safeguard against accidental config loss

when running copyparty without any config, it defaults to sharing the current folder read-write for everyone. This makes sense for quick one-off instances, but not in more permanent deployments especially for docker, where the config can get lost by accident in too many ways (compose typos, failed upgrade, selinux, ...) the default should be to reject all access add a safeguard which disables read-access if one or more config-files were specified, but no volumes are defined should prevent issues such as filebrowser/filebrowser#3719
2025-08-17 09:02:15 -06:00 · 2025-02-08 20:37:30 +00:00 · 2025-02-08 20:37:30 +00:00 · cd71b505a9
parent c7db08ed3e
commit cd71b505a9
2 changed files with 22 additions and 0 deletions
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@ -1515,6 +1515,14 @@ class AuthSrv(object):
        if not mount and not self.args.idp_h_usr:
            # -h says our defaults are CWD at root and read/write for everyone
            axs = AXS(["*"], ["*"], None, None)
+            if os.path.exists("/z/initcfg"):
+                t = "Read-access has been disabled due to failsafe: Docker detected, but the config does not define any volumes. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to all of /w/ by adding the following arguments to the docker container:  -v .::rw"
+                self.log(t, 1)
+                axs = AXS()
+            elif self.args.c:
+                t = "Read-access has been disabled due to failsafe: No volumes were defined by the config-file. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to the working-directory by adding the following arguments:  -v .::rw"
+                self.log(t, 1)
+                axs = AXS()
            vfs = VFS(self.log_func, absreal("."), "", axs, {})
        elif "" not in mount:
            # there's volumes but no root; make root inaccessible
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -1233,6 +1233,20 @@ class HttpCli(object):
                else:
                    return self.tx_404(True)
            else:
+                vfs = self.asrv.vfs
+                if (
+                    not vfs.nodes
+                    and not vfs.axs.uread
+                    and not vfs.axs.uwrite
+                    and not vfs.axs.uget
+                    and not vfs.axs.uhtml
+                    and not vfs.axs.uadmin
+                ):
+                    t = "<h2>access denied due to failsafe; check server log</h2>"
+                    html = self.j2s("splash", this=self, msg=t)
+                    self.reply(html.encode("utf-8", "replace"), 500)
+                    return True
+
                if self.vpath:
                    ptn = self.args.nonsus_urls
                    if not ptn or not ptn.search(self.vpath):