487 commits

Author	SHA1	Message	Date
ed	490c16b01d	be even stricter with ?hc	2023-07-23 13:23:52 +00:00
ed	2437a4e864	the CVE-2023-37474 fix was overly strict; loosen	2023-07-23 11:31:11 +00:00
ed	007d948cb9	fix GHSA-f54q-j679-p9hh: reflected-XSS in cookie-setters; ... it was possible to set cookie values which contained newlines, thus terminating the http header and bleeding into the body. We now disallow control-characters in queries, but still allow them in paths, as copyparty supports filenames containing newlines and other mojibake. The changes in `set_k304` are not necessary in fixing the vulnerability, but makes the behavior more correct.	2023-07-23 10:55:08 +00:00
ed	9eaa9904e0	v1.8.6	2023-07-21 00:36:37 +00:00
ed	0778da6c4d	fix GHSA-cw7j-v52w-fp5r: reflected-XSS through /?hc	2023-07-21 00:35:43 +00:00
ed	1441ccee4f	v1.8.4	2023-07-18 07:46:22 +00:00
ed	f2f5e266b4	support listing uploader IPs in d2t volumes	2023-07-15 18:50:35 +00:00
ed	e17bf8f325	require the new admin permission for the admin-panel	2023-07-15 18:39:41 +00:00
ed	043e3c7dd6	fix traversal vulnerability GHSA-pxfv-7rr3-2qjg: ... the /.cpr endpoint allowed full access to server filesystem, unless mitigated by prisonparty	2023-07-14 15:55:49 +00:00
ed	22fc4bb938	add event-hook for banning users	2023-07-13 22:29:32 +00:00
ed	50c7bba6ea	volflag "nohtml" to never return html or rendered markdown from potentially unsafe volumes	2023-07-13 21:57:52 +00:00
ed	551d99b71b	add permission "a" to show uploader IPs (#45)	2023-07-12 21:36:55 +00:00
ed	5d8cb34885	404/403 can be handled with plugins	2023-07-07 21:33:40 +00:00
ed	e197895c10	support hashed passwords; closes #39	2023-06-25 21:50:33 +00:00
ed	cb75efa05d	md-editor: index file and trigger upload hooks	2023-06-20 18:11:35 +00:00
ed	8b0cf2c982	volflags to limit volume size / num files; closes #40	2023-06-19 00:42:45 +00:00
ed	9c28ba417e	option to regex-exclude files in browser listings	2023-06-02 21:54:25 +00:00
ed	025a537413	add option to show thumbs by default; closes #31	2023-06-02 18:41:21 +00:00
ed	d979c47f50	optimize clearTimeout + always shrink upload panes after completion + fix GET alignment	2023-05-12 20:46:45 +00:00
ed	04c86e8a89	webdav: support write-only folders + force auth option	2023-05-06 20:33:29 +00:00
ed	bc0cb43ef9	include usernames in request logs	2023-05-06 20:17:56 +00:00
ed	4ee81af8f6	support ';' in passwords	2023-05-06 18:54:55 +00:00
ed	544e0549bc	make xvol and xdev apply at runtime (closes #24): ... * when accessing files inside an xdev volume, verify that the file exists on the same device/filesystem as the volume root * when accessing files inside an xvol volume, verify that the file exists within any volume where the user has read access	2023-04-29 21:10:02 +00:00
ed	83178d0836	preserve empty folders (closes #23): ... * when deleting files, do not cascade upwards through empty folders * when moving folders, also move any empty folders inside the only remaining action which autoremoves empty folders is files getting deleted as they expire volume lifetimes also prevents accidentally moving parent folders into subfolders (even though that actually worked surprisingly well)	2023-04-29 11:30:43 +00:00
ed	cb6de0387d	a bit faster	2023-04-26 19:56:27 +00:00
ed	55c74ad164	30% faster folder listings (wtf...)	2023-04-26 18:55:53 +00:00
ed	673b4f7e23	option to show symlink's lastmod instead of deref; ... mainly motivated by u2cli's folder syncing in turbo mode which would un-turbo on most dupes due to wrong lastmod disabled by default for regular http listings (to avoid confusion in most regular usecases), enable per-request with urlparam lt enabled by default for single-level webdav listings (because rclone hits the same issue as u2cli), can be disabled with arg --dav-rt or volflag davrt impossible to enable for recursive webdav listings	2023-04-26 18:54:21 +00:00
ed	03193de6d0	socket read/write timeout	2023-04-24 20:04:22 +00:00
ed	fdd6f3b4a6	tar/zip: use volume name as toplevel fallback	2023-04-23 20:55:34 +00:00
ed	42099baeff	v1.6.12	2023-04-20 21:41:47 +00:00
ed	6acf436573	u2idx pool instead of per-socket; ... prevents running out of FDs thanks to thousands of sqlite3 sessions and neatly sidesteps what could possibly be a race in python's sqlite3 bindings where it sometimes forgets to close the fd	2023-04-20 20:36:13 +00:00
ed	f217e1ce71	correctly ignore multirange requests	2023-04-20 19:14:38 +00:00
ed	c8938fc033	fix ipv4 location header on dualstack	2023-04-14 14:06:44 +02:00
ed	e2bc573e61	webdav correctness: ... * generally respond without body (rclone likes this) * don't connection:close on most mkcol errors	2023-03-23 23:25:00 +00:00
ed	5ac2c20959	basic support for rclone sync	2023-03-20 21:17:53 +00:00
ed	bb72e6bf30	support propfind of files (not just dirs)	2023-03-20 20:58:51 +00:00
ed	d8142e866a	accept last-modified from owncloud webdav extension	2023-03-20 20:28:26 +00:00
ed	8a09601be8	url-param ?v disables index.html	2023-03-16 20:52:43 +00:00
ed	bba8a3c6bc	fix truncated search results	2023-03-16 20:12:13 +00:00
ed	be7bb71bbc	add option to show index.html instead of listing	2023-03-16 19:41:33 +00:00
ed	b0cc396bca	v1.6.8	2023-03-12 16:10:07 +00:00
ed	2be2e9a0d8	index folder thumbs in db	2023-03-11 11:43:29 +00:00
ed	9270c2df19	evict basic-browser from crawlers	2023-03-09 21:35:07 +00:00
ed	c98fff1647	fix chunkpost-handshake race (affects --no-dedup only); ... a handshake arriving in the middle of the final chunk could cause dupes to become empty -- worst case leading to loss of data	2023-03-05 19:45:50 +00:00
ed	43ff2e531a	add deadline for filling data into a reserved filename	2023-02-26 19:13:35 +00:00
ed	7ea183baef	let http thread handle upload verification plugins	2023-02-26 19:07:49 +00:00
ed	4de028fc3b	let controlpanel rescan button override lack of e2dsa	2023-02-26 18:27:10 +00:00
ed	604e5dfaaf	improve error handling / messages	2023-02-26 18:26:13 +00:00
ed	05e0c2ec9e	add xiu (batching hook; runs on idle after uploads) + ... bunch of tweaks/fixes for hooks	2023-02-26 18:23:32 +00:00
ed	6deaf5c268	add jitter simlation	2023-02-20 21:34:30 +00:00