misc tweaks

2025-08-17 09:02:15 -06:00 · 2022-06-19 16:05:48 +02:00 · 2022-06-19 16:05:48 +02:00 · 9ad3af1ef6
parent 715727b811
commit 9ad3af1ef6
4 changed files with 37 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -358,11 +358,13 @@ the browser has the following hotkeys  (always qwerty)
  * `U/O` skip 10sec back/forward
  * `0..9` jump to 0%..90%
  * `P` play/pause (also starts playing the folder)
+  * `Y` download file
 * when viewing images / playing videos:
  * `J/L, Left/Right` prev/next file
  * `Home/End` first/last file
  * `S` toggle selection
  * `R` rotate clockwise (shift=ccw)
+  * `Y` download file
  * `Esc` close viewer
  * videos:
    * `U/O` skip 10sec back/forward
@ -989,13 +991,25 @@ when uploading files,

 some notes on hardening

-on public copyparty instances with anonymous upload enabled:
+* option `-s` is a shortcut to set the following options:
+  * `--no-thumb` disables thumbnails and audio transcoding to stop copyparty from running `FFmpeg`/`Pillow`/`VIPS` on uploaded files, which is a [good idea](https://www.cvedetails.com/vulnerability-list.php?vendor_id=3611) if anonymous upload is enabled
+  * `--no-mtag-ff` uses `mutagen` to grab music tags instead of `FFmpeg`, which is safer and faster but less accurate
+  * `--dotpart` hides uploads from directory listings while they're still incoming
+  * `--no-robots` and `--force-js` makes life harder for crawlers, see [hiding from google](#hiding-from-google)

-* users can upload html/css/js which will evaluate for other visitors in a few ways,
-  * unless `--no-readme` is set: by uploading/modifying a file named `readme.md`
-  * if `move` access is granted AND none of `--no-logues`, `--no-dot-mv`, `--no-dot-ren` is set: by uploading some .html file and renaming it to `.epilogue.html` (uploading it directly is blocked)
+* option `-ss` is a shortcut for the above plus:
+  * `--no-logues` and `--no-readme` disables support for readme's and prologues / epilogues in directory listings, which otherwise lets people upload arbitrary `<script>` tags
+  * `--unpost 0`, `--no-del`, `--no-mv` disables all move/delete support
+  * `--hardlink` creates hardlinks instead of symlinks when deduplicating uploads, which is less maintenance
+    * however note if you edit one file it will also affect the other copies
+  * `--vague-403` returns a "404 not found" instead of "403 forbidden" which is a common enterprise meme
+  * `--nih` removes the server hostname from directory listings

-other misc:
+* option `-sss` is a shortcut for the above plus:
+  * `-lo cpp-%Y-%m%d-%H%M%S.txt.xz` enables logging to disk
+  * `-ls **,*,ln,p,r` does a scan on startup for any dangerous symlinks
+
+other misc notes:

 * you can disable directory listings by giving permission `g` instead of `r`, only accepting direct URLs to files
  * combine this with volume-flag `c,fk` to generate per-file accesskeys; users which have full read-access will then see URLs with `?k=...` appended to the end, and `g` users must provide that URL including the correct key to avoid a 404
--- a/bin/mtag/very-bad-idea.py
+++ b/bin/mtag/very-bad-idea.py
@ -63,7 +63,7 @@ set -e
 EOF
 chmod 755 /usr/local/bin/chromium-browser

-# start the server  (note: replace `-v.::rw:` with `-v.::r:` to disallow retrieving uploaded stuff)
+# start the server  (note: replace `-v.::rw:` with `-v.::w:` to disallow retrieving uploaded stuff)
 cd ~/Downloads; python3 copyparty-sfx.py --urlform save,get -v.::rw:c,e2d,e2t,mte=+a1:c,mtp=a1=ad,very-bad-idea.py

 """
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@ -64,8 +64,8 @@ class SvcHub(object):

        if args.ss or args.s >= 2:
            args.s = True
-            args.no_dot_mv = True
-            args.no_dot_ren = True
+            args.no_logues = True
+            args.no_readme = True
            args.unpost = 0
            args.no_del = True
            args.no_mv = True
--- a/copyparty/web/browser.css
+++ b/copyparty/web/browser.css
@ -371,7 +371,7 @@ html.dz {
 	--bg: #010;
 	--bgg: var(--bg);
 	--bg-d1: #000;
-	--bg-d2: #000;
+	--bg-d2: #020;
 	--bg-d3: #000;
 	--bg-max: #000;

@ -381,8 +381,8 @@ html.dz {
 	--scroll: #0f0;

 	--a: #9f9;
-	--a-b: #fff;
-	--a-hil: #fff;
+	--a-b: #cfc;
+	--a-hil: #cfc;
 	--a-dark: #afa;
 	--a-gray: #2a2;

@ -458,7 +458,7 @@ html.dz {
 	--f-sh1: 0.33;
 	--f-sh2: 0.02;
 	--f-sh3: 0.2;
-	--f-h-b1: rgba(128,128,128,0.7);
+	--f-h-b1: #3b3;

 	--f-play-bg: #fc5;
 	--f-play-fg: #000;
@ -2778,6 +2778,17 @@ html.cy #files tbody div a:last-child {



+
+html.dz * {
+	border-radius: 0 !important;
+}
+html.d #treepar {
+	border-bottom: .2em solid var(--f-h-b1);
+}
+
+
+
+
@media (min-width: 70em) {
 	#barpos,
 	#barbuf {