diff --git a/README.md b/README.md index 48c5f6fa..05661ed4 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ turn almost any device into a file server with resumable uploads/downloads using 📷 **screenshots:** [browser](#the-browser) // [upload](#uploading) // [unpost](#unpost) // [thumbnails](#thumbnails) // [search](#searching) // [fsearch](#file-search) // [zip-DL](#zip-downloads) // [md-viewer](#markdown-viewer) -🎬 **videos:** [upload](https://a.ocv.me/pub/demo/pics-vids/up2k.webm) // [cli-upload](https://a.ocv.me/pub/demo/pics-vids/u2cli.webm) // [race-the-beam](https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-beam.webm) +🎬 **videos:** [upload](https://a.ocv.me/pub/demo/pics-vids/up2k.webm) // [cli-upload](https://a.ocv.me/pub/demo/pics-vids/u2cli.webm) // [race-the-beam](https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-beam.webm) // 👉 **[feature-showcase](https://a.ocv.me/pub/demo/showcase-hq.webm)** ([youtube](https://www.youtube.com/watch?v=15_-hgsX2V0)) made in Norway 🇳🇴 @@ -1439,12 +1439,17 @@ if you enable deduplication with `--dedup` then it'll create a symlink instead o **warning:** when enabling dedup, you should also: * enable indexing with `-e2dsa` or volflag `e2dsa` (see [file indexing](#file-indexing) section below); strongly recommended * ...and/or `--hardlink-only` to use hardlink-based deduplication instead of symlinks; see explanation below +* ...and/or `--reflink` to use CoW/reflink-based dedup (much safer than hardlink, but OS/FS-dependent) it will not be safe to rename/delete files if you only enable dedup and none of the above; if you enable indexing then it is not *necessary* to also do hardlinks (but you may still want to) by default, deduplication is done based on symlinks (symbolic links); these are tiny files which are pointers to the nearest full copy of the file -you can choose to use hardlinks instead of softlinks, globally with `--hardlink-only` or volflag `hardlinkonly`; +you can choose to use hardlinks instead of softlinks, globally with `--hardlink-only` or volflag `hardlinkonly`, and you can choose to use reflinks with `--reflink` or volflag `reflink` + +advantages of using reflinks (CoW, copy-on-write): +* entirely safe (when your filesystem supports it correctly); either file can be edited or deleted without affecting other copies +* only linux 5.3 or newer, only python 3.14 or newer, only some filesystems (btrfs probably ok, maybe xfs too, but zfs had bugs) advantages of using hardlinks: * hardlinks are more compatible with other software; they behave entirely like regular files @@ -2022,7 +2027,7 @@ some reverse proxies (such as [Caddy](https://caddyserver.com/)) can automatical * **warning:** nginx-QUIC (HTTP/3) is still experimental and can make uploads much slower, so HTTP/1.1 is recommended for now * depending on server/client, HTTP/1.1 can also be 5x faster than HTTP/2 -for improved security (and a 10% performance boost) consider listening on a unix-socket with `-i unix:770:www:/tmp/party.sock` (permission `770` means only members of group `www` can access it) +for improved security (and a 10% performance boost) consider listening on a unix-socket with `-i unix:770:www:/dev/shm/party.sock` (permission `770` means only members of group `www` can access it) example webserver / reverse-proxy configs: @@ -2243,7 +2248,7 @@ NOTE: there used to be an aur package; this evaporated when copyparty was adopte ## fedora package -does not exist yet; using the [copr-pypi](https://copr.fedorainfracloud.org/coprs/g/copr/PyPI/) builds is **NOT recommended** because updates can be delayed by [several months](https://github.com/fedora-copr/copr/issues/3056) +does not exist yet; there are rumours that it is being packaged! keep an eye on this space... ## nix package diff --git a/contrib/nginx/copyparty.conf b/contrib/nginx/copyparty.conf index 3c59a6f5..121e52ab 100644 --- a/contrib/nginx/copyparty.conf +++ b/contrib/nginx/copyparty.conf @@ -85,13 +85,13 @@ server { proxy_buffer_size 16k; proxy_busy_buffers_size 24k; + proxy_set_header Connection "Keep-Alive"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # NOTE: with cloudflare you want this instead: - #proxy_set_header X-Forwarded-For $http_cf_connecting_ip; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Connection "Keep-Alive"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # NOTE: with cloudflare you want this X-Forwarded-For instead: + #proxy_set_header X-Forwarded-For $http_cf_connecting_ip; } } diff --git a/contrib/nixos/modules/copyparty.nix b/contrib/nixos/modules/copyparty.nix index 3725f8e4..cd4fef40 100644 --- a/contrib/nixos/modules/copyparty.nix +++ b/contrib/nixos/modules/copyparty.nix @@ -4,28 +4,31 @@ lib, ... }: -with lib; let - mkKeyValue = key: value: - if value == true - then +with lib; +let + mkKeyValue = + key: value: + if value == true then # sets with a true boolean value are coerced to just the key name key - else if value == false - then + else if value == false then # or omitted completely when false "" - else (generators.mkKeyValueDefault {inherit mkValueString;} ": " key value); + else + (generators.mkKeyValueDefault { inherit mkValueString; } ": " key value); - mkAttrsString = value: (generators.toKeyValue {inherit mkKeyValue;} value); + mkAttrsString = value: (generators.toKeyValue { inherit mkKeyValue; } value); - mkValueString = value: - if isList value - then (concatStringsSep ", " (map mkValueString value)) - else if isAttrs value - then "\n" + (mkAttrsString value) - else (generators.mkValueStringDefault {} value); + mkValueString = + value: + if isList value then + (concatStringsSep ", " (map mkValueString value)) + else if isAttrs value then + "\n" + (mkAttrsString value) + else + (generators.mkValueStringDefault { } value); - mkSectionName = value: "[" + (escape ["[" "]"] value) + "]"; + mkSectionName = value: "[" + (escape [ "[" "]" ] value) + "]"; mkSection = name: attrs: '' ${mkSectionName name} @@ -57,7 +60,8 @@ with lib; let externalCacheDir = "/var/cache/copyparty"; externalStateDir = "/var/lib/copyparty"; defaultShareDir = "${externalStateDir}/data"; -in { +in +{ options.services.copyparty = { enable = mkEnableOption "web-based file manager"; @@ -128,22 +132,27 @@ in { }; accounts = mkOption { - type = types.attrsOf (types.submodule ({...}: { - options = { - passwordFile = mkOption { - type = types.str; - description = '' - Runtime file path to a file containing the user password. - Must be readable by the copyparty user. - ''; - example = "/run/keys/copyparty/ed"; - }; - }; - })); + type = types.attrsOf ( + types.submodule ( + { ... }: + { + options = { + passwordFile = mkOption { + type = types.str; + description = '' + Runtime file path to a file containing the user password. + Must be readable by the copyparty user. + ''; + example = "/run/keys/copyparty/ed"; + }; + }; + } + ) + ); description = '' A set of copyparty accounts to create. ''; - default = {}; + default = { }; example = literalExpression '' { ed.passwordFile = "/run/keys/copyparty/ed"; @@ -152,74 +161,81 @@ in { }; volumes = mkOption { - type = types.attrsOf (types.submodule ({...}: { - options = { - path = mkOption { - type = types.path; - description = '' - Path of a directory to share. - ''; - }; - access = mkOption { - type = types.attrs; - description = '' - Attribute list of permissions and the users to apply them to. - - The key must be a string containing any combination of allowed permission: - "r" (read): list folder contents, download files - "w" (write): upload files; need "r" to see the uploads - "m" (move): move files and folders; need "w" at destination - "d" (delete): permanently delete files and folders - "g" (get): download files, but cannot see folder contents - "G" (upget): "get", but can see filekeys of their own uploads - "h" (html): "get", but folders return their index.html - "a" (admin): can see uploader IPs, config-reload - - For example: "rwmd" - - The value must be one of: - an account name, defined in `accounts` - a list of account names - "*", which means "any account" - ''; - example = literalExpression '' - { - # wG = write-upget = see your own uploads only - wG = "*"; - # read-write-modify-delete for users "ed" and "k" - rwmd = ["ed" "k"]; + type = types.attrsOf ( + types.submodule ( + { ... }: + { + options = { + path = mkOption { + type = types.path; + description = '' + Path of a directory to share. + ''; }; - ''; - }; - flags = mkOption { - type = types.attrs; - description = '' - Attribute list of volume flags to apply. - See `${getExe cfg.package} --help-flags` for more details. - ''; - example = literalExpression '' - { - # "fk" enables filekeys (necessary for upget permission) (4 chars long) - fk = 4; - # scan for new files every 60sec - scan = 60; - # volflag "e2d" enables the uploads database - e2d = true; - # "d2t" disables multimedia parsers (in case the uploads are malicious) - d2t = true; - # skips hashing file contents if path matches *.iso - nohash = "\.iso$"; + access = mkOption { + type = types.attrs; + description = '' + Attribute list of permissions and the users to apply them to. + + The key must be a string containing any combination of allowed permission: + "r" (read): list folder contents, download files + "w" (write): upload files; need "r" to see the uploads + "m" (move): move files and folders; need "w" at destination + "d" (delete): permanently delete files and folders + "g" (get): download files, but cannot see folder contents + "G" (upget): "get", but can see filekeys of their own uploads + "h" (html): "get", but folders return their index.html + "a" (admin): can see uploader IPs, config-reload + + For example: "rwmd" + + The value must be one of: + an account name, defined in `accounts` + a list of account names + "*", which means "any account" + ''; + example = literalExpression '' + { + # wG = write-upget = see your own uploads only + wG = "*"; + # read-write-modify-delete for users "ed" and "k" + rwmd = ["ed" "k"]; + }; + ''; }; - ''; - default = {}; - }; - }; - })); + flags = mkOption { + type = types.attrs; + description = '' + Attribute list of volume flags to apply. + See `${getExe cfg.package} --help-flags` for more details. + ''; + example = literalExpression '' + { + # "fk" enables filekeys (necessary for upget permission) (4 chars long) + fk = 4; + # scan for new files every 60sec + scan = 60; + # volflag "e2d" enables the uploads database + e2d = true; + # "d2t" disables multimedia parsers (in case the uploads are malicious) + d2t = true; + # skips hashing file contents if path matches *.iso + nohash = "\.iso$"; + }; + ''; + default = { }; + }; + }; + } + ) + ); description = "A set of copyparty volumes to create"; default = { "/" = { path = defaultShareDir; - access = {r = "*";}; + access = { + r = "*"; + }; }; }; example = literalExpression '' @@ -238,92 +254,90 @@ in { }; }; - config = mkIf cfg.enable (let - command = "${getExe cfg.package} -c ${runtimeConfigPath}"; - in { - systemd.services.copyparty = { - description = "http file sharing hub"; - wantedBy = ["multi-user.target"]; + config = mkIf cfg.enable ( + let + command = "${getExe cfg.package} -c ${runtimeConfigPath}"; + in + { + systemd.services.copyparty = { + description = "http file sharing hub"; + wantedBy = [ "multi-user.target" ]; - environment = { - PYTHONUNBUFFERED = "true"; - XDG_CONFIG_HOME = externalStateDir; - }; + environment = { + PYTHONUNBUFFERED = "true"; + XDG_CONFIG_HOME = externalStateDir; + }; - preStart = let - replaceSecretCommand = name: attrs: "${getExe pkgs.replace-secret} '${ - passwordPlaceholder name - }' '${attrs.passwordFile}' ${runtimeConfigPath}"; - in '' - set -euo pipefail - install -m 600 ${configFile} ${runtimeConfigPath} - ${concatStringsSep "\n" - (mapAttrsToList replaceSecretCommand cfg.accounts)} - ''; + preStart = + let + replaceSecretCommand = + name: attrs: + "${getExe pkgs.replace-secret} '${passwordPlaceholder name}' '${attrs.passwordFile}' ${runtimeConfigPath}"; + in + '' + set -euo pipefail + install -m 600 ${configFile} ${runtimeConfigPath} + ${concatStringsSep "\n" (mapAttrsToList replaceSecretCommand cfg.accounts)} + ''; - serviceConfig = { - Type = "simple"; - ExecStart = command; - # Hardening options - User = cfg.user; - Group = cfg.group; - RuntimeDirectory = ["copyparty"]; - RuntimeDirectoryMode = "0700"; - StateDirectory = ["copyparty"]; - StateDirectoryMode = "0700"; - CacheDirectory = lib.mkIf (cfg.settings ? hist) ["copyparty"]; - CacheDirectoryMode = lib.mkIf (cfg.settings ? hist) "0700"; - WorkingDirectory = externalStateDir; - BindReadOnlyPaths = - [ + serviceConfig = { + Type = "simple"; + ExecStart = command; + # Hardening options + User = cfg.user; + Group = cfg.group; + RuntimeDirectory = [ "copyparty" ]; + RuntimeDirectoryMode = "0700"; + StateDirectory = [ "copyparty" ]; + StateDirectoryMode = "0700"; + CacheDirectory = lib.mkIf (cfg.settings ? hist) [ "copyparty" ]; + CacheDirectoryMode = lib.mkIf (cfg.settings ? hist) "0700"; + WorkingDirectory = externalStateDir; + BindReadOnlyPaths = [ "/nix/store" "-/etc/resolv.conf" "-/etc/nsswitch.conf" + "-/etc/group" "-/etc/hosts" "-/etc/localtime" - ] - ++ (mapAttrsToList (k: v: "-${v.passwordFile}") cfg.accounts); - BindPaths = - ( - if cfg.settings ? hist - then [cfg.settings.hist] - else [] - ) - ++ [externalStateDir] - ++ (mapAttrsToList (k: v: v.path) cfg.volumes); - # ProtectSystem = "strict"; - # Note that unlike what 'ro' implies, - # this actually makes it impossible to read anything in the root FS, - # except for things explicitly mounted via `RuntimeDirectory`, `StateDirectory`, `CacheDirectory`, and `BindReadOnlyPaths`. - # This is because TemporaryFileSystem creates a *new* *empty* filesystem for the process, so only bindmounts are visible. - TemporaryFileSystem = "/:ro"; - PrivateTmp = true; - PrivateDevices = true; - ProtectKernelTunables = true; - ProtectControlGroups = true; - RestrictSUIDSGID = true; - PrivateMounts = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectHostname = true; - ProtectClock = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - RestrictNamespaces = true; - RemoveIPC = true; - UMask = "0077"; - LimitNOFILE = cfg.openFilesLimit; - NoNewPrivileges = true; - LockPersonality = true; - RestrictRealtime = true; - MemoryDenyWriteExecute = true; + ] ++ (mapAttrsToList (k: v: "-${v.passwordFile}") cfg.accounts); + BindPaths = + (if cfg.settings ? hist then [ cfg.settings.hist ] else [ ]) + ++ [ externalStateDir ] + ++ (mapAttrsToList (k: v: v.path) cfg.volumes); + # ProtectSystem = "strict"; + # Note that unlike what 'ro' implies, + # this actually makes it impossible to read anything in the root FS, + # except for things explicitly mounted via `RuntimeDirectory`, `StateDirectory`, `CacheDirectory`, and `BindReadOnlyPaths`. + # This is because TemporaryFileSystem creates a *new* *empty* filesystem for the process, so only bindmounts are visible. + TemporaryFileSystem = "/:ro"; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictNamespaces = true; + RemoveIPC = true; + UMask = "0077"; + LimitNOFILE = cfg.openFilesLimit; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + }; }; - }; - # ensure volumes exist: - systemd.tmpfiles.settings."copyparty" = ( - lib.attrsets.mapAttrs' ( - name: value: + # ensure volumes exist: + systemd.tmpfiles.settings."copyparty" = ( + lib.attrsets.mapAttrs' ( + name: value: lib.attrsets.nameValuePair (value.path) { d = { #: in front of things means it wont change it if the directory already exists. @@ -332,32 +346,30 @@ in { mode = ":755"; }; } - ) - cfg.volumes - ); + ) cfg.volumes + ); - users.groups.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") {}; - users.users.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") { - description = "Service user for copyparty"; - group = "copyparty"; - home = externalStateDir; - isSystemUser = true; - }; - environment.systemPackages = lib.mkIf cfg.mkHashWrapper [ - (pkgs.writeShellScriptBin - "copyparty-hash" - '' - set -a # automatically export variables - # set same environment variables as the systemd service - ${lib.pipe config.systemd.services.copyparty.environment [ - (lib.filterAttrs (n: v: v != null && n != "PATH")) - (lib.mapAttrs (_: v: "${v}")) - (lib.toShellVars) - ]} - PATH=${config.systemd.services.copyparty.environment.PATH}:$PATH + users.groups.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") { }; + users.users.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") { + description = "Service user for copyparty"; + group = "copyparty"; + home = externalStateDir; + isSystemUser = true; + }; + environment.systemPackages = lib.mkIf cfg.mkHashWrapper [ + (pkgs.writeShellScriptBin "copyparty-hash" '' + set -a # automatically export variables + # set same environment variables as the systemd service + ${lib.pipe config.systemd.services.copyparty.environment [ + (lib.filterAttrs (n: v: v != null && n != "PATH")) + (lib.mapAttrs (_: v: "${v}")) + (lib.toShellVars) + ]} + PATH=${config.systemd.services.copyparty.environment.PATH}:$PATH - exec ${command} --ah-cli - '') - ]; - }); + exec ${command} --ah-cli + '') + ]; + } + ); } diff --git a/contrib/package/arch/PKGBUILD b/contrib/package/arch/PKGBUILD index 76f38e9c..959a9821 100644 --- a/contrib/package/arch/PKGBUILD +++ b/contrib/package/arch/PKGBUILD @@ -1,6 +1,6 @@ # Maintainer: icxes pkgname=copyparty -pkgver="1.18.4" +pkgver="1.18.6" pkgrel=1 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++" arch=("any") @@ -22,7 +22,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag ) source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz") backup=("etc/${pkgname}.d/init" ) -sha256sums=("ce903db06d2f1889fd600e8f47e0514d4cce66d8d06f726a8db2ab56ba3c164f") +sha256sums=("80762d91ac88815e73d0ca2806c6391dcf8ccd521bc402cc312349f3bc8e8b28") build() { cd "${srcdir}/${pkgname}-${pkgver}" diff --git a/contrib/package/nix/copyparty/default.nix b/contrib/package/nix/copyparty/default.nix index d34f9ae7..28d733ab 100644 --- a/contrib/package/nix/copyparty/default.nix +++ b/contrib/package/nix/copyparty/default.nix @@ -1,41 +1,67 @@ -{ lib, stdenv, makeWrapper, fetchurl, util-linux, python, jinja2, impacket, pyftpdlib, pyopenssl, argon2-cffi, pillow, pyvips, pyzmq, ffmpeg, mutagen, +{ + lib, + stdenv, + makeWrapper, + fetchurl, + util-linux, + python, + jinja2, + impacket, + pyopenssl, + cfssl, + argon2-cffi, + pillow, + pyvips, + pyzmq, + ffmpeg, + mutagen, -# use argon2id-hashed passwords in config files (sha2 is always available) -withHashedPasswords ? true, + # use argon2id-hashed passwords in config files (sha2 is always available) + withHashedPasswords ? true, -# generate TLS certificates on startup (pointless when reverse-proxied) -withCertgen ? false, + # generate TLS certificates on startup (pointless when reverse-proxied) + withCertgen ? false, -# create thumbnails with Pillow; faster than FFmpeg / MediaProcessing -withThumbnails ? true, + # create thumbnails with Pillow; faster than FFmpeg / MediaProcessing + withThumbnails ? true, -# create thumbnails with PyVIPS; even faster, uses more memory -# -- can be combined with Pillow to support more filetypes -withFastThumbnails ? false, + # create thumbnails with PyVIPS; even faster, uses more memory + # -- can be combined with Pillow to support more filetypes + withFastThumbnails ? false, -# enable FFmpeg; thumbnails for most filetypes (also video and audio), extract audio metadata, transcode audio to opus -# -- possibly dangerous if you allow anonymous uploads, since FFmpeg has a huge attack surface -# -- can be combined with Thumbnails and/or FastThumbnails, since FFmpeg is slower than both -withMediaProcessing ? true, + # enable FFmpeg; thumbnails for most filetypes (also video and audio), extract audio metadata, transcode audio to opus + # -- possibly dangerous if you allow anonymous uploads, since FFmpeg has a huge attack surface + # -- can be combined with Thumbnails and/or FastThumbnails, since FFmpeg is slower than both + withMediaProcessing ? true, -# if MediaProcessing is not enabled, you probably want this instead (less accurate, but much safer and faster) -withBasicAudioMetadata ? false, + # if MediaProcessing is not enabled, you probably want this instead (less accurate, but much safer and faster) + withBasicAudioMetadata ? false, -# send ZeroMQ messages from event-hooks -withZeroMQ ? true, + # send ZeroMQ messages from event-hooks + withZeroMQ ? true, -# enable FTPS support in the FTP server -withFTPS ? false, + # enable FTPS support in the FTP server + withFTPS ? false, -# samba/cifs server; dangerous and buggy, enable if you really need it -withSMB ? false, + # samba/cifs server; dangerous and buggy, enable if you really need it + withSMB ? false, + + # extra packages to add to the PATH + extraPackages ? [ ], + + # function that accepts a python packageset and returns a list of packages to + # be added to the python venv. useful for scripts and such that require + # additional dependencies + extraPythonPackages ? (_p: [ ]), }: let pinData = lib.importJSON ./pin.json; - pyEnv = python.withPackages (ps: - with ps; [ + pyEnv = python.withPackages ( + ps: + with ps; + [ jinja2 ] ++ lib.optional withSMB impacket @@ -47,22 +73,36 @@ let ++ lib.optional withBasicAudioMetadata mutagen ++ lib.optional withHashedPasswords argon2-cffi ++ lib.optional withZeroMQ pyzmq - ); -in stdenv.mkDerivation { + ++ (extraPythonPackages ps) + ); + + runtimeDeps = ([ util-linux ] ++ extraPackages ++ lib.optional withMediaProcessing ffmpeg); +in +stdenv.mkDerivation { pname = "copyparty"; - version = pinData.version; + inherit (pinData) version; src = fetchurl { - url = pinData.url; - hash = pinData.hash; + inherit (pinData) url hash; }; - buildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper ]; dontUnpack = true; - dontBuild = true; installPhase = '' install -Dm755 $src $out/share/copyparty-sfx.py makeWrapper ${pyEnv.interpreter} $out/bin/copyparty \ - --set PATH '${lib.makeBinPath ([ util-linux ] ++ lib.optional withMediaProcessing ffmpeg)}:$PATH' \ - --add-flags "$out/share/copyparty-sfx.py" + --prefix PATH : ${lib.makeBinPath runtimeDeps} \ + --add-flag $out/share/copyparty-sfx.py ''; - meta.mainProgram = "copyparty"; + meta = { + description = "Turn almost any device into a file server"; + longDescription = '' + Portable file server with accelerated resumable uploads, dedup, WebDAV, + FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps + ''; + homepage = "https://github.com/9001/copyparty"; + changelog = "https://github.com/9001/copyparty/releases/tag/v${pinData.version}"; + license = lib.licenses.mit; + inherit (python.meta) platforms; + mainProgram = "copyparty"; + sourceProvenance = [ lib.sourceTypes.binaryBytecode ]; + }; } diff --git a/contrib/package/nix/copyparty/pin.json b/contrib/package/nix/copyparty/pin.json index 64281889..eae921c7 100644 --- a/contrib/package/nix/copyparty/pin.json +++ b/contrib/package/nix/copyparty/pin.json @@ -1,5 +1,5 @@ { - "url": "https://github.com/9001/copyparty/releases/download/v1.18.4/copyparty-sfx.py", - "version": "1.18.4", - "hash": "sha256-rTX2yQne7i91vXJaUolLZYSjCNKVdQlvgv1x+N2UsDE=" + "url": "https://github.com/9001/copyparty/releases/download/v1.18.6/copyparty-sfx.py", + "version": "1.18.6", + "hash": "sha256-No89mzKHHZZH19ws9dqfvQO0pnZw7jKDMGhNa4LOFlY=" } \ No newline at end of file diff --git a/contrib/package/nix/partyfuse/default.nix b/contrib/package/nix/partyfuse/default.nix new file mode 100644 index 00000000..59faa914 --- /dev/null +++ b/contrib/package/nix/partyfuse/default.nix @@ -0,0 +1,26 @@ +{ + stdenvNoCC, + copyparty, + python3, + makeBinaryWrapper, +}: +let + python = python3.withPackages (p: [ p.fusepy ]); +in +stdenvNoCC.mkDerivation { + pname = "partyfuse"; + inherit (copyparty) version meta; + src = ../../../..; + + nativeBuildInputs = [ makeBinaryWrapper ]; + + installPhase = '' + runHook preInstall + + install -Dm444 bin/partyfuse.py -t $out/share/copyparty + makeWrapper ${python.interpreter} $out/bin/partyfuse \ + --add-flag $out/share/copyparty/partyfuse.py + + runHook postInstall + ''; +} diff --git a/contrib/package/nix/u2c/default.nix b/contrib/package/nix/u2c/default.nix new file mode 100644 index 00000000..dc1e4c56 --- /dev/null +++ b/contrib/package/nix/u2c/default.nix @@ -0,0 +1,24 @@ +{ + stdenvNoCC, + copyparty, + python312, + makeBinaryWrapper, +}: +stdenvNoCC.mkDerivation { + pname = "u2c"; + inherit (copyparty) version meta; + src = ../../../..; + + nativeBuildInputs = [ makeBinaryWrapper ]; + + installPhase = '' + runHook preInstall + + install -Dm444 bin/u2c.py -t $out/share/copyparty + mkdir $out/bin + makeWrapper ${python312.interpreter} $out/bin/u2c \ + --add-flag $out/share/copyparty/u2c.py + + runHook postInstall + ''; +} diff --git a/copyparty/__main__.py b/copyparty/__main__.py index e69c8d14..f6c20b8c 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -547,14 +547,15 @@ def get_sects(): when running behind a reverse-proxy, it's recommended to use unix-sockets for improved performance and security; - \033[32m-i unix:770:www:\033[33m/tmp/a.sock\033[0m listens on \033[33m/tmp/a.sock\033[0m with - permissions \033[33m0770\033[0m; only accessible to members of the \033[33mwww\033[0m - group. This is the best approach. Alternatively, + \033[32m-i unix:770:www:\033[33m/dev/shm/party.sock\033[0m listens on + \033[33m/dev/shm/party.sock\033[0m with permissions \033[33m0770\033[0m; + only accessible to members of the \033[33mwww\033[0m group. + This is the best approach. Alternatively, - \033[32m-i unix:777:\033[33m/tmp/a.sock\033[0m sets perms \033[33m0777\033[0m so anyone can - access it; bad unless it's inside a restricted folder + \033[32m-i unix:777:\033[33m/dev/shm/party.sock\033[0m sets perms \033[33m0777\033[0m so anyone + can access it; bad unless it's inside a restricted folder - \033[32m-i unix:\033[33m/tmp/a.sock\033[0m keeps umask-defined permissions + \033[32m-i unix:\033[33m/dev/shm/party.sock\033[0m keeps umask-defined permission (usually \033[33m0600\033[0m) and the same user/group as copyparty \033[33m-p\033[0m (tcp ports) is ignored for unix sockets @@ -872,31 +873,31 @@ def get_sects(): similarly, \033[33m--chmod-d\033[0m and \033[33mchmod_d\033[0m sets the directory/folder perm - the value is a three-digit octal number such as 755, 750, 644, etc. + the value is a three-digit octal number such as \033[32m755\033[0m, \033[32m750\033[0m, \033[32m644\033[0m, etc. first digit = "User"; permission for the unix-user second digit = "Group"; permission for the unix-group third digit = "Other"; permission for all other users/groups for files: - 0 = --- = no access - 1 = --x = can execute the file as a program - 2 = -w- = can write - 3 = -wx = can write and execute - 4 = r-- = can read - 5 = r-x = can read and execute - 6 = rw- = can read and write - 7 = rwx = can read, write, execute + \033[32m0\033[0m = \033[35m---\033[0m = no access + \033[32m1\033[0m = \033[35m--x\033[0m = can execute the file as a program + \033[32m2\033[0m = \033[35m-w-\033[0m = can write + \033[32m3\033[0m = \033[35m-wx\033[0m = can write and execute + \033[32m4\033[0m = \033[35mr--\033[0m = can read + \033[32m5\033[0m = \033[35mr-x\033[0m = can read and execute + \033[32m6\033[0m = \033[35mrw-\033[0m = can read and write + \033[32m7\033[0m = \033[35mrwx\033[0m = can read, write, execute for directories/folders: - 0 = --- = no access - 1 = --x = can read files in folder but not list contents - 2 = -w- = n/a - 3 = -wx = can create files but not list - 4 = r-- = can list, but not read/write - 5 = r-x = can list and read files - 6 = rw- = n/a - 7 = rwx = can read, write, list + \033[32m0\033[0m = \033[35m---\033[0m = no access + \033[32m1\033[0m = \033[35m--x\033[0m = can read files in folder but not list contents + \033[32m2\033[0m = \033[35m-w-\033[0m = n/a + \033[32m3\033[0m = \033[35m-wx\033[0m = can create files but not list + \033[32m4\033[0m = \033[35mr--\033[0m = can list, but not read/write + \033[32m5\033[0m = \033[35mr-x\033[0m = can list and read files + \033[32m6\033[0m = \033[35mrw-\033[0m = n/a + \033[32m7\033[0m = \033[35mrwx\033[0m = can read, write, list """ ), ], @@ -1056,6 +1057,7 @@ def add_upload(ap): ap2.add_argument("--safe-dedup", metavar="N", type=int, default=50, help="how careful to be when deduplicating files; [\033[32m1\033[0m] = just verify the filesize, [\033[32m50\033[0m] = verify file contents have not been altered (volflag=safededup)") ap2.add_argument("--hardlink", action="store_true", help="enable hardlink-based dedup; will fallback on symlinks when that is impossible (across filesystems) (volflag=hardlink)") ap2.add_argument("--hardlink-only", action="store_true", help="do not fallback to symlinks when a hardlink cannot be made (volflag=hardlinkonly)") + ap2.add_argument("--reflink", action="store_true", help="enable reflink-based dedup; will fallback on full copies when that is impossible (non-CoW filesystem) (volflag=reflink)") ap2.add_argument("--no-dupe", action="store_true", help="reject duplicate files during upload; only matches within the same volume (volflag=nodupe)") ap2.add_argument("--no-clone", action="store_true", help="do not use existing data on disk to satisfy dupe uploads; reduces server HDD reads in exchange for much more network load (volflag=noclone)") ap2.add_argument("--no-snap", action="store_true", help="disable snapshots -- forget unfinished uploads on shutdown; don't create .hist/up2k.snap files -- abandoned/interrupted uploads must be cleaned up manually") @@ -1288,6 +1290,7 @@ def add_stats(ap): def add_yolo(ap): ap2 = ap.add_argument_group('yolo options') ap2.add_argument("--allow-csrf", action="store_true", help="disable csrf protections; let other domains/sites impersonate you through cross-site requests") + ap2.add_argument("--cookie-lax", action="store_true", help="allow cookies from other domains (if you follow a link from another website into your server, you will arrive logged-in); this reduces protection against CSRF") ap2.add_argument("--getmod", action="store_true", help="permit ?move=[...] and ?delete as GET") ap2.add_argument("--wo-up-readme", action="store_true", help="allow users with write-only access to upload logues and readmes without adding the _wo_ filename prefix (volflag=wo_up_readme)") @@ -1335,6 +1338,7 @@ def add_safety(ap): ap2.add_argument("--no-robots", action="store_true", help="adds http and html headers asking search engines to not index anything (volflag=norobots)") ap2.add_argument("--logout", metavar="H", type=float, default=8086.0, help="logout clients after \033[33mH\033[0m hours of inactivity; [\033[32m0.0028\033[0m]=10sec, [\033[32m0.1\033[0m]=6min, [\033[32m24\033[0m]=day, [\033[32m168\033[0m]=week, [\033[32m720\033[0m]=month, [\033[32m8760\033[0m]=year)") ap2.add_argument("--ban-pw", metavar="N,W,B", type=u, default="9,60,1440", help="more than \033[33mN\033[0m wrong passwords in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; disable with [\033[32mno\033[0m]") + ap2.add_argument("--ban-pwc", metavar="N,W,B", type=u, default="5,60,1440", help="more than \033[33mN\033[0m password-changes in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; disable with [\033[32mno\033[0m]") ap2.add_argument("--ban-404", metavar="N,W,B", type=u, default="50,60,1440", help="hitting more than \033[33mN\033[0m 404's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; only affects users who cannot see directory listings because their access is either g/G/h") ap2.add_argument("--ban-403", metavar="N,W,B", type=u, default="9,2,1440", help="hitting more than \033[33mN\033[0m 403's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; [\033[32m1440\033[0m]=day, [\033[32m10080\033[0m]=week, [\033[32m43200\033[0m]=month") ap2.add_argument("--ban-422", metavar="N,W,B", type=u, default="9,2,1440", help="hitting more than \033[33mN\033[0m 422's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes (invalid requests, attempted exploits ++)") @@ -1565,7 +1569,7 @@ def add_ui(ap, retry): ap2.add_argument("--txt-max", metavar="KiB", type=int, default=64, help="max size of embedded textfiles on ?doc= (anything bigger will be lazy-loaded by JS)") ap2.add_argument("--doctitle", metavar="TXT", type=u, default="copyparty @ --name", help="title / service-name to show in html documents") ap2.add_argument("--bname", metavar="TXT", type=u, default="--name", help="server name (displayed in filebrowser document title)") - ap2.add_argument("--pb-url", metavar="URL", type=u, default=URL_PRJ, help="powered-by link; disable with \033[33m-np\033[0m") + ap2.add_argument("--pb-url", metavar="URL", type=u, default=URL_PRJ, help="powered-by link; disable with \033[33m-nb\033[0m") ap2.add_argument("--ver", action="store_true", help="show version on the control panel (incompatible with \033[33m-nb\033[0m)") ap2.add_argument("--k304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable k304 on the controlpanel (workaround for buggy reverse-proxies); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on") ap2.add_argument("--no304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable no304 on the controlpanel (workaround for buggy caching in browsers); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on") diff --git a/copyparty/__version__.py b/copyparty/__version__.py index f3957db7..3cbb3b4a 100644 --- a/copyparty/__version__.py +++ b/copyparty/__version__.py @@ -1,8 +1,8 @@ # coding: utf-8 -VERSION = (1, 18, 4) +VERSION = (1, 18, 6) CODENAME = "logtail" -BUILD_DT = (2025, 7, 25) +BUILD_DT = (2025, 7, 28) S_VERSION = ".".join(map(str, VERSION)) S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT) diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py index 7feedc64..bdc65640 100644 --- a/copyparty/authsrv.py +++ b/copyparty/authsrv.py @@ -2124,6 +2124,7 @@ class AuthSrv(object): all_mte = {} errors = False free_umask = False + have_reflink = False for vol in vfs.all_nodes.values(): if (self.args.e2ds and vol.axs.uwrite) or self.args.e2dsa: vol.flags["e2ds"] = True @@ -2207,6 +2208,9 @@ class AuthSrv(object): if "unlistcr" in vol.flags or "unlistcw" in vol.flags: self.args.have_unlistc = True + if "reflink" in vol.flags: + have_reflink = True + zs = str(vol.flags.get("tcolor", "")).lstrip("#") if len(zs) == 3: # fc5 => ffcc55 vol.flags["tcolor"] = "".join([x * 2 for x in zs]) @@ -2571,6 +2575,13 @@ class AuthSrv(object): t = "WARNING! The following IdP volumes are mounted below another volume where other users can read and/or write files. This is a SECURITY HAZARD!! When copyparty is restarted, it will not know about these IdP volumes yet. These volumes will then be accessible by an unexpected set of permissions UNTIL one of the users associated with their volume sends a request to the server. RECOMMENDATION: You should create a restricted volume where nobody can read/write files, and make sure that all IdP volumes are configured to appear somewhere below that volume." self.log(t + "".join(self.idp_err), 1) + if have_reflink: + t = "WARNING: Reflink-based dedup was requested, but %s. This will not work; files will be full copies instead." + if sys.version_info < (3, 14): + self.log(t % "your python version is not new enough", 1) + if not sys.platform.startswith("linux"): + self.log(t % "your OS is not Linux", 1) + self.vfs = vfs self.acct = acct self.defpw = defpw diff --git a/copyparty/cfg.py b/copyparty/cfg.py index 640259ed..cee8214b 100644 --- a/copyparty/cfg.py +++ b/copyparty/cfg.py @@ -52,6 +52,7 @@ def vf_bmap() -> dict[str, str]: "og_no_head", "og_s_title", "rand", + "reflink", "rmagic", "rss", "wo_up_readme", @@ -168,6 +169,7 @@ flagcats = { "dedup": "enable symlink-based file deduplication", "hardlink": "enable hardlink-based file deduplication,\nwith fallback on symlinks when that is impossible", "hardlinkonly": "dedup with hardlink only, never symlink;\nmake a full copy if hardlink is impossible", + "reflink": "enable reflink-based file deduplication,\nwith fallback on full copy when that is impossible", "safededup": "verify on-disk data before using it for dedup", "noclone": "take dupe data from clients, even if available on HDD", "nodupe": "rejects existing files (instead of linking/cloning them)", diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index e2a74bcd..8bb12870 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -1575,6 +1575,18 @@ class HttpCli(object): self.log("inaccessible: %r" % ("/" + self.vpath,)) raise Pebkac(401, "authenticate") + if "quota-available-bytes" in props and not self.args.nid: + bfree, btot, _ = get_df(vn.realpath, False) + if btot: + df = { + "quota-available-bytes": str(bfree), + "quota-used-bytes": str(btot - bfree), + } + else: + df = {} + else: + df = {} + fgen = itertools.chain([topdir], fgen) vtop = vjoin(self.args.R, vjoin(vn.vpath, rem)) @@ -1617,6 +1629,9 @@ class HttpCli(object): ap = os.path.join(tap, x["vp"]) pvs["getcontenttype"] = html_escape(guess_mime(rp, ap)) pvs["getcontentlength"] = str(st.st_size) + elif df: + pvs.update(df) + df = {} for k, v in pvs.items(): if k not in props: @@ -2912,6 +2927,7 @@ class HttpCli(object): ok, msg = self.asrv.chpw(self.conn.hsrv.broker, self.uname, pwd) if ok: + self.cbonk(self.conn.hsrv.gpwc, pwd, "pw", "too many password changes") ok, msg = self.get_pwd_cookie(pwd) if ok: msg = "new password OK" @@ -2995,12 +3011,20 @@ class HttpCli(object): # reset both plaintext and tls # (only affects active tls cookies when tls) for k in ("cppwd", "cppws") if self.is_https else ("cppwd",): - ck = gencookie(k, pwd, self.args.R, False) + ck = gencookie(k, pwd, self.args.R, self.args.cookie_lax, False) self.out_headerlist.append(("Set-Cookie", ck)) self.out_headers.pop("Set-Cookie", None) # drop keepalive else: k = "cppws" if self.is_https else "cppwd" - ck = gencookie(k, pwd, self.args.R, self.is_https, dur, "; HttpOnly") + ck = gencookie( + k, + pwd, + self.args.R, + self.args.cookie_lax, + self.is_https, + dur, + "; HttpOnly", + ) self.out_headers["Set-Cookie"] = ck return dur > 0, msg @@ -3017,6 +3041,9 @@ class HttpCli(object): self.gctx = vpath vpath = undot(vpath) vfs, rem = self.asrv.vfs.get(vpath, self.uname, False, True) + if "nosub" in vfs.flags: + raise Pebkac(403, "mkdir is forbidden below this folder") + rem = sanitize_vpath(rem, "/") fn = vfs.canonical(rem) @@ -4865,13 +4892,21 @@ class HttpCli(object): def tx_svcs(self) -> bool: aname = re.sub("[^0-9a-zA-Z]+", "", self.args.vname) or "a" ep = self.host - host = ep.split(":")[0] - hport = ep[ep.find(":") :] if ":" in ep else "" - rip = ( - host - if self.args.rclone_mdns or not self.args.zm - else self.conn.hsrv.nm.map(self.ip) or host - ) + sep = "]:" if "]" in ep else ":" + if sep in ep: + host, hport = ep.rsplit(":", 1) + hport = ":" + hport + else: + host = ep + hport = "" + + if host.endswith(".local") and self.args.zm and not self.args.rclone_mdns: + rip = self.conn.hsrv.nm.map(self.ip) or host + if ":" in rip and "[" not in rip: + rip = "[%s]" % (rip,) + else: + rip = host + # safer than html_escape/quotep since this avoids both XSS and shell-stuff pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "hunter2") vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/") @@ -5041,7 +5076,7 @@ class HttpCli(object): def setck(self) -> bool: k, v = self.uparam["setck"].split("=", 1) t = 0 if v in ("", "x") else 86400 * 299 - ck = gencookie(k, v, self.args.R, False, t) + ck = gencookie(k, v, self.args.R, self.args.cookie_lax, False, t) self.out_headerlist.append(("Set-Cookie", ck)) if "cc" in self.ouparam: self.redirect("", "?h#cc") @@ -5053,7 +5088,7 @@ class HttpCli(object): for k in ALL_COOKIES: if k not in self.cookies: continue - cookie = gencookie(k, "x", self.args.R, False) + cookie = gencookie(k, "x", self.args.R, self.args.cookie_lax, False) self.out_headerlist.append(("Set-Cookie", cookie)) self.redirect("", "?h#cc") @@ -6137,13 +6172,13 @@ class HttpCli(object): self.log("#wow #whoa") if not self.args.nid: - free, total, _ = get_df(abspath, False) - if total is not None: + free, total, zs = get_df(abspath, False) + if total: h1 = humansize(free or 0) h2 = humansize(total) srv_info.append("{} free of {}".format(h1, h2)) - elif free is not None: - srv_info.append(humansize(free, True) + " free") + elif zs: + self.log("diskfree(%r): %s" % (abspath, zs), 3) srv_infot = " // ".join(srv_info) diff --git a/copyparty/httpsrv.py b/copyparty/httpsrv.py index 2e5cc69e..56638003 100644 --- a/copyparty/httpsrv.py +++ b/copyparty/httpsrv.py @@ -123,6 +123,7 @@ class HttpSrv(object): self.nm = NetMap([], []) self.ssdp: Optional["SSDPr"] = None self.gpwd = Garda(self.args.ban_pw) + self.gpwc = Garda(self.args.ban_pwc) self.g404 = Garda(self.args.ban_404) self.g403 = Garda(self.args.ban_403) self.g422 = Garda(self.args.ban_422, False) diff --git a/copyparty/mtag.py b/copyparty/mtag.py index a972ef33..cacfda39 100644 --- a/copyparty/mtag.py +++ b/copyparty/mtag.py @@ -166,12 +166,13 @@ def au_unpk( znil = [x for x in znil if "cover" in x[0]] or znil znil = [x for x in znil if CBZ_01.search(x[0])] or znil t = "cbz: %d files, %d hits" % (nf, len(znil)) + using = sorted(znil)[0][1].filename if znil: - t += ", using " + znil[0][1].filename + t += ", using " + using log(t) if not znil: raise Exception("no images inside cbz") - fi = zf.open(znil[0][1]) + fi = zf.open(using) else: raise Exception("unknown compression %s" % (pk,)) diff --git a/copyparty/svchub.py b/copyparty/svchub.py index e7c293cc..751fd566 100644 --- a/copyparty/svchub.py +++ b/copyparty/svchub.py @@ -168,6 +168,7 @@ class SvcHub(object): # for non-http clients (ftp, tftp) self.bans: dict[str, int] = {} self.gpwd = Garda(self.args.ban_pw) + self.gpwc = Garda(self.args.ban_pwc) self.g404 = Garda(self.args.ban_404) self.g403 = Garda(self.args.ban_403) self.g422 = Garda(self.args.ban_422, False) diff --git a/copyparty/up2k.py b/copyparty/up2k.py index 42b44f79..907347f5 100644 --- a/copyparty/up2k.py +++ b/copyparty/up2k.py @@ -3476,6 +3476,8 @@ class Up2k(object): linked = False try: + if "reflink" in flags: + raise Exception("reflink") if not is_mv and not flags.get("dedup"): raise Exception("dedup is disabled in config") @@ -3532,7 +3534,8 @@ class Up2k(object): linked = True except Exception as ex: - self.log("cannot link; creating copy: " + repr(ex)) + if str(ex) != "reflink": + self.log("cannot link; creating copy: " + repr(ex)) if bos.path.isfile(src): csrc = src elif fsrc and bos.path.isfile(fsrc): diff --git a/copyparty/util.py b/copyparty/util.py index 4bc74a0a..14768e6e 100644 --- a/copyparty/util.py +++ b/copyparty/util.py @@ -2037,15 +2037,25 @@ def formatdate(ts: Optional[float] = None) -> str: return RFC2822 % (WKDAYS[wd], d, MONTHS[mo - 1], y, h, mi, s) -def gencookie(k: str, v: str, r: str, tls: bool, dur: int = 0, txt: str = "") -> str: +def gencookie( + k: str, v: str, r: str, lax: bool, tls: bool, dur: int = 0, txt: str = "" +) -> str: v = v.replace("%", "%25").replace(";", "%3B") if dur: exp = formatdate(time.time() + dur) else: exp = "Fri, 15 Aug 1997 01:00:00 GMT" - t = "%s=%s; Path=/%s; Expires=%s%s%s; SameSite=Lax" - return t % (k, v, r, exp, "; Secure" if tls else "", txt) + t = "%s=%s; Path=/%s; Expires=%s%s%s; SameSite=%s" + return t % ( + k, + v, + r, + exp, + "; Secure" if tls else "", + txt, + "Lax" if lax else "Strict", + ) def humansize(sz: float, terse: bool = False) -> str: @@ -2652,7 +2662,7 @@ def wunlink(log: "NamedLogger", abspath: str, flags: dict[str, Any]) -> bool: return _fs_mvrm(log, abspath, "", False, flags) -def get_df(abspath: str, prune: bool) -> tuple[Optional[int], Optional[int], str]: +def get_df(abspath: str, prune: bool) -> tuple[int, int, str]: try: ap = fsenc(abspath) while prune and not os.path.isdir(ap) and BOS_SEP in ap: @@ -2663,17 +2673,22 @@ def get_df(abspath: str, prune: bool) -> tuple[Optional[int], Optional[int], str assert ctypes # type: ignore # !rm abspath = fsdec(ap) bfree = ctypes.c_ulonglong(0) + btotal = ctypes.c_ulonglong(0) + bavail = ctypes.c_ulonglong(0) ctypes.windll.kernel32.GetDiskFreeSpaceExW( # type: ignore - ctypes.c_wchar_p(abspath), None, None, ctypes.pointer(bfree) + ctypes.c_wchar_p(abspath), + ctypes.pointer(bavail), + ctypes.pointer(btotal), + ctypes.pointer(bfree), ) - return (bfree.value, None, "") + return (bavail.value, btotal.value, "") else: sv = os.statvfs(ap) - free = sv.f_frsize * sv.f_bfree + free = sv.f_frsize * sv.f_bavail total = sv.f_frsize * sv.f_blocks return (free, total, "") except Exception as ex: - return (None, None, repr(ex)) + return (0, 0, repr(ex)) if not ANYWIN and not MACOS: diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index 9c6140aa..fc63bf9f 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -278,6 +278,7 @@ var Ls = { "ml_drc": "dynamic range compressor", "mt_loop": "loop/repeat one song\">🔁", + "mt_one": "stop after one song\">1️⃣", "mt_shuf": "shuffle the songs in each folder\">🔀", "mt_aplay": "autoplay if there is a song-ID in the link you clicked to access the server$N$Ndisabling this will also stop the page URL from being updated with song-IDs when playing music, to prevent autoplay if these settings are lost but the URL remains\">a▶", "mt_preload": "start loading the next song near the end for gapless playback\">preload", @@ -295,6 +296,7 @@ var Ls = { "mt_uncache": "clear cache  (try this if your browser cached$Na broken copy of a song so it refuses to play)\">uncache", "mt_mloop": "loop the open folder\">🔁 loop", "mt_mnext": "load the next folder and continue\">📂 next", + "mt_mstop": "stop playback\">⏸ stop", "mt_cflac": "convert flac / wav to opus\">flac", "mt_caac": "convert aac / m4a to opus\">aac", "mt_coth": "convert all others (not mp3) to opus\">oth", @@ -527,20 +529,20 @@ var Ls = { "un_fclr": "clear filter", "un_derr": 'unpost-delete failed:\n', "un_f5": 'something broke, please try a refresh or hit F5', - "un_uf5": "Sorry, aber du musst die Seite neuladen (z.B. in dem du F5 oder STRG-R drückst) bevor zu diesen Upload abbrechen kannst", - "un_nou": 'Warnung: Der Server ist grade zu beschäftigt, um unvollständige Uploads anzuzeigen; Drücke den "Neu laden"-Link in ein paar Sekunden', - "un_noc": 'Warnung: unpost von vollständig hochgeladenen Dateien ist über die Serverkonfiguration gesperrt', - "un_max": "Zeige die ersten 2000 Dateien (benutze Filter, um die gewünschten Dateien zu finden)", - "un_avail": "{0} zuletzt hochgeladene Dateien können gelöscht werden
{1} Unvollständige können abgebrochen werden", - "un_m2": "Sortiert nach Upload-Zeitpunkt; neuste zuerst:", + "un_uf5": "sorry but you have to refresh the page (for example by pressing F5 or CTRL-R) before this upload can be aborted", + "un_nou": 'warning: server too busy to show unfinished uploads; click the "refresh" link in a bit', + "un_noc": 'warning: unpost of fully uploaded files is not enabled/permitted in server config', + "un_max": "showing first 2000 files (use the filter)", + "un_avail": "{0} recent uploads can be deleted
{1} unfinished ones can be aborted", + "un_m2": "sorted by upload time; most recent first:", "un_no1": "sike! no uploads are sufficiently recent", "un_no2": "sike! no uploads matching that filter are sufficiently recent", - "un_next": "Lösche die nächsten {0} Dateien", - "un_abrt": "Abbrechen", - "un_del": "Löschen", - "un_m3": "Deine letzten Uploads werden geladen ...", - "un_busy": "Lösche {0} Dateien ...", - "un_clip": "{0} Links in die Zwischenablage kopiert", + "un_next": "delete the next {0} files below", + "un_abrt": "abort", + "un_del": "delete", + "un_m3": "loading your recent uploads...", + "un_busy": "deleting {0} files...", + "un_clip": "{0} links copied to clipboard", "u_https1": "you should", "u_https2": "switch to https", @@ -903,6 +905,7 @@ var Ls = { "ml_drc": "compressor (volum-utjevning)", "mt_loop": "spill den samme sangen om og om igjen\">🔁", + "mt_one": "spill kun én sang\">1️⃣", "mt_shuf": "sangene i hver mappe$Nspilles i tilfeldig rekkefølge\">🔀", "mt_aplay": "forsøk å starte avspilling hvis linken du klikket på for å åpne nettsiden inneholder en sang-ID$N$Nhvis denne deaktiveres så vil heller ikke nettside-URLen bli oppdatert med sang-ID'er når musikk spilles, i tilfelle innstillingene skulle gå tapt og nettsiden lastes på ny\">a▶", "mt_preload": "hent ned litt av neste sang i forkant,$Nslik at pausen i overgangen blir mindre\">forles", @@ -920,6 +923,7 @@ var Ls = { "mt_uncache": "prøv denne hvis en sang ikke spiller riktig\">oppfrisk", "mt_mloop": "repeter hele mappen\">🔁 gjenta", "mt_mnext": "hopp til neste mappe og fortsett\">📂 neste", + "mt_mstop": "stopp avspilling\">⏸ stopp", "mt_cflac": "konverter flac / wav-filer til opus\">flac", "mt_caac": "konverter aac / m4a-filer til to opus\">aac", "mt_coth": "konverter alt annet (men ikke mp3) til opus\">andre", @@ -1528,6 +1532,7 @@ var Ls = { "ml_drc": "动态范围压缩器", "mt_loop": "循环播放当前的歌曲\">🔁", //m + "mt_one": "只播放一首歌后停止\">1️⃣", //m "mt_shuf": "在每个文件夹中随机播放歌曲\">🔀", "mt_aplay": "如果链接中有歌曲 ID,则自动播放,禁用此选项将停止在播放音乐时更新页面 URL 中的歌曲 ID,以防止在设置丢失但 URL 保留时自动播放\">自动播放▶", "mt_preload": "在歌曲快结束时开始加载下一首歌,以实现无缝播放\">预加载", @@ -1545,6 +1550,7 @@ var Ls = { "mt_uncache": "清除缓存 $N(如果你的浏览器缓存了一个损坏的歌曲副本而拒绝播放,请尝试此操作)\">uncache", "mt_mloop": "循环打开的文件夹\">🔁 循环", "mt_mnext": "加载下一个文件夹并继续\">📂 下一首", + "mt_mstop": "停止播放\">⏸ 停止", //m "mt_cflac": "将 flac / wav 转换为 opus\">flac", "mt_caac": "将 aac / m4a 转换为 opus\">aac", "mt_coth": "将所有其他(不是 mp3)转换为 opus\">oth", @@ -2992,6 +2998,7 @@ var mpl = (function () { ebi('op_player').innerHTML = ( '

' + L.cl_opts + '

' + '' + ' 1 ? len - pos : 999, full = null; @@ -4313,7 +4325,12 @@ var mpui = (function () { var oi = mp.order.indexOf(mp.au.tid) + 1, evp = get_evpath(); - if (mpl.pb_mode == 'loop' || mp.au.evp != evp || ebi('unsearch')) + if (oi >= mp.order.length && ( + mpl.one || + mpl.pb_mode != 'next' || + mp.au.evp != evp || + ebi('unsearch')) + ) oi = 0; if (oi >= mp.order.length) { @@ -4799,6 +4816,9 @@ function play(tid, is_ev, seek) { } if (tn >= mp.order.length) { + if (mpl.pb_mode == 'stop') + return; + if (mpl.pb_mode == 'loop' || ebi('unsearch')) { tn = 0; } @@ -4883,7 +4903,7 @@ function play(tid, is_ev, seek) { try { mp.nopause(); - mp.au.loop = mpl.loop; + mp.au.loop = mpl.loop && !mpl.one; if (mpl.aplay || is_ev !== -1) mp.au.play(); @@ -4929,6 +4949,8 @@ function scroll2playing() { function evau_end(e) { + if (mpl.one) + return; if (!mpl.loop) return next_song(e); ev(e); @@ -6650,6 +6672,7 @@ var showfile = (function () { m = /[?&](k=[^&#]+)/.exec(url); url = url.split('?')[0] + (m ? '?' + m[1] : ''); + assert_vp(url); if (r.taildoc) return r.tail(url, no_push); @@ -8068,7 +8091,7 @@ var search_ui = (function () { nodes = ['-
' + links + '
', sz]; for (var b = 0; b < tagord.length; b++) { - var k = tagord[b], + var k = esc(tagord[b]), v = r.tags[k] || ""; if (k == ".dur") { @@ -8077,7 +8100,7 @@ var search_ui = (function () { continue; } - nodes.push(v); + nodes.push(esc('' + v)); } nodes = nodes.concat([ext, unix2iso(ts)]); @@ -8144,6 +8167,7 @@ function ev_load_m3u(e) { return false; } function load_m3u(url) { + assert_vp(url); var xhr = new XHR(); xhr.open('GET', url, true); xhr.onload = render_m3u; @@ -8548,6 +8572,17 @@ var treectl = (function () { return toast.err(30, "bad ?tree reply;\nexpected json, got this:\n\n" + esc(this.responseText + '')); } r.rendertree(res, this.ts, this.top, this.dst, this.rst); + + if (r.lsc && r.lsc.unlist) + r.prunetree(r.lsc); + }; + + r.prunetree = function (res) { + var ptn = new RegExp(res.unlist); + var els = QSA('#treeul li>a+a'); + for (var a = els.length - 1; a >= 0; a--) + if (ptn.exec(els[a].textContent) && !els[a].className) + els[a].closest('ul').removeChild(els[a].closest('li')); }; r.rendertree = function (res, ts, top0, dst, rst) { @@ -8835,6 +8870,8 @@ var treectl = (function () { } r.rendertree({ "a": dirs }, this.ts, ".", get_evpath() + (dk ? '?k=' + dk : '')); + if (res.unlist) + r.prunetree(res); } r.gentab(this.top, res); @@ -8895,6 +8932,7 @@ var treectl = (function () { }; r.gentab = function (top, res) { + showfile.untail(); var nodes = res.dirs.concat(res.files), html = mk_files_header(res.taglist), sel = msel.hist[top], @@ -8915,7 +8953,7 @@ var treectl = (function () { if (res.unlist) { var ptn = new RegExp(res.unlist); for (var a = nodes.length - 1; a >= 0; a--) - if (ptn.exec(nodes[a].href.split('?')[0])) + if (ptn.exec(uricom_dec(nodes[a].href.split('?')[0]))) nodes.splice(a, 1); } nodes = sortfiles(nodes); @@ -8965,7 +9003,7 @@ var treectl = (function () { top + tn.href + '" id="' + id + '">' + hname + '', tn.sz]; for (var b = 0; b < res.taglist.length; b++) { - var k = res.taglist[b], + var k = esc(res.taglist[b]), v = (tn.tags || {})[k] || "", sv = null; @@ -8974,7 +9012,7 @@ var treectl = (function () { else if (k == ".up_at") sv = v ? unix2iso(v) : ""; else { - ln.push(v); + ln.push(esc('' + v)); continue; } ln[ln.length - 1] += '' + sv; diff --git a/copyparty/web/svcs.html b/copyparty/web/svcs.html index 0c3ec858..c47d8403 100644 --- a/copyparty/web/svcs.html +++ b/copyparty/web/svcs.html @@ -36,7 +36,7 @@ {% if accs %}{{ pw }}=password, {% endif %}mp=mountpoint - use real password + {% if accs %}use real password{% endif %}

diff --git a/copyparty/web/svcs.js b/copyparty/web/svcs.js index 10513fd2..0de94523 100644 --- a/copyparty/web/svcs.js +++ b/copyparty/web/svcs.js @@ -49,7 +49,7 @@ function setos(os) { setos(WINDOWS ? 'win' : LINUX ? 'lin' : MACOS ? 'mac' : 'idk'); -ebi('setpw').onclick = function (e) { +function setpw(e) { ev(e); modal.prompt('password:', '', function (v) { if (!v) @@ -57,7 +57,7 @@ ebi('setpw').onclick = function (e) { var pw0 = ebi('pw0').innerHTML, oa = QSA('b'); - + for (var a = 0; a < oa.length; a++) if (oa[a].innerHTML == pw0) oa[a].textContent = v; @@ -65,3 +65,5 @@ ebi('setpw').onclick = function (e) { add_dls(); }); } +if (ebi('setpw')) + ebi('setpw').onclick = setpw; diff --git a/copyparty/web/util.js b/copyparty/web/util.js index e5c3ff07..b246e145 100644 --- a/copyparty/web/util.js +++ b/copyparty/web/util.js @@ -383,8 +383,10 @@ if (!String.prototype.format) }); }; +var have_URL = false; try { new URL('/a/', 'https://a.com/'); + have_URL = true; } catch (ex) { console.log('ie11 shim URL()'); @@ -732,6 +734,16 @@ function makeSortable(table, cb) { } +function assert_vp(path) { + if (path.indexOf('//') + 1) + throw 'nonlocal1: ' + path; + + var o = window.location.origin; + if (have_URL && (new URL(path, o)).origin != o) + throw 'nonlocal2: ' + path; +} + + function linksplit(rp, id) { var ret = [], apath = '/', diff --git a/docs/changelog.md b/docs/changelog.md index d59b2b95..7a9571f1 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -1,3 +1,57 @@ +▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ +# 2025-0727-2305 `v1.18.5` SECURITY: fix XSS in media tags + +## ⚠️ ATTN: this release fixes an XSS vulnerability + +[GHSA-9q4r-x2hj-jmvr](https://github.com/9001/copyparty/security/advisories/GHSA-9q4r-x2hj-jmvr), exploitable in two different ways, could let an attacker execute arbitrary javascript on other users: +* either: tricking someone into clicking a malicious URL to load and execute javascript +* or: uploading a malicious audio file to the server, affecting any successive visitors + +so, with new and curious eyes on the project, we are starting off with a bang. Huge thanks to @altperfect for finding and reporting this earlier today. + +## recent important news + +* [v1.18.5 (2025-07-28)](https://github.com/9001/copyparty/releases/tag/v1.18.5) fixed XSS in display of media tags +* [v1.15.0 (2024-09-08)](https://github.com/9001/copyparty/releases/tag/v1.15.0) changed upload deduplication to be default-disabled +* [v1.14.3 (2024-08-30)](https://github.com/9001/copyparty/releases/tag/v1.14.3) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to **data loss** -- see the v1.14.3 release-notes for details + +## 🧪 new features + +* #214 option to stop playback after one song, and/or at end of folder 6bb27e60 + +## 🩹 bugfixes + +* GHSA-9q4r-x2hj-jmvr 895880ae +* block external m3u files 2228f81f +* #202 the connect-page could show IP-address when it should have used hostnames/domains b0dec83a +* scrolling locked after tailing a file and closing it creatively d197e754 + +## 🔧 other changes + +* #189 the `SameSite` cookie parameter now defaults to `Strict`, increasing CSRF protection ca6d0b8d + * new option `--cookie-lax` reverts to previous value `Lax` +* docker: add FTPS support b4199847 + + + +▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ +# 2025-0725-1841 `v1.18.4` Landmarks + +## 🧪 new features + +* #182 [Landmarks](https://github.com/9001/copyparty#database-location) edba7fff + * detects that a storage backend is glitching out and disengage the up2k-database as a precaution +* #183 quickdelete 21a96bcf + * new togglebutton `qdel` in the UI which reduces the number of deletion confirmations by one + * global-option `--qdel=0` which can bring it all the way to zero (good luck) + +## 🩹 bugfixes + +* fix unpost in recently created shares 2d322dd4 +* fix filekeys on windows df6d4df4 + + + ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ # 2025-0721-2307 `v1.18.3` drop the umask diff --git a/docs/examples/docker/basic-docker-compose/docker-compose.yml b/docs/examples/docker/basic-docker-compose/docker-compose.yml index ba5e74d8..dd3c1f9a 100644 --- a/docs/examples/docker/basic-docker-compose/docker-compose.yml +++ b/docs/examples/docker/basic-docker-compose/docker-compose.yml @@ -1,4 +1,3 @@ -version: '3' services: copyparty: @@ -11,9 +10,12 @@ services: - ./:/cfg:z - /path/to/your/fileshare/top/folder:/w:z - # enabling mimalloc by replacing "NOPE" with "2" will make some stuff twice as fast, but everything will use twice as much ram: environment: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE + # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram) + + PYTHONUNBUFFERED: 1 + # ensures log-messages are not delayed (but can reduce speed a tiny bit) stop_grace_period: 15s # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal healthcheck: diff --git a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml index 5fe25a15..9ebd73ba 100644 --- a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml +++ b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml @@ -27,6 +27,9 @@ services: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram) + PYTHONUNBUFFERED: 1 + # ensures log-messages are not delayed (but can reduce speed a tiny bit) + authelia: image: authelia/authelia:v4.38.0-beta3 # the config files in the authelia folder use the new syntax container_name: idp_authelia diff --git a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml index ee10f0f9..7ddf1a9d 100644 --- a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml +++ b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml @@ -27,6 +27,9 @@ services: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram) + PYTHONUNBUFFERED: 1 + # ensures log-messages are not delayed (but can reduce speed a tiny bit) + traefik: image: traefik:v2.11 container_name: traefik diff --git a/flake.nix b/flake.nix index be9d0678..5f39d605 100644 --- a/flake.nix +++ b/flake.nix @@ -4,16 +4,30 @@ flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { self, nixpkgs, flake-utils }: + outputs = + { + self, + nixpkgs, + flake-utils, + }: { nixosModules.default = ./contrib/nixos/modules/copyparty.nix; - overlays.default = self: super: { - copyparty = - self.python3.pkgs.callPackage ./contrib/package/nix/copyparty { - ffmpeg = self.ffmpeg-full; - }; + overlays.default = final: prev: rec { + copyparty = final.python3.pkgs.callPackage ./contrib/package/nix/copyparty { + ffmpeg = final.ffmpeg-full; + }; + + partyfuse = prev.callPackage ./contrib/package/nix/partyfuse { + inherit copyparty; + }; + + u2c = prev.callPackage ./contrib/package/nix/u2c { + inherit copyparty; + }; }; - } // flake-utils.lib.eachDefaultSystem (system: + } + // flake-utils.lib.eachDefaultSystem ( + system: let pkgs = import nixpkgs { inherit system; @@ -22,10 +36,31 @@ }; overlays = [ self.overlays.default ]; }; - in { + in + { + # check that copyparty builds with all optionals turned on + checks.copyparty-full = self.packages.${system}.copyparty.override { + withHashedPasswords = true; + withCertgen = true; + withThumbnails = true; + withFastThumbnails = true; + withMediaProcessing = true; + withBasicAudioMetadata = true; + withZeroMQ = true; + withFTPS = true; + withSMB = true; + }; + packages = { - inherit (pkgs) copyparty; + inherit (pkgs) + copyparty + partyfuse + u2c + ; default = self.packages.${system}.copyparty; }; - }); + + formatter = pkgs.nixfmt-tree; + } + ); } diff --git a/scripts/tl.js b/scripts/tl.js index c2e13faf..40ffe8a4 100644 --- a/scripts/tl.js +++ b/scripts/tl.js @@ -364,6 +364,7 @@ var tl_browser = { "ml_drc": "dynamic range compressor", "mt_loop": "loop/repeat one song\">🔁", + "mt_one": "stop after one song\">1️⃣", "mt_shuf": "shuffle the songs in each folder\">🔀", "mt_aplay": "autoplay if there is a song-ID in the link you clicked to access the server$N$Ndisabling this will also stop the page URL from being updated with song-IDs when playing music, to prevent autoplay if these settings are lost but the URL remains\">a▶", "mt_preload": "start loading the next song near the end for gapless playback\">preload", @@ -381,6 +382,7 @@ var tl_browser = { "mt_uncache": "clear cache  (try this if your browser cached$Na broken copy of a song so it refuses to play)\">uncache", "mt_mloop": "loop the open folder\">🔁 loop", "mt_mnext": "load the next folder and continue\">📂 next", + "mt_mstop": "stop playback\">⏸ stop", "mt_cflac": "convert flac / wav to opus\">flac", "mt_caac": "convert aac / m4a to opus\">aac", "mt_coth": "convert all others (not mp3) to opus\">oth", diff --git a/tests/util.py b/tests/util.py index 2b3d4b52..17c1d06d 100644 --- a/tests/util.py +++ b/tests/util.py @@ -143,7 +143,7 @@ class Cfg(Namespace): def __init__(self, a=None, v=None, c=None, **ka0): ka = {} - ex = "chpw daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs" + ex = "chpw cookie_lax daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz reflink rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs" ka.update(**{k: False for k in ex.split()}) ex = "dav_inf dedup dotpart dotsrch hook_v no_dhash no_fastboot no_fpool no_htp no_rescan no_sendfile no_ses no_snap no_up_list no_voldump re_dhash see_dots plain_ip" @@ -164,7 +164,7 @@ class Cfg(Namespace): ex = "ah_alg bname chmod_f chpw_db doctitle df exit favico idp_h_usr ipa html_head lg_sba lg_sbf log_fk md_sba md_sbf name og_desc og_site og_th og_title og_title_a og_title_v og_title_i shr tcolor textfiles unlist vname xff_src zipmaxt R RS SR" ka.update(**{k: "" for k in ex.split()}) - ex = "ban_403 ban_404 ban_422 ban_pw ban_url spinner" + ex = "ban_403 ban_404 ban_422 ban_pw ban_pwc ban_url spinner" ka.update(**{k: "no" for k in ex.split()}) ex = "ext_th grp on403 on404 xac xad xar xau xban xbc xbd xbr xbu xiu xm"