From ca6d0b8d5e243ef9e1af962fa01f842631797967 Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 18:18:49 +0000 Subject: [PATCH 01/32] SameSite=Strict as default; closes #189 --- copyparty/__main__.py | 1 + copyparty/httpcli.py | 16 ++++++++++++---- copyparty/util.py | 16 +++++++++++++--- tests/util.py | 2 +- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/copyparty/__main__.py b/copyparty/__main__.py index e69c8d14..be5c3b98 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -1288,6 +1288,7 @@ def add_stats(ap): def add_yolo(ap): ap2 = ap.add_argument_group('yolo options') ap2.add_argument("--allow-csrf", action="store_true", help="disable csrf protections; let other domains/sites impersonate you through cross-site requests") + ap2.add_argument("--cookie-lax", action="store_true", help="allow cookies from other domains (if you follow a link from another website into your server, you will arrive logged-in); this reduces protection against CSRF") ap2.add_argument("--getmod", action="store_true", help="permit ?move=[...] and ?delete as GET") ap2.add_argument("--wo-up-readme", action="store_true", help="allow users with write-only access to upload logues and readmes without adding the _wo_ filename prefix (volflag=wo_up_readme)") diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index e2a74bcd..2aa6a059 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -2995,12 +2995,20 @@ class HttpCli(object): # reset both plaintext and tls # (only affects active tls cookies when tls) for k in ("cppwd", "cppws") if self.is_https else ("cppwd",): - ck = gencookie(k, pwd, self.args.R, False) + ck = gencookie(k, pwd, self.args.R, self.args.cookie_lax, False) self.out_headerlist.append(("Set-Cookie", ck)) self.out_headers.pop("Set-Cookie", None) # drop keepalive else: k = "cppws" if self.is_https else "cppwd" - ck = gencookie(k, pwd, self.args.R, self.is_https, dur, "; HttpOnly") + ck = gencookie( + k, + pwd, + self.args.R, + self.args.cookie_lax, + self.is_https, + dur, + "; HttpOnly", + ) self.out_headers["Set-Cookie"] = ck return dur > 0, msg @@ -5041,7 +5049,7 @@ class HttpCli(object): def setck(self) -> bool: k, v = self.uparam["setck"].split("=", 1) t = 0 if v in ("", "x") else 86400 * 299 - ck = gencookie(k, v, self.args.R, False, t) + ck = gencookie(k, v, self.args.R, self.args.cookie_lax, False, t) self.out_headerlist.append(("Set-Cookie", ck)) if "cc" in self.ouparam: self.redirect("", "?h#cc") @@ -5053,7 +5061,7 @@ class HttpCli(object): for k in ALL_COOKIES: if k not in self.cookies: continue - cookie = gencookie(k, "x", self.args.R, False) + cookie = gencookie(k, "x", self.args.R, self.args.cookie_lax, False) self.out_headerlist.append(("Set-Cookie", cookie)) self.redirect("", "?h#cc") diff --git a/copyparty/util.py b/copyparty/util.py index 4bc74a0a..0b2dbcc4 100644 --- a/copyparty/util.py +++ b/copyparty/util.py @@ -2037,15 +2037,25 @@ def formatdate(ts: Optional[float] = None) -> str: return RFC2822 % (WKDAYS[wd], d, MONTHS[mo - 1], y, h, mi, s) -def gencookie(k: str, v: str, r: str, tls: bool, dur: int = 0, txt: str = "") -> str: +def gencookie( + k: str, v: str, r: str, lax: bool, tls: bool, dur: int = 0, txt: str = "" +) -> str: v = v.replace("%", "%25").replace(";", "%3B") if dur: exp = formatdate(time.time() + dur) else: exp = "Fri, 15 Aug 1997 01:00:00 GMT" - t = "%s=%s; Path=/%s; Expires=%s%s%s; SameSite=Lax" - return t % (k, v, r, exp, "; Secure" if tls else "", txt) + t = "%s=%s; Path=/%s; Expires=%s%s%s; SameSite=%s" + return t % ( + k, + v, + r, + exp, + "; Secure" if tls else "", + txt, + "Lax" if lax else "Strict", + ) def humansize(sz: float, terse: bool = False) -> str: diff --git a/tests/util.py b/tests/util.py index 2b3d4b52..147c3b64 100644 --- a/tests/util.py +++ b/tests/util.py @@ -143,7 +143,7 @@ class Cfg(Namespace): def __init__(self, a=None, v=None, c=None, **ka0): ka = {} - ex = "chpw daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs" + ex = "chpw cookie_lax daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs" ka.update(**{k: False for k in ex.split()}) ex = "dav_inf dedup dotpart dotsrch hook_v no_dhash no_fastboot no_fpool no_htp no_rescan no_sendfile no_ses no_snap no_up_list no_voldump re_dhash see_dots plain_ip" From e2c2dd18cfc2be7f4cf2480e773f81b04452ead2 Mon Sep 17 00:00:00 2001 From: Masked Date: Sun, 27 Jul 2025 15:30:56 -0400 Subject: [PATCH 02/32] Improve host IP address handling in HttpCli Added logic to detect if the user provided an IP address or hostname using the ipaddress module. This ensures correct resolution and mapping behavior based on the input type, improving reliability and correctness in network operations. --- copyparty/httpcli.py | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 2aa6a059..9b43225b 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -4875,11 +4875,22 @@ class HttpCli(object): ep = self.host host = ep.split(":")[0] hport = ep[ep.find(":") :] if ":" in ep else "" - rip = ( - host - if self.args.rclone_mdns or not self.args.zm - else self.conn.hsrv.nm.map(self.ip) or host - ) + + import ipaddress + try: + ipaddress.ip_address(host) + user_used_ip = True + except ValueError: + user_used_ip = False + + if user_used_ip or self.args.rclone_mdns or not self.args.zm: + rip = ( + host + if self.args.rclone_mdns or not self.args.zm + else self.conn.hsrv.nm.map(self.ip) or host + ) + else: + rip = host # safer than html_escape/quotep since this avoids both XSS and shell-stuff pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "hunter2") vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/") From b0dec83aada2326d5eb04a643b041303ac732983 Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 20:32:45 +0000 Subject: [PATCH 03/32] connect: fix ipv6 and resolve .local only; closes #202 --- copyparty/httpcli.py | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 9b43225b..9d12facb 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -4873,24 +4873,21 @@ class HttpCli(object): def tx_svcs(self) -> bool: aname = re.sub("[^0-9a-zA-Z]+", "", self.args.vname) or "a" ep = self.host - host = ep.split(":")[0] - hport = ep[ep.find(":") :] if ":" in ep else "" - - import ipaddress - try: - ipaddress.ip_address(host) - user_used_ip = True - except ValueError: - user_used_ip = False - - if user_used_ip or self.args.rclone_mdns or not self.args.zm: - rip = ( - host - if self.args.rclone_mdns or not self.args.zm - else self.conn.hsrv.nm.map(self.ip) or host - ) + sep = "]:" if "]" in ep else ":" + if sep in ep: + host, hport = ep.rsplit(":", 1) + hport = ":" + hport + else: + host = ep + hport = "" + + if host.endswith(".local") and self.args.zm and not self.args.rclone_mdns: + rip = self.conn.hsrv.nm.map(self.ip) or host + if ":" in rip and "[" not in rip: + rip = "[%s]" % (rip,) else: rip = host + # safer than html_escape/quotep since this avoids both XSS and shell-stuff pw = re.sub(r"[<>&$?`\"']", "_", self.pw or "hunter2") vp = re.sub(r"[<>&$?`\"']", "_", self.uparam["hc"] or "").lstrip("/") From d197e754b9691f9c4277278396b230c98c3bd228 Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 21:17:44 +0000 Subject: [PATCH 04/32] fix scroll after logtail (thx @Bevinsky) if file was closed without using the [X] button, for example with the browser back button, the tail would not abort --- copyparty/web/browser.js | 1 + 1 file changed, 1 insertion(+) diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index d423a92a..5fd44540 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -8269,6 +8269,7 @@ var treectl = (function () { }; r.gentab = function (top, res) { + showfile.untail(); var nodes = res.dirs.concat(res.files), html = mk_files_header(res.taglist), sel = msel.hist[top], From 6bb27e60910063109b930f7addd32bfbb5f16bc0 Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 22:14:16 +0000 Subject: [PATCH 05/32] audioplayer: stop at end-of-(song/folder); closes #214 --- copyparty/web/browser.js | 30 ++++++++++++++++++++++++++---- scripts/tl.js | 2 ++ 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index 5fd44540..51c19d2f 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -278,6 +278,7 @@ var Ls = { "ml_drc": "dynamic range compressor", "mt_loop": "loop/repeat one song\">๐Ÿ”", + "mt_one": "stop after one song\">1๏ธโƒฃ", "mt_shuf": "shuffle the songs in each folder\">๐Ÿ”€", "mt_aplay": "autoplay if there is a song-ID in the link you clicked to access the server$N$Ndisabling this will also stop the page URL from being updated with song-IDs when playing music, to prevent autoplay if these settings are lost but the URL remains\">aโ–ถ", "mt_preload": "start loading the next song near the end for gapless playback\">preload", @@ -295,6 +296,7 @@ var Ls = { "mt_uncache": "clear cache  (try this if your browser cached$Na broken copy of a song so it refuses to play)\">uncache", "mt_mloop": "loop the open folder\">๐Ÿ” loop", "mt_mnext": "load the next folder and continue\">๐Ÿ“‚ next", + "mt_mstop": "stop playback\">โธ stop", "mt_cflac": "convert flac / wav to opus\">flac", "mt_caac": "convert aac / m4a to opus\">aac", "mt_coth": "convert all others (not mp3) to opus\">oth", @@ -903,6 +905,7 @@ var Ls = { "ml_drc": "compressor (volum-utjevning)", "mt_loop": "spill den samme sangen om og om igjen\">๐Ÿ”", + "mt_one": "spill kun รฉn sang\">1๏ธโƒฃ", "mt_shuf": "sangene i hver mappe$Nspilles i tilfeldig rekkefรธlge\">๐Ÿ”€", "mt_aplay": "forsรธk รฅ starte avspilling hvis linken du klikket pรฅ for รฅ รฅpne nettsiden inneholder en sang-ID$N$Nhvis denne deaktiveres sรฅ vil heller ikke nettside-URLen bli oppdatert med sang-ID'er nรฅr musikk spilles, i tilfelle innstillingene skulle gรฅ tapt og nettsiden lastes pรฅ ny\">aโ–ถ", "mt_preload": "hent ned litt av neste sang i forkant,$Nslik at pausen i overgangen blir mindre\">forles", @@ -920,6 +923,7 @@ var Ls = { "mt_uncache": "prรธv denne hvis en sang ikke spiller riktig\">oppfrisk", "mt_mloop": "repeter hele mappen\">๐Ÿ” gjenta", "mt_mnext": "hopp til neste mappe og fortsett\">๐Ÿ“‚ neste", + "mt_mstop": "stopp avspilling\">โธ stopp", "mt_cflac": "konverter flac / wav-filer til opus\">flac", "mt_caac": "konverter aac / m4a-filer til to opus\">aac", "mt_coth": "konverter alt annet (men ikke mp3) til opus\">andre", @@ -1528,6 +1532,7 @@ var Ls = { "ml_drc": "ๅŠจๆ€่Œƒๅ›ดๅŽ‹็ผฉๅ™จ", "mt_loop": "ๅพช็Žฏๆ’ญๆ”พๅฝ“ๅ‰็š„ๆญŒๆ›ฒ\">๐Ÿ”", //m + "mt_one": "ๅชๆ’ญๆ”พไธ€้ฆ–ๆญŒๅŽๅœๆญข\">1๏ธโƒฃ", //m "mt_shuf": "ๅœจๆฏไธชๆ–‡ไปถๅคนไธญ้šๆœบๆ’ญๆ”พๆญŒๆ›ฒ\">๐Ÿ”€", "mt_aplay": "ๅฆ‚ๆžœ้“พๆŽฅไธญๆœ‰ๆญŒๆ›ฒ ID๏ผŒๅˆ™่‡ชๅŠจๆ’ญๆ”พ,็ฆ็”จๆญค้€‰้กนๅฐ†ๅœๆญขๅœจๆ’ญๆ”พ้Ÿณไนๆ—ถๆ›ดๆ–ฐ้กต้ข URL ไธญ็š„ๆญŒๆ›ฒ ID๏ผŒไปฅ้˜ฒๆญขๅœจ่ฎพ็ฝฎไธขๅคฑไฝ† URL ไฟ็•™ๆ—ถ่‡ชๅŠจๆ’ญๆ”พ\">่‡ชๅŠจๆ’ญๆ”พโ–ถ", "mt_preload": "ๅœจๆญŒๆ›ฒๅฟซ็ป“ๆŸๆ—ถๅผ€ๅง‹ๅŠ ่ฝฝไธ‹ไธ€้ฆ–ๆญŒ๏ผŒไปฅๅฎž็Žฐๆ— ็ผๆ’ญๆ”พ\">้ข„ๅŠ ่ฝฝ", @@ -1545,6 +1550,7 @@ var Ls = { "mt_uncache": "ๆธ…้™ค็ผ“ๅญ˜ $N๏ผˆๅฆ‚ๆžœไฝ ็š„ๆต่งˆๅ™จ็ผ“ๅญ˜ไบ†ไธ€ไธชๆŸๅ็š„ๆญŒๆ›ฒๅ‰ฏๆœฌ่€Œๆ‹’็ปๆ’ญๆ”พ๏ผŒ่ฏทๅฐ่ฏ•ๆญคๆ“ไฝœ๏ผ‰\">uncache", "mt_mloop": "ๅพช็Žฏๆ‰“ๅผ€็š„ๆ–‡ไปถๅคน\">๐Ÿ” ๅพช็Žฏ", "mt_mnext": "ๅŠ ่ฝฝไธ‹ไธ€ไธชๆ–‡ไปถๅคนๅนถ็ปง็ปญ\">๐Ÿ“‚ ไธ‹ไธ€้ฆ–", + "mt_mstop": "ๅœๆญขๆ’ญๆ”พ\">โธ ๅœๆญข", //m "mt_cflac": "ๅฐ† flac / wav ่ฝฌๆขไธบ opus\">flac", "mt_caac": "ๅฐ† aac / m4a ่ฝฌๆขไธบ opus\">aac", "mt_coth": "ๅฐ†ๆ‰€ๆœ‰ๅ…ถไป–๏ผˆไธๆ˜ฏ mp3๏ผ‰่ฝฌๆขไธบ opus\">oth", @@ -2366,6 +2372,7 @@ var mpl = (function () { ebi('op_player').innerHTML = ( '

' + L.cl_opts + '

' + '' + ' 1 ? len - pos : 999, full = null; @@ -3687,7 +3699,12 @@ var mpui = (function () { var oi = mp.order.indexOf(mp.au.tid) + 1, evp = get_evpath(); - if (mpl.pb_mode == 'loop' || mp.au.evp != evp || ebi('unsearch')) + if (oi >= mp.order.length && ( + mpl.one || + mpl.pb_mode != 'next' || + mp.au.evp != evp || + ebi('unsearch')) + ) oi = 0; if (oi >= mp.order.length) { @@ -4173,6 +4190,9 @@ function play(tid, is_ev, seek) { } if (tn >= mp.order.length) { + if (mpl.pb_mode == 'stop') + return; + if (mpl.pb_mode == 'loop' || ebi('unsearch')) { tn = 0; } @@ -4257,7 +4277,7 @@ function play(tid, is_ev, seek) { try { mp.nopause(); - mp.au.loop = mpl.loop; + mp.au.loop = mpl.loop && !mpl.one; if (mpl.aplay || is_ev !== -1) mp.au.play(); @@ -4303,6 +4323,8 @@ function scroll2playing() { function evau_end(e) { + if (mpl.one) + return; if (!mpl.loop) return next_song(e); ev(e); diff --git a/scripts/tl.js b/scripts/tl.js index c2e13faf..40ffe8a4 100644 --- a/scripts/tl.js +++ b/scripts/tl.js @@ -364,6 +364,7 @@ var tl_browser = { "ml_drc": "dynamic range compressor", "mt_loop": "loop/repeat one song\">๐Ÿ”", + "mt_one": "stop after one song\">1๏ธโƒฃ", "mt_shuf": "shuffle the songs in each folder\">๐Ÿ”€", "mt_aplay": "autoplay if there is a song-ID in the link you clicked to access the server$N$Ndisabling this will also stop the page URL from being updated with song-IDs when playing music, to prevent autoplay if these settings are lost but the URL remains\">aโ–ถ", "mt_preload": "start loading the next song near the end for gapless playback\">preload", @@ -381,6 +382,7 @@ var tl_browser = { "mt_uncache": "clear cache  (try this if your browser cached$Na broken copy of a song so it refuses to play)\">uncache", "mt_mloop": "loop the open folder\">๐Ÿ” loop", "mt_mnext": "load the next folder and continue\">๐Ÿ“‚ next", + "mt_mstop": "stop playback\">โธ stop", "mt_cflac": "convert flac / wav to opus\">flac", "mt_caac": "convert aac / m4a to opus\">aac", "mt_coth": "convert all others (not mp3) to opus\">oth", From 895880aeb0be0813ddf732487596633f8f9fc3a6 Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 22:56:38 +0000 Subject: [PATCH 06/32] fix GHSA-9q4r-x2hj-jmvr ; this fixes a DOM-Based XSS when rendering multimedia metadata assuming the media-indexing option is enabled, a malicious media file could be uploaded to the server by a privileged user, executing arbitrary javascript on anyone visiting and viewing the directory the same vulnerability could also be triggered through an externally-hosted m3u file, by tricking a user into clicking a link to load and play this m3u file huge thanks to @altperfect for finding and reporting this! --- copyparty/web/browser.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index 51c19d2f..8820e3aa 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -7464,7 +7464,7 @@ var search_ui = (function () { nodes = ['-
' + links + '
', sz]; for (var b = 0; b < tagord.length; b++) { - var k = tagord[b], + var k = esc(tagord[b]), v = r.tags[k] || ""; if (k == ".dur") { @@ -7473,7 +7473,7 @@ var search_ui = (function () { continue; } - nodes.push(v); + nodes.push(esc('' + v)); } nodes = nodes.concat([ext, unix2iso(ts)]); @@ -8362,7 +8362,7 @@ var treectl = (function () { top + tn.href + '" id="' + id + '">' + hname + '', tn.sz]; for (var b = 0; b < res.taglist.length; b++) { - var k = res.taglist[b], + var k = esc(res.taglist[b]), v = (tn.tags || {})[k] || "", sv = null; @@ -8371,7 +8371,7 @@ var treectl = (function () { else if (k == ".up_at") sv = v ? unix2iso(v) : ""; else { - ln.push(v); + ln.push(esc('' + v)); continue; } ln[ln.length - 1] += '' + sv; From 2228f81f949bf05c943221381f46f1e66fb94c5e Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 22:59:16 +0000 Subject: [PATCH 07/32] block externally-hosted m3u files; pointless security risk; made GHSA-9q4r-x2hj-jmvr much worse --- copyparty/web/browser.js | 2 ++ copyparty/web/util.js | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index 8820e3aa..ce204757 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -6046,6 +6046,7 @@ var showfile = (function () { m = /[?&](k=[^&#]+)/.exec(url); url = url.split('?')[0] + (m ? '?' + m[1] : ''); + assert_vp(url); if (r.taildoc) return r.tail(url, no_push); @@ -7540,6 +7541,7 @@ function ev_load_m3u(e) { return false; } function load_m3u(url) { + assert_vp(url); var xhr = new XHR(); xhr.open('GET', url, true); xhr.onload = render_m3u; diff --git a/copyparty/web/util.js b/copyparty/web/util.js index e5c3ff07..b246e145 100644 --- a/copyparty/web/util.js +++ b/copyparty/web/util.js @@ -383,8 +383,10 @@ if (!String.prototype.format) }); }; +var have_URL = false; try { new URL('/a/', 'https://a.com/'); + have_URL = true; } catch (ex) { console.log('ie11 shim URL()'); @@ -732,6 +734,16 @@ function makeSortable(table, cb) { } +function assert_vp(path) { + if (path.indexOf('//') + 1) + throw 'nonlocal1: ' + path; + + var o = window.location.origin; + if (have_URL && (new URL(path, o)).origin != o) + throw 'nonlocal2: ' + path; +} + + function linksplit(rp, id) { var ret = [], apath = '/', From cdfceb483e43b4e12737be79971eb4494077cd96 Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 23:05:44 +0000 Subject: [PATCH 08/32] v1.18.5 --- copyparty/__version__.py | 4 ++-- docs/changelog.md | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/copyparty/__version__.py b/copyparty/__version__.py index f3957db7..43b182e8 100644 --- a/copyparty/__version__.py +++ b/copyparty/__version__.py @@ -1,8 +1,8 @@ # coding: utf-8 -VERSION = (1, 18, 4) +VERSION = (1, 18, 5) CODENAME = "logtail" -BUILD_DT = (2025, 7, 25) +BUILD_DT = (2025, 7, 28) S_VERSION = ".".join(map(str, VERSION)) S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT) diff --git a/docs/changelog.md b/docs/changelog.md index d59b2b95..175bc791 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -1,3 +1,21 @@ +โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€ +# 2025-0725-1841 `v1.18.4` Landmarks + +## ๐Ÿงช new features + +* #182 [Landmarks](https://github.com/9001/copyparty#database-location) edba7fff + * detects that a storage backend is glitching out and disengage the up2k-database as a precaution +* #183 quickdelete 21a96bcf + * new togglebutton `qdel` in the UI which reduces the number of deletion confirmations by one + * global-option `--qdel=0` which can bring it all the way to zero (good luck) + +## ๐Ÿฉน bugfixes + +* fix unpost in recently created shares 2d322dd4 +* fix filekeys on windows df6d4df4 + + + โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€ # 2025-0721-2307 `v1.18.3` drop the umask From cbdbaf193896dc83392f65f67a18744d898efd7e Mon Sep 17 00:00:00 2001 From: ed Date: Sun, 27 Jul 2025 23:38:32 +0000 Subject: [PATCH 09/32] update pkgs to 1.18.5 --- contrib/package/arch/PKGBUILD | 4 ++-- contrib/package/nix/copyparty/pin.json | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/contrib/package/arch/PKGBUILD b/contrib/package/arch/PKGBUILD index 76f38e9c..236fc0f8 100644 --- a/contrib/package/arch/PKGBUILD +++ b/contrib/package/arch/PKGBUILD @@ -1,6 +1,6 @@ # Maintainer: icxes pkgname=copyparty -pkgver="1.18.4" +pkgver="1.18.5" pkgrel=1 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++" arch=("any") @@ -22,7 +22,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag ) source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz") backup=("etc/${pkgname}.d/init" ) -sha256sums=("ce903db06d2f1889fd600e8f47e0514d4cce66d8d06f726a8db2ab56ba3c164f") +sha256sums=("30dd1bbb479187a44f3e44c8322856873c0022485237d457fadfeb5a6af51f7a") build() { cd "${srcdir}/${pkgname}-${pkgver}" diff --git a/contrib/package/nix/copyparty/pin.json b/contrib/package/nix/copyparty/pin.json index 64281889..fdfcacd8 100644 --- a/contrib/package/nix/copyparty/pin.json +++ b/contrib/package/nix/copyparty/pin.json @@ -1,5 +1,5 @@ { - "url": "https://github.com/9001/copyparty/releases/download/v1.18.4/copyparty-sfx.py", - "version": "1.18.4", - "hash": "sha256-rTX2yQne7i91vXJaUolLZYSjCNKVdQlvgv1x+N2UsDE=" + "url": "https://github.com/9001/copyparty/releases/download/v1.18.5/copyparty-sfx.py", + "version": "1.18.5", + "hash": "sha256-rEYjxJwzTzN+upo5UQ8hdYonQiNK1c+SfduS6M/QXw0=" } \ No newline at end of file From 7c9c962b79228a9438125a3b8290500812579304 Mon Sep 17 00:00:00 2001 From: Chinpo Nya Date: Mon, 28 Jul 2025 20:30:20 +0200 Subject: [PATCH 10/32] nix: add /etc/group to systemd sandbox allows specifying groups by name in the unix socket --- contrib/nixos/modules/copyparty.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/nixos/modules/copyparty.nix b/contrib/nixos/modules/copyparty.nix index 3725f8e4..2f13f07b 100644 --- a/contrib/nixos/modules/copyparty.nix +++ b/contrib/nixos/modules/copyparty.nix @@ -279,6 +279,7 @@ in { "/nix/store" "-/etc/resolv.conf" "-/etc/nsswitch.conf" + "-/etc/group" "-/etc/hosts" "-/etc/localtime" ] From 161bbc7d269a6417ca333e11044a14dc5211dca6 Mon Sep 17 00:00:00 2001 From: Toast <39011842+toast003@users.noreply.github.com> Date: Mon, 28 Jul 2025 21:14:26 +0200 Subject: [PATCH 11/32] connect-page: disable use real password button when there's no accounts --- copyparty/web/svcs.html | 2 +- copyparty/web/svcs.js | 28 +++++++++++++++------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/copyparty/web/svcs.html b/copyparty/web/svcs.html index 0c3ec858..c47d8403 100644 --- a/copyparty/web/svcs.html +++ b/copyparty/web/svcs.html @@ -36,7 +36,7 @@ {% if accs %}{{ pw }}=password, {% endif %}mp=mountpoint - use real password + {% if accs %}use real password{% endif %}

diff --git a/copyparty/web/svcs.js b/copyparty/web/svcs.js index 10513fd2..33eb5713 100644 --- a/copyparty/web/svcs.js +++ b/copyparty/web/svcs.js @@ -49,19 +49,21 @@ function setos(os) { setos(WINDOWS ? 'win' : LINUX ? 'lin' : MACOS ? 'mac' : 'idk'); -ebi('setpw').onclick = function (e) { - ev(e); - modal.prompt('password:', '', function (v) { - if (!v) - return; +pwbutton = ebi('setpw') +if (pwbutton != null) + pwbutton.onclick = function (e) { + ev(e); + modal.prompt('password:', '', function (v) { + if (!v) + return; - var pw0 = ebi('pw0').innerHTML, - oa = QSA('b'); + var pw0 = ebi('pw0').innerHTML, + oa = QSA('b'); - for (var a = 0; a < oa.length; a++) - if (oa[a].innerHTML == pw0) - oa[a].textContent = v; + for (var a = 0; a < oa.length; a++) + if (oa[a].innerHTML == pw0) + oa[a].textContent = v; - add_dls(); - }); -} + add_dls(); + }); + } From 510100c86b24cbb0a070e71f55027978e25b4277 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 19:31:37 +0000 Subject: [PATCH 12/32] Update svcs.js Signed-off-by: ed --- copyparty/web/svcs.js | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/copyparty/web/svcs.js b/copyparty/web/svcs.js index 33eb5713..dc9b07dc 100644 --- a/copyparty/web/svcs.js +++ b/copyparty/web/svcs.js @@ -49,21 +49,21 @@ function setos(os) { setos(WINDOWS ? 'win' : LINUX ? 'lin' : MACOS ? 'mac' : 'idk'); -pwbutton = ebi('setpw') -if (pwbutton != null) - pwbutton.onclick = function (e) { - ev(e); - modal.prompt('password:', '', function (v) { - if (!v) - return; +function setpw() { + ev(e); + modal.prompt('password:', '', function (v) { + if (!v) + return; - var pw0 = ebi('pw0').innerHTML, - oa = QSA('b'); - - for (var a = 0; a < oa.length; a++) - if (oa[a].innerHTML == pw0) - oa[a].textContent = v; + var pw0 = ebi('pw0').innerHTML, + oa = QSA('b'); + + for (var a = 0; a < oa.length; a++) + if (oa[a].innerHTML == pw0) + oa[a].textContent = v; - add_dls(); - }); - } + add_dls(); + }); +} +if (ebi('setpw')) + ebi('setpw').onclick = setpw; From a2601fd6ad45423544e457e9ab215c298f7ce138 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 17:15:19 +0000 Subject: [PATCH 13/32] chpw ratelimit --- copyparty/__main__.py | 1 + copyparty/httpcli.py | 1 + copyparty/httpsrv.py | 1 + copyparty/svchub.py | 1 + tests/util.py | 2 +- 5 files changed, 5 insertions(+), 1 deletion(-) diff --git a/copyparty/__main__.py b/copyparty/__main__.py index be5c3b98..c86f6c30 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -1336,6 +1336,7 @@ def add_safety(ap): ap2.add_argument("--no-robots", action="store_true", help="adds http and html headers asking search engines to not index anything (volflag=norobots)") ap2.add_argument("--logout", metavar="H", type=float, default=8086.0, help="logout clients after \033[33mH\033[0m hours of inactivity; [\033[32m0.0028\033[0m]=10sec, [\033[32m0.1\033[0m]=6min, [\033[32m24\033[0m]=day, [\033[32m168\033[0m]=week, [\033[32m720\033[0m]=month, [\033[32m8760\033[0m]=year)") ap2.add_argument("--ban-pw", metavar="N,W,B", type=u, default="9,60,1440", help="more than \033[33mN\033[0m wrong passwords in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; disable with [\033[32mno\033[0m]") + ap2.add_argument("--ban-pwc", metavar="N,W,B", type=u, default="5,60,1440", help="more than \033[33mN\033[0m password-changes in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; disable with [\033[32mno\033[0m]") ap2.add_argument("--ban-404", metavar="N,W,B", type=u, default="50,60,1440", help="hitting more than \033[33mN\033[0m 404's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; only affects users who cannot see directory listings because their access is either g/G/h") ap2.add_argument("--ban-403", metavar="N,W,B", type=u, default="9,2,1440", help="hitting more than \033[33mN\033[0m 403's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; [\033[32m1440\033[0m]=day, [\033[32m10080\033[0m]=week, [\033[32m43200\033[0m]=month") ap2.add_argument("--ban-422", metavar="N,W,B", type=u, default="9,2,1440", help="hitting more than \033[33mN\033[0m 422's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes (invalid requests, attempted exploits ++)") diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 9d12facb..02e56a22 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -2912,6 +2912,7 @@ class HttpCli(object): ok, msg = self.asrv.chpw(self.conn.hsrv.broker, self.uname, pwd) if ok: + self.cbonk(self.conn.hsrv.gpwc, pwd, "pw", "too many password changes") ok, msg = self.get_pwd_cookie(pwd) if ok: msg = "new password OK" diff --git a/copyparty/httpsrv.py b/copyparty/httpsrv.py index 2e5cc69e..56638003 100644 --- a/copyparty/httpsrv.py +++ b/copyparty/httpsrv.py @@ -123,6 +123,7 @@ class HttpSrv(object): self.nm = NetMap([], []) self.ssdp: Optional["SSDPr"] = None self.gpwd = Garda(self.args.ban_pw) + self.gpwc = Garda(self.args.ban_pwc) self.g404 = Garda(self.args.ban_404) self.g403 = Garda(self.args.ban_403) self.g422 = Garda(self.args.ban_422, False) diff --git a/copyparty/svchub.py b/copyparty/svchub.py index e7c293cc..751fd566 100644 --- a/copyparty/svchub.py +++ b/copyparty/svchub.py @@ -168,6 +168,7 @@ class SvcHub(object): # for non-http clients (ftp, tftp) self.bans: dict[str, int] = {} self.gpwd = Garda(self.args.ban_pw) + self.gpwc = Garda(self.args.ban_pwc) self.g404 = Garda(self.args.ban_404) self.g403 = Garda(self.args.ban_403) self.g422 = Garda(self.args.ban_422, False) diff --git a/tests/util.py b/tests/util.py index 147c3b64..1f732920 100644 --- a/tests/util.py +++ b/tests/util.py @@ -164,7 +164,7 @@ class Cfg(Namespace): ex = "ah_alg bname chmod_f chpw_db doctitle df exit favico idp_h_usr ipa html_head lg_sba lg_sbf log_fk md_sba md_sbf name og_desc og_site og_th og_title og_title_a og_title_v og_title_i shr tcolor textfiles unlist vname xff_src zipmaxt R RS SR" ka.update(**{k: "" for k in ex.split()}) - ex = "ban_403 ban_404 ban_422 ban_pw ban_url spinner" + ex = "ban_403 ban_404 ban_422 ban_pw ban_pwc ban_url spinner" ka.update(**{k: "no" for k in ex.split()}) ex = "ext_th grp on403 on404 xac xad xar xau xban xbc xbd xbr xbu xiu xm" From 674fc1fe08bad1f4431f39f76f47a353537c0a5e Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 17:28:51 +0000 Subject: [PATCH 14/32] make nginx example less confusing --- contrib/nginx/copyparty.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/nginx/copyparty.conf b/contrib/nginx/copyparty.conf index 3c59a6f5..121e52ab 100644 --- a/contrib/nginx/copyparty.conf +++ b/contrib/nginx/copyparty.conf @@ -85,13 +85,13 @@ server { proxy_buffer_size 16k; proxy_busy_buffers_size 24k; + proxy_set_header Connection "Keep-Alive"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # NOTE: with cloudflare you want this instead: - #proxy_set_header X-Forwarded-For $http_cf_connecting_ip; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Connection "Keep-Alive"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # NOTE: with cloudflare you want this X-Forwarded-For instead: + #proxy_set_header X-Forwarded-For $http_cf_connecting_ip; } } From df9feabcf8b8196a6f10e11311143e794e9c9975 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 19:41:03 +0000 Subject: [PATCH 15/32] add reflink-based dedup; closes #201 --- README.md | 7 ++++++- copyparty/__main__.py | 1 + copyparty/authsrv.py | 11 +++++++++++ copyparty/cfg.py | 2 ++ copyparty/up2k.py | 5 ++++- tests/util.py | 2 +- 6 files changed, 25 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 48c5f6fa..f106ef80 100644 --- a/README.md +++ b/README.md @@ -1439,12 +1439,17 @@ if you enable deduplication with `--dedup` then it'll create a symlink instead o **warning:** when enabling dedup, you should also: * enable indexing with `-e2dsa` or volflag `e2dsa` (see [file indexing](#file-indexing) section below); strongly recommended * ...and/or `--hardlink-only` to use hardlink-based deduplication instead of symlinks; see explanation below +* ...and/or `--reflink` to use CoW/reflink-based dedup (much safer than hardlink, but OS/FS-dependent) it will not be safe to rename/delete files if you only enable dedup and none of the above; if you enable indexing then it is not *necessary* to also do hardlinks (but you may still want to) by default, deduplication is done based on symlinks (symbolic links); these are tiny files which are pointers to the nearest full copy of the file -you can choose to use hardlinks instead of softlinks, globally with `--hardlink-only` or volflag `hardlinkonly`; +you can choose to use hardlinks instead of softlinks, globally with `--hardlink-only` or volflag `hardlinkonly`, and you can choose to use reflinks with `--reflink` or volflag `reflink` + +advantages of using reflinks (CoW, copy-on-write): +* entirely safe (when your filesystem supports it correctly); either file can be edited or deleted without affecting other copies +* only linux 5.3 or newer, only python 3.14 or newer, only some filesystems (btrfs probably ok, maybe xfs too, but zfs had bugs) advantages of using hardlinks: * hardlinks are more compatible with other software; they behave entirely like regular files diff --git a/copyparty/__main__.py b/copyparty/__main__.py index c86f6c30..8aef06df 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -1056,6 +1056,7 @@ def add_upload(ap): ap2.add_argument("--safe-dedup", metavar="N", type=int, default=50, help="how careful to be when deduplicating files; [\033[32m1\033[0m] = just verify the filesize, [\033[32m50\033[0m] = verify file contents have not been altered (volflag=safededup)") ap2.add_argument("--hardlink", action="store_true", help="enable hardlink-based dedup; will fallback on symlinks when that is impossible (across filesystems) (volflag=hardlink)") ap2.add_argument("--hardlink-only", action="store_true", help="do not fallback to symlinks when a hardlink cannot be made (volflag=hardlinkonly)") + ap2.add_argument("--reflink", action="store_true", help="enable reflink-based dedup; will fallback on full copies when that is impossible (non-CoW filesystem) (volflag=reflink)") ap2.add_argument("--no-dupe", action="store_true", help="reject duplicate files during upload; only matches within the same volume (volflag=nodupe)") ap2.add_argument("--no-clone", action="store_true", help="do not use existing data on disk to satisfy dupe uploads; reduces server HDD reads in exchange for much more network load (volflag=noclone)") ap2.add_argument("--no-snap", action="store_true", help="disable snapshots -- forget unfinished uploads on shutdown; don't create .hist/up2k.snap files -- abandoned/interrupted uploads must be cleaned up manually") diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py index 7feedc64..bdc65640 100644 --- a/copyparty/authsrv.py +++ b/copyparty/authsrv.py @@ -2124,6 +2124,7 @@ class AuthSrv(object): all_mte = {} errors = False free_umask = False + have_reflink = False for vol in vfs.all_nodes.values(): if (self.args.e2ds and vol.axs.uwrite) or self.args.e2dsa: vol.flags["e2ds"] = True @@ -2207,6 +2208,9 @@ class AuthSrv(object): if "unlistcr" in vol.flags or "unlistcw" in vol.flags: self.args.have_unlistc = True + if "reflink" in vol.flags: + have_reflink = True + zs = str(vol.flags.get("tcolor", "")).lstrip("#") if len(zs) == 3: # fc5 => ffcc55 vol.flags["tcolor"] = "".join([x * 2 for x in zs]) @@ -2571,6 +2575,13 @@ class AuthSrv(object): t = "WARNING! The following IdP volumes are mounted below another volume where other users can read and/or write files. This is a SECURITY HAZARD!! When copyparty is restarted, it will not know about these IdP volumes yet. These volumes will then be accessible by an unexpected set of permissions UNTIL one of the users associated with their volume sends a request to the server. RECOMMENDATION: You should create a restricted volume where nobody can read/write files, and make sure that all IdP volumes are configured to appear somewhere below that volume." self.log(t + "".join(self.idp_err), 1) + if have_reflink: + t = "WARNING: Reflink-based dedup was requested, but %s. This will not work; files will be full copies instead." + if sys.version_info < (3, 14): + self.log(t % "your python version is not new enough", 1) + if not sys.platform.startswith("linux"): + self.log(t % "your OS is not Linux", 1) + self.vfs = vfs self.acct = acct self.defpw = defpw diff --git a/copyparty/cfg.py b/copyparty/cfg.py index 640259ed..cee8214b 100644 --- a/copyparty/cfg.py +++ b/copyparty/cfg.py @@ -52,6 +52,7 @@ def vf_bmap() -> dict[str, str]: "og_no_head", "og_s_title", "rand", + "reflink", "rmagic", "rss", "wo_up_readme", @@ -168,6 +169,7 @@ flagcats = { "dedup": "enable symlink-based file deduplication", "hardlink": "enable hardlink-based file deduplication,\nwith fallback on symlinks when that is impossible", "hardlinkonly": "dedup with hardlink only, never symlink;\nmake a full copy if hardlink is impossible", + "reflink": "enable reflink-based file deduplication,\nwith fallback on full copy when that is impossible", "safededup": "verify on-disk data before using it for dedup", "noclone": "take dupe data from clients, even if available on HDD", "nodupe": "rejects existing files (instead of linking/cloning them)", diff --git a/copyparty/up2k.py b/copyparty/up2k.py index 42b44f79..907347f5 100644 --- a/copyparty/up2k.py +++ b/copyparty/up2k.py @@ -3476,6 +3476,8 @@ class Up2k(object): linked = False try: + if "reflink" in flags: + raise Exception("reflink") if not is_mv and not flags.get("dedup"): raise Exception("dedup is disabled in config") @@ -3532,7 +3534,8 @@ class Up2k(object): linked = True except Exception as ex: - self.log("cannot link; creating copy: " + repr(ex)) + if str(ex) != "reflink": + self.log("cannot link; creating copy: " + repr(ex)) if bos.path.isfile(src): csrc = src elif fsrc and bos.path.isfile(fsrc): diff --git a/tests/util.py b/tests/util.py index 1f732920..17c1d06d 100644 --- a/tests/util.py +++ b/tests/util.py @@ -143,7 +143,7 @@ class Cfg(Namespace): def __init__(self, a=None, v=None, c=None, **ka0): ka = {} - ex = "chpw cookie_lax daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs" + ex = "chpw cookie_lax daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz reflink rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs" ka.update(**{k: False for k in ex.split()}) ex = "dav_inf dedup dotpart dotsrch hook_v no_dhash no_fastboot no_fpool no_htp no_rescan no_sendfile no_ses no_snap no_up_list no_voldump re_dhash see_dots plain_ip" From 5b98e104f28e5f61155e661050340bccf4585832 Mon Sep 17 00:00:00 2001 From: ptweezy Date: Sun, 27 Jul 2025 16:21:34 -0400 Subject: [PATCH 16/32] Update docker-compose.yml The version attribute is deprecated, resolves error "the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion" when building with Docker Signed-off-by: ptweezy --- docs/examples/docker/basic-docker-compose/docker-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/examples/docker/basic-docker-compose/docker-compose.yml b/docs/examples/docker/basic-docker-compose/docker-compose.yml index ba5e74d8..cfac59b6 100644 --- a/docs/examples/docker/basic-docker-compose/docker-compose.yml +++ b/docs/examples/docker/basic-docker-compose/docker-compose.yml @@ -1,4 +1,3 @@ -version: '3' services: copyparty: From cb019afecf46bad03dac47487689be30a94f63de Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 20:29:40 +0000 Subject: [PATCH 17/32] standardize on /dev/shm/party.sock; closes #229 --- README.md | 2 +- copyparty/__main__.py | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index f106ef80..eee9ec9c 100644 --- a/README.md +++ b/README.md @@ -2027,7 +2027,7 @@ some reverse proxies (such as [Caddy](https://caddyserver.com/)) can automatical * **warning:** nginx-QUIC (HTTP/3) is still experimental and can make uploads much slower, so HTTP/1.1 is recommended for now * depending on server/client, HTTP/1.1 can also be 5x faster than HTTP/2 -for improved security (and a 10% performance boost) consider listening on a unix-socket with `-i unix:770:www:/tmp/party.sock` (permission `770` means only members of group `www` can access it) +for improved security (and a 10% performance boost) consider listening on a unix-socket with `-i unix:770:www:/dev/shm/party.sock` (permission `770` means only members of group `www` can access it) example webserver / reverse-proxy configs: diff --git a/copyparty/__main__.py b/copyparty/__main__.py index 8aef06df..03e01883 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -547,14 +547,15 @@ def get_sects(): when running behind a reverse-proxy, it's recommended to use unix-sockets for improved performance and security; - \033[32m-i unix:770:www:\033[33m/tmp/a.sock\033[0m listens on \033[33m/tmp/a.sock\033[0m with - permissions \033[33m0770\033[0m; only accessible to members of the \033[33mwww\033[0m - group. This is the best approach. Alternatively, + \033[32m-i unix:770:www:\033[33m/dev/shm/party.sock\033[0m listens on + \033[33m/dev/shm/party.sock\033[0m with permissions \033[33m0770\033[0m; + only accessible to members of the \033[33mwww\033[0m group. + This is the best approach. Alternatively, - \033[32m-i unix:777:\033[33m/tmp/a.sock\033[0m sets perms \033[33m0777\033[0m so anyone can - access it; bad unless it's inside a restricted folder + \033[32m-i unix:777:\033[33m/dev/shm/party.sock\033[0m sets perms \033[33m0777\033[0m so anyone + can access it; bad unless it's inside a restricted folder - \033[32m-i unix:\033[33m/tmp/a.sock\033[0m keeps umask-defined permissions + \033[32m-i unix:\033[33m/dev/shm/party.sock\033[0m keeps umask-defined permission (usually \033[33m0600\033[0m) and the same user/group as copyparty \033[33m-p\033[0m (tcp ports) is ignored for unix sockets From 03d23daecbf78694d4bcf55b8572563d00eb73bb Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 20:43:34 +0000 Subject: [PATCH 18/32] improve chmod helptext --- copyparty/__main__.py | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/copyparty/__main__.py b/copyparty/__main__.py index 03e01883..dcfa2138 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -873,31 +873,31 @@ def get_sects(): similarly, \033[33m--chmod-d\033[0m and \033[33mchmod_d\033[0m sets the directory/folder perm - the value is a three-digit octal number such as 755, 750, 644, etc. + the value is a three-digit octal number such as \033[32m755\033[0m, \033[32m750\033[0m, \033[32m644\033[0m, etc. first digit = "User"; permission for the unix-user second digit = "Group"; permission for the unix-group third digit = "Other"; permission for all other users/groups for files: - 0 = --- = no access - 1 = --x = can execute the file as a program - 2 = -w- = can write - 3 = -wx = can write and execute - 4 = r-- = can read - 5 = r-x = can read and execute - 6 = rw- = can read and write - 7 = rwx = can read, write, execute + \033[32m0\033[0m = \033[35m---\033[0m = no access + \033[32m1\033[0m = \033[35m--x\033[0m = can execute the file as a program + \033[32m2\033[0m = \033[35m-w-\033[0m = can write + \033[32m3\033[0m = \033[35m-wx\033[0m = can write and execute + \033[32m4\033[0m = \033[35mr--\033[0m = can read + \033[32m5\033[0m = \033[35mr-x\033[0m = can read and execute + \033[32m6\033[0m = \033[35mrw-\033[0m = can read and write + \033[32m7\033[0m = \033[35mrwx\033[0m = can read, write, execute for directories/folders: - 0 = --- = no access - 1 = --x = can read files in folder but not list contents - 2 = -w- = n/a - 3 = -wx = can create files but not list - 4 = r-- = can list, but not read/write - 5 = r-x = can list and read files - 6 = rw- = n/a - 7 = rwx = can read, write, list + \033[32m0\033[0m = \033[35m---\033[0m = no access + \033[32m1\033[0m = \033[35m--x\033[0m = can read files in folder but not list contents + \033[32m2\033[0m = \033[35m-w-\033[0m = n/a + \033[32m3\033[0m = \033[35m-wx\033[0m = can create files but not list + \033[32m4\033[0m = \033[35mr--\033[0m = can list, but not read/write + \033[32m5\033[0m = \033[35mr-x\033[0m = can list and read files + \033[32m6\033[0m = \033[35mrw-\033[0m = n/a + \033[32m7\033[0m = \033[35mrwx\033[0m = can read, write, list """ ), ], From 542a1de1baf228742a91b0c8546e10e78f46ff60 Mon Sep 17 00:00:00 2001 From: AppleTheGolden Date: Mon, 28 Jul 2025 23:42:23 +0200 Subject: [PATCH 19/32] cbz thumbnails: sort alphabetically Comic readers will sort alphabetically, but that isn't always the order in which the files are stored in the zip. --- copyparty/mtag.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/copyparty/mtag.py b/copyparty/mtag.py index a972ef33..cacfda39 100644 --- a/copyparty/mtag.py +++ b/copyparty/mtag.py @@ -166,12 +166,13 @@ def au_unpk( znil = [x for x in znil if "cover" in x[0]] or znil znil = [x for x in znil if CBZ_01.search(x[0])] or znil t = "cbz: %d files, %d hits" % (nf, len(znil)) + using = sorted(znil)[0][1].filename if znil: - t += ", using " + znil[0][1].filename + t += ", using " + using log(t) if not znil: raise Exception("no images inside cbz") - fi = zf.open(znil[0][1]) + fi = zf.open(using) else: raise Exception("unknown compression %s" % (pk,)) From 43e6da3454c0d5207ce3e27a5c919d487c001d40 Mon Sep 17 00:00:00 2001 From: Adam <134429563+RustoMCSpit@users.noreply.github.com> Date: Mon, 28 Jul 2025 23:19:01 +0100 Subject: [PATCH 20/32] add demo video link (#190) * add feature showcase video Signed-off-by: Adam <134429563+RustoMCSpit@users.noreply.github.com> * add youtube link too Signed-off-by: ed --------- Signed-off-by: Adam <134429563+RustoMCSpit@users.noreply.github.com> Signed-off-by: ed Co-authored-by: ed --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eee9ec9c..50f944af 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ turn almost any device into a file server with resumable uploads/downloads using ๐Ÿ“ท **screenshots:** [browser](#the-browser) // [upload](#uploading) // [unpost](#unpost) // [thumbnails](#thumbnails) // [search](#searching) // [fsearch](#file-search) // [zip-DL](#zip-downloads) // [md-viewer](#markdown-viewer) -๐ŸŽฌ **videos:** [upload](https://a.ocv.me/pub/demo/pics-vids/up2k.webm) // [cli-upload](https://a.ocv.me/pub/demo/pics-vids/u2cli.webm) // [race-the-beam](https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-beam.webm) +๐ŸŽฌ **videos:** [upload](https://a.ocv.me/pub/demo/pics-vids/up2k.webm) // [cli-upload](https://a.ocv.me/pub/demo/pics-vids/u2cli.webm) // [race-the-beam](https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-beam.webm) // ๐Ÿ‘‰ **[feature-showcase](https://a.ocv.me/pub/demo/showcase-hq.mp4)** ([youtube](https://www.youtube.com/watch?v=15_-hgsX2V0)) made in Norway ๐Ÿ‡ณ๐Ÿ‡ด From a9d1310296dc053998e8a67ef46f7445e20137e0 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 22:20:50 +0000 Subject: [PATCH 21/32] wait lol --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 50f944af..c6f766f6 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ turn almost any device into a file server with resumable uploads/downloads using ๐Ÿ“ท **screenshots:** [browser](#the-browser) // [upload](#uploading) // [unpost](#unpost) // [thumbnails](#thumbnails) // [search](#searching) // [fsearch](#file-search) // [zip-DL](#zip-downloads) // [md-viewer](#markdown-viewer) -๐ŸŽฌ **videos:** [upload](https://a.ocv.me/pub/demo/pics-vids/up2k.webm) // [cli-upload](https://a.ocv.me/pub/demo/pics-vids/u2cli.webm) // [race-the-beam](https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-beam.webm) // ๐Ÿ‘‰ **[feature-showcase](https://a.ocv.me/pub/demo/showcase-hq.mp4)** ([youtube](https://www.youtube.com/watch?v=15_-hgsX2V0)) +๐ŸŽฌ **videos:** [upload](https://a.ocv.me/pub/demo/pics-vids/up2k.webm) // [cli-upload](https://a.ocv.me/pub/demo/pics-vids/u2cli.webm) // [race-the-beam](https://a.ocv.me/pub/g/nerd-stuff/cpp/2024-0418-race-the-beam.webm) // ๐Ÿ‘‰ **[feature-showcase](https://a.ocv.me/pub/demo/showcase-hq.webm)** ([youtube](https://www.youtube.com/watch?v=15_-hgsX2V0)) made in Norway ๐Ÿ‡ณ๐Ÿ‡ด From 4f013f64feed984ead7508fd36ef2dd10acd762a Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 22:24:14 +0000 Subject: [PATCH 22/32] fix helptext typo; closes #244 --- copyparty/__main__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/copyparty/__main__.py b/copyparty/__main__.py index dcfa2138..f6c20b8c 100644 --- a/copyparty/__main__.py +++ b/copyparty/__main__.py @@ -1569,7 +1569,7 @@ def add_ui(ap, retry): ap2.add_argument("--txt-max", metavar="KiB", type=int, default=64, help="max size of embedded textfiles on ?doc= (anything bigger will be lazy-loaded by JS)") ap2.add_argument("--doctitle", metavar="TXT", type=u, default="copyparty @ --name", help="title / service-name to show in html documents") ap2.add_argument("--bname", metavar="TXT", type=u, default="--name", help="server name (displayed in filebrowser document title)") - ap2.add_argument("--pb-url", metavar="URL", type=u, default=URL_PRJ, help="powered-by link; disable with \033[33m-np\033[0m") + ap2.add_argument("--pb-url", metavar="URL", type=u, default=URL_PRJ, help="powered-by link; disable with \033[33m-nb\033[0m") ap2.add_argument("--ver", action="store_true", help="show version on the control panel (incompatible with \033[33m-nb\033[0m)") ap2.add_argument("--k304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable k304 on the controlpanel (workaround for buggy reverse-proxies); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on") ap2.add_argument("--no304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable no304 on the controlpanel (workaround for buggy caching in browsers); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on") From 4adbe1b517bc9c664e71589f0336b5efda5784a9 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 22:36:05 +0000 Subject: [PATCH 23/32] readme: fedora package is happening --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c6f766f6..05661ed4 100644 --- a/README.md +++ b/README.md @@ -2248,7 +2248,7 @@ NOTE: there used to be an aur package; this evaporated when copyparty was adopte ## fedora package -does not exist yet; using the [copr-pypi](https://copr.fedorainfracloud.org/coprs/g/copr/PyPI/) builds is **NOT recommended** because updates can be delayed by [several months](https://github.com/fedora-copr/copr/issues/3056) +does not exist yet; there are rumours that it is being packaged! keep an eye on this space... ## nix package From 0f2c623599b17d030d2eb853e80707ecefb14aea Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 23:08:41 +0000 Subject: [PATCH 24/32] nosub should prevent mkdir --- copyparty/httpcli.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 02e56a22..2976a7c1 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -3026,6 +3026,9 @@ class HttpCli(object): self.gctx = vpath vpath = undot(vpath) vfs, rem = self.asrv.vfs.get(vpath, self.uname, False, True) + if "nosub" in vfs.flags: + raise Pebkac(403, "mkdir is forbidden below this folder") + rem = sanitize_vpath(rem, "/") fn = vfs.canonical(rem) From cd40adccdb496a87da53b822c1ad9d46405ad443 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 23:20:07 +0000 Subject: [PATCH 25/32] v1.18.6 --- copyparty/__version__.py | 2 +- copyparty/web/svcs.js | 2 +- docs/changelog.md | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 2 deletions(-) diff --git a/copyparty/__version__.py b/copyparty/__version__.py index 43b182e8..3cbb3b4a 100644 --- a/copyparty/__version__.py +++ b/copyparty/__version__.py @@ -1,6 +1,6 @@ # coding: utf-8 -VERSION = (1, 18, 5) +VERSION = (1, 18, 6) CODENAME = "logtail" BUILD_DT = (2025, 7, 28) diff --git a/copyparty/web/svcs.js b/copyparty/web/svcs.js index dc9b07dc..0de94523 100644 --- a/copyparty/web/svcs.js +++ b/copyparty/web/svcs.js @@ -49,7 +49,7 @@ function setos(os) { setos(WINDOWS ? 'win' : LINUX ? 'lin' : MACOS ? 'mac' : 'idk'); -function setpw() { +function setpw(e) { ev(e); modal.prompt('password:', '', function (v) { if (!v) diff --git a/docs/changelog.md b/docs/changelog.md index 175bc791..7a9571f1 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -1,3 +1,39 @@ +โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€ +# 2025-0727-2305 `v1.18.5` SECURITY: fix XSS in media tags + +## โš ๏ธ ATTN: this release fixes an XSS vulnerability + +[GHSA-9q4r-x2hj-jmvr](https://github.com/9001/copyparty/security/advisories/GHSA-9q4r-x2hj-jmvr), exploitable in two different ways, could let an attacker execute arbitrary javascript on other users: +* either: tricking someone into clicking a malicious URL to load and execute javascript +* or: uploading a malicious audio file to the server, affecting any successive visitors + +so, with new and curious eyes on the project, we are starting off with a bang. Huge thanks to @altperfect for finding and reporting this earlier today. + +## recent important news + +* [v1.18.5 (2025-07-28)](https://github.com/9001/copyparty/releases/tag/v1.18.5) fixed XSS in display of media tags +* [v1.15.0 (2024-09-08)](https://github.com/9001/copyparty/releases/tag/v1.15.0) changed upload deduplication to be default-disabled +* [v1.14.3 (2024-08-30)](https://github.com/9001/copyparty/releases/tag/v1.14.3) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to **data loss** -- see the v1.14.3 release-notes for details + +## ๐Ÿงช new features + +* #214 option to stop playback after one song, and/or at end of folder 6bb27e60 + +## ๐Ÿฉน bugfixes + +* GHSA-9q4r-x2hj-jmvr 895880ae +* block external m3u files 2228f81f +* #202 the connect-page could show IP-address when it should have used hostnames/domains b0dec83a +* scrolling locked after tailing a file and closing it creatively d197e754 + +## ๐Ÿ”ง other changes + +* #189 the `SameSite` cookie parameter now defaults to `Strict`, increasing CSRF protection ca6d0b8d + * new option `--cookie-lax` reverts to previous value `Lax` +* docker: add FTPS support b4199847 + + + โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€โ–€ # 2025-0725-1841 `v1.18.4` Landmarks From 735d9f9391270ebc5c69ea3bf0290bc94992bf11 Mon Sep 17 00:00:00 2001 From: ed Date: Mon, 28 Jul 2025 23:45:26 +0000 Subject: [PATCH 26/32] update pkgs to 1.18.6 --- contrib/package/arch/PKGBUILD | 4 ++-- contrib/package/nix/copyparty/pin.json | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/contrib/package/arch/PKGBUILD b/contrib/package/arch/PKGBUILD index 236fc0f8..959a9821 100644 --- a/contrib/package/arch/PKGBUILD +++ b/contrib/package/arch/PKGBUILD @@ -1,6 +1,6 @@ # Maintainer: icxes pkgname=copyparty -pkgver="1.18.5" +pkgver="1.18.6" pkgrel=1 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++" arch=("any") @@ -22,7 +22,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag ) source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz") backup=("etc/${pkgname}.d/init" ) -sha256sums=("30dd1bbb479187a44f3e44c8322856873c0022485237d457fadfeb5a6af51f7a") +sha256sums=("80762d91ac88815e73d0ca2806c6391dcf8ccd521bc402cc312349f3bc8e8b28") build() { cd "${srcdir}/${pkgname}-${pkgver}" diff --git a/contrib/package/nix/copyparty/pin.json b/contrib/package/nix/copyparty/pin.json index fdfcacd8..eae921c7 100644 --- a/contrib/package/nix/copyparty/pin.json +++ b/contrib/package/nix/copyparty/pin.json @@ -1,5 +1,5 @@ { - "url": "https://github.com/9001/copyparty/releases/download/v1.18.5/copyparty-sfx.py", - "version": "1.18.5", - "hash": "sha256-rEYjxJwzTzN+upo5UQ8hdYonQiNK1c+SfduS6M/QXw0=" + "url": "https://github.com/9001/copyparty/releases/download/v1.18.6/copyparty-sfx.py", + "version": "1.18.6", + "hash": "sha256-No89mzKHHZZH19ws9dqfvQO0pnZw7jKDMGhNa4LOFlY=" } \ No newline at end of file From 4915b14be191bca9a91f942073650fee27b3231b Mon Sep 17 00:00:00 2001 From: Tom van Dijk <18gatenmaker6@gmail.com> Date: Tue, 29 Jul 2025 00:16:30 +0000 Subject: [PATCH 27/32] various improvements to the nix files (#228) * nix: allow passing extra packages in PATH * nix: allow passing extra python packages I wanted to use https://github.com/9001/copyparty/blob/hovudstraum/bin/hooks/notify.py but that wasn't really possible without this under the nix package. * nix: format all nix files with nixfmt * nix: reduce redundancy in the package For readability * nix: remove unused pyftpdlib import * nix: put makeWrapper into the correct inputs * nix: fill out all of meta * nix: set formatter in flake for nix files This allows contributors to format their nix changes with the `nix fmt` command. * nix: add u2c * nix: add partyfuse One downside of the way the nix ecosystem works is that MacFUSE needs to be installed manually. Luckily the script tells you that already! * nix: add missing cfssl import * nix: add flake check that makes sure it builds with all flags Because sometimes an import might be missing, and if it is an optional then you'll only figure out that it's broken if you set the flag. * nix: use correct overlay argument names Or `nix flake check` will refuse to run the copyparty-full check --- contrib/nixos/modules/copyparty.nix | 397 +++++++++++----------- contrib/package/nix/copyparty/default.nix | 108 ++++-- contrib/package/nix/partyfuse/default.nix | 26 ++ contrib/package/nix/u2c/default.nix | 24 ++ flake.nix | 55 ++- 5 files changed, 373 insertions(+), 237 deletions(-) create mode 100644 contrib/package/nix/partyfuse/default.nix create mode 100644 contrib/package/nix/u2c/default.nix diff --git a/contrib/nixos/modules/copyparty.nix b/contrib/nixos/modules/copyparty.nix index 2f13f07b..cd4fef40 100644 --- a/contrib/nixos/modules/copyparty.nix +++ b/contrib/nixos/modules/copyparty.nix @@ -4,28 +4,31 @@ lib, ... }: -with lib; let - mkKeyValue = key: value: - if value == true - then +with lib; +let + mkKeyValue = + key: value: + if value == true then # sets with a true boolean value are coerced to just the key name key - else if value == false - then + else if value == false then # or omitted completely when false "" - else (generators.mkKeyValueDefault {inherit mkValueString;} ": " key value); + else + (generators.mkKeyValueDefault { inherit mkValueString; } ": " key value); - mkAttrsString = value: (generators.toKeyValue {inherit mkKeyValue;} value); + mkAttrsString = value: (generators.toKeyValue { inherit mkKeyValue; } value); - mkValueString = value: - if isList value - then (concatStringsSep ", " (map mkValueString value)) - else if isAttrs value - then "\n" + (mkAttrsString value) - else (generators.mkValueStringDefault {} value); + mkValueString = + value: + if isList value then + (concatStringsSep ", " (map mkValueString value)) + else if isAttrs value then + "\n" + (mkAttrsString value) + else + (generators.mkValueStringDefault { } value); - mkSectionName = value: "[" + (escape ["[" "]"] value) + "]"; + mkSectionName = value: "[" + (escape [ "[" "]" ] value) + "]"; mkSection = name: attrs: '' ${mkSectionName name} @@ -57,7 +60,8 @@ with lib; let externalCacheDir = "/var/cache/copyparty"; externalStateDir = "/var/lib/copyparty"; defaultShareDir = "${externalStateDir}/data"; -in { +in +{ options.services.copyparty = { enable = mkEnableOption "web-based file manager"; @@ -128,22 +132,27 @@ in { }; accounts = mkOption { - type = types.attrsOf (types.submodule ({...}: { - options = { - passwordFile = mkOption { - type = types.str; - description = '' - Runtime file path to a file containing the user password. - Must be readable by the copyparty user. - ''; - example = "/run/keys/copyparty/ed"; - }; - }; - })); + type = types.attrsOf ( + types.submodule ( + { ... }: + { + options = { + passwordFile = mkOption { + type = types.str; + description = '' + Runtime file path to a file containing the user password. + Must be readable by the copyparty user. + ''; + example = "/run/keys/copyparty/ed"; + }; + }; + } + ) + ); description = '' A set of copyparty accounts to create. ''; - default = {}; + default = { }; example = literalExpression '' { ed.passwordFile = "/run/keys/copyparty/ed"; @@ -152,74 +161,81 @@ in { }; volumes = mkOption { - type = types.attrsOf (types.submodule ({...}: { - options = { - path = mkOption { - type = types.path; - description = '' - Path of a directory to share. - ''; - }; - access = mkOption { - type = types.attrs; - description = '' - Attribute list of permissions and the users to apply them to. - - The key must be a string containing any combination of allowed permission: - "r" (read): list folder contents, download files - "w" (write): upload files; need "r" to see the uploads - "m" (move): move files and folders; need "w" at destination - "d" (delete): permanently delete files and folders - "g" (get): download files, but cannot see folder contents - "G" (upget): "get", but can see filekeys of their own uploads - "h" (html): "get", but folders return their index.html - "a" (admin): can see uploader IPs, config-reload - - For example: "rwmd" - - The value must be one of: - an account name, defined in `accounts` - a list of account names - "*", which means "any account" - ''; - example = literalExpression '' - { - # wG = write-upget = see your own uploads only - wG = "*"; - # read-write-modify-delete for users "ed" and "k" - rwmd = ["ed" "k"]; + type = types.attrsOf ( + types.submodule ( + { ... }: + { + options = { + path = mkOption { + type = types.path; + description = '' + Path of a directory to share. + ''; }; - ''; - }; - flags = mkOption { - type = types.attrs; - description = '' - Attribute list of volume flags to apply. - See `${getExe cfg.package} --help-flags` for more details. - ''; - example = literalExpression '' - { - # "fk" enables filekeys (necessary for upget permission) (4 chars long) - fk = 4; - # scan for new files every 60sec - scan = 60; - # volflag "e2d" enables the uploads database - e2d = true; - # "d2t" disables multimedia parsers (in case the uploads are malicious) - d2t = true; - # skips hashing file contents if path matches *.iso - nohash = "\.iso$"; + access = mkOption { + type = types.attrs; + description = '' + Attribute list of permissions and the users to apply them to. + + The key must be a string containing any combination of allowed permission: + "r" (read): list folder contents, download files + "w" (write): upload files; need "r" to see the uploads + "m" (move): move files and folders; need "w" at destination + "d" (delete): permanently delete files and folders + "g" (get): download files, but cannot see folder contents + "G" (upget): "get", but can see filekeys of their own uploads + "h" (html): "get", but folders return their index.html + "a" (admin): can see uploader IPs, config-reload + + For example: "rwmd" + + The value must be one of: + an account name, defined in `accounts` + a list of account names + "*", which means "any account" + ''; + example = literalExpression '' + { + # wG = write-upget = see your own uploads only + wG = "*"; + # read-write-modify-delete for users "ed" and "k" + rwmd = ["ed" "k"]; + }; + ''; }; - ''; - default = {}; - }; - }; - })); + flags = mkOption { + type = types.attrs; + description = '' + Attribute list of volume flags to apply. + See `${getExe cfg.package} --help-flags` for more details. + ''; + example = literalExpression '' + { + # "fk" enables filekeys (necessary for upget permission) (4 chars long) + fk = 4; + # scan for new files every 60sec + scan = 60; + # volflag "e2d" enables the uploads database + e2d = true; + # "d2t" disables multimedia parsers (in case the uploads are malicious) + d2t = true; + # skips hashing file contents if path matches *.iso + nohash = "\.iso$"; + }; + ''; + default = { }; + }; + }; + } + ) + ); description = "A set of copyparty volumes to create"; default = { "/" = { path = defaultShareDir; - access = {r = "*";}; + access = { + r = "*"; + }; }; }; example = literalExpression '' @@ -238,93 +254,90 @@ in { }; }; - config = mkIf cfg.enable (let - command = "${getExe cfg.package} -c ${runtimeConfigPath}"; - in { - systemd.services.copyparty = { - description = "http file sharing hub"; - wantedBy = ["multi-user.target"]; + config = mkIf cfg.enable ( + let + command = "${getExe cfg.package} -c ${runtimeConfigPath}"; + in + { + systemd.services.copyparty = { + description = "http file sharing hub"; + wantedBy = [ "multi-user.target" ]; - environment = { - PYTHONUNBUFFERED = "true"; - XDG_CONFIG_HOME = externalStateDir; - }; + environment = { + PYTHONUNBUFFERED = "true"; + XDG_CONFIG_HOME = externalStateDir; + }; - preStart = let - replaceSecretCommand = name: attrs: "${getExe pkgs.replace-secret} '${ - passwordPlaceholder name - }' '${attrs.passwordFile}' ${runtimeConfigPath}"; - in '' - set -euo pipefail - install -m 600 ${configFile} ${runtimeConfigPath} - ${concatStringsSep "\n" - (mapAttrsToList replaceSecretCommand cfg.accounts)} - ''; + preStart = + let + replaceSecretCommand = + name: attrs: + "${getExe pkgs.replace-secret} '${passwordPlaceholder name}' '${attrs.passwordFile}' ${runtimeConfigPath}"; + in + '' + set -euo pipefail + install -m 600 ${configFile} ${runtimeConfigPath} + ${concatStringsSep "\n" (mapAttrsToList replaceSecretCommand cfg.accounts)} + ''; - serviceConfig = { - Type = "simple"; - ExecStart = command; - # Hardening options - User = cfg.user; - Group = cfg.group; - RuntimeDirectory = ["copyparty"]; - RuntimeDirectoryMode = "0700"; - StateDirectory = ["copyparty"]; - StateDirectoryMode = "0700"; - CacheDirectory = lib.mkIf (cfg.settings ? hist) ["copyparty"]; - CacheDirectoryMode = lib.mkIf (cfg.settings ? hist) "0700"; - WorkingDirectory = externalStateDir; - BindReadOnlyPaths = - [ + serviceConfig = { + Type = "simple"; + ExecStart = command; + # Hardening options + User = cfg.user; + Group = cfg.group; + RuntimeDirectory = [ "copyparty" ]; + RuntimeDirectoryMode = "0700"; + StateDirectory = [ "copyparty" ]; + StateDirectoryMode = "0700"; + CacheDirectory = lib.mkIf (cfg.settings ? hist) [ "copyparty" ]; + CacheDirectoryMode = lib.mkIf (cfg.settings ? hist) "0700"; + WorkingDirectory = externalStateDir; + BindReadOnlyPaths = [ "/nix/store" "-/etc/resolv.conf" "-/etc/nsswitch.conf" "-/etc/group" "-/etc/hosts" "-/etc/localtime" - ] - ++ (mapAttrsToList (k: v: "-${v.passwordFile}") cfg.accounts); - BindPaths = - ( - if cfg.settings ? hist - then [cfg.settings.hist] - else [] - ) - ++ [externalStateDir] - ++ (mapAttrsToList (k: v: v.path) cfg.volumes); - # ProtectSystem = "strict"; - # Note that unlike what 'ro' implies, - # this actually makes it impossible to read anything in the root FS, - # except for things explicitly mounted via `RuntimeDirectory`, `StateDirectory`, `CacheDirectory`, and `BindReadOnlyPaths`. - # This is because TemporaryFileSystem creates a *new* *empty* filesystem for the process, so only bindmounts are visible. - TemporaryFileSystem = "/:ro"; - PrivateTmp = true; - PrivateDevices = true; - ProtectKernelTunables = true; - ProtectControlGroups = true; - RestrictSUIDSGID = true; - PrivateMounts = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectHostname = true; - ProtectClock = true; - ProtectProc = "invisible"; - ProcSubset = "pid"; - RestrictNamespaces = true; - RemoveIPC = true; - UMask = "0077"; - LimitNOFILE = cfg.openFilesLimit; - NoNewPrivileges = true; - LockPersonality = true; - RestrictRealtime = true; - MemoryDenyWriteExecute = true; + ] ++ (mapAttrsToList (k: v: "-${v.passwordFile}") cfg.accounts); + BindPaths = + (if cfg.settings ? hist then [ cfg.settings.hist ] else [ ]) + ++ [ externalStateDir ] + ++ (mapAttrsToList (k: v: v.path) cfg.volumes); + # ProtectSystem = "strict"; + # Note that unlike what 'ro' implies, + # this actually makes it impossible to read anything in the root FS, + # except for things explicitly mounted via `RuntimeDirectory`, `StateDirectory`, `CacheDirectory`, and `BindReadOnlyPaths`. + # This is because TemporaryFileSystem creates a *new* *empty* filesystem for the process, so only bindmounts are visible. + TemporaryFileSystem = "/:ro"; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectHostname = true; + ProtectClock = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictNamespaces = true; + RemoveIPC = true; + UMask = "0077"; + LimitNOFILE = cfg.openFilesLimit; + NoNewPrivileges = true; + LockPersonality = true; + RestrictRealtime = true; + MemoryDenyWriteExecute = true; + }; }; - }; - # ensure volumes exist: - systemd.tmpfiles.settings."copyparty" = ( - lib.attrsets.mapAttrs' ( - name: value: + # ensure volumes exist: + systemd.tmpfiles.settings."copyparty" = ( + lib.attrsets.mapAttrs' ( + name: value: lib.attrsets.nameValuePair (value.path) { d = { #: in front of things means it wont change it if the directory already exists. @@ -333,32 +346,30 @@ in { mode = ":755"; }; } - ) - cfg.volumes - ); + ) cfg.volumes + ); - users.groups.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") {}; - users.users.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") { - description = "Service user for copyparty"; - group = "copyparty"; - home = externalStateDir; - isSystemUser = true; - }; - environment.systemPackages = lib.mkIf cfg.mkHashWrapper [ - (pkgs.writeShellScriptBin - "copyparty-hash" - '' - set -a # automatically export variables - # set same environment variables as the systemd service - ${lib.pipe config.systemd.services.copyparty.environment [ - (lib.filterAttrs (n: v: v != null && n != "PATH")) - (lib.mapAttrs (_: v: "${v}")) - (lib.toShellVars) - ]} - PATH=${config.systemd.services.copyparty.environment.PATH}:$PATH + users.groups.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") { }; + users.users.copyparty = lib.mkIf (cfg.user == "copyparty" && cfg.group == "copyparty") { + description = "Service user for copyparty"; + group = "copyparty"; + home = externalStateDir; + isSystemUser = true; + }; + environment.systemPackages = lib.mkIf cfg.mkHashWrapper [ + (pkgs.writeShellScriptBin "copyparty-hash" '' + set -a # automatically export variables + # set same environment variables as the systemd service + ${lib.pipe config.systemd.services.copyparty.environment [ + (lib.filterAttrs (n: v: v != null && n != "PATH")) + (lib.mapAttrs (_: v: "${v}")) + (lib.toShellVars) + ]} + PATH=${config.systemd.services.copyparty.environment.PATH}:$PATH - exec ${command} --ah-cli - '') - ]; - }); + exec ${command} --ah-cli + '') + ]; + } + ); } diff --git a/contrib/package/nix/copyparty/default.nix b/contrib/package/nix/copyparty/default.nix index d34f9ae7..28d733ab 100644 --- a/contrib/package/nix/copyparty/default.nix +++ b/contrib/package/nix/copyparty/default.nix @@ -1,41 +1,67 @@ -{ lib, stdenv, makeWrapper, fetchurl, util-linux, python, jinja2, impacket, pyftpdlib, pyopenssl, argon2-cffi, pillow, pyvips, pyzmq, ffmpeg, mutagen, +{ + lib, + stdenv, + makeWrapper, + fetchurl, + util-linux, + python, + jinja2, + impacket, + pyopenssl, + cfssl, + argon2-cffi, + pillow, + pyvips, + pyzmq, + ffmpeg, + mutagen, -# use argon2id-hashed passwords in config files (sha2 is always available) -withHashedPasswords ? true, + # use argon2id-hashed passwords in config files (sha2 is always available) + withHashedPasswords ? true, -# generate TLS certificates on startup (pointless when reverse-proxied) -withCertgen ? false, + # generate TLS certificates on startup (pointless when reverse-proxied) + withCertgen ? false, -# create thumbnails with Pillow; faster than FFmpeg / MediaProcessing -withThumbnails ? true, + # create thumbnails with Pillow; faster than FFmpeg / MediaProcessing + withThumbnails ? true, -# create thumbnails with PyVIPS; even faster, uses more memory -# -- can be combined with Pillow to support more filetypes -withFastThumbnails ? false, + # create thumbnails with PyVIPS; even faster, uses more memory + # -- can be combined with Pillow to support more filetypes + withFastThumbnails ? false, -# enable FFmpeg; thumbnails for most filetypes (also video and audio), extract audio metadata, transcode audio to opus -# -- possibly dangerous if you allow anonymous uploads, since FFmpeg has a huge attack surface -# -- can be combined with Thumbnails and/or FastThumbnails, since FFmpeg is slower than both -withMediaProcessing ? true, + # enable FFmpeg; thumbnails for most filetypes (also video and audio), extract audio metadata, transcode audio to opus + # -- possibly dangerous if you allow anonymous uploads, since FFmpeg has a huge attack surface + # -- can be combined with Thumbnails and/or FastThumbnails, since FFmpeg is slower than both + withMediaProcessing ? true, -# if MediaProcessing is not enabled, you probably want this instead (less accurate, but much safer and faster) -withBasicAudioMetadata ? false, + # if MediaProcessing is not enabled, you probably want this instead (less accurate, but much safer and faster) + withBasicAudioMetadata ? false, -# send ZeroMQ messages from event-hooks -withZeroMQ ? true, + # send ZeroMQ messages from event-hooks + withZeroMQ ? true, -# enable FTPS support in the FTP server -withFTPS ? false, + # enable FTPS support in the FTP server + withFTPS ? false, -# samba/cifs server; dangerous and buggy, enable if you really need it -withSMB ? false, + # samba/cifs server; dangerous and buggy, enable if you really need it + withSMB ? false, + + # extra packages to add to the PATH + extraPackages ? [ ], + + # function that accepts a python packageset and returns a list of packages to + # be added to the python venv. useful for scripts and such that require + # additional dependencies + extraPythonPackages ? (_p: [ ]), }: let pinData = lib.importJSON ./pin.json; - pyEnv = python.withPackages (ps: - with ps; [ + pyEnv = python.withPackages ( + ps: + with ps; + [ jinja2 ] ++ lib.optional withSMB impacket @@ -47,22 +73,36 @@ let ++ lib.optional withBasicAudioMetadata mutagen ++ lib.optional withHashedPasswords argon2-cffi ++ lib.optional withZeroMQ pyzmq - ); -in stdenv.mkDerivation { + ++ (extraPythonPackages ps) + ); + + runtimeDeps = ([ util-linux ] ++ extraPackages ++ lib.optional withMediaProcessing ffmpeg); +in +stdenv.mkDerivation { pname = "copyparty"; - version = pinData.version; + inherit (pinData) version; src = fetchurl { - url = pinData.url; - hash = pinData.hash; + inherit (pinData) url hash; }; - buildInputs = [ makeWrapper ]; + nativeBuildInputs = [ makeWrapper ]; dontUnpack = true; - dontBuild = true; installPhase = '' install -Dm755 $src $out/share/copyparty-sfx.py makeWrapper ${pyEnv.interpreter} $out/bin/copyparty \ - --set PATH '${lib.makeBinPath ([ util-linux ] ++ lib.optional withMediaProcessing ffmpeg)}:$PATH' \ - --add-flags "$out/share/copyparty-sfx.py" + --prefix PATH : ${lib.makeBinPath runtimeDeps} \ + --add-flag $out/share/copyparty-sfx.py ''; - meta.mainProgram = "copyparty"; + meta = { + description = "Turn almost any device into a file server"; + longDescription = '' + Portable file server with accelerated resumable uploads, dedup, WebDAV, + FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps + ''; + homepage = "https://github.com/9001/copyparty"; + changelog = "https://github.com/9001/copyparty/releases/tag/v${pinData.version}"; + license = lib.licenses.mit; + inherit (python.meta) platforms; + mainProgram = "copyparty"; + sourceProvenance = [ lib.sourceTypes.binaryBytecode ]; + }; } diff --git a/contrib/package/nix/partyfuse/default.nix b/contrib/package/nix/partyfuse/default.nix new file mode 100644 index 00000000..59faa914 --- /dev/null +++ b/contrib/package/nix/partyfuse/default.nix @@ -0,0 +1,26 @@ +{ + stdenvNoCC, + copyparty, + python3, + makeBinaryWrapper, +}: +let + python = python3.withPackages (p: [ p.fusepy ]); +in +stdenvNoCC.mkDerivation { + pname = "partyfuse"; + inherit (copyparty) version meta; + src = ../../../..; + + nativeBuildInputs = [ makeBinaryWrapper ]; + + installPhase = '' + runHook preInstall + + install -Dm444 bin/partyfuse.py -t $out/share/copyparty + makeWrapper ${python.interpreter} $out/bin/partyfuse \ + --add-flag $out/share/copyparty/partyfuse.py + + runHook postInstall + ''; +} diff --git a/contrib/package/nix/u2c/default.nix b/contrib/package/nix/u2c/default.nix new file mode 100644 index 00000000..dc1e4c56 --- /dev/null +++ b/contrib/package/nix/u2c/default.nix @@ -0,0 +1,24 @@ +{ + stdenvNoCC, + copyparty, + python312, + makeBinaryWrapper, +}: +stdenvNoCC.mkDerivation { + pname = "u2c"; + inherit (copyparty) version meta; + src = ../../../..; + + nativeBuildInputs = [ makeBinaryWrapper ]; + + installPhase = '' + runHook preInstall + + install -Dm444 bin/u2c.py -t $out/share/copyparty + mkdir $out/bin + makeWrapper ${python312.interpreter} $out/bin/u2c \ + --add-flag $out/share/copyparty/u2c.py + + runHook postInstall + ''; +} diff --git a/flake.nix b/flake.nix index be9d0678..5f39d605 100644 --- a/flake.nix +++ b/flake.nix @@ -4,16 +4,30 @@ flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { self, nixpkgs, flake-utils }: + outputs = + { + self, + nixpkgs, + flake-utils, + }: { nixosModules.default = ./contrib/nixos/modules/copyparty.nix; - overlays.default = self: super: { - copyparty = - self.python3.pkgs.callPackage ./contrib/package/nix/copyparty { - ffmpeg = self.ffmpeg-full; - }; + overlays.default = final: prev: rec { + copyparty = final.python3.pkgs.callPackage ./contrib/package/nix/copyparty { + ffmpeg = final.ffmpeg-full; + }; + + partyfuse = prev.callPackage ./contrib/package/nix/partyfuse { + inherit copyparty; + }; + + u2c = prev.callPackage ./contrib/package/nix/u2c { + inherit copyparty; + }; }; - } // flake-utils.lib.eachDefaultSystem (system: + } + // flake-utils.lib.eachDefaultSystem ( + system: let pkgs = import nixpkgs { inherit system; @@ -22,10 +36,31 @@ }; overlays = [ self.overlays.default ]; }; - in { + in + { + # check that copyparty builds with all optionals turned on + checks.copyparty-full = self.packages.${system}.copyparty.override { + withHashedPasswords = true; + withCertgen = true; + withThumbnails = true; + withFastThumbnails = true; + withMediaProcessing = true; + withBasicAudioMetadata = true; + withZeroMQ = true; + withFTPS = true; + withSMB = true; + }; + packages = { - inherit (pkgs) copyparty; + inherit (pkgs) + copyparty + partyfuse + u2c + ; default = self.packages.${system}.copyparty; }; - }); + + formatter = pkgs.nixfmt-tree; + } + ); } From 3cde1f3be205f4a6fe333191d19910678c78f866 Mon Sep 17 00:00:00 2001 From: ed Date: Tue, 29 Jul 2025 17:13:34 +0000 Subject: [PATCH 28/32] docker-compose: PYTHONUNBUFFERED=1 almost zero performance impact with podman in kitty --- docs/examples/docker/basic-docker-compose/docker-compose.yml | 5 ++++- docs/examples/docker/idp-authelia-traefik/docker-compose.yml | 3 +++ .../examples/docker/idp-authentik-traefik/docker-compose.yml | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/examples/docker/basic-docker-compose/docker-compose.yml b/docs/examples/docker/basic-docker-compose/docker-compose.yml index cfac59b6..dd3c1f9a 100644 --- a/docs/examples/docker/basic-docker-compose/docker-compose.yml +++ b/docs/examples/docker/basic-docker-compose/docker-compose.yml @@ -10,9 +10,12 @@ services: - ./:/cfg:z - /path/to/your/fileshare/top/folder:/w:z - # enabling mimalloc by replacing "NOPE" with "2" will make some stuff twice as fast, but everything will use twice as much ram: environment: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE + # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram) + + PYTHONUNBUFFERED: 1 + # ensures log-messages are not delayed (but can reduce speed a tiny bit) stop_grace_period: 15s # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal healthcheck: diff --git a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml index 5fe25a15..9ebd73ba 100644 --- a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml +++ b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml @@ -27,6 +27,9 @@ services: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram) + PYTHONUNBUFFERED: 1 + # ensures log-messages are not delayed (but can reduce speed a tiny bit) + authelia: image: authelia/authelia:v4.38.0-beta3 # the config files in the authelia folder use the new syntax container_name: idp_authelia diff --git a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml index ee10f0f9..7ddf1a9d 100644 --- a/docs/examples/docker/idp-authentik-traefik/docker-compose.yml +++ b/docs/examples/docker/idp-authentik-traefik/docker-compose.yml @@ -27,6 +27,9 @@ services: LD_PRELOAD: /usr/lib/libmimalloc-secure.so.NOPE # enable mimalloc by replacing "NOPE" with "2" for a nice speed-boost (will use twice as much ram) + PYTHONUNBUFFERED: 1 + # ensures log-messages are not delayed (but can reduce speed a tiny bit) + traefik: image: traefik:v2.11 container_name: traefik From fbf17be203c9d260996de7d6bd3d196554e89ab7 Mon Sep 17 00:00:00 2001 From: ed Date: Tue, 29 Jul 2025 18:14:51 +0000 Subject: [PATCH 29/32] apply unlist to navpane too --- copyparty/web/browser.js | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index ce204757..f1368912 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -7946,6 +7946,17 @@ var treectl = (function () { return toast.err(30, "bad ?tree reply;\nexpected json, got this:\n\n" + esc(this.responseText + '')); } r.rendertree(res, this.ts, this.top, this.dst, this.rst); + + if (r.lsc && r.lsc.unlist) + r.prunetree(r.lsc); + }; + + r.prunetree = function (res) { + var ptn = new RegExp(res.unlist); + var els = QSA('#treeul li>a+a'); + for (var a = els.length - 1; a >= 0; a--) + if (ptn.exec(els[a].textContent) && !els[a].className) + els[a].closest('ul').removeChild(els[a].closest('li')); }; r.rendertree = function (res, ts, top0, dst, rst) { @@ -8233,6 +8244,8 @@ var treectl = (function () { } r.rendertree({ "a": dirs }, this.ts, ".", get_evpath() + (dk ? '?k=' + dk : '')); + if (res.unlist) + r.prunetree(res); } r.gentab(this.top, res); @@ -8314,7 +8327,7 @@ var treectl = (function () { if (res.unlist) { var ptn = new RegExp(res.unlist); for (var a = nodes.length - 1; a >= 0; a--) - if (ptn.exec(nodes[a].href.split('?')[0])) + if (ptn.exec(uricom_dec(nodes[a].href.split('?')[0]))) nodes.splice(a, 1); } nodes = sortfiles(nodes); From 5c6341e99fb11b7bf272beed5d2a56ce0639be65 Mon Sep 17 00:00:00 2001 From: ed Date: Tue, 29 Jul 2025 20:03:42 +0000 Subject: [PATCH 30/32] disk-info: both free+total on windows too (#272) --- copyparty/httpcli.py | 8 ++++---- copyparty/util.py | 13 +++++++++---- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 2976a7c1..9052acc0 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -6157,13 +6157,13 @@ class HttpCli(object): self.log("#wow #whoa") if not self.args.nid: - free, total, _ = get_df(abspath, False) - if total is not None: + free, total, zs = get_df(abspath, False) + if total: h1 = humansize(free or 0) h2 = humansize(total) srv_info.append("{} free of {}".format(h1, h2)) - elif free is not None: - srv_info.append(humansize(free, True) + " free") + elif zs: + self.log("diskfree(%r): %s" % (abspath, zs), 3) srv_infot = " // ".join(srv_info) diff --git a/copyparty/util.py b/copyparty/util.py index 0b2dbcc4..86cf046b 100644 --- a/copyparty/util.py +++ b/copyparty/util.py @@ -2662,7 +2662,7 @@ def wunlink(log: "NamedLogger", abspath: str, flags: dict[str, Any]) -> bool: return _fs_mvrm(log, abspath, "", False, flags) -def get_df(abspath: str, prune: bool) -> tuple[Optional[int], Optional[int], str]: +def get_df(abspath: str, prune: bool) -> tuple[int, int, str]: try: ap = fsenc(abspath) while prune and not os.path.isdir(ap) and BOS_SEP in ap: @@ -2673,17 +2673,22 @@ def get_df(abspath: str, prune: bool) -> tuple[Optional[int], Optional[int], str assert ctypes # type: ignore # !rm abspath = fsdec(ap) bfree = ctypes.c_ulonglong(0) + btotal = ctypes.c_ulonglong(0) + bavail = ctypes.c_ulonglong(0) ctypes.windll.kernel32.GetDiskFreeSpaceExW( # type: ignore - ctypes.c_wchar_p(abspath), None, None, ctypes.pointer(bfree) + ctypes.c_wchar_p(abspath), + ctypes.pointer(bavail), + ctypes.pointer(btotal), + ctypes.pointer(bfree), ) - return (bfree.value, None, "") + return (bavail.value, btotal.value, "") else: sv = os.statvfs(ap) free = sv.f_frsize * sv.f_bfree total = sv.f_frsize * sv.f_blocks return (free, total, "") except Exception as ex: - return (None, None, repr(ex)) + return (0, 0, repr(ex)) if not ANYWIN and not MACOS: From 4988a55ea58f1db7eff0dfbf2d5e53d783eb08f2 Mon Sep 17 00:00:00 2001 From: ed Date: Tue, 29 Jul 2025 20:07:11 +0000 Subject: [PATCH 31/32] webdav: send diskfree; closes #272 --- copyparty/httpcli.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 9052acc0..8bb12870 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -1575,6 +1575,18 @@ class HttpCli(object): self.log("inaccessible: %r" % ("/" + self.vpath,)) raise Pebkac(401, "authenticate") + if "quota-available-bytes" in props and not self.args.nid: + bfree, btot, _ = get_df(vn.realpath, False) + if btot: + df = { + "quota-available-bytes": str(bfree), + "quota-used-bytes": str(btot - bfree), + } + else: + df = {} + else: + df = {} + fgen = itertools.chain([topdir], fgen) vtop = vjoin(self.args.R, vjoin(vn.vpath, rem)) @@ -1617,6 +1629,9 @@ class HttpCli(object): ap = os.path.join(tap, x["vp"]) pvs["getcontenttype"] = html_escape(guess_mime(rp, ap)) pvs["getcontentlength"] = str(st.st_size) + elif df: + pvs.update(df) + df = {} for k, v in pvs.items(): if k not in props: From c3cc2ddeaea4d2c762bce0335b6637ce341861cd Mon Sep 17 00:00:00 2001 From: Jo <141064017+Arklaum@users.noreply.github.com> Date: Tue, 29 Jul 2025 21:24:17 +0100 Subject: [PATCH 32/32] diskfree without root-reserved space (#285) Signed-off-by: Jo <141064017+Arklaum@users.noreply.github.com> --- copyparty/util.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/copyparty/util.py b/copyparty/util.py index 86cf046b..14768e6e 100644 --- a/copyparty/util.py +++ b/copyparty/util.py @@ -2684,7 +2684,7 @@ def get_df(abspath: str, prune: bool) -> tuple[int, int, str]: return (bavail.value, btotal.value, "") else: sv = os.statvfs(ap) - free = sv.f_frsize * sv.f_bfree + free = sv.f_frsize * sv.f_bavail total = sv.f_frsize * sv.f_blocks return (free, total, "") except Exception as ex: