diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py index 7313c39b..c1274f2d 100644 --- a/copyparty/authsrv.py +++ b/copyparty/authsrv.py @@ -1515,6 +1515,14 @@ class AuthSrv(object): if not mount and not self.args.idp_h_usr: # -h says our defaults are CWD at root and read/write for everyone axs = AXS(["*"], ["*"], None, None) + if os.path.exists("/z/initcfg"): + t = "Read-access has been disabled due to failsafe: Docker detected, but the config does not define any volumes. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to all of /w/ by adding the following arguments to the docker container: -v .::rw" + self.log(t, 1) + axs = AXS() + elif self.args.c: + t = "Read-access has been disabled due to failsafe: No volumes were defined by the config-file. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to the working-directory by adding the following arguments: -v .::rw" + self.log(t, 1) + axs = AXS() vfs = VFS(self.log_func, absreal("."), "", axs, {}) elif "" not in mount: # there's volumes but no root; make root inaccessible diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 2c531ac2..0645e441 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -1233,6 +1233,20 @@ class HttpCli(object): else: return self.tx_404(True) else: + vfs = self.asrv.vfs + if ( + not vfs.nodes + and not vfs.axs.uread + and not vfs.axs.uwrite + and not vfs.axs.uget + and not vfs.axs.uhtml + and not vfs.axs.uadmin + ): + t = "

access denied due to failsafe; check server log

" + html = self.j2s("splash", this=self, msg=t) + self.reply(html.encode("utf-8", "replace"), 500) + return True + if self.vpath: ptn = self.args.nonsus_urls if not ptn or not ptn.search(self.vpath):