mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
2577 commits 4 branches 342 tags 55 MiB
Commit graph

2577 commits

This branch
This branch
All branches
Author SHA1 Message Date
ed 1a658dedb7 fix infinite playback spin on servers with one single file 2023-07-23 14:52:42 +00:00
ed 8d376b854c this is the wrong way around 2023-07-23 14:10:23 +00:00
ed 490c16b01d be even stricter with ?hc 2023-07-23 13:23:52 +00:00
ed 2437a4e864 the CVE-2023-37474 fix was overly strict; loosen 2023-07-23 11:31:11 +00:00
ed 007d948cb9 fix GHSA-f54q-j679-p9hh: reflected-XSS in cookie-setters; 
it was possible to set cookie values which contained newlines,
thus terminating the http header and bleeding into the body.

We now disallow control-characters in queries,
but still allow them in paths, as copyparty supports
filenames containing newlines and other mojibake.

The changes in `set_k304` are not necessary in fixing the vulnerability,
but makes the behavior more correct.
 2023-07-23 10:55:08 +00:00
ed 335fcc8535 update pkgs to 1.8.6 2023-07-21 01:12:55 +00:00
ed 9eaa9904e0 v1.8.6 2023-07-21 00:36:37 +00:00
ed 0778da6c4d fix GHSA-cw7j-v52w-fp5r: reflected-XSS through /?hc 2023-07-21 00:35:43 +00:00
ed a1bb10012d update pkgs to 1.8.4 2023-07-18 08:26:39 +00:00
ed 1441ccee4f v1.8.4 2023-07-18 07:46:22 +00:00
ed 491803d8b7 update pkgs to 1.8.3 2023-07-16 23:03:30 +00:00
ed 3dcc386b6f v1.8.3 2023-07-16 22:00:04 +00:00
ed 5aa54d1217 shift/ctrl-click improvements: 
* always enable shift-click selection in list-view
* shift-clicking thumbnails opens in new window by default as expected
* enable shift-select in grid-view when multiselect is on
* invert select when the same shift-select is made repeatedly
 2023-07-16 18:15:56 +00:00
ed 88b876027c option to range-select files with shift-click; closes #47 
also restores the browser-default behavior of
opening links in a new tab with CTRL / new window with SHIFT
 2023-07-16 14:05:09 +00:00
ed fcc3aa98fd add path-traversal scanners 2023-07-16 13:09:31 +00:00
ed f2f5e266b4 support listing uploader IPs in d2t volumes 2023-07-15 18:50:35 +00:00
ed e17bf8f325 require the new admin permission for the admin-panel 2023-07-15 18:39:41 +00:00
ed d19cb32bf3 update pkgs to 1.8.2 2023-07-14 16:05:57 +00:00
ed 85a637af09 v1.8.2 2023-07-14 15:58:39 +00:00
ed 043e3c7dd6 fix traversal vulnerability GHSA-pxfv-7rr3-2qjg: 
the /.cpr endpoint allowed full access to server filesystem,
unless mitigated by prisonparty
 2023-07-14 15:55:49 +00:00
ed 8f59afb159 fix another race (unpost): 
unposting could collide with most other database-related activities,
causing one or the other to fail.
luckily the unprotected query performed by the unpost API happens to be
very cheap, so also the most likely to fail, and would succeed upon a
manual reattempt from the UI.
even in the worst case scenario, there would be no unrecoverable damage
as the next rescan would auto-repair any resulting inconsistencies.
 2023-07-14 15:21:14 +00:00
ed 77f1e51444 fix unlikely race (e2tsr): 
if someone with admin rights refreshes the homepage exactly as the
directory indexer decides to `_drop_caches`, the indexer thread would
die and the up2k instance would become inoperable...
luckily the probability of hitting this by chance is absolutely minimal,
and the worst case scenario is having to restart copyparty if this
happens immediately after startup; there is no risk of database damage
 2023-07-14 15:20:25 +00:00
ed 22fc4bb938 add event-hook for banning users 2023-07-13 22:29:32 +00:00
ed 50c7bba6ea volflag "nohtml" to never return html or rendered markdown from potentially unsafe volumes 2023-07-13 21:57:52 +00:00
ed 551d99b71b add permission "a" to show uploader IPs (#45) 2023-07-12 21:36:55 +00:00
ed b54b7213a7 more thumbnailer configs available as volflags: 
--th-convt = convt
--th-no-crop = nocrop
--th-size = thsize
 2023-07-11 22:15:37 +00:00
ed a14943c8de update pkgs to 1.8.1 2023-07-07 23:58:16 +00:00
ed a10cad54fc v1.8.1 2023-07-07 22:20:01 +00:00
ed 8568b7702a add pillow10 support + improve text rendering 2023-07-07 22:13:04 +00:00
ed 5d8cb34885 404/403 can be handled with plugins 2023-07-07 21:33:40 +00:00
ed 8d248333e8 dont disable quickedit when hashing passwords interactively 2023-07-07 18:29:30 +00:00
ed 99e2ef7f33 ux: fix tabs clipping in fedora-ff, hackertheme up2k flags 2023-07-07 18:24:58 +00:00
ed e767230383 very-bad-idea: prefer mpv / streamlink; closes #42 2023-06-28 21:25:40 +00:00
ed 90601314d6 better explain why very-bad-idea is a very bad idea 2023-06-27 22:30:14 +00:00
ed 9c5eac1274 add fedora package 2023-06-27 22:22:42 +00:00
ed 50905439e4 update pkgs to 1.8.0 2023-06-26 00:46:55 +00:00
ed a0c1239246 v1.8.0 2023-06-26 00:05:12 +00:00
ed b8e851c332 cloudflare update + cosmetics: 
* toastb padding fixes scrollbar on norwegian 403 in firefox
* fix text aspect ratio in seekbaron compact toggle
* crashpage had link overlaps on homepage
 2023-06-25 23:09:29 +00:00
ed baaf2eb24d include mdns names in tls cert 2023-06-25 22:06:35 +00:00
ed e197895c10 support hashed passwords; closes #39 2023-06-25 21:50:33 +00:00
ed cb75efa05d md-editor: index file and trigger upload hooks 2023-06-20 18:11:35 +00:00
ed 8b0cf2c982 volflags to limit volume size / num files; closes #40 2023-06-19 00:42:45 +00:00
ed fc7d9e1f9c update pkgs to 1.7.6 2023-06-11 09:13:58 +00:00
ed 10caafa34c v1.7.6 2023-06-11 08:14:45 +00:00
ed 22cc22225a v1.7.5 2023-06-11 01:32:56 +00:00
ed 22dff4b0e5 update pkgs to 1.7.4 2023-06-11 01:26:25 +00:00
ed a00ff2b086 v1.7.4 2023-06-11 00:07:38 +00:00
ed e4acddc23b v1.7.3 2023-06-11 00:03:03 +00:00
ed 2b2d8e4e02 tls / gencert fixes 2023-06-10 23:34:34 +00:00
ed 5501d49032 prefer urandom for fk-salt unless cert.pem exists 2023-06-10 22:47:39 +00:00