
Releases: 9001/copyparty

bigger hammer

26 Aug 22:13

recent security / vulnerability fixes

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • more ways to automatically ban users! three new sensors, all default-enabled, giving a 1 day ban after 9 hits in 2 minutes:
    • --ban-403: trying to access volumes that don't exist or require authentication
    • --ban-422: invalid POST messages (from bruteforcing POST parameters and such)
    • --ban-url: URLs which 404 and also match --sus-urls (scanners/crawlers)
    • if you want to run a vulnerability scan on copyparty, please just download the server and do it locally! takes less than 30 seconds to set up, you get lower latency, and you won't be filling up the logfiles on the demo server with junk, thank you 🙏
  • more ban-related stuff,
    • new global option --nonsus-urls specifies regex of URLs which are OK to 404 and shouldn't ban people
    • --turbo now accepts the value -1 which makes it impossible for clients to enable it, making --ban-404 safe to use
  • range-selecting files in the list-view by shift-pgup/pgdn
  • volumes which are currently unavailable (dead nfs share, external HDD which is off, ...) are marked with a ❌ in the directory tree sidebar
  • the toggle-button to see dotfiles is now persisted as a cookie so it also applies on the initial page load
  • more effort is made to prevent <script>s inside markdown documents from running in the markdown editor and the fullpage viewer
    • anyone who wanted to use markdown files for malicious stuff can still just upload an html file instead, so this doesn't make anything more secure, just less confusing
    • the safest approach is still the nohtml volflag which disables markdown rendering outside sandboxes entirely, or only giving out write-access to trustworthy people
    • enabling markdown plugins with -emp now has the side-effect of cancelling this band-aid too
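As an added illustration of how the three sensors above interact (this is not copyparty's own code, and the SUS_URLS / NONSUS_URLS regexes are assumed examples rather than copyparty's defaults), here is a small model of the rule "9 counted hits within 2 minutes gives a 1 day ban", where a 404 only counts when it matches the sus regex and not the nonsus one:

```python
import re
from collections import defaultdict, deque

# Added illustration of the three default-enabled sensors described above
# (--ban-403, --ban-422, --ban-url); this is not copyparty's own implementation.
# Defaults from the release notes: 9 hits within 2 minutes => 1 day ban.
HITS, WINDOW_S, BAN_S = 9, 120, 86400

# Assumed example regexes standing in for --sus-urls and --nonsus-urls;
# they are not copyparty's defaults.
SUS_URLS = re.compile(r"(?i)\.php$|/wp-|/\.env$|/\.git/")
NONSUS_URLS = re.compile(r"(?i)^/favicon\.ico$|^/robots\.txt$")


class BanSensor:
    def __init__(self, hits=HITS, window_s=WINDOW_S, ban_s=BAN_S):
        self.hits, self.window_s, self.ban_s = hits, window_s, ban_s
        self.events = defaultdict(deque)  # ip -> timestamps of counted hits
        self.banned = {}                  # ip -> ban expiry (epoch seconds)

    def is_banned(self, ip, now):
        exp = self.banned.get(ip)
        if exp is not None and now < exp:
            return True
        self.banned.pop(ip, None)         # expired (or never banned)
        return False

    def counts(self, status, url):
        """Does this response count towards a ban?"""
        if status in (403, 422):          # --ban-403 / --ban-422
            return True
        if status == 404:                 # --ban-url: 404 AND sus AND not nonsus
            return bool(SUS_URLS.search(url)) and not NONSUS_URLS.search(url)
        return False

    def observe(self, ip, status, url, now):
        """Record one response; True means the client is (now) banned."""
        if self.is_banned(ip, now):
            return True
        if not self.counts(status, url):
            return False
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # slide the 2-minute window
            q.popleft()
        if len(q) >= self.hits:
            self.banned[ip] = now + self.ban_s
            q.clear()
            return True
        return False
```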

bugfixes

  • textfile navigation hotkeys broke in the previous version

other changes

  • example nginx config was not compatible with cloudflare (suggest $http_cf_connecting_ip instead of $proxy_add_x_forwarded_for)
  • copyparty.exe is now built with python 3.11.5 which fixes CVE-2023-40217
    • copyparty32.exe is not, because python understandably ended win7 support
  • similar software:
    • copyparty appears to be 30x faster than nextcloud and seafile at receiving uploads of many small files
    • seafile has a size limit when zip-downloading folders


prometheable

20 Aug 23:59

recent security / vulnerability fixes

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

  • #49 prometheus / grafana / openmetrics integration (see readme)
  • download a folder with all music transcoded to opus by adding ?tar=opus or ?zip&opus to the URL
    • can also be used to download thumbnails instead of full images; ?tar=w for webp, ?tar=j for jpg
      • so i guess the long-time requested feature of pre-generating thumbnails kind of happened after all, if you schedule a curl http://127.0.0.1:3923/?tar=w >/dev/null after server startup
  • u2c (commandline uploader): argument -x to exclude files by regex (compares absolute filesystem paths)
  • --zm-spam 30 can be used to improve zeroconf / mDNS reliability on crazy networks
    • only necessary if there are clients with multiple IPs and some of the IPs are outside the subnets that copyparty is in -- not spec-compliant, not really recommended, but shouldn't cause any issues either
    • and --mc-hop wasn't actually implemented until now
  • dragging an image from another browser window onto the upload button is now possible
    • only works on chrome, and only on windows or linux (not macos)
  • server hostname is prefixed in all window titles
    • can be adjusted with --bname (the file explorer) and --doctitle (all other documents)
    • can be disabled with --nth (just window title) or --nih (title + header)

bugfixes

  • docker: the autogenerated seeds for filekeys and account passwords now get persisted to the config volume (thx noktuas)
  • uploading files with fancy filenames could fail if the copyparty server is running on android
  • improve workarounds for some apple/iphone/ios jank (thx noktuas and spiky)
    • some ui elements had their font-size selected by fair dice roll
    • the volume control does nothing because apple disabled it, so add a warning
    • the image gallery cannot be fullscreened as apple intended so add a warning

other changes

  • file table columns are now limited to browser window width
  • readme: mention that nginx-QUIC is currently very slow (thx noktuas)
  • #50 add a safeguard to the wget plugin in case wget at some point adds support for file:// or similar
  • show a suggestion on startup to enable the database


just boring bugfixes

25 Jul 16:27

final release until late august unless something bad happens and i end up building this thing on a shinkansen

recent security / vulnerability fixes

  • there is a discord server with an @everyone in case of future important updates
  • v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

bugfixes

  • range-select with shiftclick:
    • don't crash when entering another folder and shift-clicking some more
    • remember selection origin when lazy-loading more stuff into the viewport
  • markdown editor:
    • fix confusing warnings when the browser cache decides it really wants to cache
    • and when a document starts with a newline
  • remember intended actions such as ?edit on login prompts
  • Windows: TLS-cert generation (triggered by network changes) could occasionally fail


XSS for days

23 Jul 16:18

for lack of better ideas, there is now a discord server with an @everyone for all future important updates such as this one

IMPORTANT - recent security / vulnerability fixes

bugfixes

  • reflected XSS through /?k304 and /?setck
    • if someone tricked you into clicking a URL containing a chain of %0d and %0a they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
    • if you use a reverse proxy, you can check if you have been exploited like so (also checks for GHSA-cw7j-v52w-fp5r):
      • nginx: grep your logs for URLs containing %0d%0a%0d%0a, for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'
    • if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
    • huge thanks again to @TheHackyDog !
  • the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
  • fix mediaplayer spinlock if the server only has a single audio file


fix reflected XSS

21 Jul 01:20

IMPORTANT - recent security / vulnerability fixes

  • v1.8.6 (this release) - GHSA-cw7j-v52w-fp5r - reflected XSS
  • v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal
    • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

bugfixes

  • reflected XSS through /?hc (the optional subfolder parameter to the connect page)
    • if someone tricked you into clicking http://127.0.0.1:3923/?hc=<script>alert(1)</script> they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
    • if you use a reverse proxy, you can check if you have been exploited like so:
      • nginx: grep your logs for URLs containing ?hc= with < somewhere in its value, for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]'
    • if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
    • thanks again to @TheHackyDog !


range-select v2

18 Jul 08:27

IMPORTANT: v1.8.2 (previous release) fixed CVE-2023-37474; please see the 1.8.2 release notes (all serverlogs reviewed so far showed no signs of exploitation)

new features

  • #47 file selection by shift-clicking
    • in list-view: click a table row to select it, then shift-click another to select all files in-between
    • in grid-view: either enable the multiselect button (mainly for phones/tablets), or the new sel button in the [⚙️] settings tab (better for mouse+keyboard), then shift-click two files
  • volflag fat32 avoids a bug in android's sdcardfs causing excessive reindexing on startup if any files were modified on the sdcard since last reboot

bugfixes

  • minor corrections to the new features from #45
    • uploader IPs are now visible for admin accounts in d2t volumes as well

other changes

  • the admin-panel is only accessible for accounts which have the a (admin) permission-level in one or more volumes; so instead of giving your user rwmd access, you'll want rwmda instead:
    python3 copyparty-sfx.py -a joe:hunter2 -v /mnt/nas/pub:pub:rwmda,joe
    or in a settings file,
    [/pub]
      /mnt/nas/pub
      accs:
        rwmda: joe
    • until now, rw was enough, however most readwrite users don't need access to those features
    • grabbing a stacktrace with ?stack is permitted for both rw and a


range-select

16 Jul 23:11


(the v2 of this release permits stacktrace for either a or rw accounts, and requires a for other admin-panel operations)

URGENT: fix path traversal vulnerability

14 Jul 16:27

Starting with the bad and important news: this release fixes GHSA-pxfv-7rr3-2qjg / CVE-2023-37474 -- so please upgrade!

Every version until now had a path traversal vulnerability which allowed read-access to any file on the server's filesystem.

The logs from 5 public servers have been reviewed so far, with no signs of exploitation.

To summarize,

  • Every file that the copyparty process had the OS-level permissions to read, could be retrieved over HTTP without password authentication
  • However, an attacker would need to know the full (or copyparty-module-relative) path to the file; it was luckily impossible to list directory contents to discover files on the server
  • You may have been running copyparty with some mitigations against this:
    • prisonparty limited the scope of access to files which were intentionally given to copyparty for sharing; meaning all volumes, as well as the following read-only filesystem locations: /bin, /lib, /lib32, /lib64, /sbin, /usr, /etc/alternatives
    • the nix package has a similar mitigation implemented using systemd concepts
    • docker containers would only expose the files which were intentionally mounted into the container, so even better
  • More conventional setups, such as just running the sfx (python or exe editions), would unfortunately expose all files readable by the current user
  • The following configurations would have made the impact much worse:
    • running copyparty as root

So, three years, and finally a CVE -- which has been there since day one... Not great huh. There is a list of all the copyparty alternatives that I know of in the similar software link above.

Thanks for flying copyparty! And especially if you decide to continue doing so :-)

new features

  • #43 volflags to specify thumbnailer behavior per-volume;
    • --th-no-crop / volflag nocrop to specify whether autocrop should be disabled
    • --th-size / volflag thsize to set a custom thumbnail resolution
    • --th-convt / volflag convt to specify conversion timeout
  • #45 resulted in a handful of opportunities to tighten security in intentionally-dangerous setups (public folders with anonymous uploads enabled):
    • a new permission, a (in addition to the existing rwmdgG), to show the uploader-IP and upload-time for each file in the file listing
      • accidentally incompatible with the d2t volflag (will be fixed in the next ver)
    • volflag nohtml is a good defense against (un)intentional XSS; it returns HTML-files and markdown-files as plaintext instead of rendering them, meaning any malicious <script> won't run -- bad idea for regular use since it breaks fundamental functionality, but good when you really need it
      • the README-previews below the file-listing still render as usual, as this is fine thanks to the sandbox
    • a new eventhook --xban to run a plugin when copyparty decides to ban someone (for password bruteforcing or excessive 404's), for example to blackhole the IP using fail2ban or similar

bugfixes

  • fixes a path traversal vulnerability, GHSA-pxfv-7rr3-2qjg / CVE-2023-37474
    • HUGE thanks to @TheHackyDog for reporting this !!
    • if you use a reverse proxy, you can check if you have been exploited like so:
      • nginx: grep your logs for URLs containing both .cpr/ and %2[^0], for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E 'cpr/.*%2[^0]' | grep -vF data:image/svg
  • 77f1e51 fixes an extremely unlikely race-condition (see the commit for details)
  • 8f59afb fixes another race-condition which is a bit worse:
    • the unpost feature could collide with other database activity, with the worst-case outcome being aborted batch operations, for example a directory move or a batch-rename which stops halfway
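The three nginx-log checks given in these release notes (the .cpr/ + %2[^0] check for CVE-2023-37474 above, the ?hc= check for GHSA-cw7j-v52w-fp5r, and the %0d%0a chain check for CVE-2023-38501) re-expressed in Python as an added example; this is not copyparty's own code, and the log lines are constructed samples in nginx combined format, not real traffic:

```python
import re

# Added example, not copyparty's own code: the three nginx-log checks from the
# advisories (CVE-2023-37474, GHSA-cw7j-v52w-fp5r, CVE-2023-38501) as Python,
# so they can be run over rotated logs from a script instead of a shell pipe.

# Same job as the advisories' sed: drop the status code, referer and user-agent
# so only the request line is matched (a hostile referer must not cause a hit).
REQUEST_ONLY = re.compile(r'" [0-9]+ .*')

# (pattern, exclusion) pairs lifted from the grep commands in the release notes.
# The traversal pattern is deliberately broad (any %2X except %20 under .cpr/);
# the data:image/svg exclusion is the notes' own false-positive filter.
CHECKS = {
    "CVE-2023-37474 path traversal": (re.compile(r"cpr/.*%2[^0]"), re.compile(r"data:image/svg")),
    "GHSA-cw7j-v52w-fp5r reflected XSS (?hc=)": (re.compile(r"[?&](hc|pw)=.*[<>]"), None),
    "CVE-2023-38501 reflected XSS (CRLF)": (re.compile(r"%0[da]%0[da]%0[da]%0[da]", re.I), None),
}


def scan(log_text):
    """Return (check name, request part) for every log line matching an advisory pattern."""
    hits = []
    for line in log_text.splitlines():
        req = REQUEST_ONLY.sub("", line)
        for name, (pat, excl) in CHECKS.items():
            if pat.search(req) and not (excl and excl.search(req)):
                hits.append((name, req))
    return hits


# Constructed sample lines in nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2023:12:00:01 +0000] "GET /.cpr/%2e%2e/x HTTP/1.1" 200 1234 "-" "curl/8.1.0"
203.0.113.6 - - [14/Jul/2023:12:00:02 +0000] "GET /.cpr/ico/x?data:image/svg%2bxml HTTP/1.1" 200 10 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Jul/2023:09:15:00 +0000] "GET /?hc=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jul/2023:10:00:00 +0000] "GET /?setck=x%0d%0a%0d%0a HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [23/Jul/2023:10:01:00 +0000] "GET /pub/a%20b.jpg HTTP/1.1" 200 4096 "http://evil.example/?hc=<x>" "Mozilla/5.0"
192.0.2.8 - - [23/Jul/2023:10:02:00 +0000] "GET /?hc=music HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for name, req in scan(SAMPLE_LOG):
        print(f"{name}: {req}")
```

The fifth sample line only carries the suspicious string in its referer, which the status-strip removes before matching, so it correctly produces no hit.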


in case of 404

08 Jul 00:08

new features

  • handlers; change the behavior of 404 / 403 with plugins
  • #42 add mpv + streamlink support to very-bad-idea
  • add support for Pillow 10
    • also improved text rendering in icons
  • mention the fedora package in the readme

bugfixes

  • theme 6 (hacker) didn't show the state of some toggle-switches
  • windows: keep quickedit enabled when hashing passwords interactively


argon

26 Jun 00:48

News: if you use rclone as a copyparty webdav client, upgrading to rclone v1.63 (just released) will give you a huge speed boost for small files

new features

  • #39 hashed passwords
    • instead of keeping plaintext account passwords in config files, you can now store hashed ones instead
    • --ah-alg specifies algorithm; best to worst: argon2, scrypt, sha2, or the default none
    • the default settings of each algorithm take 0.4 sec to hash a password, and argon2 eats 256 MiB RAM
      • can be adjusted with optional comma-separated args after the algorithm name; see --help-pwhash
    • --ah-salt is the static salt for all passwords, and is autogenerated-and-persisted if not specified
    • --ah-cli switches copyparty into a shell where you can hash passwords interactively
      • but copyparty will also autoconvert any unhashed passwords on startup and give you the values to insert into the config anyways
  • #40 volume size limit
    • volflag vmaxb specifies max size of a volume
    • volflag vmaxn specifies max number of files in a volume
    • example: -v [...]:c,vmaxb=900g:c,vmaxn=20k blocks uploads if the volume reaches 900 GiB or a total of 20480 files
    • good alternative to --df since it works per-volume

bugfixes

  • autogenerated TLS certs didn't include the mDNS name

other changes

  • improved cloudflare challenge detection
  • markdown edits will now trigger upload hooks
