mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
3856 commits 4 branches 342 tags 55 MiB
Commit graph

3856 commits

This branch
This branch
All branches
Author SHA1 Message Date
ed 674fc1fe08 make nginx example less confusing 2025-07-28 19:46:15 +00:00
ed a2601fd6ad chpw ratelimit 2025-07-28 19:46:15 +00:00
ed 025942a7d6
connect: hide "use real pw" when no accs (#242) 
Disable the "use the real password" button on the connect page when there's no accounts
 2025-07-28 19:33:16 +00:00
ed 510100c86b
Update svcs.js 
Signed-off-by: ed <s@ocv.me>
 2025-07-28 19:31:37 +00:00
Toast 161bbc7d26 connect-page: disable use real password button when there's no accounts 2025-07-28 21:14:26 +02:00
Chinpo Nya 7c9c962b79 nix: add /etc/group to systemd sandbox 
allows specifying groups by name in the unix socket
 2025-07-28 18:32:55 +00:00
ed cbdbaf1938 update pkgs to 1.18.5 2025-07-27 23:38:32 +00:00
ed cdfceb483e v1.18.5 2025-07-27 23:05:44 +00:00
ed 2228f81f94 block externally-hosted m3u files; 
pointless security risk; made GHSA-9q4r-x2hj-jmvr much worse
 2025-07-27 22:59:16 +00:00
ed 895880aeb0 fix GHSA-9q4r-x2hj-jmvr ; 
this fixes a DOM-Based XSS when rendering multimedia metadata

assuming the media-indexing option is enabled, a malicious media file
could be uploaded to the server by a privileged user, executing
arbitrary javascript on anyone visiting and viewing the directory

the same vulnerability could also be triggered through an
externally-hosted m3u file, by tricking a user into
clicking a link to load and play this m3u file

huge thanks to @altperfect for finding and reporting this!
 2025-07-27 22:56:38 +00:00
ed 6bb27e6091 audioplayer: stop at end-of-(song/folder); closes #214 2025-07-27 22:14:16 +00:00
ed d197e754b9 fix scroll after logtail (thx @Bevinsky) 
if file was closed without using the [X] button, for example
with the browser back button, the tail would not abort
 2025-07-27 21:17:44 +00:00
ed b0dec83aad connect: fix ipv6 and resolve .local only; closes #202 2025-07-27 20:32:45 +00:00
Masked e2c2dd18cf Improve host IP address handling in HttpCli 
Added logic to detect if the user provided an IP address or hostname using the ipaddress module. This ensures correct resolution and mapping behavior based on the input type, improving reliability and correctness in network operations.
 2025-07-27 19:51:40 +00:00
ed ca6d0b8d5e SameSite=Strict as default; closes #189 2025-07-27 18:18:49 +00:00
ed 48705a74c6 versus: nextcloud does chunked uploads 2025-07-26 18:22:51 +00:00
ed b419984709 docker: add ftps support 2025-07-26 10:50:38 +00:00
ed e00b97eee0 update pkgs to 1.18.4 2025-07-25 18:56:12 +00:00
ed 4dca1cf8f4 v1.18.4 2025-07-25 18:41:05 +00:00
ed edba7fffd3 add landmarks (#182) 2025-07-25 18:35:28 +00:00
ed 21a96bcfe8 add quickdelete option; closes #183 
togglebutton in the ui switches between 2 (off/default) and
1 (on/quick) confirmations; global-option `--qdel` sets the default

setting `--qdel=0` changes the togglebutton to switch
between 1 (off/default) confirmations and 0 (on)

in other words, when the ui-button is enabled, it
always reduces the number of confirmations by one
 2025-07-25 18:31:49 +00:00
ed 2d322dd48e fix unpost in new shares 2025-07-25 15:12:05 +00:00
ed df6d4df4f8 fix filekeys on windows 2025-07-24 23:07:04 +00:00
ed 5aa893973c update pkgs to 1.18.3 2025-07-21 23:30:16 +00:00
ed be0dd555a6 v1.18.3 2025-07-21 23:07:00 +00:00
ed 9921c43e3a add options to set default chmod (#181) 
the unix-permissions of new files/folders can now be changed

* global-option --chmod-f, volflag chmod_f for files
* global-option --chmod-d, volflag chmod_d for directories

the expected value is a standard three-digit octal value
(User/Group/Other) such as 755, 750, 644, 640, etc
 2025-07-21 22:46:28 +00:00
ed 14fa369fae macos fixes 2025-07-21 00:04:38 +02:00
ed 0f0f8d90c1 support --shr with --xvol; closes #179 2025-07-20 23:49:36 +02:00
ed 1afbff7335 fix some error-messages failing to render 
would show a jinja-panic instead of explaining what went wrong
 2025-07-20 23:39:08 +02:00
ed 8c32b0e7bb bbox: hide buttons fully; closes #180 2025-07-20 23:31:38 +02:00
ed 9bc4c5d2e6 mediaplayer: stay within search-results 2025-07-20 23:30:27 +02:00
ed 1534b7cb55 fix hotkey-help on macos 2025-07-20 23:27:44 +02:00
ed 56d3bcf515 rss: fix --rp-loc; 
some rss links were malformed when combined with rp-loc
 2025-07-14 03:48:27 +02:00
ed 78605d9a79 ios: force video embed 
default on all other platforms, but apple thinks different
 2025-07-09 14:11:45 +00:00
ed d46a40fed8 update pkgs to 1.18.2 2025-07-07 14:29:38 +00:00
ed ce4e489802 v1.18.2 2025-07-07 14:19:56 +00:00
ed fd7c71d6a3 add volflag to hide volume from controlpanel listing 2025-07-07 14:15:58 +00:00
ed fad2268566 update pkgs to 1.18.1 2025-07-07 13:39:55 +00:00
ed a95ea03cd0 v1.18.1 2025-07-07 13:20:59 +00:00
ed f6be390579 avoid pillow warning 2025-07-07 12:58:03 +00:00
ed 4f264a0a9c add idp-cache editor ui 2025-07-07 12:52:31 +00:00
ed d27144340f ie11 fix 2025-07-07 11:09:46 +00:00
ed 299cff3ff7 copyparty.exe: update pillow 2025-07-07 11:05:49 +00:00
ed 42c199e78e api for rescanning multiple volumes; 
`?scan=/foo,/bar` will perform a filesystem reindexing of volumes
`/foo` and `/bar` even if they only have `e2d` and not `e2ds`
 2025-07-07 09:53:03 +00:00
ed 1b2d39857b reset x-forwarded-for before next req; 
assume the following stack: cpp <- rproxyA <- rproxyB <- WAN

if A also accepts WAN requests, and A muxes both B and WAN
onto a single connection to cpp, then WAN requests may get
tagged with the IP-address of the most recent B request

aside from the confusing logs, this could break
unpost on servers with shared accounts
 2025-07-07 08:47:24 +00:00
ed ed908b9868 usb-eject: support non-alphanumeric volume names 
until now, volumes with whitespace and such would fail to unmount

also adds a sanchk that the directory to unmount is still below the
expected parent after absreal; the path was already passed to gio in
a safe manner (assuming gio doesn't have any vulns) but why risk it
 2025-07-07 08:35:41 +00:00
ed d162502c38 add idp-volume persistence (optional); 
it keeps track of all seen users/groups by default,
but nothing takes effect unless --idp-store=3 or 2
 2025-07-07 01:05:57 +02:00
ed bf11b2a421 drop corrupted sockets; 
socket.accept() can fail silently --
this would crash the worker-pool and also produce
a confusing useless error-message while doing so

reported by someone on a mac with Little Snitch:
uv python install cpython-3.13.3-macos-aarch64-none
uv python pin cpython-3.13.3-macos-aarch64-none
uv sync
uv run copyparty

...but was also observed on x86_64 linux with
python 2.7 in 2018 (no longer reproduces)

fix this to log what's going on and also don't crash
 2025-07-01 18:32:27 +00:00
morganamilo 77274e9d59 Add python-magic to iv and dj docker files 2025-06-29 11:14:02 +00:00
ed 8306e3d9de docker: disarm unmaintained images 2025-06-29 11:13:29 +00:00