server with an @everyone
in case of future important updates, such as vulnerabilities (most recently 2023-07-23)
new features
- #64 dirkeys; option to auto-generate passwords for folders, so you can give someone a link to a specific folder inside a volume without sharing the rest of the volume 10bc2d9 32c912b ef52e2c 0ae1286
- enabled by volflag
dk
(exact folder only) and/or volflagdks
(also subfolders); see readme
- enabled by volflag
- audio transcoding to mp3 if browser doesn't support opus a080759
- recursively transcode and download a folder using
?tar&mp3
- accidentally adds support for playing just about any audio format in ie11
- recursively transcode and download a folder using
- audio equalizer also applies to videos 7744226
bugfixes
- #81 scrolling could break after viewing an image in the lightbox 9c42cbe
- on phones, audio playback could stop if network is slow/unreliable 59f815f b88cc7b 59a53ba
- fixes the issue on android, but ios/safari appears to be impossible d94b5b3
other changes
- updated dompurify to 3.0.11
- copyparty.exe: updated to python 3.11.9
- support for building with pyoxidizer was removed 5ab5476
⚠️ not the latest version!
public idp volumes
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
there is a discord server with an @everyone
in case of future important updates, such as vulnerabilities (most recently 2023-07-23)
new features
-
global-option
--iobuf
to set a custom I/O buffersize 2b24c50- changes the default buffersize to 256 KiB everywhere (was a mix of 64 and 512)
- may improve performance of networked volumes (s3 etc.) if increased
- on gbit networks: download-as-tar is now up to 20% faster
- slightly faster FTP and TFTP too
-
global-option
--s-rd-sz
to set a custom read-size for sockets c6acd3a- changes the default from 32 to 256 KiB
- may improve performance of networked volumes (s3 etc.) if increased
- on 10gbit networks: uploading large files is now up to 17% faster
-
add url parameter
?replace
to overwrite any existing files with a multipart-post c6acd3a
bugfixes
- #79 idp volumes (introduced in v1.11.0) would only accept permissions for the user that owned the volume; was impossible to grant read/write-access to other users d30ae84
other changes
- mention the lack of persistence for idp volumes in the IdP docs 2f20d29
⚠️ not the latest version!
dont ban the pipes
the previous release had all the fun new features... this one's just bugfixes
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an
@everyone
in case of future important updates - v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
bugfixes
- less aggressive rejection of requests from banned IPs 51d3158
- clients would get kicked before the header was parsed (which contains the xff header), meaning the server could become inaccessible to everyone if the reverse-proxy itself were to "somehow" get banned
- ...which can happen if a server behind cloudflare also accepts non-cloudflare connections, meaning the client IP would not be resolved, and it'll ban the LAN IP instead heh
- that part still happens, but now it won't affect legit clients through the intended route
- ...which can happen if a server behind cloudflare also accepts non-cloudflare connections, meaning the client IP would not be resolved, and it'll ban the LAN IP instead heh
- the old behavior can be restored with
--early-ban
to save some cycles, and/or avoid slowloris somewhat
- clients would get kicked before the header was parsed (which contains the xff header), meaning the server could become inaccessible to everyone if the reverse-proxy itself were to "somehow" get banned
- the unpost feature could appear to be disabled on servers where no volume was mapped to
/
0287c7b - python 3.12 support for compiling the dependencies necessary to detect bpm/key in audio files 32553e4
other changes
- mention real-ip configuration in the readme ee80cdb
⚠️ not the latest version!
You Can (Not) Proceed
this release was made possible by stoltzekleiven, kvikklunsj, and tako
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an
@everyone
in case of future important updates - v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
new features
- #62 support for identity providers and automatically creating volumes for each user/group ("home folders")
- login with passkeys / fido2 / webauthn / yubikey / ldap / active directory / oauth / many other single-sign-on contraptions
- documentation and examples could still use some help (I did my best)
- #77 UI to cancel unfinished uploads (available in the 🧯 unpost tab) 3f05b66
- the user's IP and username must match the upload by default; can be changed with global-option / volflag
u2abort
- the user's IP and username must match the upload by default; can be changed with global-option / volflag
- new volflag
sparse
to pretend sparse files are supported even if the filesystem doesn't 8785d2f- gives drastically better performance when writing to s3 buckets through juicefs/geesefs
- only for when you know the filesystem can deal with it (so juicefs/geesefs is OK, but definitely not fat32)
--xff-src
and--ipa
now support CIDR notation (but the old syntax still works) b377791- ux:
- #74 option to use custom fonts 263adec 6cc7101 8016e67
- option to disable autoplay when page url contains a song hash 8413ed6
- good if you're using copyparty to listen to music at the office and the office policy is to have the webbrowser automatically restart to install updates, meaning your coworkers are suddenly and involuntarily enjoying some loud af jcore while you're asleep at home
bugfixes
- don't panic if cloudflare (or another reverse-proxy) decides to hijack json responses and replace them with html 7741870
- #73 the fancy markdown editor was incompatible with caddy (a reverse-proxy) ac96fd9
- media player could get confused if neighboring folders had songs with the same filenames 206af8f
- benign race condition in the config reloader (could only be triggered by admins and/or SIGUSR1) 096de50
- running tftp with optimizations enabled would cause issues for
--ipa
b377791 - cosmetic tftp bugs 115020b
- ux:
other changes
- add a sharex v12.1 config example 2527e90
- make it easier to discover/diagnose issues with docker and/or reverse-proxy config d744f3f
- stop recommending the use of
--xff-src=any
in the log messages 7f08f10 - ux:
- docs e78af02
- how to use copyparty with amazon aws s3
- faq: http/https confusion caused by incorrectly configured cloudflare
- #76 docker: ftp-server howto
- copyparty.exe: updated pyinstaller to 6.5.0 bdbcbbb
⚠️ not the latest version!
tall thumbs
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an
@everyone
in case of future important updates - v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
new features
- thumbnails can be way taller when centercrop is disabled in the browser UI 5026b21
- good for folders with lots of portrait pics (no more letterboxing)
- more thumbnail stuff:
bugfixes
- tftp fixes d07859e
- server could crash if a nic disappeared / got restarted mid-transfer
- tiny resource leak if dualstack causes ipv4 bind to fail
- thumbnails:
- trailing newline in html responses d39a99c
other changes
- webdeps: update dompurify 13e7777
- copyparty.exe: update jinja2, markupsafe, pyinstaller, upx 13e7777
⚠️ not the latest version!
big thumbs
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an
@everyone
in case of future important updates - v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
new features
- button to enable hi-res thumbnails 33f41f3 58ae38c
- enable with the
3x
button in the gridview - can be force-enabled/disabled serverside with
--th-x3
or volflagth3x
- enable with the
- tftp: IPv6 support and UTF-8 filenames + optimizations 0504b01
- ux:
bugfixes
- #72 impossible to delete recently uploaded zerobyte files if database was disabled 6bd087d
- tftp now works in
copyparty.exe
,copyparty32.exe
,copyparty-winpe64.exe
- the sharex config example was still using cookie-auth 8ff7094
- ux:
other changes
- thumbnail center-cropping can be force-enabled/disabled serverside with
--th-crop
or volflagcrop
- replaces
--th-no-crop
which is now deprecated (but will continue to work)
- replaces
this release contains a build of copyparty-winpe64.exe
which is almost entirely useless, except for in extremely specific scenarios, namely the kind where a TFTP server could also be useful -- the previous build was from version 1.8.7 (2023-07-23)
⚠️ not the latest version!
tftp
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an
@everyone
in case of future important updates - v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
new features
- TFTP server d636316 8796c09 acbb826 0287971
- detect some (un)common configuration mistakes
- buggy reverse-proxy which strips away all URL parameters 136c0fd
- could cause the browser to get stuck in a refresh-loop
- a volume on an sqlite-incompatible filesystem (a remote cifs server or such) and an up2k volume inside d4da386
- sqlite could deadlock or randomly throw exceptions; serverlog will now explain how to fix it
- buggy reverse-proxy which strips away all URL parameters 136c0fd
- ie11: file selection with shift-up/down 64ad585
bugfixes
- prevent music playback from stopping at the end of a folder f262aee
- preloader will now proactively hunt for the next file to play as the last song is ending
- in very specific scenarios, clients could be told their upload had finished processing a tiny bit too early, while the HDD was still busy taking in the last couple bytes 6f8a588
- so if you expected to find the complete file on the server HDD immediately as the final chunk got confirmed, that was not necessarily the case if your server HDD was severely overloaded to the point where closing a file takes half a minute
- huge thx to friend with said overloaded server for finding all the crazy edge cases
- so if you expected to find the complete file on the server HDD immediately as the final chunk got confirmed, that was not necessarily the case if your server HDD was severely overloaded to the point where closing a file takes half a minute
- ignore harmless javascript errors from easymde 879e83e
other changes
- the "copy currently playing song info to clipboard" button now excludes the uploader IP ed524d8
- mention that enabling
-j0
can improve HDD load during uploads 5d92f4d - mention a debian-specific docker bug which prevents starting most containers (not just copyparty) 4e797a7
⚠️ not the latest version!
eject
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an
@everyone
in case of future important updates - v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
new features
- disable mkdir / new-doc buttons until a name is provided d3db6d2
- warning about browsers limiting the number of connections c354a38
bugfixes
- #71 stop videos from buffering in the background a17c267
- improve up2k ETA on slow networks / many connections c1180d6
- u2c: exclude-filter didn't apply to file deletions b2e2334
--touch
/re📅
didn't apply to zerobyte files 945170e
other changes
- notes on hardlink/symlink conversion 6c2c609
- lore b1cf588