From cd71b505a95d75eea3ffb56a115e049128b5aaad Mon Sep 17 00:00:00 2001
From: ed <s@ocv.me>
Date: Sat, 8 Feb 2025 20:37:30 +0000
Subject: [PATCH] safeguard against accidental config loss

when running copyparty without any config, it defaults to sharing
the current folder read-write for everyone. This makes sense for
quick one-off instances, but not in more permanent deployments

especially for docker, where the config can get lost by accident
in too many ways (compose typos, failed upgrade, selinux, ...)
the default should be to reject all access

add a safeguard which disables read-access if one or more
config-files were specified, but no volumes are defined

should prevent issues such as filebrowser/filebrowser#3719
---
 copyparty/authsrv.py |  8 ++++++++
 copyparty/httpcli.py | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index 7313c39b..c1274f2d 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -1515,6 +1515,14 @@ class AuthSrv(object):
         if not mount and not self.args.idp_h_usr:
             # -h says our defaults are CWD at root and read/write for everyone
             axs = AXS(["*"], ["*"], None, None)
+            if os.path.exists("/z/initcfg"):
+                t = "Read-access has been disabled due to failsafe: Docker detected, but the config does not define any volumes. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to all of /w/ by adding the following arguments to the docker container:  -v .::rw"
+                self.log(t, 1)
+                axs = AXS()
+            elif self.args.c:
+                t = "Read-access has been disabled due to failsafe: No volumes were defined by the config-file. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to the working-directory by adding the following arguments:  -v .::rw"
+                self.log(t, 1)
+                axs = AXS()
             vfs = VFS(self.log_func, absreal("."), "", axs, {})
         elif "" not in mount:
             # there's volumes but no root; make root inaccessible
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 2c531ac2..0645e441 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -1233,6 +1233,20 @@ class HttpCli(object):
                 else:
                     return self.tx_404(True)
             else:
+                vfs = self.asrv.vfs
+                if (
+                    not vfs.nodes
+                    and not vfs.axs.uread
+                    and not vfs.axs.uwrite
+                    and not vfs.axs.uget
+                    and not vfs.axs.uhtml
+                    and not vfs.axs.uadmin
+                ):
+                    t = "<h2>access denied due to failsafe; check server log</h2>"
+                    html = self.j2s("splash", this=self, msg=t)
+                    self.reply(html.encode("utf-8", "replace"), 500)
+                    return True
+
                 if self.vpath:
                     ptn = self.args.nonsus_urls
                     if not ptn or not ptn.search(self.vpath):