mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-18 09:22:31 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
2605 commits 4 branches 344 tags 55 MiB
Commit graph

497 commits

Author SHA1 Message Date
ed fc0405c8f3 add prometheus metrics; closes #49 2023-08-20 17:58:06 +00:00
ed 1b7634932d tar/zip-download: add opus transcoding filter 2023-08-19 19:40:46 +00:00
ed 474d5a155b android's got hella strict filename rules 2023-08-15 06:46:57 +02:00
ed 4f80e44ff7 option to exactly specify browser title prefix 2023-08-15 03:17:01 +02:00
ed bee26e853b show server hostname in html titles: 
* --doctitle defines most titles, prefixed with "--name: " by default
* the file browser is only prefixed with the --name itself
* --nth ("no-title-hostname") removes it
* also removed by --nih ("no-info-hostname")
 2023-08-14 23:50:13 +02:00
ed 999ee2e7bc v1.8.8 2023-07-25 15:50:48 +00:00
ed 3966266207 remember ?edit and trailing-slash during login redirect 2023-07-25 15:14:47 +00:00
ed d03e96a392 html5 strips the first leading LF in textareas; stop it 2023-07-25 14:16:54 +00:00
ed 4c843c6df9 fix md-editor lastmod cmp when browsercache is belligerent 2023-07-25 14:06:53 +00:00
ed 8d376b854c this is the wrong way around 2023-07-23 14:10:23 +00:00
ed 490c16b01d be even stricter with ?hc 2023-07-23 13:23:52 +00:00
ed 2437a4e864 the CVE-2023-37474 fix was overly strict; loosen 2023-07-23 11:31:11 +00:00
ed 007d948cb9 fix GHSA-f54q-j679-p9hh: reflected-XSS in cookie-setters; 
it was possible to set cookie values which contained newlines,
thus terminating the http header and bleeding into the body.

We now disallow control-characters in queries,
but still allow them in paths, as copyparty supports
filenames containing newlines and other mojibake.

The changes in `set_k304` are not necessary in fixing the vulnerability,
but makes the behavior more correct.
 2023-07-23 10:55:08 +00:00
ed 9eaa9904e0 v1.8.6 2023-07-21 00:36:37 +00:00
ed 0778da6c4d fix GHSA-cw7j-v52w-fp5r: reflected-XSS through /?hc 2023-07-21 00:35:43 +00:00
ed 1441ccee4f v1.8.4 2023-07-18 07:46:22 +00:00
ed f2f5e266b4 support listing uploader IPs in d2t volumes 2023-07-15 18:50:35 +00:00
ed e17bf8f325 require the new admin permission for the admin-panel 2023-07-15 18:39:41 +00:00
ed 043e3c7dd6 fix traversal vulnerability GHSA-pxfv-7rr3-2qjg: 
the /.cpr endpoint allowed full access to server filesystem,
unless mitigated by prisonparty
 2023-07-14 15:55:49 +00:00
ed 22fc4bb938 add event-hook for banning users 2023-07-13 22:29:32 +00:00
ed 50c7bba6ea volflag "nohtml" to never return html or rendered markdown from potentially unsafe volumes 2023-07-13 21:57:52 +00:00
ed 551d99b71b add permission "a" to show uploader IPs (#45) 2023-07-12 21:36:55 +00:00
ed 5d8cb34885 404/403 can be handled with plugins 2023-07-07 21:33:40 +00:00
ed e197895c10 support hashed passwords; closes #39 2023-06-25 21:50:33 +00:00
ed cb75efa05d md-editor: index file and trigger upload hooks 2023-06-20 18:11:35 +00:00
ed 8b0cf2c982 volflags to limit volume size / num files; closes #40 2023-06-19 00:42:45 +00:00
ed 9c28ba417e option to regex-exclude files in browser listings 2023-06-02 21:54:25 +00:00
ed 025a537413 add option to show thumbs by default; closes #31 2023-06-02 18:41:21 +00:00
ed d979c47f50 optimize clearTimeout + always shrink upload panes after completion + fix GET alignment 2023-05-12 20:46:45 +00:00
ed 04c86e8a89 webdav: support write-only folders + force auth option 2023-05-06 20:33:29 +00:00
ed bc0cb43ef9 include usernames in request logs 2023-05-06 20:17:56 +00:00
ed 4ee81af8f6 support ';' in passwords 2023-05-06 18:54:55 +00:00
ed 544e0549bc make xvol and xdev apply at runtime (closes #24): 
* when accessing files inside an xdev volume, verify that the file
   exists on the same device/filesystem as the volume root

* when accessing files inside an xvol volume, verify that the file
   exists within any volume where the user has read access
 2023-04-29 21:10:02 +00:00
ed 83178d0836 preserve empty folders (closes #23): 
* when deleting files, do not cascade upwards through empty folders
* when moving folders, also move any empty folders inside

the only remaining action which autoremoves empty folders is
files getting deleted as they expire volume lifetimes

also prevents accidentally moving parent folders into subfolders
(even though that actually worked surprisingly well)
 2023-04-29 11:30:43 +00:00
ed cb6de0387d a bit faster 2023-04-26 19:56:27 +00:00
ed 55c74ad164 30% faster folder listings (wtf...) 2023-04-26 18:55:53 +00:00
ed 673b4f7e23 option to show symlink's lastmod instead of deref; 
mainly motivated by u2cli's folder syncing in turbo mode
which would un-turbo on most dupes due to wrong lastmod

disabled by default for regular http listings
(to avoid confusion in most regular usecases),
enable per-request with urlparam lt

enabled by default for single-level webdav listings
(because rclone hits the same issue as u2cli),
can be disabled with arg --dav-rt or volflag davrt

impossible to enable for recursive webdav listings
 2023-04-26 18:54:21 +00:00
ed 03193de6d0 socket read/write timeout 2023-04-24 20:04:22 +00:00
ed fdd6f3b4a6 tar/zip: use volume name as toplevel fallback 2023-04-23 20:55:34 +00:00
ed 42099baeff v1.6.12 2023-04-20 21:41:47 +00:00
ed 6acf436573 u2idx pool instead of per-socket; 
prevents running out of FDs thanks to thousands of sqlite3 sessions
and neatly sidesteps what could possibly be a race in python's
sqlite3 bindings where it sometimes forgets to close the fd
 2023-04-20 20:36:13 +00:00
ed f217e1ce71 correctly ignore multirange requests 2023-04-20 19:14:38 +00:00
ed c8938fc033 fix ipv4 location header on dualstack 2023-04-14 14:06:44 +02:00
ed e2bc573e61 webdav correctness: 
* generally respond without body
   (rclone likes this)
* don't connection:close on most mkcol errors
 2023-03-23 23:25:00 +00:00
ed 5ac2c20959 basic support for rclone sync 2023-03-20 21:17:53 +00:00
ed bb72e6bf30 support propfind of files (not just dirs) 2023-03-20 20:58:51 +00:00
ed d8142e866a accept last-modified from owncloud webdav extension 2023-03-20 20:28:26 +00:00
ed 8a09601be8 url-param ?v disables index.html 2023-03-16 20:52:43 +00:00
ed bba8a3c6bc fix truncated search results 2023-03-16 20:12:13 +00:00
ed be7bb71bbc add option to show index.html instead of listing 2023-03-16 19:41:33 +00:00