Releases: 9001/copyparty
bigger hammer
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
recent security / vulnerability fixes
- there is a discord server with an `@everyone` in case of future important updates
- v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
new features
- more ways to automatically ban users! three new sensors, all default-enabled, giving a 1 day ban after 9 hits in 2 minutes:
  - `--ban-403`: trying to access volumes that don't exist or require authentication
  - `--ban-422`: invalid POST messages (from bruteforcing POST parameters and such)
  - `--ban-url`: URLs which 404 and also match `--sus-urls` (scanners/crawlers)
- if you want to run a vulnerability scan on copyparty, please just download the server and do it locally! takes less than 30 seconds to set up, you get lower latency, and you won't be filling up the logfiles on the demo server with junk, thank you 🙏
- more ban-related stuff:
  - new global option `--nonsus-urls` specifies a regex of URLs which are OK to 404 and shouldn't ban people
  - `--turbo` now accepts the value `-1`, which makes it impossible for clients to enable it, making `--ban-404` safe to use
- range-selecting files in the list-view by shift-pgup/pgdn
- volumes which are currently unavailable (dead nfs share, external HDD which is off, ...) are marked with a ❌ in the directory tree sidebar
- the toggle-button to see dotfiles is now persisted as a cookie so it also applies on the initial page load
- more effort is made to prevent `<script>`s inside markdown documents from running in the markdown editor and the fullpage viewer
  - anyone who wanted to use markdown files for malicious stuff can still just upload an html file instead, so this doesn't make anything more secure, just less confusing
  - the safest approach is still the `nohtml` volflag which disables markdown rendering outside sandboxes entirely, or only giving out write-access to trustworthy people
  - enabling markdown plugins with `-emp` now has the side-effect of cancelling this band-aid too
bugfixes
- textfile navigation hotkeys broke in the previous version
other changes
- example nginx config was not compatible with cloudflare (suggest `$http_cf_connecting_ip` instead of `$proxy_add_x_forwarded_for`; behind cloudflare the peer address nginx sees is a cloudflare edge, so the visitor's real IP has to come from the `CF-Connecting-IP` header for the ban sensors to act on the right client)
- `copyparty.exe` is now built with python 3.11.5 which fixes CVE-2023-40217; `copyparty32.exe` is not, because python understandably ended win7 support
- similar software:
- copyparty appears to be 30x faster than nextcloud and seafile at receiving uploads of many small files
- seafile has a size limit when zip-downloading folders
⚠️ not the latest version!
prometheable
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
recent security / vulnerability fixes
- there is a discord server with an `@everyone` in case of future important updates
- v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
new features
- #49 prometheus / grafana / openmetrics integration (see readme)
  - read metrics from http://127.0.0.1:3923/.cpr/metrics after enabling with `--stats`
- download a folder with all music transcoded to opus by adding `?tar=opus` or `?zip&opus` to the URL
  - can also be used to download thumbnails instead of full images; `?tar=w` for webp, `?tar=j` for jpg
    - so i guess the long-time requested feature of pre-generating thumbnails kind of happened after all, if you schedule a `curl http://127.0.0.1:3923/?tar=w >/dev/null` after server startup
- u2c (commandline uploader): argument `-x` to exclude files by regex (compares absolute filesystem paths)
- `--zm-spam 30` can be used to improve zeroconf / mDNS reliability on crazy networks
  - only necessary if there are clients with multiple IPs and some of the IPs are outside the subnets that copyparty is in -- not spec-compliant, not really recommended, but shouldn't cause any issues either
  - and `--mc-hop` wasn't actually implemented until now
- dragging an image from another browser window onto the upload button is now possible
- only works on chrome, and only on windows or linux (not macos)
- server hostname is prefixed in all window titles
  - can be adjusted with `--bname` (the file explorer) and `--doctitle` (all other documents)
  - can be disabled with `--nth` (just window title) or `--nih` (title + header)
bugfixes
- docker: the autogenerated seeds for filekeys and account passwords now get persisted to the config volume (thx noktuas)
- uploading files with fancy filenames could fail if the copyparty server is running on android
- improve workarounds for some apple/iphone/ios jank (thx noktuas and spiky)
- some ui elements had their font-size selected by fair dice roll
- the volume control does nothing because apple disabled it, so add a warning
- the image gallery cannot be fullscreened as apple intended so add a warning
other changes
- file table columns are now limited to browser window width
- readme: mention that nginx-QUIC is currently very slow (thx noktuas)
- #50 add a safeguard to the wget plugin in case wget at some point adds support for `file://` or similar
- show a suggestion on startup to enable the database
⚠️ not the latest version!
just boring bugfixes
final release until late august unless something bad happens and i end up building this thing on a shinkansen
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
recent security / vulnerability fixes
- there is a discord server with an `@everyone` in case of future important updates
- v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
bugfixes
- range-select with shiftclick:
- don't crash when entering another folder and shift-clicking some more
- remember selection origin when lazy-loading more stuff into the viewport
- markdown editor:
- fix confusing warnings when the browser cache decides it really wants to cache
- and when a document starts with a newline
- remember intended actions such as `?edit` on login prompts
- Windows: TLS-cert generation (triggered by network changes) could occasionally fail
⚠️ not the latest version!
XSS for days
for lack of better ideas, there is now a discord server with an `@everyone` for all future important updates such as this one
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
IMPORTANT - recent security / vulnerability fixes
- v1.8.7 (this release) - GHSA-f54q-j679-p9hh - reflected XSS
- v1.8.6 (2023-07-21) - GHSA-cw7j-v52w-fp5r - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
bugfixes
- reflected XSS through `/?k304` and `/?setck`
  - if someone tricked you into clicking a URL containing a chain of `%0d` and `%0a` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
  - if you use a reverse proxy, you can check if you have been exploited like so (also checks for GHSA-cw7j-v52w-fp5r):
    - nginx: grep your logs for URLs containing `%0d%0a%0d%0a`, for example using the following command:
      ```sh
      (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'
      ```
  - if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
  - huge thanks again to @TheHackyDog !
- the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
- fix mediaplayer spinlock if the server only has a single audio file
⚠️ not the latest version!
fix reflected XSS
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
IMPORTANT - recent security / vulnerability fixes
- v1.8.6 (this release) - GHSA-cw7j-v52w-fp5r - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
bugfixes
- reflected XSS through `/?hc` (the optional subfolder parameter to the connect page)
  - if someone tricked you into clicking `http://127.0.0.1:3923/?hc=<script>alert(1)</script>` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
  - if you use a reverse proxy, you can check if you have been exploited like so:
    - nginx: grep your logs for URLs containing `?hc=` with `<` somewhere in its value, for example using the following command:
      ```sh
      (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]'
      ```
  - if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
  - thanks again to @TheHackyDog !
⚠️ not the latest version!
range-select v2
IMPORTANT: v1.8.2 (previous release) fixed CVE-2023-37474; please see the 1.8.2 release notes (all serverlogs reviewed so far showed no signs of exploitation)
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
new features
- #47 file selection by shift-clicking
  - in list-view: click a table row to select it, then shift-click another to select all files in-between
  - in grid-view: either enable the `multiselect` button (mainly for phones/tablets), or the new `sel` button in the `[⚙️] settings` tab (better for mouse+keyboard), then shift-click two files
- volflag `fat32` avoids a bug in android's sdcardfs causing excessive reindexing on startup if any files were modified on the sdcard since last reboot
bugfixes
- minor corrections to the new features from #45
  - uploader IPs are now visible for `a`dmin accounts in `d2t` volumes as well
other changes
- the admin-panel is only accessible for accounts which have the `a` (admin) permission-level in one or more volumes; so instead of giving your user `rwmd` access, you'll want `rwmda` instead:
  ```sh
  python3 copyparty-sfx.py -a joe:hunter2 -v /mnt/nas/pub:pub:rwmda,joe
  ```
  or in a settings file,
  ```
  [/pub]
    /mnt/nas/pub
    accs:
      rwmda: joe
  ```
  - until now, `rw` was enough, however most readwrite users don't need access to those features
  - grabbing a stacktrace with `?stack` is permitted for both `rw` and `a`
⚠️ not the latest version!
range-select
⚠️ not the latest version!
(the v2 of this release permits stacktrace for either `a` or `rw` accounts, and requires `a` for other admin-panel operations)
URGENT: fix path traversal vulnerability
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
Starting with the bad and important news; this release fixes GHSA-pxfv-7rr3-2qjg / CVE-2023-37474 -- so please upgrade!
Every version until now had a path traversal vulnerability which allowed read-access to any file on the server's filesystem.
The logs from 5 public servers have been reviewed so far, with no signs of exploitation.
To summarize,
- Every file that the copyparty process had the OS-level permissions to read, could be retrieved over HTTP without password authentication
- However, an attacker would need to know the full (or copyparty-module-relative) path to the file; it was luckily impossible to list directory contents to discover files on the server
- You may have been running copyparty with some mitigations against this:
  - prisonparty limited the scope of access to files which were intentionally given to copyparty for sharing; meaning all volumes, as well as the following read-only filesystem locations: `/bin`, `/lib`, `/lib32`, `/lib64`, `/sbin`, `/usr`, `/etc/alternatives`
  - the nix package has a similar mitigation implemented using systemd concepts
  - docker containers would only expose the files which were intentionally mounted into the container, so even better
- More conventional setups, such as just running the sfx (python or exe editions), would unfortunately expose all files readable by the current user
- The following configurations would have made the impact much worse:
  - running copyparty as root
So, three years, and finally a CVE -- which has been there since day one... Not great huh. There is a list of all the copyparty alternatives that I know of in the similar software link above.
Thanks for flying copyparty! And especially if you decide to continue doing so :-)
new features
- #43 volflags to specify thumbnailer behavior per-volume;
  - `--th-no-crop` / volflag `nocrop` to specify whether autocrop should be disabled
  - `--th-size` / volflag `thsize` to set a custom thumbnail resolution
  - `--th-convt` / volflag `convt` to specify conversion timeout
- #45 resulted in a handful of opportunities to tighten security in intentionally-dangerous setups (public folders with anonymous uploads enabled):
  - a new permission, `a` (in addition to the existing `rwmdgG`), to show the uploader-IP and upload-time for each file in the file listing
    - accidentally incompatible with the `d2t` volflag (will be fixed in the next ver)
  - volflag `nohtml` is a good defense against (un)intentional XSS; it returns HTML-files and markdown-files as plaintext instead of rendering them, meaning any malicious `<script>` won't run -- bad idea for regular use since it breaks fundamental functionality, but good when you really need it
    - the README-previews below the file-listing still render as usual, as this is fine thanks to the sandbox
  - a new eventhook `--xban` to run a plugin when copyparty decides to ban someone (for password bruteforcing or excessive 404's), for example to blackhole the IP using fail2ban or similar
bugfixes
- fixes a path traversal vulnerability, GHSA-pxfv-7rr3-2qjg / CVE-2023-37474
  - HUGE thanks to @TheHackyDog for reporting this !!
  - if you use a reverse proxy, you can check if you have been exploited like so:
    - nginx: grep your logs for URLs containing both `.cpr/` and `%2[^0]`, for example using the following command:
      ```sh
      (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E 'cpr/.*%2[^0]' | grep -vF data:image/svg
      ```
- 77f1e51 fixes an extremely unlikely race-condition (see the commit for details)
- 8f59afb fixes another race-condition which is a bit worse:
  - the unpost feature could collide with other database activity, with the worst-case outcome being aborted batch operations, for example a directory move or a batch-rename which stops halfway
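The three nginx one-liners in the v1.8.2, v1.8.6 and v1.8.7 notes above, combined into one scanner as an added example (not part of the release notes and not copyparty's own tooling). The log lines are constructed for the example, the `.cpr/%2e%2e/...` URL is just one string that trips the advisory's `%2[^0]` pattern rather than the real payload, and the indicator names are the advisory IDs from the notes. Like the sed step in the one-liners, only the request-line URL is inspected, so angle brackets in the referer or user-agent do not count, and the `data:image/svg` exclusion from the v1.8.2 command is kept for the traversal check. It only covers traffic that went through the proxy, same as the original commands.

```python
import glob
import gzip
import re
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed nginx "combined"-format access log lines, not real traffic.
# Lines 1-3 are benign (line 2 is the svg false-positive the v1.8.2 grep
# filters out); lines 4-6 each carry one indicator; line 7 only has angle
# brackets in the referer and user-agent, which must not count.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2023:10:00:01 +0000] "GET /pub/demo/?k304=y HTTP/1.1" 200 512 "-" "curl/8.1"
203.0.113.5 - - [20/Jul/2023:10:00:02 +0000] "GET /.cpr/ico/x.svg?data:image/svg%2Bxml HTTP/1.1" 200 90 "-" "Mozilla"
203.0.113.5 - - [20/Jul/2023:10:00:03 +0000] "GET /pub/a%20b.txt HTTP/1.1" 200 10 "-" "Mozilla"
198.51.100.7 - - [20/Jul/2023:10:01:00 +0000] "GET /.cpr/%2e%2e/secret.txt HTTP/1.1" 200 1234 "-" "python-requests/2.31"
198.51.100.7 - - [20/Jul/2023:10:02:00 +0000] "GET /?hc=<script>alert(1)</script> HTTP/1.1" 200 3000 "-" "Mozilla"
198.51.100.7 - - [20/Jul/2023:10:03:00 +0000] "GET /?k304=y%0D%0A%0d%0aSet-Cookie:x HTTP/1.1" 200 100 "-" "Mozilla"
198.51.100.7 - - [20/Jul/2023:10:04:00 +0000] "GET /?pw=hunter2 HTTP/1.1" 200 100 "http://evil.example/<x>" "Mozilla <x>"
"""

# Client IP and request-line URL only; everything from the status code onward
# is ignored, which is what the notes' sed 's/" [0-9]+ .*//' step achieves.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[0-9.]+" [0-9]{3} ')

# Indicators transcribed from the grep patterns in the release notes.
INDICATORS = [
    ("CVE-2023-37474 path traversal", re.compile(r"cpr/.*%2[^0]")),
    ("GHSA-cw7j-v52w-fp5r reflected XSS via ?hc= / ?pw=", re.compile(r"[?&](hc|pw)=.*[<>]")),
    ("GHSA-f54q-j679-p9hh reflected XSS via CRLF chain", re.compile(r"%0[da]%0[da]%0[da]%0[da]", re.IGNORECASE)),
]


def parse_request(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, request_url), or None for lines that don't parse."""
    m = REQUEST_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def scan_lines(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (indicator, client_ip, url) for every indicator found in a request URL."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, url = parsed
        for name, rx in INDICATORS:
            if not rx.search(url):
                continue
            # copyparty's own svg data URLs contain %2B and would otherwise
            # trip the %2[^0] check; the v1.8.2 command excludes them too
            if name.startswith("CVE-2023-37474") and "data:image/svg" in url:
                continue
            hits.append((name, ip, url))
    return hits


def iter_log_files(pattern: str = "access.log*") -> Iterator[str]:
    """Yield lines from plain and gzip-rotated logs, like `gzip -dc *.gz; cat access.log`."""
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    import sys

    source = iter_log_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for name, ip, url in scan_lines(source):
        print(f"{name}\t{ip}\t{url}")
```

Run it with a glob such as `'/var/log/nginx/access.log*'` as the first argument to scan real logs; with no argument it scans the constructed sample and reports the three attacker lines. A hit is a reason to rotate the affected accounts' passwords, as the notes recommend, not proof of success on its own.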
⚠️ not the latest version!
in case of 404
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
new features
- handlers; change the behavior of 404 / 403 with plugins
- makes it possible to use copyparty as a caching proxy
- #42 add mpv + streamlink support to very-bad-idea
- add support for Pillow 10
- also improved text rendering in icons
- mention the fedora package in the readme
bugfixes
- theme 6 (hacker) didn't show the state of some toggle-switches
- windows: keep quickedit enabled when hashing passwords interactively
⚠️ not the latest version!
argon
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
News: if you use rclone as a copyparty webdav client, upgrading to rclone v1.63 (just released) will give you a huge speed boost for small files
new features
- #39 hashed passwords
  - instead of keeping plaintext account passwords in config files, you can now store hashed ones instead
  - `--ah-alg` specifies algorithm; best to worst: `argon2`, `scrypt`, `sha2`, or the default `none`
    - the default settings of each algorithm take `0.4 sec` to hash a password, and argon2 eats `256 MiB` RAM
    - can be adjusted with optional comma-separated args after the algorithm name; see `--help-pwhash`
  - `--ah-salt` is the static salt for all passwords, and is autogenerated-and-persisted if not specified
  - `--ah-cli` switches copyparty into a shell where you can hash passwords interactively
    - but copyparty will also autoconvert any unhashed passwords on startup and give you the values to insert into the config anyways
- #40 volume size limit
  - volflag `vmaxb` specifies max size of a volume
  - volflag `vmaxn` specifies max number of files in a volume
  - example: `-v [...]:c,vmaxb=900g:c,vmaxn=20k` blocks uploads if the volume reaches 900 GiB or a total of 20480 files
  - good alternative to `--df` since it works per-volume
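The hashed-password scheme from #39 above, written out as an added example so the moving parts are visible: a cost-tuned hash under one static server-wide salt, a constant-time verify, and the startup autoconversion of plaintext entries. This is not copyparty's own implementation; the `scrypt$` prefix, the cost parameters and the salt string are assumptions for illustration, and only scrypt is shown since it is in the Python standard library (argon2 is not).

```python
import base64
import hashlib
import hmac
import time

# Illustrative scrypt cost parameters (an assumption, not copyparty's defaults).
# Memory use is roughly 128 * r * N bytes, so N=2**14, r=8 is about 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
PREFIX = "scrypt$"  # hypothetical tag so a config can mix hashed and plaintext entries


def hash_password(password: str, salt: str) -> str:
    """Hash a password under a static (server-wide) salt; output is config-safe ASCII."""
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt.encode("utf-8"),
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=32,
    )
    return PREFIX + base64.b64encode(digest).decode("ascii")


def is_hashed(entry: str) -> bool:
    """True if a config entry is already a hash rather than a plaintext password."""
    return entry.startswith(PREFIX)


def verify_password(password: str, salt: str, stored: str) -> bool:
    """Constant-time comparison; a plaintext entry never verifies as a hash."""
    if not is_hashed(stored):
        return False
    return hmac.compare_digest(hash_password(password, salt), stored)


def convert_config(accounts: dict, salt: str) -> dict:
    """Startup-style autoconversion: hash plaintext entries, keep existing hashes as-is."""
    return {user: (pw if is_hashed(pw) else hash_password(pw, salt)) for user, pw in accounts.items()}


def seconds_per_hash(salt: str, rounds: int = 3) -> float:
    """Measure the cost of one hash so SCRYPT_N can be raised towards a target such as 0.4 s."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        hash_password("benchmark", salt)
    return (time.perf_counter() - t0) / rounds
```

Because the salt is shared by every account, two users with the same password end up with the same hash in the config file, which is visible to anyone who can read that file; per-account salts avoid that at the cost of the one-value convenience the notes describe. The cost parameters are what limit offline guessing once the config leaks, so pick them by measuring on the machine that will verify logins rather than copying numbers from elsewhere.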
bugfixes
- autogenerated TLS certs didn't include the mDNS name
other changes
- improved cloudflare challenge detection
- markdown edits will now trigger upload hooks