
URGENT: fix path traversal vulnerability

@9001 released this 14 Jul 16:27

Starting with the bad and important news: this release fixes GHSA-pxfv-7rr3-2qjg / CVE-2023-37474 -- so please upgrade!

Every version until now had a path traversal vulnerability which allowed read-access to any file on the server's filesystem.

The logs from 5 public servers have been reviewed so far, with no signs of exploitation.

To summarize,

  • Every file that the copyparty process had the OS-level permissions to read could be retrieved over HTTP without password authentication
  • However, an attacker would need to know the full (or copyparty-module-relative) path to the file; it was luckily impossible to list directory contents to discover files on the server
  • You may have been running copyparty with some mitigations against this:
    • prisonparty limited the scope of access to files which were intentionally given to copyparty for sharing, meaning all volumes, as well as the following read-only filesystem locations: /bin, /lib, /lib32, /lib64, /sbin, /usr, /etc/alternatives
    • the nix package has a similar mitigation implemented using systemd concepts
    • docker containers would only expose the files which were intentionally mounted into the container, so even better
  • More conventional setups, such as just running the sfx (python or exe editions), would unfortunately expose all files readable by the current user
  • The following configurations would have made the impact much worse:
    • running copyparty as root

So, three years, and finally a CVE -- which has been there since day one... Not great, huh. There is a list of all the copyparty alternatives that I know of in the similar software link above.

Thanks for flying copyparty! And especially if you decide to continue doing so :-)

new features

  • #43 volflags to specify thumbnailer behavior per-volume;
    • --th-no-crop / volflag nocrop to specify whether autocrop should be disabled
    • --th-size / volflag thsize to set a custom thumbnail resolution
    • --th-convt / volflag convt to specify conversion timeout
  • #45 resulted in a handful of opportunities to tighten security in intentionally-dangerous setups (public folders with anonymous uploads enabled):
    • a new permission, a (in addition to the existing rwmdgG), to show the uploader-IP and upload-time for each file in the file listing
      • accidentally incompatible with the d2t volflag (will be fixed in the next ver)
    • volflag nohtml is a good defense against (un)intentional XSS; it returns HTML files and markdown files as plain text instead of rendering them, meaning any malicious <script> won't run -- bad idea for regular use since it breaks fundamental functionality, but good when you really need it
      • the README previews below the file listing still render as usual, which is fine thanks to the sandbox
    • a new eventhook --xban to run a plugin when copyparty decides to ban someone (for password bruteforcing or excessive 404s), for example to blackhole the IP using fail2ban or similar

bugfixes

  • fixes a path traversal vulnerability, GHSA-pxfv-7rr3-2qjg / CVE-2023-37474
    • HUGE thanks to @TheHackyDog for reporting this!!
    • if you use a reverse proxy, you can check if you have been exploited like so:
      • nginx: grep your logs for URLs containing both .cpr/ and %2[^0], for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E 'cpr/.*%2[^0]' | grep -vF data:image/svg
  • 77f1e51 fixes an extremely unlikely race-condition (see the commit for details)
  • 8f59afb fixes another race-condition which is a bit worse:
    • the unpost feature could collide with other database activity, with the worst-case outcome being aborted batch operations, for example a directory move or a batch-rename which stops halfway
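The reverse-proxy log check in the bugfixes list above, as an added example that is not part of this release or of copyparty's own code: a small Python scanner that applies the same heuristic (a .cpr/ URL carrying percent-encoding other than %20, skipping data:image/svg) to nginx combined-format logs, plain or gzipped. It inspects only the request line, which is what the sed step in the one-liner achieves, so a matching string in a referer or user-agent does not trip it. The log lines are constructed samples, not real traffic; scan_file is assumed to be pointed at your own access logs.

```python
import gzip
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" format (not real traffic).
# Only line 3 should be flagged: line 2 carries just %20, line 4 has the
# pattern in the referer rather than the request, line 5 is the svg exclusion.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2023:16:00:01 +0000] "GET /.cpr/deps/ui.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2023:16:00:02 +0000] "GET /.cpr/deps/some%20file.js HTTP/1.1" 200 99 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2023:16:00:03 +0000] "GET /.cpr/deps/a%2fb.css HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [14/Jul/2023:16:00:04 +0000] "GET /index.html HTTP/1.1" 200 50 "http://x.test/.cpr/%2e" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2023:16:00:05 +0000] "GET /.cpr/ui.css?bg=data:image/svg%2Bxml HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# client, ident, user, [time], "request", status ... ; everything after the
# request line (referer, user-agent) is deliberately not inspected.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
# The release's heuristic: a .cpr/ path with percent-encoding other than %20.
SUSPECT_RE = re.compile(r'cpr/.*%2[^0]')


def scan_lines(lines):
    """Return (client_ip, time, request_line, decoded_target) for every
    request line matching the heuristic. Unparseable lines are skipped.
    A hit is a candidate for manual review, not proof of exploitation."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, request, _status = m.groups()
        if "data:image/svg" in request:      # same as `grep -vF data:image/svg`
            continue
        if not SUSPECT_RE.search(request):
            continue
        parts = request.split(" ")
        target = parts[1] if len(parts) >= 2 else request
        # Decode once so the reviewer sees the path the server would resolve.
        hits.append((ip, when, request, unquote(target)))
    return hits


def scan_file(path):
    """Scan one access log; .gz files are read transparently."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


if __name__ == "__main__":
    for ip, when, req, decoded in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{when} {ip} {req!r} -> {decoded}")
```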
