From 49ce67e9cd76529928224355342d3ff94f9b5e80 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 15 Sep 2025 00:19:24 +0000 Subject: [PATCH] v1.19.9 --- README.md | 4 +++ copyparty/__version__.py | 4 +-- docs/changelog.md | 57 +++++++++++++++++++++++++++++++++ scripts/pyinstaller/build.sh | 2 +- scripts/pyinstaller/loader.ico | Bin 0 -> 554 bytes 5 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 scripts/pyinstaller/loader.ico diff --git a/README.md b/README.md index e93e4282..5a31b7b4 100644 --- a/README.md +++ b/README.md @@ -2705,6 +2705,10 @@ below are some tweaks roughly ordered by usefulness: * using [pypy](https://www.pypy.org/) instead of [cpython](https://www.python.org/) *can* be 70% faster for some workloads, but slower for many others * and pypy can sometimes crash on startup with `-j0` (TODO make issue) +* if you are running the copyparty server **on Windows or Macos:** + * `--casechk=y` makes it much faster, but also awakens [the usual surprises](https://github.com/9001/copyparty/issues/781) you expect from a case-insensitive filesystem + * this is the same as `casechk: n` in a config-file + ## client-side diff --git a/copyparty/__version__.py b/copyparty/__version__.py index eb605668..83cdfa37 100644 --- a/copyparty/__version__.py +++ b/copyparty/__version__.py @@ -1,8 +1,8 @@ # coding: utf-8 -VERSION = (1, 19, 8) +VERSION = (1, 19, 9) CODENAME = "usernames" -BUILD_DT = (2025, 9, 7) +BUILD_DT = (2025, 9, 15) S_VERSION = ".".join(map(str, VERSION)) S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT) diff --git a/docs/changelog.md b/docs/changelog.md index ac773418..7747ccc7 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -1,3 +1,60 @@ +▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ +# 2025-0907-2300 `v1.19.8` SECURITY: fix single-file shares + +## ⚠️ ATTN: this release fixes [CVE-2025-58753](https://github.com/9001/copyparty/security/advisories/GHSA-pxvw-4w88-6x95), an issue with shares + +* when a share is created for just one or more files inside a folder, it was possible to access the other files inside that folder by guessing the filenames +* it was not possible to descend into subdirectories in this manner; only the sibling files were accessible +* NOTE: this does NOT affect filekeys; this is specifically regarding the `shr` global-option + +## recent important news + +* [v1.19.8 (2025-09-07)](https://github.com/9001/copyparty/releases/tag/v1.19.8) fixed [CVE-2025-58753](https://github.com/9001/copyparty/security/advisories/GHSA-pxvw-4w88-6x95) (a missing permission-check inside single-file shares) +* [v1.15.0 (2024-09-08)](https://github.com/9001/copyparty/releases/tag/v1.15.0) changed upload deduplication to be default-disabled +* [v1.14.3 (2024-08-30)](https://github.com/9001/copyparty/releases/tag/v1.14.3) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to **data loss** -- see the v1.14.3 release-notes for details + +## 🧪 new features + +* #761 IdP: option to replace the login/logout links and buttons with redirects into an IdP UI 09f22993 +* #726 disk-usage and server-version can be selectively hidden according to user permissions 19a4c453 +* option `--shr-who` / volflag `shr_who` decides who is able to create a share of that volume edafa158 +* #751 nixos: add globalExtraConfig to specify repeatable config parameters (thx @xvrqt!) 
09e3018b +* some very small speedups (mainly u2c and ancient python versions) 74821a38 +* #759 #393 total folder size now decreases when files inside are deleted 96b109b0 + * would previously require a reindex to get back on track + +## 🩹 bugfixes + +* fix [GHSA-pxvw-4w88-6x95](https://github.com/9001/copyparty/security/advisories/GHSA-pxvw-4w88-6x95) by fencing fileshares to just the shared files e0a92ba7 +* #397 prevent hinting at valid passwords, even if they cannot be used to authenticate with 7a4ee4db +* #747 disable some features if `/tmp` must be used for runtime config e6755aa8 + * the config-folder will now also be created with chmod 700 (accessible by owner only) +* #733 #298 fix hotkeys on non-qwerty keyboard layouts (dvorak etc.) e798a9a5 +* #539 ftp-server: support clients which never does a CWD b0496311 +* ignore the plaintext session-cookie on https; fixes some confusing behavior when switching from https to http c71128fd +* `og-ua` would prevent clients matching the pattern from accessing fullsize files +* `og-ua` was only possible to set globally; the `og_ua` volflag was ignored 422f8f62 +* uds / unix-domain-sockets got wrong permissions when `rm-sck` was used e270fe60 +* #727 macos: support running from config-files 230a1462 +* #539 avoid issues if someone uploads a file with a last-modified timestamp from year -9999999999999 eeb7738b +* using the spacebar to pause a video was jank on chrome bfcb6eac +* block the next-song hotkey while a folder is loading f7e08ed0 +* #748 fix rare js-panic when an action is aborted aaeec11f +* #738 bubbleparty: use /bin/bash (thx @ckastner!) 
0469b5a2 + +## 🔧 other changes + +* partyfuse: nice speedup by caching `readdir` too 06d2654b +* partyfuse: explain usage with usernames 1cdb3880 +* connect-page: better examples when usernames enabled 3bdef75e +* docker: fix image annotations ab562382 + +## 🌠 fun facts + +* konami's biggest legacy lives on f0caf881 bd6d1f96 + + + ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ # 2025-0828-2014 `v1.19.7` chdir diff --git a/scripts/pyinstaller/build.sh b/scripts/pyinstaller/build.sh index a444ff94..7f10d7ac 100644 --- a/scripts/pyinstaller/build.sh +++ b/scripts/pyinstaller/build.sh @@ -128,7 +128,7 @@ dist/copyparty.exe --version csum=$(sha512sum uplod.log +curl -fkT dist/copyparty.exe -HPW:wark https://192.168.123.1:3923/copyparty$esuf.exe >uplod.log cat uplod.log grep -q $csum uplod.log && echo upload OK || { diff --git a/scripts/pyinstaller/loader.ico b/scripts/pyinstaller/loader.ico new file mode 100644 index 0000000000000000000000000000000000000000..88d358e4d4e09de9766af96e43bc34689d51a010 GIT binary patch literal 554 zcmV+_0@eKh0096205C8B0000W02KlN02TlM0EtjeM+zDW0000DNk~Le0000m0000m z2m=5B0ASn+wEzGBV^B;~MK(4zGcz-Db8{{*Gylv7|Ia}G%p(7e0RNQ$|G)q#EHVGR z0M5?N|Fi)7i2zwcDgUSd|H%OV#sHmzL;u47{+GJy*dcxA#D-k9)(7bbk+iwS%)fgdLD z!2~KMOJRT7rSO@ls%yW?wW>-k3h~=O;o(&e2xS^#rYb_rqp{Md?TJxNT7$#fp^4W8 zo!44-8$)%W>>c(w2u%||{E8{B^}2_0vFyb;geD-qHmyhldRz-*syop(OQA=p^HeKR zV=b{SLL088SN3rSkvmuwg|>k%jUs0pq2quFk& z8NIhibrDXPo=}NLKQ*FINPU}gH{nzdzq<_eEj9}Wfp;c+p=JVSCh+LUJcIual;0^~ zHc;VCFg74}v2q%xgB>(^b07*qoM6N<$f~2A2K>z>% literal 0 HcmV?d00001
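Review bot: The added `curl -fkT dist/copyparty.exe -HPW:wark …` line in scripts/pyinstaller/build.sh uploads the freshly built exe with certificate verification turned off (`-k`) and a password literal committed in the script, and the `grep -q $csum uplod.log` check that follows trusts whatever that unverified endpoint sends back. With `-k`, the credential goes to whichever host answers on 192.168.123.1:3923, and the "upload OK" result says little about which server stored the binary. Consider pinning the build server's certificate and reading the password from the environment, e.g. `curl -fT dist/copyparty.exe --cacert "$CPP_CA" -H "PW:$CPP_PW" https://192.168.123.1:3923/copyparty$esuf.exe >uplod.log` (the variable names are placeholders), and quoting `"$csum"` in the grep. The removed line of this hunk is not legible on the page, so `-k` may predate this commit; the script continues outside the hunk.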