update pkgs to 1.19.2

v1.19.2
extend vips heif formats
2025-08-17 09:02:15 -06:00 · 2025-08-17 11:51:56 +00:00 · 2025-08-17 11:21:25 +00:00 · 2025-08-17 11:07:02 +00:00 · 2025-08-17 11:06:38 +00:00 · 2025-08-17 10:42:45 +00:00
91 changed files with 14586 additions and 785 deletions
--- a/.gitignore
+++ b/.gitignore
@ -43,3 +43,6 @@ scripts/docker/*.err
 # nix build output link
 result
 # IDEA config
 .idea/
--- a/README.md
+++ b/README.md
@ -90,7 +90,9 @@ made in Norway 🇳🇴
        * [upload events](#upload-events) - the older, more powerful approach ([examples](./bin/mtag/))
    * [handlers](#handlers) - redefine behavior with plugins ([examples](./bin/handlers/))
    * [ip auth](#ip-auth) - autologin based on IP range (CIDR)
        * [restrict to ip](#restrict-to-ip) - limit a user to certain IP ranges (CIDR)
    * [identity providers](#identity-providers) - replace copyparty passwords with oauth and such
        * [generic header auth](#generic-header-auth) - other ways to auth by header
    * [user-changeable passwords](#user-changeable-passwords) - if permitted, users can change their own passwords
    * [using the cloud as storage](#using-the-cloud-as-storage) - connecting to an aws s3 bucket and similar
    * [hiding from google](#hiding-from-google) - tell search engines you don't wanna be indexed
@ -147,11 +149,14 @@ made in Norway 🇳🇴
 just run **[copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.py)** -- that's it! 🎉
 > ℹ️ the sfx is a [self-extractor](https://github.com/9001/copyparty/issues/270) which unpacks an embedded `tar.gz` into `$TEMP` -- if this looks too scary, you can use the [zipapp](#zipapp) which has slightly worse performance
 * or install through [pypi](https://pypi.org/project/copyparty/): `python3 -m pip install --user -U copyparty`
 * or if you cannot install python, you can use [copyparty.exe](#copypartyexe) instead
 * or install [on arch](#arch-package) ╱ [on NixOS](#nixos-module) ╱ [through nix](#nix-package)
 * or if you are on android, [install copyparty in termux](#install-on-android)
 * or maybe you have a [synology nas / dsm](./docs/synology-dsm.md)
 * or if you have [uv](https://docs.astral.sh/uv/) installed, run `uv tool run copyparty`
 * or if your computer is messed up and nothing else works, [try the pyz](#zipapp)
 * or if your OS is dead, give the [bootable flashdrive / cd-rom](https://a.ocv.me/pub/stuff/edcd001/enterprise-edition/) a spin
 * or if you don't trust copyparty yet and want to isolate it a little, then...
@ -263,6 +268,7 @@ also see [comparison to similar software](./docs/versus.md)
    * ☑ realtime streaming of growing files (logfiles and such)
  * ☑ [thumbnails](#thumbnails)
    * ☑ ...of images using Pillow, pyvips, or FFmpeg
    * ☑ ...of RAW images using rawpy
    * ☑ ...of videos using FFmpeg
    * ☑ ...of audio (spectrograms) using FFmpeg
    * ☑ cache eviction (max-age; maybe max-size eventually)
@ -434,6 +440,7 @@ upgrade notes
 * can I link someone to a password-protected volume/file by including the password in the URL?
  * yes, by adding `?pw=hunter2` to the end; replace `?` with `&` if there are parameters in the URL already, meaning it contains a `?` near the end
    * if you have enabled `--usernames` then do `?pw=username:password` instead
 * how do I stop `.hist` folders from appearing everywhere on my HDD?
  * by default, a `.hist` folder is created inside each volume for the filesystem index, thumbnails, audio transcodes, and markdown document history. Use the `--hist` global-option or the `hist` volflag to move it somewhere else; see [database location](#database-location)
@ -508,16 +515,23 @@ examples:
  * replacing the `g` permission with `wg` would let anonymous users upload files, but not see the required filekey to access it
  * replacing the `g` permission with `wG` would let anonymous users upload files, receiving a working direct link in return
 if you want to grant access to all users who are logged in, the group `acct` will always contain all known users, so for example `-v /mnt/music:music:r,@acct`
 anyone trying to bruteforce a password gets banned according to `--ban-pw`; default is 24h ban for 9 failed attempts in 1 hour
 and if you want to use config files instead of commandline args (good!) then here's the same examples as a configfile; save it as `foobar.conf` and use it like this: `python copyparty-sfx.py -c foobar.conf`
 * you can also `PRTY_CONFIG=foobar.conf python copyparty-sfx.py` (convenient in docker etc)
 ```yaml
 [accounts]
  u1: p1  # create account "u1" with password "p1"
  u2: p2  #  (note that comments must have
  u3: p3  #   two spaces before the # sign)
 [groups]
  g1: u1, u2  # create a group
 [/]     # this URL will be mapped to...
  /srv  # ...this folder on the server filesystem
  accs:
@ -527,6 +541,8 @@ and if you want to use config files instead of commandline args (good!) then her
  /mnt/music   # which is mapped to this folder
  accs:
    r: u1, u2  # only these accounts can read,
    r: @g1     # (exactly the same, just with a group instead)
    r: @acct   # (alternatively, ALL users who are logged in)
    rw: u3     # and only u3 can read-write
 [/inc]
@ -1007,6 +1023,7 @@ a feed example: https://cd.ocv.me/a/d2/d22/?rss&fext=mp3
 url parameters:
 * `pw=hunter2` for password auth
  * if you enabled `--usernames` then do `pw=username:password` instead
 * `recursive` to also include subfolders
 * `title=foo` changes the feed title (default: folder name)
 * `fext=mp3,opus` only include mp3 and opus files (default: all)
@ -1083,6 +1100,9 @@ open the `[🎺]` media-player-settings tab to configure it,
  * `[awo]` is `opus` in a `weba` file, good for iPhones (iOS 17.5 and newer) but Apple is still fixing some state-confusion bugs as of iOS 18.2.1
  * `[caf]` is `opus` in a `caf` file, good for iPhones (iOS 11 through 17), technically unsupported by Apple but works for the most part
  * `[mp3]` -- the myth, the legend, the undying master of mediocre sound quality that definitely works everywhere
  * `[flac]` -- lossless but compressed, for LAN and/or fiber playback on electrostatic headphones
  * `[wav]` -- lossless and uncompressed, for LAN and/or fiber playback on electrostatic headphones connected to very old equipment
    * `flac` and `wav` must be enabled with `--allow-flac` / `--allow-wav` to allow spending the disk space
 * "tint" reduces the contrast of the playback bar
@ -1217,7 +1237,7 @@ using arguments or config files, or a mix of both:
 **NB:** as humongous as this readme is, there is also a lot of undocumented features. Run copyparty with `--help` to see all available global options; all of those can be used in the `[global]` section of config files, and everything listed in `--help-flags` can be used in volumes as volflags.
 * if running in docker/podman, try this: `docker run --rm -it copyparty/ac --help`
-* or see this (probably outdated): https://ocv.me/copyparty/helptext.html
+* or see this: https://ocv.me/copyparty/helptext.html
 * or if you prefer plaintext, https://ocv.me/copyparty/helptext.txt
@ -1289,6 +1309,7 @@ an FTP server can be started using `--ftp 3921`,  and/or `--ftps` for explicit T
  * if you enable both `ftp` and `ftps`, the port-range will be divided in half
  * some older software (filezilla on debian-stable) cannot passive-mode with TLS
 * login with any username + your password, or put your password in the username field
  * unless you enabled `--usernames`
 some recommended FTP / FTPS clients; `wark` = example password:
 * https://winscp.net/eng/download.php
@ -1306,6 +1327,7 @@ click the [connect](http://127.0.0.1:3923/?hc) button in the control-panel to se
 general usage:
 * login with any username + your password, or put your password in the username field (password field can be empty/whatever)
  * unless you enabled `--usernames`
 on macos, connect from finder:
 * [Go] -> [Connect to Server...] -> http://192.168.123.1:3923/
@ -1321,6 +1343,7 @@ using the GUI  (winXP or later):
 * rightclick [my computer] -> [map network drive] -> Folder: `http://192.168.123.1:3923/`
  * on winXP only, click the `Sign up for online storage` hyperlink instead and put the URL there
  * providing your password as the username is recommended; the password field can be anything or empty
    * unless you enabled `--usernames`
 the webdav client that's built into windows has the following list of bugs; you can avoid all of these by connecting with rclone instead:
 * win7+ doesn't actually send the password to the server when reauthenticating after a reboot unless you first try to login with an incorrect password and then switch to the correct password
@ -1378,6 +1401,7 @@ some **BIG WARNINGS** specific to SMB/CIFS, in decreasing importance:
 * the smb backend is not fully integrated with vfs, meaning there could be security issues (path traversal). Please use `--smb-port` (see below) and [prisonparty](./bin/prisonparty.sh) or [bubbleparty](./bin/bubbleparty.sh)
  * account passwords work per-volume as expected, and so does account permissions (read/write/move/delete), but `--smbw` must be given to allow write-access from smb
  * [shadowing](#shadowing) probably works as expected but no guarantees
 * not compatible with pw-hashing or `--usernames`
 and some minor issues,
 * clients only see the first ~400 files in big folders;
@ -1424,6 +1448,8 @@ note that this disables hotlinking because the opengraph spec demands it; to sne
 you can also hotlink files regardless by appending `?raw` to the url
 > WARNING: if you plan to use WebDAV, then `--og-ua` / `og_ua` must be configured
 if you want to entirely replace the copyparty response with your own jinja2 template, give the template filepath to `--og-tpl` or volflag `og_tpl` (all members of `HttpCli` are available through the `this` object)
@ -1872,6 +1898,20 @@ repeat the option to map additional subnets
 **be careful with this one!** if you have a reverseproxy, then you definitely want to make sure you have [real-ip](#real-ip) configured correctly, and it's probably a good idea to nullmap the reverseproxy's IP just in case; so if your reverseproxy is sending requests from `172.24.27.9` then that would be `--ipu=172.24.27.9/32=`
 ### restrict to ip
 limit a user to certain IP ranges (CIDR)  , using the global-option `--ipr`
 for example, if the user `spartacus` should get rejected if they're not connecting from an IP that starts with `192.168.123` or `172.16`, then you can either specify `--ipr=192.168.123.0/24,172.16.0.0/16=spartacus` as a commandline option, or put this in a config file:
 ```yaml
 [global]
  ipr: 192.168.123.0/24,172.16.0.0/16=spartacus
 ```
 repeat the option to map additional users
 ## identity providers
 replace copyparty passwords with oauth and such
@ -1880,6 +1920,8 @@ you can disable the built-in password-based login system, and instead replace it
 * the regular config-defined users will be used as a fallback for requests which don't include a valid (trusted) IdP username header
 * if your IdP-server is slow, consider `--idp-cookie` and let requests with the cookie `cppws` bypass the IdP; experimental sessions-based feature added for a party
 some popular identity providers are [Authelia](https://www.authelia.com/) (config-file based) and [authentik](https://goauthentik.io/) (GUI-based, more complex)
 there is a [docker-compose example](./docs/examples/docker/idp-authelia-traefik) which is hopefully a good starting point (alternatively see [./docs/idp.md](./docs/idp.md) if you're the DIY type)
@ -1889,6 +1931,20 @@ a more complete example of the copyparty configuration options [look like this](
 but if you just want to let users change their own passwords, then you probably want [user-changeable passwords](#user-changeable-passwords) instead
 ### generic header auth
 other ways to auth by header
 if you have a middleware which adds a header with a user identifier, for example tailscale's `Tailscale-User-Login: alice.m@forest.net` then you can automatically auth as `alice` by defining that mapping with `--idp-hm-usr '^Tailscale-User-Login^alice.m@forest.net^alice'` or the following config file:
 ```yaml
 [global]
  idp-hm-usr: ^Tailscale-User-Login^alice.m@forest.net^alice
 ```
 repeat the whole `idp-hm-usr` option to add more mappings
 ## user-changeable passwords
 if permitted, users can change their own passwords  in the control-panel
@ -2042,7 +2098,11 @@ you can either:
 * or do location-based proxying, using `--rp-loc=/stuff` to tell copyparty where it is mounted -- has a slight performance cost and higher chance of bugs
  * if copyparty says `incorrect --rp-loc or webserver config; expected vpath starting with [...]` it's likely because the webserver is stripping away the proxy location from the request URLs -- see the `ProxyPass` in the apache example below
-when running behind a reverse-proxy (this includes services like cloudflare), it is important to configure real-ip correctly, as many features rely on knowing the client's IP. Look out for red and yellow log messages which explain how to do this. But basically, set `--xff-hdr` to the name of the http header to read the IP from (usually `x-forwarded-for`, but cloudflare uses `cf-connecting-ip`), and then `--xff-src` to the IP of the reverse-proxy so copyparty will trust the xff-hdr. Note that `--rp-loc` in particular will not work at all unless you do this
+when running behind a reverse-proxy (this includes services like cloudflare), it is important to configure real-ip correctly, as many features rely on knowing the client's IP. The best/safest approach is to configure your reverse-proxy so it gives copyparty a header which only contains the client's true/real IP-address, and then setting `--xff-hdr theHeaderName --rproxy 1` but alternatively, if you want/need to let copyparty handle this, look out for red and yellow log messages which explain how to do that. Basically, the log will say this:
 > set `--xff-hdr` to the name of the http-header to read the IP from (usually `x-forwarded-for`, but cloudflare uses `cf-connecting-ip`), and then `--xff-src` to the IP of the reverse-proxy so copyparty will trust the xff-hdr. You will also need to configure `--rproxy` to `1` if the header only contains one IP (the correct one) or to a *negative value* if it contains multiple; `-1` being the rightmost and most trusted IP (the nearest proxy, so usually not the correct one), `-2` being the second-closest hop, and so on
 Note that `--rp-loc` in particular will not work at all unless you configure the above correctly
 some reverse proxies (such as [Caddy](https://caddyserver.com/)) can automatically obtain a valid https/tls certificate for you, and some support HTTP/2 and QUIC which *could* be a nice speed boost, depending on a lot of factors
 * **warning:** nginx-QUIC (HTTP/3) is still experimental and can make uploads much slower, so HTTP/1.1 is recommended for now
@ -2261,11 +2321,9 @@ if your distro/OS is not mentioned below, there might be some hints in the [«on
 `pacman -S copyparty` (in [arch linux extra](https://archlinux.org/packages/extra/any/copyparty/))
-it comes with a [systemd service](./contrib/package/arch/copyparty.service) and expects to find one or more [config files](./docs/example.conf) in `/etc/copyparty.d/`
+it comes with a [systemd service](./contrib/systemd/copyparty@.service) as well as a [user service](./contrib/systemd/copyparty-user.service), and expects to find a [config file](./contrib/systemd/copyparty.example.conf) in `/etc/copyparty/copyparty.conf` or `~/.config/copyparty/copyparty.conf`
-after installing it, you may want to `cp /usr/lib/systemd/system/copyparty.service /etc/systemd/system/` and then `vim /etc/systemd/system/copyparty.service` to change what user/group it is running as (you only need to do this once)
+after installing, start either the system service or the user service and navigate to http://127.0.0.1:3923 for further instructions (unless you already edited the config files, in which case you are good to go, probably)
 NOTE: there used to be an aur package; this evaporated when copyparty was adopted by the official archlinux repos. If you're still using the aur package, please move
 ## fedora package
@ -2428,6 +2486,7 @@ quick summary of more eccentric web-browsers trying to view a directory index:
 | **SerenityOS** (7e98457)  | hits a page fault, works with `?b=u`, file upload not-impl |
 | **sony psp** 5.50         | can browse, upload/mkdir/msg (thx dwarf) [screenshot](https://github.com/user-attachments/assets/9d21f020-1110-4652-abeb-6fc09c533d4f) |
 | **nintendo 3ds**          | can browse, upload, view thumbnails (thx bnjmn) |
 | **Nintendo Wii (Opera 9.0 "Internet Channel")**          | can browse, can't upload or download (no local storage), can view images - works best with `?b=u`, default view broken |
 <p align="center"><img src="https://github.com/user-attachments/assets/88deab3d-6cad-4017-8841-2f041472b853" /></p>
@ -2487,6 +2546,8 @@ you can provide passwords using header `PW: hunter2`, cookie `cppwd=hunter2`, ur
 > for basic-authentication, all of the following are accepted: `password` / `whatever:password` / `password:whatever` (the username is ignored)
 * unless you've enabled `--usernames`, then it's `PW: usr:pwd`, cookie `cppwd=usr:pwd`, url-param `?pw=usr:pwd`
 NOTE: curl will not send the original filename if you use `-T` combined with url-params! Also, make sure to always leave a trailing slash in URLs unless you want to override the filename
@ -2598,7 +2659,7 @@ there is a [discord server](https://discord.gg/25J8CdTT6G)  with an `@everyone`
 some notes on hardening
-* set `--rproxy 0` if your copyparty is directly facing the internet (not through a reverse-proxy)
+* set `--rproxy 0` *if and only if* your copyparty is directly facing the internet (not through a reverse-proxy)
  * cors doesn't work right otherwise
 * if you allow anonymous uploads or otherwise don't trust the contents of a volume, you can prevent XSS with volflag `nohtml`
  * this returns html documents as plaintext, and also disables markdown rendering
@ -2698,6 +2759,12 @@ optionally also specify `--ah-cli` to enter an interactive mode where it will ha
 the default configs take about 0.4 sec and 256 MiB RAM to process a new password on a decent laptop
 when generating hashes using `--ah-cli` for docker or systemd services, make sure it is using the same `--ah-salt` by:
 * inspecting the generated salt using `--show-ah-salt` in copyparty service configuration
 * setting the same `--ah-salt` in both environments
 > ⚠️ if you have enabled `--usernames` then provide the password as `username:password` when hashing it, for example `ed:hunter2`
 ## https
@ -2759,9 +2826,10 @@ enable [music tags](#metadata-from-audio-files):
 enable [thumbnails](#thumbnails) of...
 * **images:** `Pillow` and/or `pyvips` and/or `ffmpeg` (requires py2.7 or py3.5+)
 * **videos/audio:** `ffmpeg` and `ffprobe` somewhere in `$PATH`
-* **HEIF pictures:** `pyvips` or `ffmpeg` or `pyheif-pillow-opener` (requires Linux or a C compiler)
+* **HEIF pictures:** `pyvips` or `ffmpeg` or `pillow-heif`
 * **AVIF pictures:** `pyvips` or `ffmpeg` or `pillow-avif-plugin` or pillow v11.3+
 * **JPEG XL pictures:** `pyvips` or `ffmpeg`
 * **RAW images:** `rawpy`, plus one of `pyvips` or `Pillow` (for some formats)
 enable sending [zeromq messages](#zeromq) from event-hooks: `pyzmq`
@ -2792,9 +2860,10 @@ set any of the following environment variables to disable its associated optiona
 | `PRTY_NO_PIL`        | disable all [Pillow](https://pypi.org/project/pillow/)-based thumbnail support; will fallback to libvips or ffmpeg |
 | `PRTY_NO_PILF`       | disable Pillow `ImageFont` text rendering, used for folder thumbnails |
 | `PRTY_NO_PIL_AVIF`   | disable Pillow avif support (internal and/or [plugin](https://pypi.org/project/pillow-avif-plugin/)) |
-| `PRTY_NO_PIL_HEIF`   | disable 3rd-party Pillow plugin for [HEIF support](https://pypi.org/project/pyheif-pillow-opener/) |
+| `PRTY_NO_PIL_HEIF`   | disable 3rd-party Pillow plugin for [HEIF support](https://pypi.org/project/pillow-heif/) |
 | `PRTY_NO_PIL_WEBP`   | disable use of native webp support in Pillow |
 | `PRTY_NO_PSUTIL`     | do not use [psutil](https://pypi.org/project/psutil/) for reaping stuck hooks and plugins on Windows |
 | `PRTY_NO_RAW`        | disable all [rawpy](https://pypi.org/project/rawpy/)-based thumbnail support for RAW images |
 | `PRTY_NO_VIPS`       | disable all [libvips](https://pypi.org/project/pyvips/)-based thumbnail support; will fallback to Pillow or ffmpeg |
 example: `PRTY_NO_PIL=1 python3 copyparty-sfx.py`
@ -2815,6 +2884,8 @@ these are standalone programs and will never be imported / evaluated by copypart
 the self-contained "binary" (recommended!)  [copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.py) will unpack itself and run copyparty, assuming you have python installed of course
 if you only need english, [copyparty-en.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-en.py) is the same thing but smaller
 you can reduce the sfx size by repacking it; see [./docs/devnotes.md#sfx-repack](./docs/devnotes.md#sfx-repack)
@ -2842,7 +2913,7 @@ then again, if you are already into downloading shady binaries from the internet
 ## zipapp
-another emergency alternative, [copyparty.pyz](https://github.com/9001/copyparty/releases/latest/download/copyparty.pyz)  has less features, is slow, requires python 3.7 or newer, worse compression, and more importantly is unable to benefit from more recent versions of jinja2 and such (which makes it less secure)... lots of drawbacks with this one really -- but it does not unpack any temporary files to disk, so it *may* just work if the regular sfx fails to start because the computer is messed up in certain funky ways, so it's worth a shot if all else fails
+another emergency alternative, [copyparty.pyz](https://github.com/9001/copyparty/releases/latest/download/copyparty.pyz)  has less features, is slow, requires python 3.7 or newer, worse compression, and more importantly is unable to benefit from more recent versions of jinja2 and such (which makes it less secure)... lots of drawbacks with this one really -- but, unlike the sfx, it is a completely normal zipfile which does not unpack any temporary files to disk, so it *may* just work if the regular sfx fails to start because the computer is messed up in certain funky ways, so it's worth a shot if all else fails
 run it by doubleclicking it, or try typing `python copyparty.pyz` in your terminal/console/commandline/telex if that fails
--- a/bin/u2c.py
+++ b/bin/u2c.py
@ -52,6 +52,7 @@ if PY2:
    sys.dont_write_bytecode = True
    bytes = str
    files_decoder = lambda s: unicode(s, "utf8")
 else:
    from urllib.parse import quote_from_bytes as quote
    from urllib.parse import unquote_to_bytes as unquote
@ -61,6 +62,7 @@ else:
    from queue import Queue
    unicode = str
    files_decoder = unicode
 WTF8 = "replace" if PY2 else "surrogateescape"
@ -1532,7 +1534,7 @@ source file/folder selection uses rsync syntax, meaning that:
 """)
    ap.add_argument("url", type=unicode, help="server url, including destination folder")
-    ap.add_argument("files", type=unicode, nargs="+", help="files and/or folders to process")
+    ap.add_argument("files", type=files_decoder, nargs="+", help="files and/or folders to process")
    ap.add_argument("-v", action="store_true", help="verbose")
    ap.add_argument("-a", metavar="PASSWD", help="password or $filepath")
    ap.add_argument("-s", action="store_true", help="file-search (disables upload)")
--- a/contrib/nixos/modules/copyparty.nix
+++ b/contrib/nixos/modules/copyparty.nix
@ -22,7 +22,7 @@ let
  mkValueString =
    value:
    if isList value then
-      (concatStringsSep ", " (map mkValueString value))
+      (concatStringsSep "," (map mkValueString value))
    else if isAttrs value then
      "\n" + (mkAttrsString value)
    else
--- a/contrib/package/arch/PKGBUILD
+++ b/contrib/package/arch/PKGBUILD
@ -1,57 +1,48 @@
 # Maintainer: icxes <dev.null@need.moe>
 # Contributor: Morgan Adamiec <morganamilo@archlinux.org>
 # NOTE: You generally shouldn't use this PKGBUILD on Arch, as it is mainly for testing purposes. Install copyparty using pacman instead.
 pkgname=copyparty
-pkgver="1.18.7"
+pkgver="1.19.2"
 pkgrel=1
 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++"
 arch=("any")
 url="https://github.com/9001/${pkgname}"
 license=('MIT')
-depends=("python" "lsof" "python-jinja")
+depends=("bash" "python" "lsof" "python-jinja")
 makedepends=("python-wheel" "python-setuptools" "python-build" "python-installer" "make" "pigz")
 optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tags"
-            "cfssl: generate TLS certificates on startup (pointless when reverse-proxied)"
+            "cfssl: generate TLS certificates on startup"
-            "python-mutagen: music tags (alternative)" 
+            "python-mutagen: music tags (alternative)"
-            "python-pillow: thumbnails for images" 
+            "python-pillow: thumbnails for images"
-            "python-pyvips: thumbnails for images (higher quality, faster, uses more ram)" 
+            "python-pyvips: thumbnails for images (higher quality, faster, uses more ram)"
-            "libkeyfinder-git: detection of musical keys" 
+            "libkeyfinder: detection of musical keys"
-            "qm-vamp-plugins: BPM detection" 
+            "python-pyopenssl: ftps functionality"
-            "python-pyopenssl: ftps functionality" 
+            "python-pyzmq: send zeromq messages from event-hooks"
-            "python-pyzmq: send zeromq messages from event-hooks" 
+            "python-argon2-cffi: hashed passwords in config"
            "python-argon2-cffi: hashed passwords in config" 
            "python-impacket-git: smb support (bad idea)"
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
-backup=("etc/${pkgname}.d/init" )
+backup=("etc/${pkgname}/copyparty.conf" )
-sha256sums=("6738f623905276e8664bd8791f1497d0c61f8816c6608e76c4d9097a12849170")
+sha256sums=("9f0dcd8124f260a0c72676b70d84c82388cfe5b47e7d0556f5190c88208580a2")
 build() {
    cd "${srcdir}/${pkgname}-${pkgver}/copyparty/web"
    make
    cd "${srcdir}/${pkgname}-${pkgver}"
-    
+    python -m build --wheel --no-isolation
    pushd copyparty/web
    make -j$(nproc)
    rm Makefile
    popd
    python3 -m build -wn
 }
 package() {
    cd "${srcdir}/${pkgname}-${pkgver}"
-    python3 -m installer -d "$pkgdir" dist/*.whl
+    python -m installer --destdir="$pkgdir" dist/*.whl
-    install -dm755 "${pkgdir}/etc/${pkgname}.d"
+    install -dm755 "${pkgdir}/etc/${pkgname}"
    install -Dm755 "bin/prisonparty.sh" "${pkgdir}/usr/bin/prisonparty"
-    install -Dm644 "contrib/package/arch/${pkgname}.conf" "${pkgdir}/etc/${pkgname}.d/init"
+    install -Dm644 "contrib/systemd/${pkgname}.conf" "${pkgdir}/etc/${pkgname}/copyparty.conf"
-    install -Dm644 "contrib/package/arch/${pkgname}.service" "${pkgdir}/usr/lib/systemd/system/${pkgname}.service"
+    install -Dm644 "contrib/systemd/${pkgname}@.service" "${pkgdir}/usr/lib/systemd/system/${pkgname}@.service"
-    install -Dm644 "contrib/package/arch/prisonparty.service" "${pkgdir}/usr/lib/systemd/system/prisonparty.service"
+    install -Dm644 "contrib/systemd/${pkgname}-user.service" "${pkgdir}/usr/lib/systemd/user/${pkgname}.service"
-    install -Dm644 "contrib/package/arch/index.md" "${pkgdir}/var/lib/${pkgname}-jail/README.md"
+    install -Dm644 "contrib/systemd/prisonparty@.service" "${pkgdir}/usr/lib/systemd/system/prisonparty@.service"
    install -Dm644 "contrib/systemd/index.md" "${pkgdir}/var/lib/${pkgname}-jail/README.md"
    install -Dm644 "LICENSE" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
    find /etc/${pkgname}.d -iname '*.conf' 2>/dev/null | grep -qE . && return
    echo "┏━━━━━━━━━━━━━━━──-"
    echo "┃ Configure ${pkgname} by adding .conf files into /etc/${pkgname}.d/"
    echo "┃ and maybe copy+edit one of the following to /etc/systemd/system/:"
    echo "┣━♦ /usr/lib/systemd/system/${pkgname}.service   (standard)"
    echo "┣━♦ /usr/lib/systemd/system/prisonparty.service (chroot)"
    echo "┗━━━━━━━━━━━━━━━──-"
 }
--- a/contrib/package/makedeb-mpr/PKGBUILD
+++ b/contrib/package/makedeb-mpr/PKGBUILD
@ -0,0 +1,44 @@
 # Contributor: Beethoven <beethovenisadog@protonmail.com>
 pkgname=copyparty
 pkgver=1.19.2
 pkgrel=1
 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++"
 arch=("any")
 url="https://github.com/9001/${pkgname}"
 license=('MIT')
 depends=("bash" "python3" "lsof" "python3-jinja2")
 makedepends=("python3-wheel" "python3-setuptools" "python3-build" "python3-installer" "make" "pigz")
 optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tags"
            "golang-cfssl: generate TLS certificates on startup"
            "python3-mutagen: music tags (alternative)"
            "python3-pil: thumbnails for images"
            "python3-openssl: ftps functionality"
            "python3-zmq: send zeromq messages from event-hooks"
            "python3-argon2: hashed passwords in config"
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
 backup=("/etc/${pkgname}.d/init" )
 sha256sums=("9f0dcd8124f260a0c72676b70d84c82388cfe5b47e7d0556f5190c88208580a2")
 build() {
    cd "${srcdir}/${pkgname}-${pkgver}/copyparty/web"
    make
    cd "${srcdir}/${pkgname}-${pkgver}"
    python -m build --wheel --no-isolation
 }
 package() {
    cd "${srcdir}/${pkgname}-${pkgver}"
    python -m installer --destdir="$pkgdir" dist/*.whl
    install -dm755 "${pkgdir}/etc/${pkgname}.d"
    install -Dm755 "bin/prisonparty.sh" "${pkgdir}/usr/bin/prisonparty"
    install -Dm644 "contrib/package/makedeb-mpr/${pkgname}.conf" "${pkgdir}/etc/${pkgname}.d/init"
    install -Dm644 "contrib/package/makedeb-mpr/${pkgname}.service" "${pkgdir}/usr/lib/systemd/system/${pkgname}.service"
    install -Dm644 "contrib/package/makedeb-mpr/prisonparty.service" "${pkgdir}/usr/lib/systemd/system/prisonparty.service"
    install -Dm644 "contrib/package/makedeb-mpr/index.md" "${pkgdir}/var/lib/${pkgname}-jail/README.md"
    install -Dm644 "LICENSE" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
--- a/contrib/package/makedeb-mpr/copyparty.conf
+++ b/contrib/package/makedeb-mpr/copyparty.conf
--- a/contrib/package/makedeb-mpr/copyparty.service
+++ b/contrib/package/makedeb-mpr/copyparty.service
--- a/contrib/package/makedeb-mpr/index.md
+++ b/contrib/package/makedeb-mpr/index.md
--- a/contrib/package/makedeb-mpr/prisonparty.service
+++ b/contrib/package/makedeb-mpr/prisonparty.service
--- a/contrib/package/nix/copyparty/default.nix
+++ b/contrib/package/nix/copyparty/default.nix
@ -1,10 +1,10 @@
 {
  lib,
-  stdenv,
+  buildPythonApplication,
  makeWrapper,
  fetchurl,
  util-linux,
  python,
  setuptools,
  jinja2,
  impacket,
  pyopenssl,
@ -15,6 +15,10 @@
  pyzmq,
  ffmpeg,
  mutagen,
  pyftpdlib,
  magic,
  partftpy,
  fusepy, # for partyfuse
  # use argon2id-hashed passwords in config files (sha2 is always available)
  withHashedPasswords ? true,
@ -40,12 +44,21 @@
  # send ZeroMQ messages from event-hooks
  withZeroMQ ? true,
  # enable FTP server
  withFTP ? true,
  # enable FTPS support in the FTP server
  withFTPS ? false,
  # enable TFTP server
  withTFTP ? false,
  # samba/cifs server; dangerous and buggy, enable if you really need it
  withSMB ? false,
  # enables filetype detection for nameless uploads
  withMagic ? false,
  # extra packages to add to the PATH
  extraPackages ? [ ],
@ -58,14 +71,23 @@
 let
  pinData = lib.importJSON ./pin.json;
-  pyEnv = python.withPackages (
+  runtimeDeps = ([ util-linux ] ++ extraPackages ++ lib.optional withMediaProcessing ffmpeg);
-    ps:
+in
-    with ps;
+buildPythonApplication {
  pname = "copyparty";
  inherit (pinData) version;
  src = fetchurl {
    inherit (pinData) url hash;
  };
  dependencies =
    [
      jinja2
      fusepy
    ]
    ++ lib.optional withSMB impacket
    ++ lib.optional withFTP pyftpdlib
    ++ lib.optional withFTPS pyopenssl
    ++ lib.optional withTFTP partftpy
    ++ lib.optional withCertgen cfssl
    ++ lib.optional withThumbnails pillow
    ++ lib.optional withFastThumbnails pyvips
@ -73,25 +95,14 @@ let
    ++ lib.optional withBasicAudioMetadata mutagen
    ++ lib.optional withHashedPasswords argon2-cffi
    ++ lib.optional withZeroMQ pyzmq
-    ++ (extraPythonPackages ps)
+    ++ lib.optional withMagic magic
-  );
+    ++ (extraPythonPackages python.pkgs);
  makeWrapperArgs = [ "--prefix PATH : ${lib.makeBinPath runtimeDeps}" ];
-  runtimeDeps = ([ util-linux ] ++ extraPackages ++ lib.optional withMediaProcessing ffmpeg);
+  pyproject = true;
-in
+  build-system = [
-stdenv.mkDerivation {
+    setuptools
-  pname = "copyparty";
+  ];
  inherit (pinData) version;
  src = fetchurl {
    inherit (pinData) url hash;
  };
  nativeBuildInputs = [ makeWrapper ];
  dontUnpack = true;
  installPhase = ''
    install -Dm755 $src $out/share/copyparty-sfx.py
    makeWrapper ${pyEnv.interpreter} $out/bin/copyparty \
      --prefix PATH : ${lib.makeBinPath runtimeDeps} \
      --add-flag $out/share/copyparty-sfx.py
  '';
  meta = {
    description = "Turn almost any device into a file server";
    longDescription = ''
@ -101,8 +112,7 @@ stdenv.mkDerivation {
    homepage = "https://github.com/9001/copyparty";
    changelog = "https://github.com/9001/copyparty/releases/tag/v${pinData.version}";
    license = lib.licenses.mit;
    inherit (python.meta) platforms;
    mainProgram = "copyparty";
-    sourceProvenance = [ lib.sourceTypes.binaryBytecode ];
+    sourceProvenance = [ lib.sourceTypes.fromSource ];
  };
 }
--- a/contrib/package/nix/copyparty/pin.json
+++ b/contrib/package/nix/copyparty/pin.json
@ -1,5 +1,5 @@
 {
-    "url": "https://github.com/9001/copyparty/releases/download/v1.18.7/copyparty-sfx.py",
+    "url": "https://github.com/9001/copyparty/releases/download/v1.19.2/copyparty-1.19.2.tar.gz",
-    "version": "1.18.7",
+    "version": "1.19.2",
-    "hash": "sha256-GRoiNnYRWNcq5ITywPv7bK4pdgTey6Or1cZqyE2XDf4="
+    "hash": "sha256-nw3NgSTyYKDHJna3DYTII4jP5bR+fQVW9RkMiCCFgKI="
 }
--- a/contrib/package/nix/copyparty/update.py
+++ b/contrib/package/nix/copyparty/update.py
@ -11,14 +11,14 @@ import base64
 import json
 import hashlib
 import sys
-import re
+import tarfile
 from pathlib import Path
 OUTPUT_FILE = Path("pin.json")
-TARGET_ASSET = "copyparty-sfx.py"
+TARGET_ASSET = lambda version: f"copyparty-{version}.tar.gz"
 HASH_TYPE = "sha256"
 LATEST_RELEASE_URL = "https://api.github.com/repos/9001/copyparty/releases/latest"
-DOWNLOAD_URL = lambda version: f"https://github.com/9001/copyparty/releases/download/v{version}/{TARGET_ASSET}"
+DOWNLOAD_URL = lambda version: f"https://github.com/9001/copyparty/releases/download/v{version}/{TARGET_ASSET(version)}"
 def get_formatted_hash(binary):
@ -29,11 +29,13 @@ def get_formatted_hash(binary):
    return f"{HASH_TYPE}-{encoded_hash}"
-def version_from_sfx(binary):
+def version_from_tar_gz(path):
-    result = re.search(b'^VER = "(.*)"$', binary, re.MULTILINE)
+    with tarfile.open(path) as tarball:
-    if result:
+        release_name = tarball.getmembers()[0].name
-        return result.groups(1)[0].decode("ascii")
+        prefix = "copyparty-"
        if release_name.startswith(prefix):
            return release_name.replace(prefix, "")
    raise ValueError("version not found in provided file")
@ -42,7 +44,7 @@ def remote_release_pin():
    response = requests.get(LATEST_RELEASE_URL).json()
    version = response["tag_name"].lstrip("v")
-    asset_info = [a for a in response["assets"] if a["name"] == TARGET_ASSET][0]
+    asset_info = [a for a in response["assets"] if a["name"] == TARGET_ASSET(version)][0]
    download_url = asset_info["browser_download_url"]
    asset = requests.get(download_url)
    formatted_hash = get_formatted_hash(asset.content)
@ -52,10 +54,9 @@ def remote_release_pin():
 def local_release_pin(path):
-    asset = path.read_bytes()
+    version = version_from_tar_gz(path)
    version = version_from_sfx(asset)
    download_url = DOWNLOAD_URL(version)
-    formatted_hash = get_formatted_hash(asset)
+    formatted_hash = get_formatted_hash(path.read_bytes())
    result = {"url": download_url, "version": version, "hash": formatted_hash}
    return result
--- a/contrib/package/nix/partftpy/default.nix
+++ b/contrib/package/nix/partftpy/default.nix
@ -0,0 +1,30 @@
 {
  lib,
  buildPythonPackage,
  fetchurl,
  setuptools,
 }:
 let
  pinData = lib.importJSON ./pin.json;
 in
 buildPythonPackage rec {
  pname = "partftpy";
  inherit (pinData) version;
  pyproject = true;
  src = fetchurl {
    inherit (pinData) url hash;
  };
  build-system = [ setuptools ];
  pythonImportsCheck = [ "partftpy.TftpServer" ];
  meta = {
    description = "Pure Python TFTP library  (copyparty edition)";
    homepage = "https://github.com/9001/partftpy";
    changelog = "https://github.com/9001/partftpy/releases/tag/${version}";
    license = lib.licenses.mit;
  };
 }
--- a/contrib/package/nix/partftpy/pin.json
+++ b/contrib/package/nix/partftpy/pin.json
@ -0,0 +1,5 @@
 {
    "url": "https://github.com/9001/partftpy/releases/download/v0.4.0/partftpy-0.4.0.tar.gz",
    "version": "0.4.0",
    "hash": "sha256-5Q2zyuJ892PGZmb+YXg0ZPW/DK8RDL1uE0j5HPd4We0="
 }
--- a/contrib/package/nix/partftpy/update.py
+++ b/contrib/package/nix/partftpy/update.py
@ -0,0 +1,50 @@
 #!/usr/bin/env python3
 # Update the Nix package pin
 #
 # Usage: ./update.sh
 import base64
 import json
 import hashlib
 import sys
 from pathlib import Path
 OUTPUT_FILE = Path("pin.json")
 TARGET_ASSET = lambda version: f"partftpy-{version}.tar.gz"
 HASH_TYPE = "sha256"
 LATEST_RELEASE_URL = "https://api.github.com/repos/9001/partftpy/releases/latest"
 def get_formatted_hash(binary):
    hasher = hashlib.new("sha256")
    hasher.update(binary)
    asset_hash = hasher.digest()
    encoded_hash = base64.b64encode(asset_hash).decode("ascii")
    return f"{HASH_TYPE}-{encoded_hash}"
 def remote_release_pin():
    import requests
    response = requests.get(LATEST_RELEASE_URL).json()
    version = response["tag_name"].lstrip("v")
    asset_info = [a for a in response["assets"] if a["name"] == TARGET_ASSET(version)][0]
    download_url = asset_info["browser_download_url"]
    asset = requests.get(download_url)
    formatted_hash = get_formatted_hash(asset.content)
    result = {"url": download_url, "version": version, "hash": formatted_hash}
    return result
 def main():
    result = remote_release_pin()
    print(result)
    json_result = json.dumps(result, indent=4)
    OUTPUT_FILE.write_text(json_result)
 if __name__ == "__main__":
    main()
--- a/contrib/package/nix/partyfuse/default.nix
+++ b/contrib/package/nix/partyfuse/default.nix
@ -1,26 +0,0 @@
 {
  stdenvNoCC,
  copyparty,
  python3,
  makeBinaryWrapper,
 }:
 let
  python = python3.withPackages (p: [ p.fusepy ]);
 in
 stdenvNoCC.mkDerivation {
  pname = "partyfuse";
  inherit (copyparty) version meta;
  src = ../../../..;
  nativeBuildInputs = [ makeBinaryWrapper ];
  installPhase = ''
    runHook preInstall
    install -Dm444 bin/partyfuse.py -t $out/share/copyparty
    makeWrapper ${python.interpreter} $out/bin/partyfuse \
      --add-flag $out/share/copyparty/partyfuse.py
    runHook postInstall
  '';
 }
--- a/contrib/package/nix/u2c/default.nix
+++ b/contrib/package/nix/u2c/default.nix
@ -1,24 +0,0 @@
 {
  stdenvNoCC,
  copyparty,
  python312,
  makeBinaryWrapper,
 }:
 stdenvNoCC.mkDerivation {
  pname = "u2c";
  inherit (copyparty) version meta;
  src = ../../../..;
  nativeBuildInputs = [ makeBinaryWrapper ];
  installPhase = ''
    runHook preInstall
    install -Dm444 bin/u2c.py -t $out/share/copyparty
    mkdir $out/bin
    makeWrapper ${python312.interpreter} $out/bin/u2c \
      --add-flag $out/share/copyparty/u2c.py
    runHook postInstall
  '';
 }
--- a/contrib/package/rpm/copyparty.spec
+++ b/contrib/package/rpm/copyparty.spec
@ -0,0 +1,62 @@
 Name:           copyparty
 Version:        $pkgver
 Release:        $pkgrel
 License:        MIT
 Group:          Utilities
 URL:            https://github.com/9001/copyparty
 Source0:        copyparty-$pkgver.tar.gz
 Summary:        File server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++
 BuildArch:      noarch
 BuildRequires:  python3, python3-devel, pyproject-rpm-macros, python-setuptools, python-wheel, make
 Requires:       python3, (python3-jinja2 or python-jinja2), lsof
 Recommends:     ffmpeg, (golang-github-cloudflare-cfssl or cfssl), python-mutagen, python-pillow, python-pyvips
 Recommends:     qm-vamp-plugins, python-argon2-cffi, (python-pyopenssl or pyopenssl), python-impacket
 %description
 Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps
 See release at https://github.com/9001/copyparty/releases
 %global debug_package %{nil}
 %generate_buildrequires
 %pyproject_buildrequires
 %prep
 %setup -q
 %build
 cd "copyparty/web"
 make
 cd -
 %pyproject_wheel
 %install
 mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{_libdir}/systemd/{system,user}
 mkdir -p %{buildroot}/etc/%{name}
 mkdir -p %{buildroot}/var/lib/%{name}-jail
 mkdir -p %{buildroot}%{_datadir}/licenses/%{name}
 %pyproject_install
 %pyproject_save_files copyparty
 install -m 0755 bin/prisonparty.sh                       %{buildroot}%{_bindir}/prisonpary.sh
 install -m 0644 contrib/systemd/%{name}.conf             %{buildroot}/etc/%{name}/%{name}.conf
 install -m 0644 contrib/systemd/%{name}@.service         %{buildroot}%{_libdir}/systemd/system/%{name}@.service
 install -m 0644 contrib/systemd/%{name}-user.service     %{buildroot}%{_libdir}/systemd/user/%{name}.service
 install -m 0644 contrib/systemd/prisonparty@.service     %{buildroot}%{_libdir}/systemd/system/prisonparty@.service
 install -m 0644 contrib/systemd/index.md                 %{buildroot}/var/lib/%{name}-jail/README.md
 install -m 0644 LICENSE                                  %{buildroot}%{_datadir}/licenses/%{name}/LICENSE
 %files -n copyparty -f %{pyproject_files}
 %license LICENSE
 %{_bindir}/copyparty
 %{_bindir}/partyfuse
 %{_bindir}/u2c
 %{_bindir}/prisonpary.sh
 /etc/%{name}/%{name}.conf
 %{_libdir}/systemd/system/%{name}@.service
 %{_libdir}/systemd/user/%{name}.service
 %{_libdir}/systemd/system/prisonparty@.service
 /var/lib/%{name}-jail/README.md
--- a/contrib/systemd/copyparty-user.service
+++ b/contrib/systemd/copyparty-user.service
@ -0,0 +1,26 @@
 # this will start `/usr/bin/copyparty`
 # and read config from `$HOME/.config/copyparty.conf`
 #
 # unless you add -q to disable logging, you may want to remove the
 #   following line to allow buffering (slightly better performance):
 #   Environment=PYTHONUNBUFFERED=x
 [Unit]
 Description=copyparty file server
 [Service]
 Type=notify
 SyslogIdentifier=copyparty
 WorkingDirectory=/var/lib/copyparty-jail
 Environment=PYTHONUNBUFFERED=x
 Environment=PRTY_CONFIG=%h/.config/copyparty/copyparty.conf
 ExecReload=/bin/kill -s USR1 $MAINPID
 # ensure there is a config
 ExecStartPre=/bin/bash -c 'if [[ ! -f %h/.config/copyparty/copyparty.conf ]]; then mkdir -p %h/.config/copyparty; cp /etc/copyparty/copyparty.conf %h/.config/copyparty/copyparty.conf; fi'
 # run copyparty
 ExecStart=/usr/bin/python3 /usr/bin/copyparty
 [Install]
 WantedBy=default.target
--- a/contrib/systemd/copyparty.conf
+++ b/contrib/systemd/copyparty.conf
@ -1,42 +1,13 @@
 # not actually YAML but lets pretend:
 # -*- mode: yaml -*-
 # vim: ft=yaml:
 # put this file in /etc/
 [global]
-  e2dsa  # enable file indexing and filesystem scanning
+  i: 127.0.0.1
  e2ts   # and enable multimedia indexing
  ansi   # and colors in log messages
  # disable logging to stdout/journalctl and log to a file instead;
  # $LOGS_DIRECTORY is usually /var/log/copyparty (comes from systemd)
  # and copyparty replaces %Y-%m%d with Year-MonthDay, so the
  # full path will be something like /var/log/copyparty/2023-1130.txt
  # (note: enable compression by adding .xz at the end)
  q, lo: $LOGS_DIRECTORY/%Y-%m%d.log
  # p: 80,443,3923   # listen on 80/443 as well (requires CAP_NET_BIND_SERVICE)
  # i: 127.0.0.1     # only allow connections from localhost (reverse-proxies)
  # ftp: 3921        # enable ftp server on port 3921
  # p: 3939          # listen on another port
  # df: 16           # stop accepting uploads if less than 16 GB free disk space
  # ver              # show copyparty version in the controlpanel
  # grid             # show thumbnails/grid-view by default
  # theme: 2         # monokai
  # name: datasaver  # change the server-name that's displayed in the browser
  # stats, nos-dup   # enable the prometheus endpoint, but disable the dupes counter (too slow)
  # no-robots, force-js  # make it harder for search engines to read your server
 [accounts]
-  ed: wark  # username: password
+  user: password
-
+[/]
-[/]            # create a volume at "/" (the webroot), which will
+  /var/lib/copyparty-jail
  /mnt         # share the contents of the "/mnt" folder
  accs:
-    rw: *      # everyone gets read-write access, but
+    r: *
-    rwmda: ed  # the user "ed" gets read-write-move-delete-admin
+    rwdma: user
  flags:
    grid
--- a/contrib/systemd/copyparty.example.conf
+++ b/contrib/systemd/copyparty.example.conf
@ -0,0 +1,42 @@
 # not actually YAML but lets pretend:
 # -*- mode: yaml -*-
 # vim: ft=yaml:
 # put this file in /etc/
 [global]
  e2dsa  # enable file indexing and filesystem scanning
  e2ts   # and enable multimedia indexing
  ansi   # and colors in log messages
  # disable logging to stdout/journalctl and log to a file instead;
  # $LOGS_DIRECTORY is usually /var/log/copyparty (comes from systemd)
  # and copyparty replaces %Y-%m%d with Year-MonthDay, so the
  # full path will be something like /var/log/copyparty/2023-1130.txt
  # (note: enable compression by adding .xz at the end)
  q, lo: $LOGS_DIRECTORY/%Y-%m%d.log
  # p: 80,443,3923   # listen on 80/443 as well (requires CAP_NET_BIND_SERVICE)
  # i: 127.0.0.1     # only allow connections from localhost (reverse-proxies)
  # ftp: 3921        # enable ftp server on port 3921
  # p: 3939          # listen on another port
  # df: 16           # stop accepting uploads if less than 16 GB free disk space
  # ver              # show copyparty version in the controlpanel
  # grid             # show thumbnails/grid-view by default
  # theme: 2         # monokai
  # name: datasaver  # change the server-name that's displayed in the browser
  # stats, nos-dup   # enable the prometheus endpoint, but disable the dupes counter (too slow)
  # no-robots, force-js  # make it harder for search engines to read your server
 [accounts]
  ed: wark  # username: password
 [/]            # create a volume at "/" (the webroot), which will
  /mnt         # share the contents of the "/mnt" folder
  accs:
    rw: *      # everyone gets read-write access, but
    rwmda: ed  # the user "ed" gets read-write-move-delete-admin
--- a/contrib/systemd/copyparty@.service
+++ b/contrib/systemd/copyparty@.service
@ -0,0 +1,30 @@
 # this will start `/usr/bin/copyparty`
 # and read config from `/etc/copyparty/copyparty.conf`
 #
 # the %i refers to whatever you put after the copyparty@
 #   so with copyparty@foo.service, %i == foo
 #
 # unless you add -q to disable logging, you may want to remove the
 #   following line to allow buffering (slightly better performance):
 #   Environment=PYTHONUNBUFFERED=x
 [Unit]
 Description=copyparty file server
 [Service]
 Type=notify
 SyslogIdentifier=copyparty
 WorkingDirectory=/var/lib/copyparty-jail
 Environment=PYTHONUNBUFFERED=x
 Environment=PRTY_CONFIG=/etc/copyparty/copyparty.conf
 ExecReload=/bin/kill -s USR1 $MAINPID
 # user to run as + where the TLS certificate is (if any)
 User=%i
 Environment=XDG_CONFIG_HOME=/home/%i/.config
 # run copyparty
 ExecStart=/usr/bin/python3 /usr/bin/copyparty
 [Install]
 WantedBy=multi-user.target
--- a/contrib/systemd/index.md
+++ b/contrib/systemd/index.md
@ -0,0 +1,10 @@
 this is `/var/lib/copyparty-jail`, the fallback webroot when copyparty has not yet been configured
 please edit `/etc/copyparty/copyparty.conf` (if running as a system service)
 or `$HOME/.config/copyparty/copyparty.conf` if running as a user service
 a basic configuration example is available at https://github.com/9001/copyparty/blob/hovudstraum/contrib/systemd/copyparty.example.conf
 a configuration example that explains most flags is available at https://github.com/9001/copyparty/blob/hovudstraum/docs/chungus.conf
 the full list of configuration options can be seen at https://ocv.me/copyparty/helptext.html 
 or by running `copyparty --help`
--- a/contrib/systemd/prisonparty@.service
+++ b/contrib/systemd/prisonparty@.service
@ -0,0 +1,38 @@
 # this will start `/usr/bin/copyparty`
 # in a chroot, preventing accidental access elsewhere,
 # and read copyparty config from `/etc/copyparty/copyparty.conf`
 #
 # expose additional filesystem locations to copyparty
 #   by listing them between the last `%i` and `--`
 #
 # `%i %i` = user/group to run copyparty as; can be IDs (1000 1000)
 #   the %i refers to whatever you put after the prisonparty@
 #   so with prisonparty@foo.service, %i == foo
 #
 # unless you add -q to disable logging, you may want to remove the
 #   following line to allow buffering (slightly better performance):
 #   Environment=PYTHONUNBUFFERED=x
 [Unit]
 Description=copyparty file server
 [Service]
 Type=notify
 SyslogIdentifier=prisonparty
 WorkingDirectory=/var/lib/copyparty-jail
 Environment=PYTHONUNBUFFERED=x
 Environment=PRTY_CONFIG=/etc/copyparty/copyparty.conf
 ExecReload=/bin/kill -s USR1 $MAINPID
 # user to run as + where the TLS certificate is (if any)
 User=%i
 Environment=XDG_CONFIG_HOME=/home/%i/.config
 # run copyparty
 ExecStart=/bin/bash /usr/bin/prisonparty /var/lib/copyparty-jail %i %i \
  /etc/copyparty \
  -- \
  /usr/bin/python3 /usr/bin/copyparty
 [Install]
 WantedBy=multi-user.target
--- a/copyparty/init.py
+++ b/copyparty/init.py
@ -63,10 +63,6 @@ web/browser.js
 web/browser2.html
 web/cf.html
 web/copyparty.gif
 web/dd/2.png
 web/dd/3.png
 web/dd/4.png
 web/dd/5.png
 web/deps/busy.mp3
 web/deps/easymde.css
 web/deps/easymde.js
--- a/copyparty/main.py
+++ b/copyparty/main.py
@ -93,6 +93,10 @@ u = unicode
 printed: list[str] = []
 zsid = uuid.uuid4().urn[4:]
 CFG_DEF = [os.environ.get("PRTY_CONFIG", "")]
 if not CFG_DEF[0]:
    CFG_DEF.pop()
 class RiceFormatter(argparse.HelpFormatter):
    def __init__(self, *args: Any, **kwargs: Any) -> None:
@ -432,6 +436,40 @@ def args_from_cfg(cfg_path: str) -> list[str]:
    return ret
 def expand_cfg(argv) -> list[str]:
    if CFG_DEF:
        supp = args_from_cfg(CFG_DEF[0])
        argv = supp + argv
    n = spins = 0
    while n < len(argv):
        if not n:
            if spins % 1000 == 999:
                t = "still expanding config files... giving up after %d more"
                print(t % (9999 - spins))
            if spins > 9999:
                t = "got stuck expanding config files; do you have a config-file which imports itself? this is where I gave up:\n%r"
                raise Exception(t % (argv[:1000]))
        v1 = argv[n]
        v1v = v1[2:].lstrip("=")
        try:
            v2 = argv[n + 1]
        except:
            v2 = ""
        if v1 == "-c" and v2 and os.path.isfile(v2):
            argv = argv[:n] + args_from_cfg(v2) + argv[n + 2 :]
            spins += 1
            n = 0
        elif v1.startswith("-c") and v1v and os.path.isfile(v1v):
            argv = argv[:n] + args_from_cfg(v1v) + argv[n + 1 :]
            spins += 1
            n = 0
        else:
            n += 1
    return argv
 def sighandler(sig: Optional[int] = None, frame: Optional[FrameType] = None) -> None:
    msg = [""] * 5
    for th in threading.enumerate():
@ -532,7 +570,7 @@ def get_sects():
            dedent(
                """
            \033[33m-i\033[0m takes a comma-separated list of interfaces to listen on;
-            IP-addresses and/or unix-sockets (Unix Domain Sockets)
+            IP-addresses, unix-sockets, and/or open file descriptors
            the default (\033[32m-i ::\033[0m) means all IPv4 and IPv6 addresses
@ -558,7 +596,9 @@ def get_sects():
            \033[32m-i unix:\033[33m/dev/shm/party.sock\033[0m keeps umask-defined permission
            (usually \033[33m0600\033[0m) and the same user/group as copyparty
-            \033[33m-p\033[0m (tcp ports) is ignored for unix sockets
+            \033[32m-i fd:\033[33m3\033[0m uses the socket passed to copyparty on file descriptor 3
            \033[33m-p\033[0m (tcp ports) is ignored for unix-sockets and FDs
            """
            ),
        ],
@ -574,7 +614,7 @@ def get_sects():
            --grp takes groupname:username1,username2,...
            and groupnames can be used instead of usernames in -v
-            by prefixing the groupname with %
+            by prefixing the groupname with @
            list of permissions:
              "r" (read):   list folder contents, download files
@ -603,8 +643,41 @@ def get_sects():
            if no accounts or volumes are configured,
            current folder will be read/write for everyone
            the group @acct will always have every user with an account
            (the name of that group can be changed with --grp-all)
            consider the config file for more flexible account/volume management,
            including dynamic reload at runtime (and being more readable w)
            see \033[32m--help-auth\033[0m for ways to provide the password in requests;
            see \033[32m--help-idp\033[0m for replacing it with SSO and auth-middlewares
            """
            ),
        ],
        [
            "auth",
            "how to login from a client",
            dedent(
                """
            different ways to provide the password so you become authenticated:
            login with the ui:
              go to \033[36mhttp://127.0.0.1:3923/?h\033[0m and login there
            send the password in the '\033[36mPW\033[0m' http-header:
              \033[36mPW: \033[35mhunter2\033[0m
            or if you have \033[33m--accounts\033[0m enabled,
              \033[36mPW: \033[35med:hunter2\033[0m
            send the password in the URL itself:
              \033[36mhttp://127.0.0.1:3923/\033[35m?pw=hunter2\033[0m
            or if you have \033[33m--accounts\033[0m enabled,
              \033[36mhttp://127.0.0.1:3923/\033[35m?pw=ed:hunter2\033[0m
            use basic-authentication:
              \033[36mhttp://\033[35med:hunter2\033[36m@127.0.0.1:3923/\033[0m
            which should be the same as this header:
              \033[36mAuthorization: Basic \033[35mZWQ6aHVudGVyMg==\033[0m
            """
            ),
        ],
@ -756,6 +829,36 @@ def get_sects():
            the upload speed can easily drop to 10% for small files)"""
            ),
        ],
        [
            "idp",
            "replacing the login system with fancy middleware",
            dedent(
                """
            if you already have a centralized service which handles
            user-authentication for other services already, you can
            integrate copyparty with that for automatic login
            if the middleware is providing the username in an http-header
            named '\033[35mtheUsername\033[0m' then do this: \033[36m--idp-h-usr theUsername\033[0m
            if the middleware is providing a list of groups in the header
            named '\033[35mtheGroups\033[0m' then do this: \033[36m--idp-h-grp theGroup\033[0m
            if the list of groups is separated by '\033[35m%\033[0m' then \033[36m--idp-gsep %\033[0m
            if the middleware is providing a header named '\033[35mAccount\033[0m'
            and the value is '\033[35malice@forest.net\033[0m' but the username is
            actually '\033[35mmarisa\033[0m' then do this for each user:
            \033[36m--idp-hm-usr ^Account^alice@forest.net^marisa\033[0m
            (the separator '\033[35m^\033[0m' can be any character)
            make ABSOLUTELY SURE that the header can only be set by your
            middleware and not by clients! and, as an extra precaution,
            send a header named '\033[36mfinalmasterspark\033[0m' (a secret keyword)
            and then \033[36m--idp-h-key finalmasterspark\033[0m to require that
            """
            ),
        ],
        [
            "urlform",
            "how to handle url-form POSTs",
@ -912,6 +1015,9 @@ def get_sects():
            copyparty will also hash and print any passwords that are non-hashed
            (password which do not start with '+') and then terminate afterwards
            if you have enabled --usernames then the password
            must be provided as username:password for hashing
            \033[36m--ah-alg\033[0m specifies the hashing algorithm and a
               list of optional comma-separated arguments:
@ -989,18 +1095,19 @@ def build_flags_desc():
 def add_general(ap, nc, srvname):
-    ap2 = ap.add_argument_group('general options')
+    ap2 = ap.add_argument_group("general options")
-    ap2.add_argument("-c", metavar="PATH", type=u, action="append", help="add config file")
+    ap2.add_argument("-c", metavar="PATH", type=u, default=CFG_DEF, action="append", help="\033[34mREPEATABLE:\033[0m add config file")
    ap2.add_argument("-nc", metavar="NUM", type=int, default=nc, help="max num clients")
    ap2.add_argument("-j", metavar="CORES", type=int, default=1, help="max num cpu cores, 0=all")
-    ap2.add_argument("-a", metavar="ACCT", type=u, action="append", help="add account, \033[33mUSER\033[0m:\033[33mPASS\033[0m; example [\033[32med:wark\033[0m]")
+    ap2.add_argument("-a", metavar="ACCT", type=u, action="append", help="\033[34mREPEATABLE:\033[0m add account, \033[33mUSER\033[0m:\033[33mPASS\033[0m; example [\033[32med:wark\033[0m]")
-    ap2.add_argument("-v", metavar="VOL", type=u, action="append", help="add volume, \033[33mSRC\033[0m:\033[33mDST\033[0m:\033[33mFLAG\033[0m; examples [\033[32m.::r\033[0m], [\033[32m/mnt/nas/music:/music:r:aed\033[0m], see --help-accounts")
+    ap2.add_argument("-v", metavar="VOL", type=u, action="append", help="\033[34mREPEATABLE:\033[0m add volume, \033[33mSRC\033[0m:\033[33mDST\033[0m:\033[33mFLAG\033[0m; examples [\033[32m.::r\033[0m], [\033[32m/mnt/nas/music:/music:r:aed\033[0m], see --help-accounts")
-    ap2.add_argument("--grp", metavar="G:N,N", type=u, action="append", help="add group, \033[33mNAME\033[0m:\033[33mUSER1\033[0m,\033[33mUSER2\033[0m,\033[33m...\033[0m; example [\033[32madmins:ed,foo,bar\033[0m]")
+    ap2.add_argument("--grp", metavar="G:N,N", type=u, action="append", help="\033[34mREPEATABLE:\033[0m add group, \033[33mNAME\033[0m:\033[33mUSER1\033[0m,\033[33mUSER2\033[0m,\033[33m...\033[0m; example [\033[32madmins:ed,foo,bar\033[0m]")
    ap2.add_argument("--usernames", action="store_true", help="require username and password for login; default is just password")
    ap2.add_argument("-ed", action="store_true", help="enable the ?dots url parameter / client option which allows clients to see dotfiles / hidden files (volflag=dots)")
    ap2.add_argument("--urlform", metavar="MODE", type=u, default="print,xm", help="how to handle url-form POSTs; see \033[33m--help-urlform\033[0m")
    ap2.add_argument("--wintitle", metavar="TXT", type=u, default="cpp @ $pub", help="server terminal title, for example [\033[32m$ip-10.1.2.\033[0m] or [\033[32m$ip-]")
    ap2.add_argument("--name", metavar="TXT", type=u, default=srvname, help="server name (displayed topleft in browser and in mDNS)")
-    ap2.add_argument("--mime", metavar="EXT=MIME", type=u, action="append", help="map file \033[33mEXT\033[0mension to \033[33mMIME\033[0mtype, for example [\033[32mjpg=image/jpeg\033[0m]")
+    ap2.add_argument("--mime", metavar="EXT=MIME", type=u, action="append", help="\033[34mREPEATABLE:\033[0m map file \033[33mEXT\033[0mension to \033[33mMIME\033[0mtype, for example [\033[32mjpg=image/jpeg\033[0m]")
    ap2.add_argument("--mimes", action="store_true", help="list default mimetype mapping and exit")
    ap2.add_argument("--rmagic", action="store_true", help="do expensive analysis to improve accuracy of returned mimetypes; will make file-downloads, rss, and webdav slower (volflag=rmagic)")
    ap2.add_argument("--license", action="store_true", help="show licenses and exit")
@ -1008,15 +1115,16 @@ def add_general(ap, nc, srvname):
 def add_qr(ap, tty):
-    ap2 = ap.add_argument_group('qr options')
+    ap2 = ap.add_argument_group("qr options")
-    ap2.add_argument("--qr", action="store_true", help="show http:// QR-code on startup")
+    ap2.add_argument("--qr", action="store_true", help="show QR-code on startup")
-    ap2.add_argument("--qrs", action="store_true", help="show https:// QR-code on startup")
+    ap2.add_argument("--qrs", action="store_true", help="change the QR-code URL to https://")
    ap2.add_argument("--qrl", metavar="PATH", type=u, default="", help="location to include in the url, for example [\033[32mpriv/?pw=hunter2\033[0m]")
    ap2.add_argument("--qri", metavar="PREFIX", type=u, default="", help="select IP which starts with \033[33mPREFIX\033[0m; [\033[32m.\033[0m] to force default IP when mDNS URL would have been used instead")
-    ap2.add_argument("--qr-fg", metavar="COLOR", type=int, default=0 if tty else 16, help="foreground; try [\033[32m0\033[0m] if the qr-code is unreadable")
+    ap2.add_argument("--qr-fg", metavar="COLOR", type=int, default=0 if tty else 16, help="foreground; try [\033[32m0\033[0m] or [\033[32m-1\033[0m] if the qr-code is unreadable")
    ap2.add_argument("--qr-bg", metavar="COLOR", type=int, default=229, help="background (white=255)")
    ap2.add_argument("--qrp", metavar="CELLS", type=int, default=4, help="padding (spec says 4 or more, but 1 is usually fine)")
    ap2.add_argument("--qrz", metavar="N", type=int, default=0, help="[\033[32m1\033[0m]=1x, [\033[32m2\033[0m]=2x, [\033[32m0\033[0m]=auto (try [\033[32m2\033[0m] on broken fonts)")
    ap2.add_argument("--qr-pin", metavar="N", type=int, default=0, help="sticky/pin the qr-code to always stay on-screen; [\033[32m0\033[0m]=disabled, [\033[32m1\033[0m]=with-url, [\033[32m2\033[0m]=just-qr")
 def add_fs(ap):
@ -1030,7 +1138,7 @@ def add_fs(ap):
 def add_share(ap):
    db_path = os.path.join(E.cfg, "shares.db")
-    ap2 = ap.add_argument_group('share-url options')
+    ap2 = ap.add_argument_group("share-url options")
    ap2.add_argument("--shr", metavar="DIR", type=u, default="", help="toplevel virtual folder for shared files/folders, for example [\033[32m/share\033[0m]")
    ap2.add_argument("--shr-db", metavar="FILE", type=u, default=db_path, help="database to store shares in")
    ap2.add_argument("--shr-adm", metavar="U,U", type=u, default="", help="comma-separated list of users allowed to view/delete any share")
@ -1039,13 +1147,14 @@ def add_share(ap):
 def add_upload(ap):
-    ap2 = ap.add_argument_group('upload options')
+    ap2 = ap.add_argument_group("upload options")
    ap2.add_argument("--dotpart", action="store_true", help="dotfile incomplete uploads, hiding them from clients unless \033[33m-ed\033[0m")
    ap2.add_argument("--plain-ip", action="store_true", help="when avoiding filename collisions by appending the uploader's ip to the filename: append the plaintext ip instead of salting and hashing the ip")
    ap2.add_argument("--put-name", metavar="TXT", type=u, default="put-{now.6f}-{cip}.bin", help="filename for nameless uploads (when uploader doesn't provide a name); default is [\033[32mput-UNIXTIME-IP.bin\033[0m] (the \033[32m.6f\033[0m means six decimal places) (volflag=put_name)")
    ap2.add_argument("--put-ck", metavar="ALG", type=u, default="sha512", help="default checksum-hasher for PUT/WebDAV uploads: no / md5 / sha1 / sha256 / sha512 / b2 / blake2 / b2s / blake2s (volflag=put_ck)")
    ap2.add_argument("--bup-ck", metavar="ALG", type=u, default="sha512", help="default checksum-hasher for bup/basic-uploader: no / md5 / sha1 / sha256 / sha512 / b2 / blake2 / b2s / blake2s (volflag=bup_ck)")
    ap2.add_argument("--unpost", metavar="SEC", type=int, default=3600*12, help="grace period where uploads can be deleted by the uploader, even without delete permissions; 0=disabled, default=12h")
    ap2.add_argument("--unp-who", metavar="NUM", type=int, default=1, help="clients can undo recent uploads by using the unpost tab (requires \033[33m-e2d\033[0m). [\033[32m0\033[0m] = never allowed (disable feature), [\033[32m1\033[0m] = allow if client has the same IP as the upload AND is using the same account, [\033[32m2\033[0m] = just check the IP, [\033[32m3\033[0m] = just check account-name (volflag=unp_who)")
    ap2.add_argument("--u2abort", metavar="NUM", type=int, default=1, help="clients can abort incomplete uploads by using the unpost tab (requires \033[33m-e2d\033[0m). [\033[32m0\033[0m] = never allowed (disable feature), [\033[32m1\033[0m] = allow if client has the same IP as the upload AND is using the same account, [\033[32m2\033[0m] = just check the IP, [\033[32m3\033[0m] = just check account-name (volflag=u2abort)")
    ap2.add_argument("--blank-wt", metavar="SEC", type=int, default=300, help="file write grace period (any client can write to a blank file last-modified more recently than \033[33mSEC\033[0m seconds ago)")
    ap2.add_argument("--reg-cap", metavar="N", type=int, default=38400, help="max number of uploads to keep in memory when running without \033[33m-e2d\033[0m; roughly 1 MiB RAM per 600")
@ -1081,14 +1190,14 @@ def add_upload(ap):
 def add_network(ap):
-    ap2 = ap.add_argument_group('network options')
+    ap2 = ap.add_argument_group("network options")
-    ap2.add_argument("-i", metavar="IP", type=u, default="::", help="IPs and/or unix-sockets to listen on (see \033[33m--help-bind\033[0m). Default: all IPv4 and IPv6")
+    ap2.add_argument("-i", metavar="IP", type=u, default="::", help="IPs and/or unix-sockets to listen on (comma-separated list; see \033[33m--help-bind\033[0m). Default: all IPv4 and IPv6")
    ap2.add_argument("-p", metavar="PORT", type=u, default="3923", help="ports to listen on (comma/range); ignored for unix-sockets")
    ap2.add_argument("--ll", action="store_true", help="include link-local IPv4/IPv6 in mDNS replies, even if the NIC has routable IPs (breaks some mDNS clients)")
-    ap2.add_argument("--rproxy", metavar="DEPTH", type=int, default=1, help="which ip to associate clients with; [\033[32m0\033[0m]=tcp, [\033[32m1\033[0m]=origin (first x-fwd, unsafe), [\033[32m2\033[0m]=outermost-proxy, [\033[32m3\033[0m]=second-proxy, [\033[32m-1\033[0m]=closest-proxy")
+    ap2.add_argument("--rproxy", metavar="DEPTH", type=int, default=9999999, help="which ip to associate clients with; [\033[32m0\033[0m]=tcp, [\033[32m1\033[0m]=origin (first x-fwd, unsafe), [\033[32m-1\033[0m]=closest-proxy, [\033[32m-2\033[0m]=second-hop, [\033[32m-3\033[0m]=third-hop")
    ap2.add_argument("--xff-hdr", metavar="NAME", type=u, default="x-forwarded-for", help="if reverse-proxied, which http header to read the client's real ip from")
-    ap2.add_argument("--xff-src", metavar="CIDR", type=u, default="127.0.0.0/8, ::1/128", help="comma-separated list of trusted reverse-proxy CIDRs; only accept the real-ip header (\033[33m--xff-hdr\033[0m) and IdP headers if the incoming connection is from an IP within either of these subnets. Specify [\033[32mlan\033[0m] to allow all LAN / private / non-internet IPs. Can be disabled with [\033[32many\033[0m] if you are behind cloudflare (or similar) and are using \033[32m--xff-hdr=cf-connecting-ip\033[0m (or similar)")
+    ap2.add_argument("--xff-src", metavar="CIDR", type=u, default="127.0.0.0/8, ::1/128", help="list of trusted reverse-proxy CIDRs (comma-separated); only accept the real-ip header (\033[33m--xff-hdr\033[0m) and IdP headers if the incoming connection is from an IP within either of these subnets. Specify [\033[32mlan\033[0m] to allow all LAN / private / non-internet IPs. Can be disabled with [\033[32many\033[0m] if you are behind cloudflare (or similar) and are using \033[32m--xff-hdr=cf-connecting-ip\033[0m (or similar)")
-    ap2.add_argument("--ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m; examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]")
+    ap2.add_argument("--ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m (comma-separated); examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]")
    ap2.add_argument("--rp-loc", metavar="PATH", type=u, default="", help="if reverse-proxying on a location instead of a dedicated domain/subdomain, provide the base location here; example: [\033[32m/foo/bar\033[0m]")
    if ANYWIN:
        ap2.add_argument("--reuseaddr", action="store_true", help="set reuseaddr on listening sockets on windows; allows rapid restart of copyparty at the expense of being able to accidentally start multiple instances")
@ -1106,10 +1215,10 @@ def add_network(ap):
 def add_tls(ap, cert_path):
-    ap2 = ap.add_argument_group('SSL/TLS options')
+    ap2 = ap.add_argument_group("SSL/TLS options")
    ap2.add_argument("--http-only", action="store_true", help="disable ssl/tls -- force plaintext")
    ap2.add_argument("--https-only", action="store_true", help="disable plaintext -- force tls")
-    ap2.add_argument("--cert", metavar="PATH", type=u, default=cert_path, help="path to TLS certificate")
+    ap2.add_argument("--cert", metavar="PATH", type=u, default=cert_path, help="path to file containing a concatenation of TLS key and certificate chain")
    ap2.add_argument("--ssl-ver", metavar="LIST", type=u, default="", help="set allowed ssl/tls versions; [\033[32mhelp\033[0m] shows available versions; default is what your python version considers safe")
    ap2.add_argument("--ciphers", metavar="LIST", type=u, default="", help="set allowed ssl/tls ciphers; [\033[32mhelp\033[0m] shows available ciphers")
    ap2.add_argument("--ssl-dbg", action="store_true", help="dump some tls info")
@ -1118,7 +1227,7 @@ def add_tls(ap, cert_path):
 def add_cert(ap, cert_path):
    cert_dir = os.path.dirname(cert_path)
-    ap2 = ap.add_argument_group('TLS certificate generator options')
+    ap2 = ap.add_argument_group("TLS certificate generator options")
    ap2.add_argument("--no-crt", action="store_true", help="disable automatic certificate creation")
    ap2.add_argument("--crt-ns", metavar="N,N", type=u, default="", help="comma-separated list of FQDNs (domains) to add into the certificate")
    ap2.add_argument("--crt-exact", action="store_true", help="do not add wildcard entries for each \033[33m--crt-ns\033[0m")
@ -1138,27 +1247,33 @@ def add_cert(ap, cert_path):
 def add_auth(ap):
    idp_db = os.path.join(E.cfg, "idp.db")
    ses_db = os.path.join(E.cfg, "sessions.db")
-    ap2 = ap.add_argument_group('IdP / identity provider / user authentication options')
+    ap2 = ap.add_argument_group("IdP / identity provider / user authentication options")
-    ap2.add_argument("--idp-h-usr", metavar="HN", type=u, default="", help="bypass the copyparty authentication checks if the request-header \033[33mHN\033[0m contains a username to associate the request with (for use with authentik/oauth/...)\n\033[1;31mWARNING:\033[0m if you enable this, make sure clients are unable to specify this header themselves; must be washed away and replaced by a reverse-proxy")
+    ap2.add_argument("--idp-h-usr", metavar="HN", type=u, action="append", help="\033[34mREPEATABLE:\033[0m bypass the copyparty authentication checks if the request-header \033[33mHN\033[0m contains a username to associate the request with (for use with authentik/oauth/...)\n\033[1;31mWARNING:\033[0m if you enable this, make sure clients are unable to specify this header themselves; must be washed away and replaced by a reverse-proxy")
    ap2.add_argument("--idp-hm-usr", metavar="TXT", type=u, action="append", help="\033[34mREPEATABLE:\033[0m bypass the copyparty authentication checks if the request-header \033[33mHN\033[0m is provided, and its value exists in a mapping defined by this option; see --help-idp")
    ap2.add_argument("--idp-h-grp", metavar="HN", type=u, default="", help="assume the request-header \033[33mHN\033[0m contains the groupname of the requesting user; can be referenced in config files for group-based access control")
    ap2.add_argument("--idp-h-key", metavar="HN", type=u, default="", help="optional but recommended safeguard; your reverse-proxy will insert a secret header named \033[33mHN\033[0m into all requests, and the other IdP headers will be ignored if this header is not present")
    ap2.add_argument("--idp-gsep", metavar="RE", type=u, default="|:;+,", help="if there are multiple groups in \033[33m--idp-h-grp\033[0m, they are separated by one of the characters in \033[33mRE\033[0m")
    ap2.add_argument("--idp-db", metavar="PATH", type=u, default=idp_db, help="where to store the known IdP users/groups (if you run multiple copyparty instances, make sure they use different DBs)")
    ap2.add_argument("--idp-store", metavar="N", type=int, default=1, help="how to use \033[33m--idp-db\033[0m; [\033[32m0\033[0m] = entirely disable, [\033[32m1\033[0m] = write-only (effectively disabled), [\033[32m2\033[0m] = remember users, [\033[32m3\033[0m] = remember users and groups.\nNOTE: Will remember and restore the IdP-volumes of all users for all eternity if set to 2 or 3, even when user is deleted from your IdP")
    ap2.add_argument("--idp-adm", metavar="U,U", type=u, default="", help="comma-separated list of users allowed to use /?idp (the cache management UI)")
    ap2.add_argument("--idp-cookie", metavar="S", type=int, default=0, help="generate a session-token for IdP users which is written to cookie \033[33mcppws\033[0m (or \033[33mcppwd\033[0m if plaintext), to reduce the load on the IdP server, lifetime \033[33mS\033[0m seconds.\n └─note: The expiration time is a client hint only; the actual lifetime of the session-token is infinite (until next restart with \033[33m--ses-db\033[0m wiped)")
    ap2.add_argument("--no-bauth", action="store_true", help="disable basic-authentication support; do not accept passwords from the 'Authenticate' header at all. NOTE: This breaks support for the android app")
    ap2.add_argument("--bauth-last", action="store_true", help="keeps basic-authentication enabled, but only as a last-resort; if a cookie is also provided then the cookie wins")
    ap2.add_argument("--ses-db", metavar="PATH", type=u, default=ses_db, help="where to store the sessions database (if you run multiple copyparty instances, make sure they use different DBs)")
    ap2.add_argument("--ses-len", metavar="CHARS", type=int, default=20, help="session key length; default is 120 bits ((20//4)*4*6)")
    ap2.add_argument("--no-ses", action="store_true", help="disable sessions; use plaintext passwords in cookies")
-    ap2.add_argument("--ipu", metavar="CIDR=USR", type=u, action="append", help="users with IP matching \033[33mCIDR\033[0m are auto-authenticated as username \033[33mUSR\033[0m; example: [\033[32m172.16.24.0/24=dave]")
+    ap2.add_argument("--grp-all", metavar="NAME", type=u, default="acct", help="the name of the auto-generated group which contains every username which is known")
    ap2.add_argument("--ipu", metavar="CIDR=USR", type=u, action="append", help="\033[34mREPEATABLE:\033[0m users with IP matching \033[33mCIDR\033[0m are auto-authenticated as username \033[33mUSR\033[0m; example: [\033[32m172.16.24.0/24=dave]")
    ap2.add_argument("--ipr", metavar="CIDR=USR", type=u, action="append", help="\033[34mREPEATABLE:\033[0m username \033[33mUSR\033[0m can only connect from an IP matching one or more \033[33mCIDR\033[0m (comma-sep.); example: [\033[32m192.168.123.0/24,172.16.0.0/16=dave]")
    ap2.add_argument("--have-idp-hdrs", type=u, default="", help=argparse.SUPPRESS)
    ap2.add_argument("--have-ipu-or-ipr", type=u, default="", help=argparse.SUPPRESS)
 def add_chpw(ap):
    db_path = os.path.join(E.cfg, "chpw.json")
-    ap2 = ap.add_argument_group('user-changeable passwords options')
+    ap2 = ap.add_argument_group("user-changeable passwords options")
    ap2.add_argument("--chpw", action="store_true", help="allow users to change their own passwords")
-    ap2.add_argument("--chpw-no", metavar="U,U,U", type=u, action="append", help="do not allow password-changes for this comma-separated list of usernames")
+    ap2.add_argument("--chpw-no", metavar="U,U,U", type=u, action="append", help="\033[34mREPEATABLE:\033[0m do not allow password-changes for this comma-separated list of usernames")
    ap2.add_argument("--chpw-db", metavar="PATH", type=u, default=db_path, help="where to store the passwords database (if you run multiple copyparty instances, make sure they use different DBs)")
    ap2.add_argument("--chpw-len", metavar="N", type=int, default=8, help="minimum password length")
    ap2.add_argument("--chpw-v", metavar="LVL", type=int, default=2, help="verbosity of summary on config load [\033[32m0\033[0m] = nothing at all, [\033[32m1\033[0m] = number of users, [\033[32m2\033[0m] = list users with default-pw, [\033[32m3\033[0m] = list all users")
@ -1190,6 +1305,7 @@ def add_zc_mdns(ap):
    ap2.add_argument("--zm-lh", metavar="PATH", type=u, default="", help="link a specific folder for http shares")
    ap2.add_argument("--zm-lf", metavar="PATH", type=u, default="", help="link a specific folder for ftp shares")
    ap2.add_argument("--zm-ls", metavar="PATH", type=u, default="", help="link a specific folder for smb shares")
    ap2.add_argument("--zm-fqdn", metavar="FQDN", type=u, default="--name.local", help="the domain to announce; NOTE: using anything other than .local is nonstandard and could cause problems")
    ap2.add_argument("--zm-mnic", action="store_true", help="merge NICs which share subnets; assume that same subnet means same network")
    ap2.add_argument("--zm-msub", action="store_true", help="merge subnets on each NIC -- always enabled for ipv6 -- reduces network load, but gnome-gvfs clients may stop working, and clients cannot be in subnets that the server is not")
    ap2.add_argument("--zm-noneg", action="store_true", help="disable NSEC replies -- try this if some clients don't see copyparty")
@ -1207,12 +1323,12 @@ def add_zc_ssdp(ap):
 def add_ftp(ap):
-    ap2 = ap.add_argument_group('FTP options (TCP only)')
+    ap2 = ap.add_argument_group("FTP options (TCP only)")
    ap2.add_argument("--ftp", metavar="PORT", type=int, default=0, help="enable FTP server on \033[33mPORT\033[0m, for example \033[32m3921")
    ap2.add_argument("--ftps", metavar="PORT", type=int, default=0, help="enable FTPS server on \033[33mPORT\033[0m, for example \033[32m3990")
    ap2.add_argument("--ftpv", action="store_true", help="verbose")
    ap2.add_argument("--ftp4", action="store_true", help="only listen on IPv4")
-    ap2.add_argument("--ftp-ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m; specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]")
+    ap2.add_argument("--ftp-ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m (comma-separated); specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]")
    ap2.add_argument("--ftp-no-ow", action="store_true", help="if target file exists, reject upload instead of overwrite")
    ap2.add_argument("--ftp-wt", metavar="SEC", type=int, default=7, help="grace period for resuming interrupted uploads (any client can write to any file last-modified more recently than \033[33mSEC\033[0m seconds ago)")
    ap2.add_argument("--ftp-nat", metavar="ADDR", type=u, default="", help="the NAT address to use for passive connections")
@ -1220,7 +1336,7 @@ def add_ftp(ap):
 def add_webdav(ap):
-    ap2 = ap.add_argument_group('WebDAV options')
+    ap2 = ap.add_argument_group("WebDAV options")
    ap2.add_argument("--daw", action="store_true", help="enable full write support, even if client may not be webdav. \033[1;31mWARNING:\033[0m This has side-effects -- PUT-operations will now \033[1;31mOVERWRITE\033[0m existing files, rather than inventing new filenames to avoid loss of data. You might want to instead set this as a volflag where needed. By not setting this flag, uploaded files can get written to a filename which the client does not expect (which might be okay, depending on client)")
    ap2.add_argument("--dav-inf", action="store_true", help="allow depth:infinite requests (recursive file listing); extremely server-heavy but required for spec compliance -- luckily few clients rely on this")
    ap2.add_argument("--dav-mac", action="store_true", help="disable apple-garbage filter -- allow macos to create junk files (._* and .DS_Store, .Spotlight-*, .fseventsd, .Trashes, .AppleDouble, __MACOS)")
@ -1230,7 +1346,7 @@ def add_webdav(ap):
 def add_tftp(ap):
-    ap2 = ap.add_argument_group('TFTP options (UDP only)')
+    ap2 = ap.add_argument_group("TFTP options (UDP only)")
    ap2.add_argument("--tftp", metavar="PORT", type=int, default=0, help="enable TFTP server on \033[33mPORT\033[0m, for example \033[32m69 \033[0mor \033[32m3969")
    ap2.add_argument("--tftp4", action="store_true", help="only listen on IPv4")
    ap2.add_argument("--tftpv", action="store_true", help="verbose")
@ -1238,12 +1354,12 @@ def add_tftp(ap):
    ap2.add_argument("--tftp-no-fast", action="store_true", help="debug: disable optimizations")
    ap2.add_argument("--tftp-lsf", metavar="PTN", type=u, default="\\.?(dir|ls)(\\.txt)?", help="return a directory listing if a file with this name is requested and it does not exist; defaults matches .ls, dir, .dir.txt, ls.txt, ...")
    ap2.add_argument("--tftp-nols", action="store_true", help="if someone tries to download a directory, return an error instead of showing its directory listing")
-    ap2.add_argument("--tftp-ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m; specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]")
+    ap2.add_argument("--tftp-ipa", metavar="CIDR", type=u, default="", help="only accept connections from IP-addresses inside \033[33mCIDR\033[0m (comma-separated); specify [\033[32many\033[0m] to disable inheriting \033[33m--ipa\033[0m. Examples: [\033[32mlan\033[0m] or [\033[32m10.89.0.0/16, 192.168.33.0/24\033[0m]")
    ap2.add_argument("--tftp-pr", metavar="P-P", type=u, default="", help="the range of UDP ports to use for data transfer, for example \033[32m12000-13000")
 def add_smb(ap):
-    ap2 = ap.add_argument_group('SMB/CIFS options')
+    ap2 = ap.add_argument_group("SMB/CIFS options")
    ap2.add_argument("--smb", action="store_true", help="enable smb (read-only) -- this requires running copyparty as root on linux and macos unless \033[33m--smb-port\033[0m is set above 1024 and your OS does port-forwarding from 445 to that.\n\033[1;31mWARNING:\033[0m this protocol is DANGEROUS and buggy! Never expose to the internet!")
    ap2.add_argument("--smbw", action="store_true", help="enable write support (please dont)")
    ap2.add_argument("--smb1", action="store_true", help="disable SMBv2, only enable SMBv1 (CIFS)")
@ -1257,30 +1373,30 @@ def add_smb(ap):
 def add_handlers(ap):
-    ap2 = ap.add_argument_group('handlers (see --help-handlers)')
+    ap2 = ap.add_argument_group("handlers (see --help-handlers)")
-    ap2.add_argument("--on404", metavar="PY", type=u, action="append", help="handle 404s by executing \033[33mPY\033[0m file")
+    ap2.add_argument("--on404", metavar="PY", type=u, action="append", help="\033[34mREPEATABLE:\033[0m handle 404s by executing \033[33mPY\033[0m file")
-    ap2.add_argument("--on403", metavar="PY", type=u, action="append", help="handle 403s by executing \033[33mPY\033[0m file")
+    ap2.add_argument("--on403", metavar="PY", type=u, action="append", help="\033[34mREPEATABLE:\033[0m handle 403s by executing \033[33mPY\033[0m file")
    ap2.add_argument("--hot-handlers", action="store_true", help="recompile handlers on each request -- expensive but convenient when hacking on stuff")
 def add_hooks(ap):
-    ap2 = ap.add_argument_group('event hooks (see --help-hooks)')
+    ap2 = ap.add_argument_group("event hooks (see --help-hooks)")
-    ap2.add_argument("--xbu", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m before a file upload starts")
+    ap2.add_argument("--xbu", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m before a file upload starts")
-    ap2.add_argument("--xau", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m after  a file upload finishes")
+    ap2.add_argument("--xau", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m after  a file upload finishes")
-    ap2.add_argument("--xiu", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m after  all uploads finish and volume is idle")
+    ap2.add_argument("--xiu", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m after  all uploads finish and volume is idle")
-    ap2.add_argument("--xbc", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m before a file copy")
+    ap2.add_argument("--xbc", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m before a file copy")
-    ap2.add_argument("--xac", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m after  a file copy")
+    ap2.add_argument("--xac", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m after  a file copy")
-    ap2.add_argument("--xbr", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m before a file move/rename")
+    ap2.add_argument("--xbr", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m before a file move/rename")
-    ap2.add_argument("--xar", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m after  a file move/rename")
+    ap2.add_argument("--xar", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m after  a file move/rename")
-    ap2.add_argument("--xbd", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m before a file delete")
+    ap2.add_argument("--xbd", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m before a file delete")
-    ap2.add_argument("--xad", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m after  a file delete")
+    ap2.add_argument("--xad", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m after  a file delete")
-    ap2.add_argument("--xm", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m on message")
+    ap2.add_argument("--xm", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m on message")
-    ap2.add_argument("--xban", metavar="CMD", type=u, action="append", help="execute \033[33mCMD\033[0m if someone gets banned (pw/404/403/url)")
+    ap2.add_argument("--xban", metavar="CMD", type=u, action="append", help="\033[34mREPEATABLE:\033[0m execute \033[33mCMD\033[0m if someone gets banned (pw/404/403/url)")
    ap2.add_argument("--hook-v", action="store_true", help="verbose hooks")
 def add_stats(ap):
-    ap2 = ap.add_argument_group('grafana/prometheus metrics endpoint')
+    ap2 = ap.add_argument_group("grafana/prometheus metrics endpoint")
    ap2.add_argument("--stats", action="store_true", help="enable openmetrics at /.cpr/metrics for admin accounts")
    ap2.add_argument("--nos-hdd", action="store_true", help="disable disk-space metrics (used/free space)")
    ap2.add_argument("--nos-vol", action="store_true", help="disable volume size metrics (num files, total bytes, vmaxb/vmaxn)")
@ -1290,21 +1406,23 @@ def add_stats(ap):
 def add_yolo(ap):
-    ap2 = ap.add_argument_group('yolo options')
+    ap2 = ap.add_argument_group("yolo options")
    ap2.add_argument("--allow-csrf", action="store_true", help="disable csrf protections; let other domains/sites impersonate you through cross-site requests")
    ap2.add_argument("--cookie-lax", action="store_true", help="allow cookies from other domains (if you follow a link from another website into your server, you will arrive logged-in); this reduces protection against CSRF")
    ap2.add_argument("--no-fnugg", action="store_true", help="disable the smoketest for caching-related issues in the web-UI")
    ap2.add_argument("--getmod", action="store_true", help="permit ?move=[...] and ?delete as GET")
    ap2.add_argument("--wo-up-readme", action="store_true", help="allow users with write-only access to upload logues and readmes without adding the _wo_ filename prefix (volflag=wo_up_readme)")
 def add_optouts(ap):
-    ap2 = ap.add_argument_group('opt-outs')
+    ap2 = ap.add_argument_group("opt-outs")
    ap2.add_argument("-nw", action="store_true", help="never write anything to disk (debug/benchmark)")
    ap2.add_argument("--keep-qem", action="store_true", help="do not disable quick-edit-mode on windows (it is disabled to avoid accidental text selection in the terminal window, as this would pause execution)")
    ap2.add_argument("--no-dav", action="store_true", help="disable webdav support")
    ap2.add_argument("--no-del", action="store_true", help="disable delete operations")
    ap2.add_argument("--no-mv", action="store_true", help="disable move/rename operations")
    ap2.add_argument("--no-cp", action="store_true", help="disable copy operations")
    ap2.add_argument("--no-fs-abrt", action="store_true", help="disable ability to abort ongoing copy/move")
    ap2.add_argument("-nth", action="store_true", help="no title hostname; don't show \033[33m--name\033[0m in <title>")
    ap2.add_argument("-nih", action="store_true", help="no info hostname -- don't show in UI")
    ap2.add_argument("-nid", action="store_true", help="no info disk-usage -- don't show in UI")
@ -1324,9 +1442,9 @@ def add_optouts(ap):
 def add_safety(ap):
-    ap2 = ap.add_argument_group('safety options')
+    ap2 = ap.add_argument_group("safety options")
    ap2.add_argument("-s", action="count", default=0, help="increase safety: Disable thumbnails / potentially dangerous software (ffmpeg/pillow/vips), hide partial uploads, avoid crawlers.\n └─Alias of\033[32m --dotpart --no-thumb --no-mtag-ff --no-robots --force-js")
-    ap2.add_argument("-ss", action="store_true", help="further increase safety: Prevent js-injection, accidental move/delete, broken symlinks, webdav, 404 on 403, ban on excessive 404s.\n └─Alias of\033[32m -s --unpost=0 --no-del --no-mv --hardlink --vague-403 -nih")
+    ap2.add_argument("-ss", action="store_true", help="further increase safety: Prevent js-injection, accidental move/delete, broken symlinks, webdav requires login, 404 on 403, ban on excessive 404s.\n └─Alias of\033[32m -s --unpost=0 --no-del --no-mv --hardlink --dav-auth --vague-403 -nih")
    ap2.add_argument("-sss", action="store_true", help="further increase safety: Enable logging to disk, scan for dangerous symlinks.\n └─Alias of\033[32m -ss --no-dav --no-logues --no-readme -lo=cpp-%%Y-%%m%%d-%%H%%M%%S.txt.xz --ls=**,*,ln,p,r")
    ap2.add_argument("--ls", metavar="U[,V[,F]]", type=u, default="", help="do a sanity/safety check of all volumes on startup; arguments \033[33mUSER\033[0m,\033[33mVOL\033[0m,\033[33mFLAGS\033[0m (see \033[33m--help-ls\033[0m); example [\033[32m**,*,ln,p,r\033[0m]")
    ap2.add_argument("--xvol", action="store_true", help="never follow symlinks leaving the volume root, unless the link is into another volume where the user has similar access (volflag=xvol)")
@ -1348,6 +1466,8 @@ def add_safety(ap):
    ap2.add_argument("--sus-urls", metavar="R", type=u, default=r"\.php$|(^|/)wp-(admin|content|includes)/", help="URLs which are considered sus / eligible for banning; disable with blank or [\033[32mno\033[0m]")
    ap2.add_argument("--nonsus-urls", metavar="R", type=u, default=r"^(favicon\.ico|robots\.txt)$|^apple-touch-icon|^\.well-known", help="harmless URLs ignored from 404-bans; disable with blank or [\033[32mno\033[0m]")
    ap2.add_argument("--early-ban", action="store_true", help="if a client is banned, reject its connection as soon as possible; not a good idea to enable when proxied behind cloudflare since it could ban your reverse-proxy")
    ap2.add_argument("--cookie-nmax", metavar="N", type=int, default=50, help="reject HTTP-request from client if they send more than N cookies")
    ap2.add_argument("--cookie-cmax", metavar="N", type=int, default=8192, help="reject HTTP-request from client if more than N characters in Cookie header")
    ap2.add_argument("--aclose", metavar="MIN", type=int, default=10, help="if a client maxes out the server connection limit, downgrade it from connection:keep-alive to connection:close for \033[33mMIN\033[0m minutes (and also kill its active connections) -- disable with 0")
    ap2.add_argument("--loris", metavar="B", type=int, default=60, help="if a client maxes out the server connection limit without sending headers, ban it for \033[33mB\033[0m minutes; disable with [\033[32m0\033[0m]")
    ap2.add_argument("--acao", metavar="V[,V]", type=u, default="*", help="Access-Control-Allow-Origin; list of origins (domains/IPs without port) to accept requests from; [\033[32mhttps://1.2.3.4\033[0m]. Default [\033[32m*\033[0m] allows requests from all sites but removes cookies and http-auth; only ?pw=hunter2 survives")
@ -1355,7 +1475,7 @@ def add_safety(ap):
 def add_salt(ap, fk_salt, dk_salt, ah_salt):
-    ap2 = ap.add_argument_group('salting options')
+    ap2 = ap.add_argument_group("salting options")
    ap2.add_argument("--ah-alg", metavar="ALG", type=u, default="none", help="account-pw hashing algorithm; one of these, best to worst: \033[32margon2 scrypt sha2 none\033[0m (each optionally followed by alg-specific comma-sep. config)")
    ap2.add_argument("--ah-salt", metavar="SALT", type=u, default=ah_salt, help="account-pw salt; ignored if \033[33m--ah-alg\033[0m is none (default)")
    ap2.add_argument("--ah-gen", metavar="PW", type=u, default="", help="generate hashed password for \033[33mPW\033[0m, or read passwords from STDIN if \033[33mPW\033[0m is [\033[32m-\033[0m]")
@ -1369,23 +1489,23 @@ def add_salt(ap, fk_salt, dk_salt, ah_salt):
 def add_shutdown(ap):
-    ap2 = ap.add_argument_group('shutdown options')
+    ap2 = ap.add_argument_group("shutdown options")
    ap2.add_argument("--ign-ebind", action="store_true", help="continue running even if it's impossible to listen on some of the requested endpoints")
    ap2.add_argument("--ign-ebind-all", action="store_true", help="continue running even if it's impossible to receive connections at all")
    ap2.add_argument("--exit", metavar="WHEN", type=u, default="", help="shutdown after \033[33mWHEN\033[0m has finished; [\033[32mcfg\033[0m] config parsing, [\033[32midx\033[0m] volscan + multimedia indexing")
 def add_logging(ap):
-    ap2 = ap.add_argument_group('logging options')
+    ap2 = ap.add_argument_group("logging options")
    ap2.add_argument("-q", action="store_true", help="quiet; disable most STDOUT messages")
-    ap2.add_argument("-lo", metavar="PATH", type=u, default="", help="logfile, example: \033[32mcpp-%%Y-%%m%%d-%%H%%M%%S.txt.xz\033[0m (NB: some errors may appear on STDOUT only)")
+    ap2.add_argument("-lo", metavar="PATH", type=u, default="", help="logfile; use .txt for plaintext or .xz for compressed. Example: \033[32mcpp-%%Y-%%m%%d-%%H%%M%%S.txt.xz\033[0m (NB: some errors may appear on STDOUT only)")
    ap2.add_argument("--no-ansi", action="store_true", default=not VT100, help="disable colors; same as environment-variable NO_COLOR")
    ap2.add_argument("--ansi", action="store_true", help="force colors; overrides environment-variable NO_COLOR")
    ap2.add_argument("--no-logflush", action="store_true", help="don't flush the logfile after each write; tiny bit faster")
    ap2.add_argument("--no-voldump", action="store_true", help="do not list volumes and permissions on startup")
    ap2.add_argument("--log-utc", action="store_true", help="do not use local timezone; assume the TZ env-var is UTC (tiny bit faster)")
    ap2.add_argument("--log-tdec", metavar="N", type=int, default=3, help="timestamp resolution / number of timestamp decimals")
-    ap2.add_argument("--log-badpwd", metavar="N", type=int, default=1, help="log failed login attempt passwords: 0=terse, 1=plaintext, 2=hashed")
+    ap2.add_argument("--log-badpwd", metavar="N", type=int, default=2, help="log failed login attempt passwords: 0=terse, 1=plaintext, 2=hashed")
    ap2.add_argument("--log-conn", action="store_true", help="debug: print tcp-server msgs")
    ap2.add_argument("--log-htp", action="store_true", help="debug: print http-server threadpool scaling")
    ap2.add_argument("--ihead", metavar="HEADER", type=u, action='append', help="print request \033[33mHEADER\033[0m; [\033[32m*\033[0m]=all")
@ -1394,7 +1514,7 @@ def add_logging(ap):
 def add_admin(ap):
-    ap2 = ap.add_argument_group('admin panel options')
+    ap2 = ap.add_argument_group("admin panel options")
    ap2.add_argument("--no-reload", action="store_true", help="disable ?reload=cfg (reload users/volumes/volflags from config file)")
    ap2.add_argument("--no-rescan", action="store_true", help="disable ?scan (volume reindexing)")
    ap2.add_argument("--no-stack", action="store_true", help="disable ?stack (list all stacks)")
@ -1408,17 +1528,18 @@ def add_admin(ap):
 def add_thumbnail(ap):
    th_ram = (RAM_AVAIL or RAM_TOTAL or 9) * 0.6
    th_ram = int(max(min(th_ram, 6), 0.3) * 10) / 10
-    ap2 = ap.add_argument_group('thumbnail options')
+    ap2 = ap.add_argument_group("thumbnail options")
    ap2.add_argument("--no-thumb", action="store_true", help="disable all thumbnails (volflag=dthumb)")
    ap2.add_argument("--no-vthumb", action="store_true", help="disable video thumbnails (volflag=dvthumb)")
    ap2.add_argument("--no-athumb", action="store_true", help="disable audio thumbnails (spectrograms) (volflag=dathumb)")
    ap2.add_argument("--th-size", metavar="WxH", default="320x256", help="thumbnail res (volflag=thsize)")
    ap2.add_argument("--th-mt", metavar="CORES", type=int, default=CORES, help="num cpu cores to use for generating thumbnails")
-    ap2.add_argument("--th-convt", metavar="SEC", type=float, default=60.0, help="conversion timeout in seconds (volflag=convt)")
+    ap2.add_argument("--th-convt", metavar="SEC", type=float, default=60.0, help="convert-to-image timeout in seconds (volflag=convt)")
    ap2.add_argument("--ac-convt", metavar="SEC", type=float, default=150.0, help="convert-to-audio timeout in seconds (volflag=aconvt)")
    ap2.add_argument("--th-ram-max", metavar="GB", type=float, default=th_ram, help="max memory usage (GiB) permitted by thumbnailer; not very accurate")
    ap2.add_argument("--th-crop", metavar="TXT", type=u, default="y", help="crop thumbnails to 4:3 or keep dynamic height; client can override in UI unless force. [\033[32my\033[0m]=crop, [\033[32mn\033[0m]=nocrop, [\033[32mfy\033[0m]=force-y, [\033[32mfn\033[0m]=force-n (volflag=crop)")
    ap2.add_argument("--th-x3", metavar="TXT", type=u, default="n", help="show thumbs at 3x resolution; client can override in UI unless force. [\033[32my\033[0m]=yes, [\033[32mn\033[0m]=no, [\033[32mfy\033[0m]=force-yes, [\033[32mfn\033[0m]=force-no (volflag=th3x)")
-    ap2.add_argument("--th-dec", metavar="LIBS", default="vips,pil,ff", help="image decoders, in order of preference")
+    ap2.add_argument("--th-dec", metavar="LIBS", default="vips,pil,raw,ff", help="image decoders, in order of preference")
    ap2.add_argument("--th-no-jpg", action="store_true", help="disable jpg output")
    ap2.add_argument("--th-no-webp", action="store_true", help="disable webp output")
    ap2.add_argument("--th-ff-jpg", action="store_true", help="force jpg output for video thumbs (avoids issues on some FFmpeg builds)")
@ -1427,22 +1548,27 @@ def add_thumbnail(ap):
    ap2.add_argument("--th-clean", metavar="SEC", type=int, default=43200, help="cleanup interval; 0=disabled")
    ap2.add_argument("--th-maxage", metavar="SEC", type=int, default=604800, help="max folder age -- folders which haven't been poked for longer than \033[33m--th-poke\033[0m seconds will get deleted every \033[33m--th-clean\033[0m seconds")
    ap2.add_argument("--th-covers", metavar="N,N", type=u, default="folder.png,folder.jpg,cover.png,cover.jpg", help="folder thumbnails to stat/look for; enabling \033[33m-e2d\033[0m will make these case-insensitive, and try them as dotfiles (.folder.jpg), and also automatically select thumbnails for all folders that contain pics, even if none match this pattern")
    ap2.add_argument("--th-spec-p", metavar="N", type=u, default=1, help="for music, do spectrograms or embedded coverart? [\033[32m0\033[0m]=only-art, [\033[32m1\033[0m]=prefer-art, [\033[32m2\033[0m]=only-spec")
    # https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html
    # https://github.com/libvips/libvips
    # https://stackoverflow.com/a/47612661
    # ffmpeg -hide_banner -demuxers | awk '/^ D  /{print$2}' | while IFS= read -r x; do ffmpeg -hide_banner -h demuxer=$x; done | grep -E '^Demuxer |extensions:'
-    ap2.add_argument("--th-r-pil", metavar="T,T", type=u, default="avif,avifs,blp,bmp,cbz,dcx,dds,dib,emf,eps,fits,flc,fli,fpx,gif,heic,heics,heif,heifs,icns,ico,im,j2p,j2k,jp2,jpeg,jpg,jpx,pbm,pcx,pgm,png,pnm,ppm,psd,qoi,sgi,spi,tga,tif,tiff,webp,wmf,xbm,xpm", help="image formats to decode using pillow")
+    ap2.add_argument("--th-r-pil", metavar="T,T", type=u, default="avif,avifs,blp,bmp,cbz,dcx,dds,dib,emf,eps,epub,fits,flc,fli,fpx,gif,heic,heics,heif,heifs,icns,ico,im,j2p,j2k,jp2,jpeg,jpg,jpx,pbm,pcx,pgm,png,pnm,ppm,psd,qoi,sgi,spi,tga,tif,tiff,webp,wmf,xbm,xpm", help="image formats to decode using pillow")
-    ap2.add_argument("--th-r-vips", metavar="T,T", type=u, default="avif,exr,fit,fits,fts,gif,hdr,heic,jp2,jpeg,jpg,jpx,jxl,nii,pfm,pgm,png,ppm,svg,tif,tiff,webp", help="image formats to decode using pyvips")
+    ap2.add_argument("--th-r-vips", metavar="T,T", type=u, default="avif,exr,fit,fits,fts,gif,hdr,heic,heics,heif,heifs,jp2,jpeg,jpg,jpx,jxl,nii,pfm,pgm,png,ppm,svg,tif,tiff,webp", help="image formats to decode using pyvips")
-    ap2.add_argument("--th-r-ffi", metavar="T,T", type=u, default="apng,avif,avifs,bmp,cbz,dds,dib,fit,fits,fts,gif,hdr,heic,heics,heif,heifs,icns,ico,jp2,jpeg,jpg,jpx,jxl,pbm,pcx,pfm,pgm,png,pnm,ppm,psd,qoi,sgi,tga,tif,tiff,webp,xbm,xpm", help="image formats to decode using ffmpeg")
+    ap2.add_argument("--th-r-raw", metavar="T,T", type=u, default="arw,cr2,cr3,crw,dcr,dng,erf,k25,kdc,mrw,nef,orf,pef,raf,raw,sr2,srf,x3f", help="image formats to decode using rawpy")
    ap2.add_argument("--th-r-ffi", metavar="T,T", type=u, default="apng,avif,avifs,bmp,cbz,dds,dib,epub,fit,fits,fts,gif,hdr,heic,heics,heif,heifs,icns,ico,jp2,jpeg,jpg,jpx,jxl,pbm,pcx,pfm,pgm,png,pnm,ppm,psd,qoi,sgi,tga,tif,tiff,webp,xbm,xpm", help="image formats to decode using ffmpeg")
    ap2.add_argument("--th-r-ffv", metavar="T,T", type=u, default="3gp,asf,av1,avc,avi,flv,h264,h265,hevc,m4v,mjpeg,mjpg,mkv,mov,mp4,mpeg,mpeg2,mpegts,mpg,mpg2,mts,nut,ogm,ogv,rm,ts,vob,webm,wmv", help="video formats to decode using ffmpeg")
    ap2.add_argument("--th-r-ffa", metavar="T,T", type=u, default="aac,ac3,aif,aiff,alac,alaw,amr,apac,ape,au,bonk,dfpwm,dts,flac,gsm,ilbc,it,itgz,itxz,itz,m4a,mdgz,mdxz,mdz,mo3,mod,mp2,mp3,mpc,mptm,mt2,mulaw,oga,ogg,okt,opus,ra,s3m,s3gz,s3xz,s3z,tak,tta,ulaw,wav,wma,wv,xm,xmgz,xmxz,xmz,xpk", help="audio formats to decode using ffmpeg")
    ap2.add_argument("--th-spec-cnv", metavar="T", type=u, default="it,itgz,itxz,itz,mdgz,mdxz,mdz,mo3,mod,s3m,s3gz,s3xz,s3z,xm,xmgz,xmxz,xmz,xpk", help="audio formats which provoke https://trac.ffmpeg.org/ticket/10797 (huge ram usage for s3xmodit spectrograms)")
-    ap2.add_argument("--au-unpk", metavar="E=F.C", type=u, default="mdz=mod.zip, mdgz=mod.gz, mdxz=mod.xz, s3z=s3m.zip, s3gz=s3m.gz, s3xz=s3m.xz, xmz=xm.zip, xmgz=xm.gz, xmxz=xm.xz, itz=it.zip, itgz=it.gz, itxz=it.xz, cbz=jpg.cbz", help="audio/image formats to decompress before passing to ffmpeg")
+    ap2.add_argument("--au-unpk", metavar="E=F.C", type=u, default="mdz=mod.zip, mdgz=mod.gz, mdxz=mod.xz, s3z=s3m.zip, s3gz=s3m.gz, s3xz=s3m.xz, xmz=xm.zip, xmgz=xm.gz, xmxz=xm.xz, itz=it.zip, itgz=it.gz, itxz=it.xz, cbz=jpg.cbz, epub=jpg.epub", help="audio/image formats to decompress before passing to ffmpeg")
 def add_transcoding(ap):
-    ap2 = ap.add_argument_group('transcoding options')
+    ap2 = ap.add_argument_group("transcoding options")
    ap2.add_argument("--q-opus", metavar="KBPS", type=int, default=128, help="target bitrate for transcoding to opus; set 0 to disable")
    ap2.add_argument("--q-mp3", metavar="QUALITY", type=u, default="q2", help="target quality for transcoding to mp3, for example [\033[32m192k\033[0m] (CBR) or [\033[32mq0\033[0m] (CQ/CRF, q0=maxquality, q9=smallest); set 0 to disable")
    ap2.add_argument("--allow-wav", action="store_true", help="allow transcoding to wav (lossless, uncompressed)")
    ap2.add_argument("--allow-flac", action="store_true", help="allow transcoding to flac (lossless, compressed)")
    ap2.add_argument("--no-caf", action="store_true", help="disable transcoding to caf-opus (affects iOS v12~v17), will use mp3 instead")
    ap2.add_argument("--no-owa", action="store_true", help="disable transcoding to webm-opus (iOS v18 and later), will use mp3 instead")
    ap2.add_argument("--no-acode", action="store_true", help="disable audio transcoding")
@ -1451,7 +1577,7 @@ def add_transcoding(ap):
 def add_tail(ap):
-    ap2 = ap.add_argument_group('tailing options (realtime streaming of a growing file)')
+    ap2 = ap.add_argument_group("tailing options (realtime streaming of a growing file)")
    ap2.add_argument("--tail-who", metavar="LVL", type=int, default=2, help="who can tail? [\033[32m0\033[0m]=nobody, [\033[32m1\033[0m]=admins, [\033[32m2\033[0m]=authenticated-with-read-access, [\033[32m3\033[0m]=everyone-with-read-access (volflag=tail_who)")
    ap2.add_argument("--tail-cmax", metavar="N", type=int, default=64, help="do not allow starting a new tail if more than \033[33mN\033[0m active downloads")
    ap2.add_argument("--tail-tmax", metavar="SEC", type=float, default=0, help="terminate connection after \033[33mSEC\033[0m seconds; [\033[32m0\033[0m]=never (volflag=tail_tmax)")
@ -1461,7 +1587,7 @@ def add_tail(ap):
 def add_rss(ap):
-    ap2 = ap.add_argument_group('RSS options')
+    ap2 = ap.add_argument_group("RSS options")
    ap2.add_argument("--rss", action="store_true", help="enable RSS output (experimental) (volflag=rss)")
    ap2.add_argument("--rss-nf", metavar="HITS", type=int, default=250, help="default number of files to return (url-param 'nf')")
    ap2.add_argument("--rss-fext", metavar="E,E", type=u, default="", help="default list of file extensions to include (url-param 'fext'); blank=all")
@ -1470,7 +1596,7 @@ def add_rss(ap):
 def add_db_general(ap, hcores):
    noidx = APPLESAN_TXT if MACOS else ""
-    ap2 = ap.add_argument_group('general db options')
+    ap2 = ap.add_argument_group("general db options")
    ap2.add_argument("-e2d", action="store_true", help="enable up2k database; this enables file search, upload-undo, improves deduplication")
    ap2.add_argument("-e2ds", action="store_true", help="scan writable folders for new files on startup; sets \033[33m-e2d\033[0m")
    ap2.add_argument("-e2dsa", action="store_true", help="scans all folders on startup; sets \033[33m-e2ds\033[0m")
@ -1479,8 +1605,8 @@ def add_db_general(ap, hcores):
    ap2.add_argument("-e2vp", action="store_true", help="on hash mismatch: panic and quit copyparty")
    ap2.add_argument("--hist", metavar="PATH", type=u, default="", help="where to store volume data (db, thumbs); default is a folder named \".hist\" inside each volume (volflag=hist)")
    ap2.add_argument("--dbpath", metavar="PATH", type=u, default="", help="override where the volume databases are to be placed; default is the same as \033[33m--hist\033[0m (volflag=dbpath)")
-    ap2.add_argument("--no-hash", metavar="PTN", type=u, default="", help="regex: disable hashing of matching absolute-filesystem-paths during e2ds folder scans (volflag=nohash)")
+    ap2.add_argument("--no-hash", metavar="PTN", type=u, default="", help="regex: disable hashing of matching absolute-filesystem-paths during e2ds folder scans (must be specified as one big regex, not multiple times) (volflag=nohash)")
-    ap2.add_argument("--no-idx", metavar="PTN", type=u, default=noidx, help="regex: disable indexing of matching absolute-filesystem-paths during e2ds folder scans (volflag=noidx)")
+    ap2.add_argument("--no-idx", metavar="PTN", type=u, default=noidx, help="regex: disable indexing of matching absolute-filesystem-paths during e2ds folder scan (must be specified as one big regex, not multiple times) (volflag=noidx)")
    ap2.add_argument("--no-dirsz", action="store_true", help="do not show total recursive size of folders in listings, show inode size instead; slightly faster (volflag=nodirsz)")
    ap2.add_argument("--re-dirsz", action="store_true", help="if the directory-sizes in the UI are bonkers, use this along with \033[33m-e2dsa\033[0m to rebuild the index from scratch")
    ap2.add_argument("--no-dhash", action="store_true", help="disable rescan acceleration; do full database integrity check -- makes the db ~5%% smaller and bootup/rescans 3~10x slower")
@ -1499,7 +1625,7 @@ def add_db_general(ap, hcores):
 def add_db_metadata(ap):
-    ap2 = ap.add_argument_group('metadata db options')
+    ap2 = ap.add_argument_group("metadata db options")
    ap2.add_argument("-e2t", action="store_true", help="enable metadata indexing; makes it possible to search for artist/title/codec/resolution/...")
    ap2.add_argument("-e2ts", action="store_true", help="scan newly discovered files for metadata on startup; sets \033[33m-e2t\033[0m")
    ap2.add_argument("-e2tsr", action="store_true", help="delete all metadata from DB and do a full rescan; sets \033[33m-e2ts\033[0m")
@ -1509,15 +1635,16 @@ def add_db_metadata(ap):
    ap2.add_argument("--mtag-mt", metavar="CORES", type=int, default=CORES, help="num cpu cores to use for tag scanning")
    ap2.add_argument("--mtag-v", action="store_true", help="verbose tag scanning; print errors from mtp subprocesses and such")
    ap2.add_argument("--mtag-vv", action="store_true", help="debug mtp settings and mutagen/FFprobe parsers")
-    ap2.add_argument("-mtm", metavar="M=t,t,t", type=u, action="append", help="add/replace metadata mapping")
+    ap2.add_argument("-mtm", metavar="M=t,t,t", type=u, action="append", help="\033[34mREPEATABLE:\033[0m add/replace metadata mapping")
    ap2.add_argument("-mte", metavar="M,M,M", type=u, help="tags to index/display (comma-sep.); either an entire replacement list, or add/remove stuff on the default-list with +foo or /bar", default=DEF_MTE)
    ap2.add_argument("-mth", metavar="M,M,M", type=u, help="tags to hide by default (comma-sep.); assign/add/remove same as \033[33m-mte\033[0m", default=DEF_MTH)
-    ap2.add_argument("-mtp", metavar="M=[f,]BIN", type=u, action="append", help="read tag \033[33mM\033[0m using program \033[33mBIN\033[0m to parse the file")
+    ap2.add_argument("-mtp", metavar="M=[f,]BIN", type=u, action="append", help="\033[34mREPEATABLE:\033[0m read tag \033[33mM\033[0m using program \033[33mBIN\033[0m to parse the file")
 def add_txt(ap):
-    ap2 = ap.add_argument_group('textfile options')
+    ap2 = ap.add_argument_group("textfile options")
    ap2.add_argument("--md-hist", metavar="TXT", type=u, default="s", help="where to store old version of markdown files; [\033[32ms\033[0m]=subfolder, [\033[32mv\033[0m]=volume-histpath, [\033[32mn\033[0m]=nope/disabled (volflag=md_hist)")
    ap2.add_argument("--txt-eol", metavar="TYPE", type=u, default="", help="enable EOL conversion when writing documents; supported: CRLF, LF (volflag=txt_eol)")
    ap2.add_argument("-mcr", metavar="SEC", type=int, default=60, help="the textfile editor will check for serverside changes every \033[33mSEC\033[0m seconds")
    ap2.add_argument("-emp", action="store_true", help="enable markdown plugins -- neat but dangerous, big XSS risk")
    ap2.add_argument("--exp", action="store_true", help="enable textfile expansion -- replace {{self.ip}} and such; see \033[33m--help-exp\033[0m (volflag=exp)")
@ -1527,7 +1654,7 @@ def add_txt(ap):
 def add_og(ap):
-    ap2 = ap.add_argument_group('og / open graph / discord-embed options')
+    ap2 = ap.add_argument_group("og / open graph / discord-embed options")
    ap2.add_argument("--og", action="store_true", help="disable hotlinking and return an html document instead; this is required by open-graph, but can also be useful on its own (volflag=og)")
    ap2.add_argument("--og-ua", metavar="RE", type=u, default="", help="only disable hotlinking / engage OG behavior if the useragent matches regex \033[33mRE\033[0m (volflag=og_ua)")
    ap2.add_argument("--og-tpl", metavar="PATH", type=u, default="", help="do not return the regular copyparty html, but instead load the jinja2 template at \033[33mPATH\033[0m (if path contains 'EXT' then EXT will be replaced with the requested file's extension) (volflag=og_tpl)")
@ -1545,12 +1672,14 @@ def add_og(ap):
 def add_ui(ap, retry):
-    ap2 = ap.add_argument_group('ui options')
+    THEMES = 10
    ap2 = ap.add_argument_group("ui options")
    ap2.add_argument("--grid", action="store_true", help="show grid/thumbnails by default (volflag=grid)")
    ap2.add_argument("--gsel", action="store_true", help="select files in grid by ctrl-click (volflag=gsel)")
-    ap2.add_argument("--lang", metavar="LANG", type=u, default="eng", help="language; one of the following: \033[32meng nor chi\033[0m")
+    ap2.add_argument("--localtime", action="store_true", help="default to local timezone instead of UTC")
-    ap2.add_argument("--theme", metavar="NUM", type=int, default=0, help="default theme to use (0..7)")
+    ap2.add_argument("--lang", metavar="LANG", type=u, default="eng", help="language, for example \033[32meng\033[0m / \033[32mnor\033[0m / ...")
-    ap2.add_argument("--themes", metavar="NUM", type=int, default=8, help="number of themes installed")
+    ap2.add_argument("--theme", metavar="NUM", type=int, default=0, help="default theme to use (0..%d)" % (THEMES - 1,))
    ap2.add_argument("--themes", metavar="NUM", type=int, default=THEMES, help="number of themes installed")
    ap2.add_argument("--au-vol", metavar="0-100", type=int, default=50, choices=range(0, 101), help="default audio/video volume percent")
    ap2.add_argument("--sort", metavar="C,C,C", type=u, default="href", help="default sort order, comma-separated column IDs (see header tooltips), prefix with '-' for descending. Examples: \033[32mhref -href ext sz ts tags/Album tags/.tn\033[0m (volflag=sort)")
    ap2.add_argument("--nsort", action="store_true", help="default-enable natural sort of filenames with leading numbers (volflag=nsort)")
@ -1559,8 +1688,8 @@ def add_ui(ap, retry):
    ap2.add_argument("--qdel", metavar="LVL", type=int, default=2, help="number of confirmations to show when deleting files (2/1/0)")
    ap2.add_argument("--unlist", metavar="REGEX", type=u, default="", help="don't show files/folders matching \033[33mREGEX\033[0m in file list. WARNING: Purely cosmetic! Does not affect API calls, just the browser. Example: [\033[32m\\.(js|css)$\033[0m] (volflag=unlist)")
    ap2.add_argument("--favico", metavar="TXT", type=u, default="c 000 none" if retry else "🎉 000 none", help="\033[33mfavicon-text\033[0m [ \033[33mforeground\033[0m [ \033[33mbackground\033[0m ] ], set blank to disable")
-    ap2.add_argument("--ext-th", metavar="E=VP", type=u, action="append", help="use thumbnail-image \033[33mVP\033[0m for file-extension \033[33mE\033[0m, example: [\033[32mexe=/.res/exe.png\033[0m] (volflag=ext_th)")
+    ap2.add_argument("--ext-th", metavar="E=VP", type=u, action="append", help="\033[34mREPEATABLE:\033[0m use thumbnail-image \033[33mVP\033[0m for file-extension \033[33mE\033[0m, example: [\033[32mexe=/.res/exe.png\033[0m] (volflag=ext_th)")
-    ap2.add_argument("--mpmc", metavar="URL", type=u, default="", help="change the mediaplayer-toggle mouse cursor; URL to a folder with {2..5}.png inside (or disable with [\033[32m.\033[0m])")
+    ap2.add_argument("--mpmc", type=u, default="", help=argparse.SUPPRESS)
    ap2.add_argument("--spinner", metavar="TXT", type=u, default="🌲", help="\033[33memoji\033[0m or \033[33memoji,css\033[0m Example: [\033[32m🥖,padding:0\033[0m]")
    ap2.add_argument("--css-browser", metavar="L", type=u, default="", help="URL to additional CSS to include in the filebrowser html")
    ap2.add_argument("--js-browser", metavar="L", type=u, default="", help="URL to additional JS to include in the filebrowser html")
@ -1575,6 +1704,7 @@ def add_ui(ap, retry):
    ap2.add_argument("--ver", action="store_true", help="show version on the control panel (incompatible with \033[33m-nb\033[0m)")
    ap2.add_argument("--k304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable k304 on the controlpanel (workaround for buggy reverse-proxies); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on")
    ap2.add_argument("--no304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable no304 on the controlpanel (workaround for buggy caching in browsers); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on")
    ap2.add_argument("--ctl-re", metavar="SEC", type=int, default=1, help="the controlpanel Refresh-button will autorefresh every SEC; [\033[32m0\033[0m] = just once")
    ap2.add_argument("--md-sbf", metavar="FLAGS", type=u, default="downloads forms popups scripts top-navigation-by-user-activation", help="list of capabilities to allow in the iframe 'sandbox' attribute for README.md docs (volflag=md_sbf); see https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox")
    ap2.add_argument("--lg-sbf", metavar="FLAGS", type=u, default="downloads forms popups scripts top-navigation-by-user-activation", help="list of capabilities to allow in the iframe 'sandbox' attribute for prologue/epilogue docs (volflag=lg_sbf)")
    ap2.add_argument("--md-sba", metavar="TXT", type=u, default="", help="the value of the iframe 'allow' attribute for README.md docs, for example [\033[32mfullscreen\033[0m] (volflag=md_sba)")
@ -1585,7 +1715,7 @@ def add_ui(ap, retry):
 def add_debug(ap):
-    ap2 = ap.add_argument_group('debug options')
+    ap2 = ap.add_argument_group("debug options")
    ap2.add_argument("--vc", action="store_true", help="verbose config file parser (explain config)")
    ap2.add_argument("--cgen", action="store_true", help="generate config file from current config (best-effort; probably buggy)")
    ap2.add_argument("--deps", action="store_true", help="list information about detected optional dependencies")
@ -1750,16 +1880,7 @@ def main(argv: Optional[list[str]] = None) -> None:
    ensure_webdeps()
-    for k, v in zip(argv[1:], argv[2:]):
+    argv = expand_cfg(argv)
        if k == "-c" and os.path.isfile(v):
            supp = args_from_cfg(v)
            argv.extend(supp)
    for k in argv[1:]:
        v = k[2:]
        if k.startswith("-c") and v and os.path.isfile(v):
            supp = args_from_cfg(v)
            argv.extend(supp)
    deprecated: list[tuple[str, str]] = [
        ("--salt", "--warksalt"),
@ -1785,7 +1906,7 @@ def main(argv: Optional[list[str]] = None) -> None:
        argv[idx] = nk + ov
        time.sleep(2)
-    da = len(argv) == 1
+    da = len(argv) == 1 and not CFG_DEF
    try:
        if da:
            argv.extend(["--qr"])
--- a/copyparty/version.py
+++ b/copyparty/version.py
@ -1,8 +1,8 @@
 # coding: utf-8
-VERSION = (1, 18, 8)
+VERSION = (1, 19, 2)
-CODENAME = "logtail"
+CODENAME = "usernames"
-BUILD_DT = (2025, 7, 31)
+BUILD_DT = (2025, 8, 17)
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@ -881,6 +881,15 @@ class VFS(object):
                return None
        if "xvol" in self.flags:
            self_ap = self.realpath + os.sep
            if aps.startswith(self_ap):
                vp = aps[len(self_ap) :]
                if ANYWIN:
                    vp = vp.replace(os.sep, "/")
                vn2, _ = self._find(vp)
                if self == vn2:
                    return self
            all_aps = self.shr_all_aps or self.root.all_aps
            for vap, vns in all_aps:
@ -1099,6 +1108,9 @@ class AuthSrv(object):
            if rejected:
                continue
            if gn == self.args.grp_all:
                gn = ""
            # if ap/vp has a user/group placeholder, make sure to keep
            # track so the same user/group is mapped when setting perms;
            # otherwise clear un/gn to indicate it's a regular volume
@ -1208,6 +1220,7 @@ class AuthSrv(object):
        self.load_idp_db(bool(self.idp_accs))
        ret = {un: gns[:] for un, gns in self.idp_accs.items()}
        ret.update({zs: [""] for zs in acct if zs not in ret})
        grps[self.args.grp_all] = list(ret.keys())
        for gn, uns in grps.items():
            for un in uns:
                try:
@ -1685,6 +1698,9 @@ class AuthSrv(object):
                    self.log("\n{0}\n{1}{0}".format(t, "\n".join(slns)))
                    raise
        self.args.have_idp_hdrs = bool(self.args.idp_h_usr or self.args.idp_hm_usr)
        self.args.have_ipu_or_ipr = bool(self.args.ipu or self.args.ipr)
        self.setup_pwhash(acct)
        defpw = acct.copy()
        self.setup_chpw(acct)
@ -1697,9 +1713,10 @@ class AuthSrv(object):
            mount = cased
-        if not mount and not self.args.idp_h_usr:
+        if not mount and not self.args.have_idp_hdrs:
            # -h says our defaults are CWD at root and read/write for everyone
            axs = AXS(["*"], ["*"], None, None)
            ehint = ""
            if self.is_lxc:
                t = "Read-access has been disabled due to failsafe: Docker detected, but %s. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to all of /w/ by adding the following arguments to the docker container:  -v .::rw"
                if len(cfg_files_loaded) == 1:
@ -1709,11 +1726,23 @@ class AuthSrv(object):
                else:
                    self.log(t % ("the config does not define any volumes",), 1)
                axs = AXS()
                ehint = "; please try moving them up one level, into the parent folder:"
            elif self.args.c:
                t = "Read-access has been disabled due to failsafe: No volumes were defined by the config-file. This failsafe is to prevent unintended access if this is due to accidental loss of config. You can override this safeguard and allow read/write to the working-directory by adding the following arguments:  -v .::rw"
                self.log(t, 1)
                axs = AXS()
-            vfs = VFS(self.log_func, absreal("."), "", "", axs, self.vf0())
+                ehint = ":"
            if ehint:
                try:
                    files = os.listdir(E.cfg)
                except:
                    files = []
                hits = [x for x in files if x.lower().endswith(".conf")]
                if hits:
                    t = "Hint: Found some config files in [%s], but these were not automatically loaded because they are in the wrong place%s %s\n"
                    self.log(t % (E.cfg, ehint, ", ".join(hits)), 3)
            zvf = {"tcolor": self.args.tcolor}
            vfs = VFS(self.log_func, absreal("."), "", "", axs, zvf)
            if not axs.uread:
                self.badcfg1 = True
        elif "" not in mount:
@ -1857,7 +1886,7 @@ class AuthSrv(object):
        if missing_users:
            zs = ", ".join(k for k in sorted(missing_users))
-            if self.args.idp_h_usr:
+            if self.args.have_idp_hdrs:
                t = "the following users are unknown, and assumed to come from IdP: "
                self.log(t + zs, c=6)
            else:
@ -1868,6 +1897,16 @@ class AuthSrv(object):
        if LEELOO_DALLAS in all_users:
            raise Exception("sorry, reserved username: " + LEELOO_DALLAS)
        zsl = []
        for usr in list(acct)[:]:
            zs = acct[usr].strip()
            if not zs:
                zs = ub64enc(os.urandom(48)).decode("ascii")
                zsl.append(usr)
            acct[usr] = zs
        if zsl:
            self.log("generated random passwords for users %r" % (zsl,), 6)
        seenpwds = {}
        for usr, pwd in acct.items():
            if pwd in seenpwds:
@ -2188,12 +2227,12 @@ class AuthSrv(object):
                if vf not in vol.flags:
                    vol.flags[vf] = getattr(self.args, ga)
-            zs = "forget_ip gid nrand tail_who u2abort u2ow uid ups_who zip_who"
+            zs = "forget_ip gid nrand tail_who th_spec_p u2abort u2ow uid unp_who ups_who zip_who"
            for k in zs.split():
                if k in vol.flags:
                    vol.flags[k] = int(vol.flags[k])
-            zs = "convt tail_fd tail_rate tail_tmax"
+            zs = "aconvt convt tail_fd tail_rate tail_tmax"
            for k in zs.split():
                if k in vol.flags:
                    vol.flags[k] = float(vol.flags[k])
@ -2524,7 +2563,7 @@ class AuthSrv(object):
            if not self.args.no_voldump:
                self.log(t)
-            if have_e2d or self.args.idp_h_usr:
+            if have_e2d or self.args.have_idp_hdrs:
                t = self.chk_sqlite_threadsafe()
                if t:
                    self.log("\n\033[{}\033[0m\n".format(t))
@ -2629,6 +2668,8 @@ class AuthSrv(object):
        self.re_pwd = None
        pwds = [re.escape(x) for x in self.iacct.keys()]
        pwds.extend(list(self.sesa))
        if self.args.usernames:
            pwds.extend([x.split(":", 1)[1] for x in pwds if ":" in x])
        if pwds:
            if self.ah.on:
                zs = r"(\[H\] pw:.*|[?&]pw=)([^&]+)"
@ -2751,6 +2792,8 @@ class AuthSrv(object):
                "s_name": self.args.bname,
                "have_up2k_idx": "e2d" in vf,
                "have_acode": not self.args.no_acode,
                "have_c2flac": self.args.allow_flac,
                "have_c2wav": self.args.allow_wav,
                "have_shr": self.args.shr,
                "have_zip": not self.args.no_zip,
                "have_mv": not self.args.no_mv,
@ -2775,6 +2818,7 @@ class AuthSrv(object):
                "dth3x": vf["th3x"],
                "dvol": self.args.au_vol,
                "idxh": int(self.args.ih),
                "dutc": not self.args.localtime,
                "themes": self.args.themes,
                "turbolvl": self.args.turbo,
                "nosubtle": self.args.nosubtle,
@ -2809,7 +2853,7 @@ class AuthSrv(object):
    def load_idp_db(self, quiet=False) -> None:
        # mutex me
        level = self.args.idp_store
-        if level < 2 or not self.args.idp_h_usr:
+        if level < 2 or not self.args.have_idp_hdrs:
            return
        assert sqlite3  # type: ignore  # !rm
@ -2865,7 +2909,10 @@ class AuthSrv(object):
        n = []
        q = "insert into us values (?,?,?)"
-        for uname in self.acct:
+        accs = list(self.acct)
        if self.args.have_idp_hdrs and self.args.idp_cookie:
            accs.extend(self.idp_accs.keys())
        for uname in accs:
            if uname not in ases:
                sid = ub64enc(os.urandom(blen)).decode("ascii")
                cur.execute(q, (uname, sid, int(time.time())))
@ -2923,6 +2970,9 @@ class AuthSrv(object):
            t = "minimum password length: %d characters"
            return False, t % (self.args.chpw_len,)
        if self.args.usernames:
            pw = "%s:%s" % (uname, pw)
        hpw = self.ah.hash(pw) if self.ah.on else pw
        if hpw == self.acct[uname]:
@ -3014,6 +3064,12 @@ class AuthSrv(object):
        self.log("chpw: " + msg, 6)
    def setup_pwhash(self, acct: dict[str, str]) -> None:
        if self.args.usernames:
            for uname, pw in list(acct.items())[:]:
                if pw.startswith("+") and len(pw) == 33:
                    continue
                acct[uname] = "%s:%s" % (uname, pw)
        self.ah = PWHash(self.args)
        if not self.ah.on:
            if self.args.ah_cli or self.args.ah_gen:
@ -3457,7 +3513,7 @@ def expand_config_file(
    ipath += " -> " + fp
    ret.append("#\033[36m opening cfg file{}\033[0m".format(ipath))
-    cfg_lines = read_utf8(log, fp, True).split("\n")
+    cfg_lines = read_utf8(log, fp, True).replace("\t", " ").split("\n")
    if True:  # diff-golf
        for oln in [x.rstrip() for x in cfg_lines]:
            ln = oln.split("  #")[0].strip()
--- a/copyparty/cfg.py
+++ b/copyparty/cfg.py
@ -68,6 +68,7 @@ def vf_bmap() -> dict[str, str]:
 def vf_vmap() -> dict[str, str]:
    """argv-to-volflag: simple values"""
    ret = {
        "ac_convt": "aconvt",
        "no_hash": "nohash",
        "no_idx": "noidx",
        "re_maxage": "scan",
@ -111,11 +112,14 @@ def vf_vmap() -> dict[str, str]:
        "tail_tmax",
        "tail_who",
        "tcolor",
        "th_spec_p",
        "txt_eol",
        "unlist",
        "u2abort",
        "u2ts",
        "uid",
        "gid",
        "unp_who",
        "ups_who",
        "zip_who",
        "zipmaxn",
@ -259,7 +263,9 @@ flagcats = {
        "thsize": "thumbnail res; WxH",
        "crop": "center-cropping (y/n/fy/fn)",
        "th3x": "3x resolution (y/n/fy/fn)",
-        "convt": "conversion timeout in seconds",
+        "convt": "convert-to-image timeout in seconds",
        "aconvt": "convert-to-audio timeout in seconds",
        "th_spec_p=1": "make spectrograms? 0=never 1=fallback 2=always",
        "ext_th=s=/b.png": "use /b.png as thumbnail for file-extension s",
    },
    "handlers\n(better explained in --help-handlers)": {
@ -322,6 +328,7 @@ flagcats = {
        "exp": "enable textfile expansion; see --help-exp",
        "exp_md": "placeholders to expand in markdown files; see --help",
        "exp_lg": "placeholders to expand in prologue/epilogue; see --help",
        "txt_eol=lf": "enable EOL conversion when writing docs (LF or CRLF)",
    },
    "tailing": {
        "notail": "disable ?tail (download a growing file continuously)",
@ -339,6 +346,7 @@ flagcats = {
        "dky": 'allow seeing files (not folders) inside a specific folder\nwith "g" perm, and does not require a valid dirkey to do so',
        "rss": "allow '?rss' URL suffix (experimental)",
        "rmagic": "expensive analysis for mimetype accuracy",
        "unp_who=2": "unpost only if same... 1=ip+name, 2=ip, 3=name",
        "ups_who=2": "restrict viewing the list of recent uploads",
        "zip_who=2": "restrict access to download-as-zip/tar",
        "zipmaxn=9k": "reject download-as-zip if more than 9000 files",
--- a/copyparty/dxml.py
+++ b/copyparty/dxml.py
@ -65,6 +65,9 @@ DXMLParser = _DXMLParser
 def parse_xml(txt: str) -> ET.Element:
    """
    Parse XML into an xml.etree.ElementTree.Element while defusing some unsafe parts.
    """
    parser = DXMLParser()
    parser.feed(txt)
    return parser.close()  # type: ignore
--- a/copyparty/ftpd.py
+++ b/copyparty/ftpd.py
@ -83,7 +83,12 @@ class FtpAuth(DummyAuthorizer):
        uname = "*"
        if username != "anonymous":
            uname = ""
-            for zs in (password, username):
+            if args.usernames:
                alts = ["%s:%s" % (username, password)]
            else:
                alts = password, username
            for zs in alts:
                zs = asrv.iacct.get(asrv.ah.hash(zs), "")
                if zs:
                    uname = zs
@ -91,6 +96,10 @@ class FtpAuth(DummyAuthorizer):
        if args.ipu and uname == "*":
            uname = args.ipu_iu[args.ipu_nm.map(ip)]
        if args.ipr and uname in args.ipr_u:
            if not args.ipr_u[uname].map(ip):
                logging.warning("username [%s] rejected by --ipr", uname)
                uname = "*"
        if not uname or not (asrv.vfs.aread.get(uname) or asrv.vfs.awrite.get(uname)):
            g = self.hub.gpwd
@ -280,9 +289,12 @@ class FtpFs(AbstractedFS):
            # returning 550 is library-default and suitable
            raise FSE("No such file or directory")
-        avfs = vfs.chk_ap(ap, st)
+        if vfs.realpath:
-        if not avfs:
+            avfs = vfs.chk_ap(ap, st)
-            raise FSE("Permission denied", 1)
+            if not avfs:
                raise FSE("Permission denied", 1)
        else:
            avfs = vfs
        self.cwd = nwd
        (
@ -397,8 +409,12 @@ class FtpFs(AbstractedFS):
            return st
    def utime(self, path: str, timeval: float) -> None:
-        ap = self.rv2a(path, w=True)[0]
+        try:
-        return bos.utime(ap, (timeval, timeval))
+            ap = self.rv2a(path, w=True)[0]
            return bos.utime(ap, (int(time.time()), int(timeval)))
        except Exception as ex:
            logging.error("ftp.utime: %s, %r", ex, ex)
            raise
    def lstat(self, path: str) -> os.stat_result:
        ap = self.rv2a(path)[0]
@ -487,7 +503,11 @@ class FtpHandler(FTPHandler):
    def ftp_STOR(self, file: str, mode: str = "w") -> Any:
        # Optional[str]
        vp = join(self.fs.cwd, file).lstrip("/")
-        ap, vfs, rem = self.fs.v2a(vp, w=True)
+        try:
            ap, vfs, rem = self.fs.v2a(vp, w=True)
        except Exception as ex:
            self.respond("550 %s" % (ex,), logging.info)
            return
        self.vfs_map[ap] = vp
        xbu = vfs.flags.get("xbu")
        if xbu and not runhook(
@ -607,7 +627,7 @@ class Ftpd(object):
        if "::" in ips:
            ips.append("0.0.0.0")
-        ips = [x for x in ips if "unix:" not in x]
+        ips = [x for x in ips if not x.startswith(("unix:", "fd:"))]
        if self.args.ftp4:
            ips = [x for x in ips if ":" not in x]
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -62,6 +62,7 @@ from .util import (
    alltrace,
    atomic_move,
    b64dec,
    eol_conv,
    exclude_dotfiles,
    formatdate,
    fsenc,
@ -107,6 +108,7 @@ from .util import (
    sendfile_py,
    set_fperms,
    stat_resource,
    str_anchor,
    ub64dec,
    ub64enc,
    ujoin,
@ -261,7 +263,8 @@ class HttpCli(object):
    def _assert_safe_rem(self, rem: str) -> None:
        # sanity check to prevent any disasters
-        if rem.startswith("/") or rem.startswith("../") or "/../" in rem:
+        # (this function hopefully serves no purpose; validation has already happened at this point, this only exists as a last-ditch effort just in case)
        if rem.startswith(("/", "../")) or "/../" in rem:
            raise Exception("that was close")
    def _gen_fk(self, alg: int, salt: str, fspath: str, fsize: int, inode: int) -> str:
@ -382,9 +385,20 @@ class HttpCli(object):
                try:
                    cli_ip = zsl[n].strip()
                except:
-                    cli_ip = zsl[0].strip()
+                    cli_ip = self.ip
-                    t = "rproxy={} oob x-fwd {}"
+                    self.bad_xff = True
-                    self.log(t.format(self.args.rproxy, zso), c=3)
+                    if self.args.rproxy != 9999999:
                        t = "global-option --rproxy %d could not be used (out-of-bounds) for the received header [%s]"
                        self.log(t % (self.args.rproxy, zso), c=3)
                    else:
                        zsl = [
                            "  rproxy: %d   if this client's IP-address is [%s]"
                            % (-1 - zd, zs.strip())
                            for zd, zs in enumerate(zsl)
                        ]
                        t = 'could not determine the client\'s IP-address because the global-option --rproxy has not been configured, so the request-header [%s] specified by global-option --xff-hdr cannot be used safely! Please see the "reverse-proxy" section in the readme. The best approach is to configure your reverse-proxy to give copyparty the exact IP-address to assume (perhaps in another header), but you may also try the following:'
                        t = t % (self.args.xff_hdr,)
                        self.log("%s\n\n%s\n" % (t, "\n".join(zsl)), 3)
                pip = self.conn.addr[0]
                xffs = self.conn.xff_nm
@ -548,7 +562,7 @@ class HttpCli(object):
        zso = self.headers.get("cookie")
        if zso:
-            if len(zso) > 8192:
+            if len(zso) > self.args.cookie_cmax:
                self.loud_reply("cookie header too big", status=400)
                return False
            zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
@ -556,11 +570,15 @@ class HttpCli(object):
            cookie_pw = cookies.get("cppws") or cookies.get("cppwd") or ""
            if "b" in cookies and "b" not in uparam:
                uparam["b"] = cookies["b"]
            if len(cookies) > self.args.cookie_nmax:
                self.loud_reply("too many cookies", status=400)
        else:
            cookies = {}
            cookie_pw = ""
-        if len(uparam) > 10 or len(cookies) > 50:
+        if len(uparam) > 12:
            t = "http-request rejected; num.params: %d %r"
            self.log(t % (len(uparam), self.req), 3)
            self.loud_reply("u wot m8", status=400)
            return False
@ -606,8 +624,22 @@ class HttpCli(object):
            or "*"
        )
-        if self.args.idp_h_usr:
+        if self.args.have_idp_hdrs:
-            idp_usr = self.headers.get(self.args.idp_h_usr) or ""
+            idp_usr = ""
            if self.args.idp_hm_usr:
                for hn, hmv in self.args.idp_hm_usr_p.items():
                    zs = self.headers.get(hn)
                    if zs:
                        for zs1, zs2 in hmv.items():
                            if zs == zs1:
                                idp_usr = zs2
                                break
                    if idp_usr:
                        break
            for hn in self.args.idp_h_usr:
                if idp_usr:
                    break
                idp_usr = self.headers.get(hn)
            if idp_usr:
                idp_grp = (
                    self.headers.get(self.args.idp_h_grp) or ""
@ -657,11 +689,20 @@ class HttpCli(object):
                    self.pw = ""
                    self.uname = idp_usr
                    self.html_head += "<script>var is_idp=1</script>\n"
                    zs = self.asrv.ases.get(idp_usr)
                    if zs:
                        self.set_idp_cookie(zs)
                else:
                    self.log("unknown username: %r" % (idp_usr,), 1)
-        if self.args.ipu and self.uname == "*":
+        if self.args.have_ipu_or_ipr:
-            self.uname = self.conn.ipu_iu[self.conn.ipu_nm.map(self.ip)]
+            if self.args.ipu and self.uname == "*":
                self.uname = self.conn.ipu_iu[self.conn.ipu_nm.map(self.ip)]
            ipr = self.conn.hsrv.ipr
            if ipr and self.uname in ipr:
                if not ipr[self.uname].map(self.ip):
                    self.log("username [%s] rejected by --ipr" % (self.uname,), 3)
                    self.uname = "*"
        self.rvol = self.asrv.vfs.aread[self.uname]
        self.wvol = self.asrv.vfs.awrite[self.uname]
@ -683,7 +724,7 @@ class HttpCli(object):
            cookies["b"] = ""
        vn, rem = self.asrv.vfs.get(self.vpath, self.uname, False, False)
-        if "xdev" in vn.flags or "xvol" in vn.flags:
+        if vn.realpath and ("xdev" in vn.flags or "xvol" in vn.flags):
            ap = vn.canonical(rem)
            avn = vn.chk_ap(ap)
        else:
@ -911,7 +952,7 @@ class HttpCli(object):
        if status == 304:
            self.out_headers.pop("Content-Length", None)
            self.out_headers.pop("Content-Type", None)
-            self.out_headerlist.clear()
+            self.out_headerlist[:] = []
            if self.k304():
                self.keepalive = False
        else:
@ -1195,15 +1236,6 @@ class HttpCli(object):
                    self.reply(b"ssdp is disabled in server config", 404)
                    return False
            if self.vpath.startswith(".cpr/dd/") and self.args.mpmc:
                if self.args.mpmc == ".":
                    raise Pebkac(404)
                loc = self.args.mpmc.rstrip("/") + self.vpath[self.vpath.rfind("/") :]
                h = {"Location": loc, "Cache-Control": "max-age=39"}
                self.reply(b"", 301, headers=h)
                return True
            if self.vpath == ".cpr/metrics":
                return self.conn.hsrv.metrics.tx(self)
@ -1591,6 +1623,10 @@ class HttpCli(object):
                    "quota-available-bytes": str(bfree),
                    "quota-used-bytes": str(btot - bfree),
                }
                if "quotaused" in props:  # macos finder crazytalk
                    df["quotaused"] = df["quota-used-bytes"]
                    if "quota" in props:
                        df["quota"] = df["quota-available-bytes"]  # idk, makes it happy
            else:
                df = {}
        else:
@ -1975,6 +2011,9 @@ class HttpCli(object):
        if "eshare" in self.uparam:
            return self.handle_eshare()
        if "fs_abrt" in self.uparam:
            return self.handle_fs_abrt()
        if "application/octet-stream" in ctype:
            return self.handle_post_binary()
@ -2082,16 +2121,16 @@ class HttpCli(object):
        rnd, lifetime, xbu, xau = self.upload_flags(vfs)
        lim = vfs.get_dbv(rem)[0].lim
        fdir = vfs.canonical(rem)
        if lim:
            fdir, rem = lim.all(
                self.ip, rem, remains, vfs.realpath, fdir, self.conn.hsrv.broker
            )
        fn = None
        if rem and not self.trailing_slash and not bos.path.isdir(fdir):
            fdir, fn = os.path.split(fdir)
            rem, _ = vsplit(rem)
        if lim:
            fdir, rem = lim.all(
                self.ip, rem, remains, vfs.realpath, fdir, self.conn.hsrv.broker
            )
        bos.makedirs(fdir, vf=vfs.flags)
        open_ka: dict[str, Any] = {"fun": open}
@ -2929,24 +2968,37 @@ class HttpCli(object):
    def handle_chpw(self) -> bool:
        assert self.parser  # !rm
        if self.args.usernames:
            self.parser.require("uname", 64)
        pwd = self.parser.require("pw", 64)
        self.parser.drop()
        ok, msg = self.asrv.chpw(self.conn.hsrv.broker, self.uname, pwd)
        if ok:
            self.cbonk(self.conn.hsrv.gpwc, pwd, "pw", "too many password changes")
            if self.args.usernames:
                pwd = "%s:%s" % (self.uname, pwd)
            ok, msg = self.get_pwd_cookie(pwd)
            if ok:
                msg = "new password OK"
        redir = (self.args.SRS + "?h") if ok else ""
-        h2 = '<a href="' + self.args.SRS + '?h">ack</a>'
+        h2 = '<a href="' + self.args.SRS + '?h">continue</a>'
        html = self.j2s("msg", h1=msg, h2=h2, redir=redir)
        self.reply(html.encode("utf-8"))
        return True
    def handle_login(self) -> bool:
        assert self.parser  # !rm
        if self.args.usernames and not (
            self.args.shr and self.vpath.startswith(self.args.shr1)
        ):
            try:
                un = self.parser.require("uname", 64)
            except:
                un = ""
        else:
            un = ""
        pwd = self.parser.require("cppwd", 64)
        try:
            uhash = self.parser.require("uhash", 256)
@ -2957,6 +3009,9 @@ class HttpCli(object):
        if not pwd:
            raise Pebkac(422, "password cannot be blank")
        if un:
            pwd = "%s:%s" % (un, pwd)
        dst = self.args.SRS
        if self.vpath:
            dst += quotep(self.vpaths)
@ -2969,7 +3024,8 @@ class HttpCli(object):
            dst += "_=1#" + html_escape(uhash, True, True)
        _, msg = self.get_pwd_cookie(pwd)
-        html = self.j2s("msg", h1=msg, h2='<a href="' + dst + '">ack</a>', redir=dst)
+        h2 = '<a href="' + dst + '">continue</a>'
        html = self.j2s("msg", h1=msg, h2=h2, redir=dst)
        self.reply(html.encode("utf-8"))
        return True
@ -2983,7 +3039,7 @@ class HttpCli(object):
        self.get_pwd_cookie("x")
        dst = self.args.SRS + "?h"
-        h2 = '<a href="' + dst + '">ack</a>'
+        h2 = '<a href="' + dst + '">continue</a>'
        html = self.j2s("msg", h1="ok bye", h2=h2, redir=dst)
        self.reply(html.encode("utf-8"))
        return True
@ -3036,6 +3092,19 @@ class HttpCli(object):
        return dur > 0, msg
    def set_idp_cookie(self, ases) -> None:
        k = "cppws" if self.is_https else "cppwd"
        ck = gencookie(
            k,
            ases,
            self.args.R,
            self.args.cookie_lax,
            self.is_https,
            self.args.idp_cookie,
            "; HttpOnly",
        )
        self.out_headers["Set-Cookie"] = ck
    def handle_mkdir(self) -> bool:
        assert self.parser  # !rm
        new_dir = self.parser.require("name", 512)
@ -3109,6 +3178,20 @@ class HttpCli(object):
                if "fperms" in vfs.flags:
                    set_fperms(f, vfs.flags)
            dbv, vrem = vfs.get_dbv(rem)
            self.conn.hsrv.broker.say(
                "up2k.hash_file",
                dbv.realpath,
                dbv.vpath,
                dbv.flags,
                vrem,
                sanitized,
                self.ip,
                bos.stat(fn).st_mtime,
                self.uname,
                True,
            )
        vpath = "{}/{}".format(self.vpath, sanitized).lstrip("/")
        self.redirect(vpath, "?edit")
        return True
@ -3560,7 +3643,7 @@ class HttpCli(object):
        rem = "{}/{}".format(rp, fn).strip("/")
        dbv, vrem = vfs.get_dbv(rem)
-        if not rem.endswith(".md") and not self.can_delete:
+        if not rem.lower().endswith(".md") and not self.can_delete:
            raise Pebkac(400, "only markdown pls")
        if nullwrite:
@ -3644,6 +3727,9 @@ class HttpCli(object):
        if p_field != "body":
            raise Pebkac(400, "expected body, got {}".format(p_field))
        if "txt_eol" in vfs.flags:
            p_data = eol_conv(p_data, vfs.flags["txt_eol"])
        xbu = vfs.flags.get("xbu")
        if xbu:
            if not runhook(
@ -4614,7 +4700,9 @@ class HttpCli(object):
        else:
            fn = self.host.split(":")[0]
-        if vn.flags.get("zipmax") and (not self.uname or not "zipmaxu" in vn.flags):
+        if vn.flags.get("zipmax") and not (
            vn.flags.get("zipmaxu") and self.uname != "*"
        ):
            maxs = vn.flags.get("zipmaxs_v") or 0
            maxn = vn.flags.get("zipmaxn_v") or 0
            nf = 0
@ -4668,7 +4756,7 @@ class HttpCli(object):
        # for f in fgen: print(repr({k: f[k] for k in ["vp", "ap"]}))
        cfmt = ""
        if self.thumbcli and not self.args.no_bacode:
-            for zs in ("opus", "mp3", "w", "j", "p"):
+            for zs in ("opus", "mp3", "flac", "wav", "w", "j", "p"):
                if zs in self.ouparam or uarg == zs:
                    cfmt = zs
@ -4914,7 +5002,7 @@ class HttpCli(object):
            rip = host
        vp = (self.uparam["hc"] or "").lstrip("/")
-        pw = self.pw or "hunter2"
+        pw = self.ouparam.get("pw") or "hunter2"
        if pw in self.asrv.sesa:
            pw = "hunter2"
@ -5008,7 +5096,7 @@ class HttpCli(object):
            wvol = [x for x in wvol if "unlistcw" not in allvols[x[1:-1]].flags]
        fmt = self.uparam.get("ls", "")
-        if not fmt and (self.ua.startswith("curl/") or self.ua.startswith("fetch")):
+        if not fmt and self.ua.startswith(("curl/", "fetch")):
            fmt = "v"
        if fmt in ["v", "t", "txt"]:
@ -5048,6 +5136,13 @@ class HttpCli(object):
            self.reply(zb, mime="text/plain; charset=utf-8")
            return True
        re_btn = ""
        nre = self.args.ctl_re
        if "re" in self.uparam:
            self.out_headers["Refresh"] = str(nre)
        elif nre:
            re_btn = "&re=%s" % (nre,)
        html = self.j2s(
            "splash",
            this=self,
@ -5065,6 +5160,7 @@ class HttpCli(object):
            mtpq=vs["mtpq"],
            dbwt=vs["dbwt"],
            url_suf=suf,
            re=re_btn,
            k304=self.k304(),
            no304=self.no304(),
            k304vis=self.args.k304 > 0,
@ -5110,7 +5206,7 @@ class HttpCli(object):
            t = '<h1 id="n">404 not found &nbsp;┐( ´ -`)┌</h1><p><a id="r" href="{}/?h">go home</a></p>'
            pt = "404 not found  ┐( ´ -`)┌"
-        if self.ua.startswith("curl/") or self.ua.startswith("fetch"):
+        if self.ua.startswith(("curl/", "fetch")):
            pt = "# acct: %s\n%s\n" % (self.uname, pt)
            self.reply(pt.encode("utf-8"), status=rc)
            return True
@ -5354,15 +5450,16 @@ class HttpCli(object):
                raise Pebkac(500, "sqlite3 not found on server; unpost is disabled")
            raise Pebkac(500, "server busy, cannot unpost; please retry in a bit")
-        zs = self.uparam.get("filter") or ""
+        sfilt = self.uparam.get("filter") or ""
-        filt = re.compile(zs, re.I) if zs else None
+        nfi, vfi = str_anchor(sfilt)
-        lm = "ups %r" % (zs,)
+        lm = "ups %d%r" % (nfi, sfilt)
        if self.args.shr and self.vpath.startswith(self.args.shr1):
            shr_dbv, shr_vrem = self.vn.get_dbv(self.rem)
        else:
            shr_dbv = None
        wret: dict[str, Any] = {}
        ret: list[dict[str, Any]] = []
        t0 = time.time()
        lim = time.time() - self.args.unpost
@ -5384,7 +5481,13 @@ class HttpCli(object):
        x = self.conn.hsrv.broker.ask(
            "up2k.get_unfinished_by_user", self.uname, "" if bad_xff else self.ip
        )
-        uret = x.get()
+        zdsa: dict[str, Any] = x.get()
        uret: list[dict[str, Any]] = []
        if "timeout" in zdsa:
            wret["nou"] = 1
        else:
            uret = zdsa["f"]
        nu = len(uret)
        if not self.args.unpost:
            allvols = []
@ -5398,6 +5501,10 @@ class HttpCli(object):
            and ("*" in x.axs.uwrite or self.uname in x.axs.uwrite or x == shr_dbv)
        ]
        q = ""
        qp = (0,)
        q_c = -1
        for vol in allvols:
            cur = idx.get_cur(vol)
            if not cur:
@ -5405,11 +5512,33 @@ class HttpCli(object):
            nfk, fk_alg = fk_vols.get(vol) or (0, 0)
            zi = vol.flags["unp_who"]
            if q_c != zi:
                q_c = zi
                q = "select sz, rd, fn, at from up where "
                if zi == 1:
                    q += "ip=? and un=?"
                    qp = (self.ip, self.uname, lim)
                elif zi == 2:
                    q += "ip=?"
                    qp = (self.ip, lim)
                if zi == 3:
                    q += "un=?"
                    qp = (self.uname, lim)
                q += " and at>? order by at desc"
            n = 2000
-            q = "select sz, rd, fn, at from up where ip=? and at>? order by at desc"
+            for sz, rd, fn, at in cur.execute(q, qp):
            for sz, rd, fn, at in cur.execute(q, (self.ip, lim)):
                vp = "/" + "/".join(x for x in [vol.vpath, rd, fn] if x)
-                if filt and not filt.search(vp):
+                if nfi == 0 or (nfi == 1 and vfi in vp.lower()):
                    pass
                elif nfi == 2:
                    if not vp.lower().startswith(vfi):
                        continue
                elif nfi == 3:
                    if not vp.lower().endswith(vfi):
                        continue
                else:
                    continue
                n -= 1
@ -5430,6 +5559,8 @@ class HttpCli(object):
        if len(ret) > 2000:
            ret = ret[:2000]
        if len(ret) >= 2000:
            wret["oc"] = 1
        for rv in ret:
            rv["vp"] = quotep(rv["vp"])
@ -5449,6 +5580,13 @@ class HttpCli(object):
            )
            rv["vp"] += "?k=" + fk[:nfk]
        if not allvols:
            wret["noc"] = 1
            ret = []
        nc = len(ret)
        ret = uret + ret
        if shr_dbv:
            # translate vpaths from share-target to share-url
            # to satisfy access checks
@ -5463,12 +5601,11 @@ class HttpCli(object):
            for v in ret:
                v["vp"] = self.args.SR + v["vp"]
-        if not allvols:
+        wret["f"] = ret
-            ret = [{"kinshi": 1}]
+        wret["nu"] = nu
-
+        wret["nc"] = nc
-        jtxt = '{"u":%s,"c":%s}' % (uret, json.dumps(ret, separators=(",\n", ": ")))
+        jtxt = json.dumps(wret, separators=(",\n", ": "))
-        zi = len(uret.split('\n"pd":')) - 1
+        self.log("%s #%d+%d %.2fsec" % (lm, nu, nc, time.time() - t0))
        self.log("%s #%d+%d %.2fsec" % (lm, zi, len(ret), time.time() - t0))
        self.reply(jtxt.encode("utf-8", "replace"), mime="application/json")
        return True
@ -5483,8 +5620,8 @@ class HttpCli(object):
            raise Pebkac(500, "server busy, cannot list recent uploads; please retry")
        sfilt = self.uparam.get("filter") or ""
-        filt = re.compile(sfilt, re.I) if sfilt else None
+        nfi, vfi = str_anchor(sfilt)
-        lm = "ru %r" % (sfilt,)
+        lm = "ru %d%r" % (nfi, sfilt)
        self.log(lm)
        ret: list[dict[str, Any]] = []
@ -5516,10 +5653,18 @@ class HttpCli(object):
                continue
            n = 1000
-            q = "select sz, rd, fn, ip, at from up where at>0 order by at desc"
+            q = "select sz, rd, fn, ip, at, un from up where at>0 order by at desc"
-            for sz, rd, fn, ip, at in cur.execute(q):
+            for sz, rd, fn, ip, at, un in cur.execute(q):
                vp = "/" + "/".join(x for x in [vol.vpath, rd, fn] if x)
-                if filt and not filt.search(vp):
+                if nfi == 0 or (nfi == 1 and vfi in vp.lower()):
                    pass
                elif nfi == 2:
                    if not vp.lower().startswith(vfi):
                        continue
                elif nfi == 3:
                    if not vp.lower().endswith(vfi):
                        continue
                else:
                    continue
                if not dots and "/." in vp:
@ -5530,6 +5675,7 @@ class HttpCli(object):
                    "sz": sz,
                    "ip": ip,
                    "at": at,
                    "un": un,
                    "nfk": nfk,
                    "adm": adm,
                }
@ -5574,12 +5720,16 @@ class HttpCli(object):
                adm = rv.pop("adm")
                if not adm:
                    rv["ip"] = "(You)" if rv["ip"] == self.ip else "(?)"
                    if rv["un"] not in ("*", self.uname):
                        rv["un"] = "(?)"
        else:
            for rv in ret:
                adm = rv.pop("adm")
                if not adm:
                    rv["ip"] = "(You)" if rv["ip"] == self.ip else "(?)"
                    rv["at"] = 0
                    if rv["un"] not in ("*", self.uname):
                        rv["un"] = "(?)"
        if self.is_vproxied:
            for v in ret:
@ -5858,7 +6008,9 @@ class HttpCli(object):
                self.asrv.vfs.get(vdst, self.uname, False, True, False, True)
                wunlink(self.log, dabs, dvn.flags)
-        x = self.conn.hsrv.broker.ask("up2k.handle_mv", self.uname, self.ip, vsrc, vdst)
+        x = self.conn.hsrv.broker.ask(
            "up2k.handle_mv", self.ouparam.get("akey"), self.uname, self.ip, vsrc, vdst
        )
        self.loud_reply(x.get(), status=201)
        return True
@ -5888,10 +6040,21 @@ class HttpCli(object):
                self.asrv.vfs.get(vdst, self.uname, False, True, False, True)
                wunlink(self.log, dabs, dvn.flags)
-        x = self.conn.hsrv.broker.ask("up2k.handle_cp", self.uname, self.ip, vsrc, vdst)
+        x = self.conn.hsrv.broker.ask(
            "up2k.handle_cp", self.ouparam.get("akey"), self.uname, self.ip, vsrc, vdst
        )
        self.loud_reply(x.get(), status=201)
        return True
    def handle_fs_abrt(self):
        if self.args.no_fs_abrt:
            t = "aborting an ongoing copy/move is disabled in server config"
            raise Pebkac(403, t)
        self.conn.hsrv.broker.say("up2k.handle_fs_abrt", self.uparam["fs_abrt"])
        self.loud_reply("aborting", status=200)
        return True
    def tx_ls(self, ls: dict[str, Any]) -> bool:
        dirs = ls["dirs"]
        files = ls["files"]
@ -5951,6 +6114,12 @@ class HttpCli(object):
        else:
            [x.pop(k) for k in ["name", "dt"] for y in [dirs, files] for x in y]
            # nonce (tlnote: norwegian for flake as in snowflake)
            if self.args.no_fnugg:
                ls["fnugg"] = "nei"
            elif "fnugg" in self.headers:
                ls["fnugg"] = self.headers["fnugg"]
            ret = json.dumps(ls)
            mime = "application/json"
@ -6133,7 +6302,8 @@ class HttpCli(object):
                if not use_filekey:
                    return self.tx_404(True)
-            if add_og and not abspath.lower().endswith(".md"):
+            is_md = abspath.lower().endswith(".md")
            if add_og and not is_md:
                if og_ua or self.host not in self.headers.get("referer", ""):
                    self.vpath, og_fn = vsplit(self.vpath)
                    vpath = self.vpath
@ -6145,10 +6315,10 @@ class HttpCli(object):
                    vpnodes.pop()
            if (
-                (abspath.endswith(".md") or self.can_delete)
+                (is_md or self.can_delete)
                and "nohtml" not in vn.flags
                and (
-                    ("v" in self.uparam and abspath.endswith(".md"))
+                    (is_md and "v" in self.uparam)
                    or "edit" in self.uparam
                    or "edit2" in self.uparam
                )
@ -6205,11 +6375,7 @@ class HttpCli(object):
        is_ls = "ls" in self.uparam
        is_js = self.args.force_js or self.cookies.get("js") == "y"
-        if (
+        if not is_ls and not add_og and self.ua.startswith(("curl/", "fetch")):
            not is_ls
            and not add_og
            and (self.ua.startswith("curl/") or self.ua.startswith("fetch"))
        ):
            self.uparam["ls"] = "v"
            is_ls = True
@ -6485,13 +6651,15 @@ class HttpCli(object):
            tags = {k: v for k, v in r}
            if is_admin:
-                q = "select ip, at from up where rd=? and fn=?"
+                q = "select ip, at, un from up where rd=? and fn=?"
                try:
-                    zs1, zs2 = icur.execute(q, erd_efn).fetchone()
+                    zs1, zs2, zs3 = icur.execute(q, erd_efn).fetchone()
                    if zs1:
                        tags["up_ip"] = zs1
                    if zs2:
                        tags[".up_at"] = zs2
                    if zs3:
                        tags["up_by"] = zs3
                except:
                    pass
            elif add_up_at:
@ -6512,7 +6680,7 @@ class HttpCli(object):
            lmte = list(mte)
            if self.can_admin:
-                lmte.extend(("up_ip", ".up_at"))
+                lmte.extend(("up_by", "up_ip", ".up_at"))
            if "nodirsz" not in vf:
                tagset.add(".files")
--- a/copyparty/httpsrv.py
+++ b/copyparty/httpsrv.py
@ -70,6 +70,7 @@ from .util import (
    build_netmap,
    has_resource,
    ipnorm,
    load_ipr,
    load_ipu,
    load_resource,
    min_ex,
@ -193,6 +194,11 @@ class HttpSrv(object):
        else:
            self.ipu_iu = self.ipu_nm = None
        if self.args.ipr:
            self.ipr = load_ipr(self.log, self.args.ipr)
        else:
            self.ipr = None
        self.ipa_nm = build_netmap(self.args.ipa)
        self.xff_nm = build_netmap(self.args.xff_src)
        self.xff_lan = build_netmap("lan")
@ -324,7 +330,8 @@ class HttpSrv(object):
            spins = 0
            while self.ncli >= self.nclimax:
                if not spins:
-                    self.log(self.name, "at connection limit; waiting", 3)
+                    t = "at connection limit (global-option 'nc'); waiting"
                    self.log(self.name, t, 3)
                spins += 1
                time.sleep(0.1)
--- a/copyparty/mdns.py
+++ b/copyparty/mdns.py
@ -76,7 +76,8 @@ class MDNS(MCast):
        if not self.args.zm_nwa_1:
            set_avahi_379()
-        zs = self.args.name + ".local."
+        zs = self.args.zm_fqdn or (self.args.name + ".local")
        zs = zs.replace("--name", self.args.name).rstrip(".") + "."
        zs = zs.encode("ascii", "replace").decode("ascii", "replace")
        self.hn = "-".join(x for x in zs.split("?") if x) or (
            "vault-{}".format(random.randint(1, 255))
--- a/copyparty/mtag.py
+++ b/copyparty/mtag.py
@ -29,7 +29,7 @@ from .util import (
 )
 if True:  # pylint: disable=using-constant-test
-    from typing import Any, Optional, Union
+    from typing import IO, Any, Optional, Union
    from .util import NamedLogger, RootLogger
@ -67,6 +67,8 @@ HAVE_FFPROBE = not os.environ.get("PRTY_NO_FFPROBE") and have_ff("ffprobe")
 CBZ_PICS = set("png jpg jpeg gif bmp tga tif tiff webp avif".split())
 CBZ_01 = re.compile(r"(^|[^0-9v])0+[01]\b")
 FMT_AU = set("mp3 ogg flac wav".split())
 class MParser(object):
    def __init__(self, cmdline: str) -> None:
@ -174,6 +176,9 @@ def au_unpk(
                raise Exception("no images inside cbz")
            fi = zf.open(using)
        elif pk == "epub":
            fi = get_cover_from_epub(log, abspath)
        else:
            raise Exception("unknown compression %s" % (pk,))
@ -203,7 +208,7 @@ def au_unpk(
 def ffprobe(
    abspath: str, timeout: int = 60
-) -> tuple[dict[str, tuple[int, Any]], dict[str, list[Any]]]:
+) -> tuple[dict[str, tuple[int, Any]], dict[str, list[Any]], list[Any], dict[str, Any]]:
    cmd = [
        b"ffprobe",
        b"-hide_banner",
@ -217,8 +222,17 @@ def ffprobe(
    return parse_ffprobe(so)
-def parse_ffprobe(txt: str) -> tuple[dict[str, tuple[int, Any]], dict[str, list[Any]]]:
+def parse_ffprobe(
-    """ffprobe -show_format -show_streams"""
+    txt: str,
 ) -> tuple[dict[str, tuple[int, Any]], dict[str, list[Any]], list[Any], dict[str, Any]]:
    """
    txt: output from ffprobe -show_format -show_streams
    returns:
     * normalized tags
     * original/raw tags
     * list of streams
     * format props
    """
    streams = []
    fmt = {}
    g = {}
@ -242,7 +256,7 @@ def parse_ffprobe(txt: str) -> tuple[dict[str, tuple[int, Any]], dict[str, list[
    ret: dict[str, Any] = {}  # processed
    md: dict[str, list[Any]] = {}  # raw tags
-    is_audio = fmt.get("format_name") in ["mp3", "ogg", "flac", "wav"]
+    is_audio = fmt.get("format_name") in FMT_AU
    if fmt.get("filename", "").split(".")[-1].lower() in ["m4a", "aac"]:
        is_audio = True
@ -270,6 +284,8 @@ def parse_ffprobe(txt: str) -> tuple[dict[str, tuple[int, Any]], dict[str, list[
                ["channel_layout", "chs"],
                ["sample_rate", ".hz"],
                ["bit_rate", ".aq"],
                ["bits_per_sample", ".bps"],
                ["bits_per_raw_sample", ".bprs"],
                ["duration", ".dur"],
            ]
@ -309,7 +325,7 @@ def parse_ffprobe(txt: str) -> tuple[dict[str, tuple[int, Any]], dict[str, list[
                ret[rk] = v1
    if ret.get("vc") == "ansi":  # shellscript
-        return {}, {}
+        return {}, {}, [], {}
    for strm in streams:
        for sk, sv in strm.items():
@ -358,7 +374,77 @@ def parse_ffprobe(txt: str) -> tuple[dict[str, tuple[int, Any]], dict[str, list[
    zero = int("0")
    zd = {k: (zero, v) for k, v in ret.items()}
-    return zd, md
+    return zd, md, streams, fmt
 def get_cover_from_epub(log: "NamedLogger", abspath: str) -> Optional[IO[bytes]]:
    import zipfile
    from .dxml import parse_xml
    try:
        from urlparse import urljoin  # Python2
    except ImportError:
        from urllib.parse import urljoin  # Python3
    with zipfile.ZipFile(abspath, "r") as z:
        # First open the container file to find the package document (.opf file)
        try:
            container_root = parse_xml(z.read("META-INF/container.xml").decode())
        except KeyError:
            log("epub: no container file found in %s" % (abspath,))
            return None
        # https://www.w3.org/TR/epub-33/#sec-container.xml-rootfile-elem
        container_ns = {"": "urn:oasis:names:tc:opendocument:xmlns:container"}
        # One file could contain multiple package documents, default to the first one
        rootfile_path = container_root.find("./rootfiles/rootfile", container_ns).get(
            "full-path"
        )
        # Then open the first package document to find the path of the cover image
        try:
            package_root = parse_xml(z.read(rootfile_path).decode())
        except KeyError:
            log("epub: no package document found in %s" % (abspath,))
            return None
        # https://www.w3.org/TR/epub-33/#sec-package-doc
        package_ns = {"": "http://www.idpf.org/2007/opf"}
        # https://www.w3.org/TR/epub-33/#sec-cover-image
        coverimage_path_node = package_root.find(
            "./manifest/item[@properties='cover-image']", package_ns
        )
        if coverimage_path_node is not None:
            coverimage_path = coverimage_path_node.get("href")
        else:
            # This might be an EPUB2 file, try the legacy way of specifying covers
            coverimage_path = _get_cover_from_epub2(log, package_root, package_ns)
        # This url is either absolute (in the .epub) or relative to the package document
        adjusted_cover_path = urljoin(rootfile_path, coverimage_path)
        return z.open(adjusted_cover_path)
 def _get_cover_from_epub2(
    log: "NamedLogger", package_root, package_ns
 ) -> Optional[str]:
    # <meta name="cover" content="id-to-cover-image"> in <metadata>, then
    # <item> in <manifest>
    cover_id = package_root.find("./metadata/meta[@name='cover']", package_ns).get(
        "content"
    )
    if not cover_id:
        return None
    for node in package_root.iterfind("./manifest/item", package_ns):
        if node.get("id") == cover_id:
            cover_path = node.get("href")
            return cover_path
    return None
 class MTag(object):
@ -629,7 +715,7 @@ class MTag(object):
        if not bos.path.isfile(abspath):
            return {}
-        ret, md = ffprobe(abspath, self.args.mtag_to)
+        ret, md, _, _ = ffprobe(abspath, self.args.mtag_to)
        if self.args.mtag_vv:
            for zd in (ret, dict(md)):
--- a/copyparty/multicast.py
+++ b/copyparty/multicast.py
@ -183,11 +183,7 @@ class MCast(object):
                srv.ips[oth_ip.split("/")[0]] = ipaddress.ip_network(oth_ip, False)
            # gvfs breaks if a linklocal ip appears in a dns reply
-            ll = {
+            ll = {k: v for k, v in srv.ips.items() if k.startswith(("169.254", "fe80"))}
                k: v
                for k, v in srv.ips.items()
                if k.startswith("169.254") or k.startswith("fe80")
            }
            rt = {k: v for k, v in srv.ips.items() if k not in ll}
            if self.args.ll or not rt:
--- a/copyparty/pwhash.py
+++ b/copyparty/pwhash.py
@ -147,6 +147,10 @@ class PWHash(object):
    def cli(self) -> None:
        import getpass
        if self.args.usernames:
            t = "since you have enabled --usernames, please provide username:password"
            print(t)
        while True:
            try:
                p1 = getpass.getpass("password> ")
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@ -2,6 +2,7 @@
 from __future__ import print_function, unicode_literals
 import argparse
 import atexit
 import errno
 import logging
 import os
@ -38,6 +39,7 @@ from .th_srv import (
    HAVE_FFPROBE,
    HAVE_HEIF,
    HAVE_PIL,
    HAVE_RAW,
    HAVE_VIPS,
    HAVE_WEBP,
    ThumbSrv,
@ -64,6 +66,7 @@ from .util import (
    build_netmap,
    expat_ver,
    gzip,
    load_ipr,
    load_ipu,
    lock_file,
    min_ex,
@ -72,6 +75,7 @@ from .util import (
    pybin,
    start_log_thrs,
    start_stackmon,
    termsize,
    ub64enc,
 )
@ -152,6 +156,7 @@ class SvcHub(object):
            args.no_del = True
            args.no_mv = True
            args.hardlink = True
            args.dav_auth = True
            args.vague_403 = True
            args.nih = True
@ -240,7 +245,7 @@ class SvcHub(object):
            t = "WARNING: --th-ram-max is very small (%.2f GiB); will not be able to %s"
            self.log("root", t % (args.th_ram_max, zs), 3)
-        if args.chpw and args.idp_h_usr:
+        if args.chpw and args.have_idp_hdrs:
            t = "ERROR: user-changeable passwords is incompatible with IdP/identity-providers; you must disable either --chpw or --idp-h-usr"
            self.log("root", t, 1)
            raise Exception(t)
@ -256,6 +261,10 @@ class SvcHub(object):
            setattr(args, "ipu_iu", iu)
            setattr(args, "ipu_nm", nm)
        if args.ipr:
            ipr = load_ipr(self.log, args.ipr, True)
            setattr(args, "ipr_u", ipr)
        for zs in "ah_salt fk_salt dk_salt".split():
            if getattr(args, "show_%s" % (zs,)):
                self.log("root", "effective %s is %s" % (zs, getattr(args, zs)))
@ -265,7 +274,7 @@ class SvcHub(object):
            args.no_ses = True
            args.shr = ""
-        if args.idp_store and args.idp_h_usr:
+        if args.idp_store and args.have_idp_hdrs:
            self.setup_db("idp")
        if not self.args.no_ses:
@ -321,6 +330,8 @@ class SvcHub(object):
            decs.pop("vips", None)
        if not HAVE_PIL:
            decs.pop("pil", None)
        if not HAVE_RAW:
            decs.pop("raw", None)
        if not HAVE_FFMPEG or not HAVE_FFPROBE:
            decs.pop("ff", None)
@ -427,6 +438,9 @@ class SvcHub(object):
                getattr(args, zs).mutex = threading.Lock()
            except:
                pass
        if args.ipr:
            for nm in args.ipr_u.values():
                nm.mutex = threading.Lock()
    def _db_onfail_ses(self) -> None:
        self.args.no_ses = True
@ -772,6 +786,39 @@ class SvcHub(object):
    def sigterm(self) -> None:
        self.signal_handler(signal.SIGTERM, None)
    def sticky_qr(self) -> None:
        tw, th = termsize()
        zs1, qr = self.tcpsrv.qr.split("\n", 1)
        url, colr = zs1.split(" ", 1)
        nl = len(qr.split("\n"))  # numlines
        lp = 3 if nl * 2 + 4 < tw else 0  # leftpad
        lp0 = lp
        if self.args.qr_pin == 2:
            url = ""
        else:
            while lp and (nl + lp) * 2 + len(url) + 1 > tw:
                lp -= 1
            if (nl + lp) * 2 + len(url) + 1 > tw:
                qr = url + "\n" + qr
                url = ""
                nl += 1
                lp = lp0
        sh = 1 + th - nl
        if lp:
            zs = " " * lp
            qr = zs + qr.replace("\n", "\n" + zs)
        if url:
            url = "%s\033[%d;%dH%s\033[0m" % (colr, sh + 1, (nl + lp) * 2, url)
        qr = colr + qr
        def unlock():
            print("\033[s\033[r\033[u", file=sys.stderr)
        atexit.register(unlock)
        t = "%s\033[%dA" % ("\n" * nl, nl)
        t = "%s\033[s\033[1;%dr\033[%dH%s%s\033[u" % (t, sh - 1, sh, qr, url)
        self.pr(t, file=sys.stderr)
    def cb_httpsrv_up(self) -> None:
        self.httpsrv_up += 1
        if self.httpsrv_up != self.broker.num_workers:
@ -784,7 +831,10 @@ class SvcHub(object):
                break
        if self.tcpsrv.qr:
-            self.log("qr-code", self.tcpsrv.qr)
+            if self.args.qr_pin:
                self.sticky_qr()
            else:
                self.log("qr-code", self.tcpsrv.qr)
        else:
            self.log("root", "workers OK\n")
@ -811,6 +861,7 @@ class SvcHub(object):
            (HAVE_ZMQ, "pyzmq", "send zeromq messages from event-hooks"),
            (HAVE_HEIF, "pillow-heif", "read .heif images with pillow (rarely useful)"),
            (HAVE_AVIF, "pillow-avif", "read .avif images with pillow (rarely useful)"),
            (HAVE_RAW, "rawpy", "read RAW images"),
        ]
        if ANYWIN:
            to_check += [
@ -850,15 +901,6 @@ class SvcHub(object):
    def _check_env(self) -> None:
        al = self.args
        try:
            files = os.listdir(E.cfg)
        except:
            files = []
        hits = [x for x in files if x.lower().endswith(".conf")]
        if hits:
            t = "WARNING: found config files in [%s]: %s\n  config files are not expected here, and will NOT be loaded (unless your setup is intentionally hella funky)"
            self.log("root", t % (E.cfg, ", ".join(hits)), 3)
        if self.args.no_bauth:
            t = "WARNING: --no-bauth disables support for the Android app; you may want to use --bauth-last instead"
@ -868,7 +910,7 @@ class SvcHub(object):
        have_tcp = False
        for zs in al.i:
-            if not zs.startswith("unix:"):
+            if not zs.startswith(("unix:", "fd:")):
                have_tcp = True
        if not have_tcp:
            zb = False
@ -878,7 +920,7 @@ class SvcHub(object):
                    setattr(al, zs, False)
                    zb = True
            if zb:
-                t = "only listening on unix-sockets; cannot enable zeroconf/mdns/ssdp as requested"
+                t = "not listening on any ip-addresses (only unix-sockets and/or FDs); cannot enable zeroconf/mdns/ssdp as requested"
                self.log("root", t, 3)
        if not self.args.no_dav:
@ -978,10 +1020,23 @@ class SvcHub(object):
            al.sus_urls = None
        al.xff_hdr = al.xff_hdr.lower()
-        al.idp_h_usr = al.idp_h_usr.lower()
+        al.idp_h_usr = [x.lower() for x in al.idp_h_usr or []]
        al.idp_h_grp = al.idp_h_grp.lower()
        al.idp_h_key = al.idp_h_key.lower()
        al.idp_hm_usr_p = {}
        for zs0 in al.idp_hm_usr or []:
            try:
                sep = zs0[:1]
                hn, zs1, zs2 = zs0[1:].split(sep)
                hn = hn.lower()
                if hn in al.idp_hm_usr_p:
                    al.idp_hm_usr_p[hn][zs1] = zs2
                else:
                    al.idp_hm_usr_p[hn] = {zs1: zs2}
            except:
                raise Exception("invalid --idp-hm-usr [%s]" % (zs0,))
        al.ftp_ipa_nm = build_netmap(al.ftp_ipa or al.ipa, True)
        al.tftp_ipa_nm = build_netmap(al.tftp_ipa or al.ipa, True)
@ -1026,6 +1081,8 @@ class SvcHub(object):
        except:
            raise Exception("invalid --mv-retry [%s]" % (self.args.mv_retry,))
        al.js_utc = "false" if al.localtime else "true"
        al.tcolor = al.tcolor.lstrip("#")
        if len(al.tcolor) == 3:  # fc5 => ffcc55
            al.tcolor = "".join([x * 2 for x in al.tcolor])
@ -1407,7 +1464,14 @@ class SvcHub(object):
            fmt = "\033[36m%s \033[33m%-21s \033[0m%s\n"
            if self.no_ansi:
-                fmt = "%s %-21s %s\n"
+                if c == 1:
                    fmt = "%s %-21s CRIT: %s\n"
                elif c == 3:
                    fmt = "%s %-21s WARN: %s\n"
                elif c == 6:
                    fmt = "%s %-21s  BTW: %s\n"
                else:
                    fmt = "%s %-21s  LOG: %s\n"
                if "\033" in msg:
                    msg = RE_ANSI.sub("", msg)
                if "\033" in src:
--- a/copyparty/tcpsrv.py
+++ b/copyparty/tcpsrv.py
@ -25,8 +25,8 @@ from .util import (
    termsize,
 )
-if True:
+if True:  # pylint: disable=using-constant-test
-    from typing import Generator, Union
+    from typing import Generator, Optional, Union
 if TYPE_CHECKING:
    from .svchub import SvcHub
@ -245,8 +245,10 @@ class TcpSrv(object):
    def _listen(self, ip: str, port: int) -> None:
        uds_perm = uds_gid = -1
        bound: Optional[socket.socket] = None
        tcp = False
        if "unix:" in ip:
            tcp = False
            ipv = socket.AF_UNIX
            uds = ip.split(":")
            ip = uds[-1]
@ -259,7 +261,12 @@ class TcpSrv(object):
                    import grp
                    uds_gid = grp.getgrnam(uds[2]).gr_gid
        elif "fd:" in ip:
            fd = ip[3:]
            bound = socket.socket(fileno=int(fd))
            tcp = bound.proto == socket.IPPROTO_TCP
            ipv = bound.family
        elif ":" in ip:
            tcp = True
            ipv = socket.AF_INET6
@ -267,7 +274,7 @@ class TcpSrv(object):
            tcp = True
            ipv = socket.AF_INET
-        srv = socket.socket(ipv, socket.SOCK_STREAM)
+        srv = bound or socket.socket(ipv, socket.SOCK_STREAM)
        if not ANYWIN or self.args.reuseaddr:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
@ -285,6 +292,10 @@ class TcpSrv(object):
        if getattr(self.args, "freebind", False):
            srv.setsockopt(socket.SOL_IP, socket.IP_FREEBIND, 1)
        if bound:
            self.srv.append(srv)
            return
        try:
            if tcp:
                srv.bind((ip, port))
@ -437,7 +448,7 @@ class TcpSrv(object):
    def detect_interfaces(self, listen_ips: list[str]) -> dict[str, Netdev]:
        from .stolen.ifaddr import get_adapters
-        listen_ips = [x for x in listen_ips if "unix:" not in x]
+        listen_ips = [x for x in listen_ips if not x.startswith(("unix:", "fd:"))]
        nics = get_adapters(True)
        eps: dict[str, Netdev] = {}
@ -583,8 +594,7 @@ class TcpSrv(object):
        if not ip:
            return ""
-        if ":" in ip:
+        hip = "[%s]" % (ip,) if ":" in ip else ip
            ip = "[{}]".format(ip)
        if self.args.http_only:
            https = ""
@ -596,7 +606,7 @@ class TcpSrv(object):
        ports = t1.get(ip, t2.get(ip, []))
        dport = 443 if https else 80
        port = "" if dport in ports or not ports else ":{}".format(ports[0])
-        txt = "http{}://{}{}/{}".format(https, ip, port, self.args.qrl)
+        txt = "http{}://{}{}/{}".format(https, hip, port, self.args.qrl)
        btxt = txt.encode("utf-8")
        if PY2:
@ -604,6 +614,10 @@ class TcpSrv(object):
        fg = self.args.qr_fg
        bg = self.args.qr_bg
        nocolor = fg == -1
        if nocolor:
            fg = 0
        pad = self.args.qrp
        zoom = self.args.qrz
        qrc = QrCode.encode_binary(btxt)
@ -631,6 +645,8 @@ class TcpSrv(object):
        qr = qr.replace("\n", "\033[K\n") + "\033[K"  # win10do
        cc = " \033[0;38;5;{0};47;48;5;{1}m" if fg else " \033[0;30;47m"
        if nocolor:
            cc = " \033[0m"
        t = cc + "\n{2}\033[999G\033[0m\033[J"
        t = t.format(fg, bg, qr)
        if ANYWIN:
--- a/copyparty/tftpd.py
+++ b/copyparty/tftpd.py
@ -179,7 +179,7 @@ class Tftpd(object):
        if "::" in ips:
            ips.append("0.0.0.0")
-        ips = [x for x in ips if "unix:" not in x]
+        ips = [x for x in ips if not x.startswith(("unix:", "fd:"))]
        if self.args.tftp4:
            ips = [x for x in ips if ":" not in x]
--- a/copyparty/th_cli.py
+++ b/copyparty/th_cli.py
@ -36,11 +36,15 @@ class ThumbCli(object):
            if not c:
                raise Exception()
        except:
-            c = {k: set() for k in ["thumbable", "pil", "vips", "ffi", "ffv", "ffa"]}
+            c = {
                k: set()
                for k in ["thumbable", "pil", "vips", "raw", "ffi", "ffv", "ffa"]
            }
        self.thumbable = c["thumbable"]
        self.fmt_pil = c["pil"]
        self.fmt_vips = c["vips"]
        self.fmt_raw = c["raw"]
        self.fmt_ffi = c["ffi"]
        self.fmt_ffv = c["ffv"]
        self.fmt_ffa = c["ffa"]
@ -88,7 +92,7 @@ class ThumbCli(object):
        if rem.startswith(".hist/th/") and rem.split(".")[-1] in ["webp", "jpg", "png"]:
            return os.path.join(ptop, rem)
-        if fmt[:1] in "jw":
+        if fmt[:1] in "jw" and fmt != "wav":
            sfmt = fmt[:1]
            if sfmt == "j" and self.args.th_no_jpg:
@ -129,7 +133,7 @@ class ThumbCli(object):
        tpath = thumb_path(histpath, rem, mtime, fmt, self.fmt_ffa)
        tpaths = [tpath]
-        if fmt[:1] == "w":
+        if fmt[:1] == "w" and fmt != "wav":
            # also check for jpg (maybe webp is unavailable)
            tpaths.append(tpath.rsplit(".", 1)[0] + ".jpg")
--- a/copyparty/th_srv.py
+++ b/copyparty/th_srv.py
@ -2,6 +2,7 @@
 from __future__ import print_function, unicode_literals
 import hashlib
 import io
 import logging
 import os
 import re
@ -50,7 +51,7 @@ HAVE_AVIF = False
 HAVE_WEBP = False
 EXTS_TH = set(["jpg", "webp", "png"])
-EXTS_AC = set(["opus", "owa", "caf", "mp3"])
+EXTS_AC = set(["opus", "owa", "caf", "mp3", "flac", "wav"])
 EXTS_SPEC_SAFE = set("aif aiff flac mp3 opus wav".split())
 PTN_TS = re.compile("^-?[0-9a-f]{8,10}$")
@ -85,7 +86,10 @@ try:
        if os.environ.get("PRTY_NO_PIL_HEIF"):
            raise Exception()
-        from pyheif_pillow_opener import register_heif_opener
+        try:
            from pillow_heif import register_heif_opener
        except ImportError:
            from pyheif_pillow_opener import register_heif_opener
        register_heif_opener()
        HAVE_HEIF = True
@ -112,14 +116,28 @@ except:
 try:
    if os.environ.get("PRTY_NO_VIPS"):
-        raise Exception()
+        raise ImportError()
    HAVE_VIPS = True
    import pyvips
    logging.getLogger("pyvips").setLevel(logging.WARNING)
-except:
+except Exception as e:
    HAVE_VIPS = False
    if not isinstance(e, ImportError):
        logging.warning("libvips found, but failed to load: " + str(e))
 try:
    if os.environ.get("PRTY_NO_RAW"):
        raise Exception()
    HAVE_RAW = True
    import rawpy
    logging.getLogger("rawpy").setLevel(logging.WARNING)
 except:
    HAVE_RAW = False
 th_dir_cache = {}
@ -205,11 +223,19 @@ class ThumbSrv(object):
        if self.args.th_clean:
            Daemon(self.cleaner, "thumb.cln")
-        self.fmt_pil, self.fmt_vips, self.fmt_ffi, self.fmt_ffv, self.fmt_ffa = [
+        (
            self.fmt_pil,
            self.fmt_vips,
            self.fmt_raw,
            self.fmt_ffi,
            self.fmt_ffv,
            self.fmt_ffa,
        ) = [
            set(y.split(","))
            for y in [
                self.args.th_r_pil,
                self.args.th_r_vips,
                self.args.th_r_raw,
                self.args.th_r_ffi,
                self.args.th_r_ffv,
                self.args.th_r_ffa,
@ -232,6 +258,9 @@ class ThumbSrv(object):
        if "vips" in self.args.th_dec:
            self.thumbable |= self.fmt_vips
        if "raw" in self.args.th_dec:
            self.thumbable |= self.fmt_raw
        if "ff" in self.args.th_dec:
            for zss in [self.fmt_ffi, self.fmt_ffv, self.fmt_ffa]:
                self.thumbable |= zss
@ -313,6 +342,7 @@ class ThumbSrv(object):
            "thumbable": self.thumbable,
            "pil": self.fmt_pil,
            "vips": self.fmt_vips,
            "raw": self.fmt_raw,
            "ffi": self.fmt_ffi,
            "ffv": self.fmt_ffv,
            "ffa": self.fmt_ffa,
@ -355,8 +385,10 @@ class ThumbSrv(object):
                tex = tpath.rsplit(".", 1)[-1]
                want_mp3 = tex == "mp3"
                want_opus = tex in ("opus", "owa", "caf")
                want_flac = tex == "flac"
                want_wav = tex == "wav"
                want_png = tex == "png"
-                want_au = want_mp3 or want_opus
+                want_au = want_mp3 or want_opus or want_flac or want_wav
                for lib in self.args.th_dec:
                    can_au = lib == "ff" and (
                        ext in self.fmt_ffa or ext in self.fmt_ffv
@ -366,11 +398,17 @@ class ThumbSrv(object):
                        funs.append(self.conv_pil)
                    elif lib == "vips" and ext in self.fmt_vips:
                        funs.append(self.conv_vips)
                    elif lib == "raw" and ext in self.fmt_raw:
                        funs.append(self.conv_raw)
                    elif can_au and (want_png or want_au):
                        if want_opus:
                            funs.append(self.conv_opus)
                        elif want_mp3:
                            funs.append(self.conv_mp3)
                        elif want_flac:
                            funs.append(self.conv_flac)
                        elif want_wav:
                            funs.append(self.conv_wav)
                        elif want_png:
                            funs.append(self.conv_waves)
                            png_ok = True
@ -474,35 +512,38 @@ class ThumbSrv(object):
        return im
    def conv_image_pil(self, im: "Image.Image", tpath: str, fmt: str, vn: VFS) -> None:
        try:
            im = self.fancy_pillow(im, fmt, vn)
        except Exception as ex:
            self.log("fancy_pillow {}".format(ex), "90")
            im.thumbnail(self.getres(vn, fmt))
        fmts = ["RGB", "L"]
        args = {"quality": 40}
        if tpath.endswith(".webp"):
            # quality 80 = pillow-default
            # quality 75 = ffmpeg-default
            # method 0 = pillow-default, fast
            # method 4 = ffmpeg-default
            # method 6 = max, slow
            fmts.extend(("RGBA", "LA"))
            args["method"] = 6
        else:
            # default q = 75
            args["progressive"] = True
        if im.mode not in fmts:
            # print("conv {}".format(im.mode))
            im = im.convert("RGB")
        im.save(tpath, **args)
    def conv_pil(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        self.wait4ram(0.2, tpath)
        with Image.open(fsenc(abspath)) as im:
-            try:
+            self.conv_image_pil(im, tpath, fmt, vn)
                im = self.fancy_pillow(im, fmt, vn)
            except Exception as ex:
                self.log("fancy_pillow {}".format(ex), "90")
                im.thumbnail(self.getres(vn, fmt))
            fmts = ["RGB", "L"]
            args = {"quality": 40}
            if tpath.endswith(".webp"):
                # quality 80 = pillow-default
                # quality 75 = ffmpeg-default
                # method 0 = pillow-default, fast
                # method 4 = ffmpeg-default
                # method 6 = max, slow
                fmts.extend(("RGBA", "LA"))
                args["method"] = 6
            else:
                # default q = 75
                args["progressive"] = True
            if im.mode not in fmts:
                # print("conv {}".format(im.mode))
                im = im.convert("RGB")
            im.save(tpath, **args)
    def conv_vips(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        self.wait4ram(0.2, tpath)
@ -525,9 +566,53 @@ class ThumbSrv(object):
        assert img  # type: ignore  # !rm
        img.write_to_file(tpath, Q=40)
    def conv_raw(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        self.wait4ram(0.2, tpath)
        with rawpy.imread(abspath) as raw:
            thumb = raw.extract_thumb()
        if thumb.format == rawpy.ThumbFormat.JPEG and tpath.endswith(".jpg"):
            # if we have a jpg thumbnail and no webp output is available,
            # just write the jpg directly (it'll be the wrong size, but it's fast)
            with open(tpath, "wb") as f:
                f.write(thumb.data)
        if HAVE_VIPS:
            crops = ["centre", "none"]
            if "f" in fmt:
                crops = ["none"]
            w, h = self.getres(vn, fmt)
            kw = {"height": h, "size": "down", "intent": "relative"}
            for c in crops:
                try:
                    kw["crop"] = c
                    if thumb.format == rawpy.ThumbFormat.BITMAP:
                        img = pyvips.Image.new_from_array(
                            thumb.data, interpretation="rgb"
                        )
                        img = img.thumbnail_image(w, **kw)
                    else:
                        img = pyvips.Image.thumbnail_buffer(thumb.data, w, **kw)
                    break
                except:
                    if c == crops[-1]:
                        raise
            assert img  # type: ignore  # !rm
            img.write_to_file(tpath, Q=40)
        elif HAVE_PIL:
            if thumb.format == rawpy.ThumbFormat.BITMAP:
                im = Image.fromarray(thumb.data, "RGB")
            else:
                im = Image.open(io.BytesIO(thumb.data))
            self.conv_image_pil(im, tpath, fmt, vn)
        else:
            raise Exception(
                "either pil or vips is needed to process embedded bitmap thumbnails in raw files"
            )
    def conv_ffmpeg(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        self.wait4ram(0.2, tpath)
-        ret, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
+        ret, _, _, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if not ret:
            return
@ -538,6 +623,17 @@ class ThumbSrv(object):
            dur = ret[".dur"][1] if ".dur" in ret else 4
            seek = [b"-ss", "{:.0f}".format(dur / 3).encode("utf-8")]
        self._ffmpeg_im(abspath, tpath, fmt, vn, seek, b"0:v:0")
    def _ffmpeg_im(
        self,
        abspath: str,
        tpath: str,
        fmt: str,
        vn: VFS,
        seek: list[bytes],
        imap: bytes,
    ) -> None:
        scale = "scale={0}:{1}:force_original_aspect_ratio="
        if "f" in fmt:
            scale += "decrease,setsar=1:1"
@ -556,7 +652,7 @@ class ThumbSrv(object):
        cmd += seek
        cmd += [
            b"-i", fsenc(abspath),
-            b"-map", b"0:v:0",
+            b"-map", imap,
            b"-vf", bscale,
            b"-frames:v", b"1",
            b"-metadata:s:v:0", b"rotate=0",
@ -577,11 +673,11 @@ class ThumbSrv(object):
            ]
        cmd += [fsenc(tpath)]
-        self._run_ff(cmd, vn)
+        self._run_ff(cmd, vn, "convt")
-    def _run_ff(self, cmd: list[bytes], vn: VFS, oom: int = 400) -> None:
+    def _run_ff(self, cmd: list[bytes], vn: VFS, kto: str, oom: int = 400) -> None:
        # self.log((b" ".join(cmd)).decode("utf-8"))
-        ret, _, serr = runcmd(cmd, timeout=vn.flags["convt"], nice=True, oom=oom)
+        ret, _, serr = runcmd(cmd, timeout=vn.flags[kto], nice=True, oom=oom)
        if not ret:
            return
@ -625,7 +721,7 @@ class ThumbSrv(object):
        raise sp.CalledProcessError(ret, (cmd[0], b"...", cmd[-1]))
    def conv_waves(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
-        ret, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
+        ret, _, _, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if "ac" not in ret:
            raise Exception("not audio")
@ -663,7 +759,7 @@ class ThumbSrv(object):
        # fmt: on
        cmd += [fsenc(tpath)]
-        self._run_ff(cmd, vn)
+        self._run_ff(cmd, vn, "convt")
        if "pngquant" in vn.flags:
            wtpath = tpath + ".png"
@ -684,11 +780,31 @@ class ThumbSrv(object):
            else:
                atomic_move(self.log, wtpath, tpath, vn.flags)
    def conv_emb_cv(
        self, abspath: str, tpath: str, fmt: str, vn: VFS, strm: dict[str, Any]
    ) -> None:
        self.wait4ram(0.2, tpath)
        self._ffmpeg_im(
            abspath, tpath, fmt, vn, [], b"0:" + strm["index"].encode("ascii")
        )
    def conv_spec(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
-        ret, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
+        ret, raw, strms, ctnr = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if "ac" not in ret:
            raise Exception("not audio")
        want_spec = vn.flags.get("th_spec_p", 1)
        if want_spec < 2:
            for strm in strms:
                if (
                    strm.get("codec_type") == "video"
                    and strm.get("DISPOSITION:attached_pic") == "1"
                ):
                    return self.conv_emb_cv(abspath, tpath, fmt, vn, strm)
        if not want_spec:
            raise Exception("spectrograms forbidden by volflag")
        fext = abspath.split(".")[-1].lower()
        # https://trac.ffmpeg.org/ticket/10797
@ -724,7 +840,7 @@ class ThumbSrv(object):
                b"-y", fsenc(infile),
            ]
            # fmt: on
-            self._run_ff(cmd, vn)
+            self._run_ff(cmd, vn, "convt")
        fc = "[0:a:0]aresample=48000{},showspectrumpic=s="
        if "3" in fmt:
@ -766,7 +882,7 @@ class ThumbSrv(object):
            ]
        cmd += [fsenc(tpath)]
-        self._run_ff(cmd, vn)
+        self._run_ff(cmd, vn, "convt")
    def conv_mp3(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        quality = self.args.q_mp3.lower()
@ -774,7 +890,7 @@ class ThumbSrv(object):
            raise Exception("disabled in server config")
        self.wait4ram(0.2, tpath)
-        tags, rawtags = ffprobe(abspath, int(vn.flags["convt"] / 2))
+        tags, rawtags, _, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if "ac" not in tags:
            raise Exception("not audio")
@ -805,14 +921,74 @@ class ThumbSrv(object):
            fsenc(tpath)
        ]
        # fmt: on
-        self._run_ff(cmd, vn, oom=300)
+        self._run_ff(cmd, vn, "aconvt", oom=300)
    def conv_flac(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        if self.args.no_acode or not self.args.allow_flac:
            raise Exception("flac not permitted in server config")
        self.wait4ram(0.2, tpath)
        tags, _, _, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if "ac" not in tags:
            raise Exception("not audio")
        self.log("conv2 flac", 6)
        # fmt: off
        cmd = [
            b"ffmpeg",
            b"-nostdin",
            b"-v", b"error",
            b"-hide_banner",
            b"-i", fsenc(abspath),
            b"-map", b"0:a:0",
            b"-c:a", b"flac",
            fsenc(tpath)
        ]
        # fmt: on
        self._run_ff(cmd, vn, "aconvt", oom=300)
    def conv_wav(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        if self.args.no_acode or not self.args.allow_wav:
            raise Exception("wav not permitted in server config")
        self.wait4ram(0.2, tpath)
        tags, _, _, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if "ac" not in tags:
            raise Exception("not audio")
        bits = tags[".bps"][1]
        if bits == 0.0:
            bits = tags[".bprs"][1]
        codec = b"pcm_s32le"
        if bits <= 16.0:
            codec = b"pcm_s16le"
        elif bits <= 24.0:
            codec = b"pcm_s24le"
        self.log("conv2 wav", 6)
        # fmt: off
        cmd = [
            b"ffmpeg",
            b"-nostdin",
            b"-v", b"error",
            b"-hide_banner",
            b"-i", fsenc(abspath),
            b"-map", b"0:a:0",
            b"-c:a", codec,
            fsenc(tpath)
        ]
        # fmt: on
        self._run_ff(cmd, vn, "aconvt", oom=300)
    def conv_opus(self, abspath: str, tpath: str, fmt: str, vn: VFS) -> None:
        if self.args.no_acode or not self.args.q_opus:
            raise Exception("disabled in server config")
        self.wait4ram(0.2, tpath)
-        tags, rawtags = ffprobe(abspath, int(vn.flags["convt"] / 2))
+        tags, rawtags, _, _ = ffprobe(abspath, int(vn.flags["convt"] / 2))
        if "ac" not in tags:
            raise Exception("not audio")
@ -861,7 +1037,7 @@ class ThumbSrv(object):
            fsenc(tpath)
        ]
        # fmt: on
-        self._run_ff(cmd, vn, oom=300)
+        self._run_ff(cmd, vn, "aconvt", oom=300)
    def _conv_caf(
        self,
@ -901,7 +1077,7 @@ class ThumbSrv(object):
            fsenc(tmp_opus)
        ]
        # fmt: on
-        self._run_ff(cmd, vn, oom=300)
+        self._run_ff(cmd, vn, "aconvt", oom=300)
        # iOS fails to play some "insufficiently complex" files
        # (average file shorter than 8 seconds), so of course we
@ -928,7 +1104,7 @@ class ThumbSrv(object):
                fsenc(tpath)
            ]
            # fmt: on
-            self._run_ff(cmd, vn, oom=300)
+            self._run_ff(cmd, vn, "aconvt", oom=300)
        else:
            # simple remux should be safe
@ -947,7 +1123,7 @@ class ThumbSrv(object):
                fsenc(tpath)
            ]
            # fmt: on
-            self._run_ff(cmd, vn, oom=300)
+            self._run_ff(cmd, vn, "aconvt", oom=300)
        try:
            wunlink(self.log, tmp_opus, vn.flags)
--- a/copyparty/u2idx.py
+++ b/copyparty/u2idx.py
@ -391,7 +391,7 @@ class U2idx(object):
            fk_alg = 2 if "fka" in flags else 1
            c = cur.execute(uq, tuple(vuv))
            for hit in c:
-                w, ts, sz, rd, fn, ip, at = hit[:7]
+                w, ts, sz, rd, fn = hit[:5]
                if rd.startswith("//") or fn.startswith("//"):
                    rd, fn = s3dec(rd, fn)
--- a/copyparty/up2k.py
+++ b/copyparty/up2k.py
@ -77,7 +77,7 @@ except:
 if HAVE_SQLITE3:
    import sqlite3
-DB_VER = 5
+DB_VER = 6
 if True:  # pylint: disable=using-constant-test
    from typing import Any, Optional, Pattern, Union
@ -86,7 +86,10 @@ if TYPE_CHECKING:
    from .svchub import SvcHub
 zsg = "avif,avifs,bmp,gif,heic,heics,heif,heifs,ico,j2p,j2k,jp2,jpeg,jpg,jpx,png,tga,tif,tiff,webp"
-CV_EXTS = set(zsg.split(","))
+ICV_EXTS = set(zsg.split(","))
 zsg = "3gp,asf,av1,avc,avi,flv,m4v,mjpeg,mjpg,mkv,mov,mp4,mpeg,mpeg2,mpegts,mpg,mpg2,mts,nut,ogm,ogv,rm,vob,webm,wmv"
 VCV_EXTS = set(zsg.split(","))
 zsg = "nohash noidx xdev xvol"
 VF_AFFECTS_INDEXING = set(zsg.split(" "))
@ -141,6 +144,7 @@ class Up2k(object):
        self.salt = self.args.warksalt
        self.r_hash = re.compile("^[0-9a-zA-Z_-]{44}$")
        self.abrt_key = ""
        self.gid = 0
        self.gt0 = 0
@ -372,11 +376,12 @@ class Up2k(object):
                if ineed == ihash or not ineed:
                    continue
                poke = job["poke"]
                zt = (
                    ineed / ihash,
                    job["size"],
-                    int(job["t0c"]),
+                    int(job.get("t0c", poke)),
-                    int(job["poke"]),
+                    int(poke),
                    djoin(vtop, job["prel"], job["name"]),
                )
                ret.append(zt)
@ -399,12 +404,14 @@ class Up2k(object):
        return "{}"
-    def get_unfinished_by_user(self, uname, ip) -> str:
+    def get_unfinished_by_user(self, uname, ip) -> dict[str, Any]:
        # returns dict due to ExceptionalQueue
        if PY2 or not self.reg_mutex.acquire(timeout=2):
-            return '[{"timeout":1}]'
+            return {"timeout": 1}
        ret: list[tuple[int, str, int, int, int]] = []
        userset = set([(uname or "\n"), "*"])
        n = 1000
        try:
            for ptop, tab2 in self.registry.items():
                cfg = self.flags.get(ptop, {}).get("u2abort", 1)
@ -419,7 +426,6 @@ class Up2k(object):
                        or (addr and addr != job["addr"])
                    ):
                        continue
                    zt5 = (
                        int(job["t0"]),
                        djoin(job["vtop"], job["prel"], job["name"]),
@ -428,6 +434,9 @@ class Up2k(object):
                        len(job["hash"]),
                    )
                    ret.append(zt5)
                    n -= 1
                    if not n:
                        break
        finally:
            self.reg_mutex.release()
@ -444,7 +453,7 @@ class Up2k(object):
            }
            for (at, vp, sz, nn, nh) in ret
        ]
-        return json.dumps(ret2, separators=(",\n", ": "))
+        return {"f": ret2}
    def get_unfinished(self) -> str:
        if PY2 or not self.reg_mutex.acquire(timeout=0.5):
@ -894,7 +903,7 @@ class Up2k(object):
        self.iacct = self.asrv.iacct
        self.grps = self.asrv.grps
-        have_e2d = self.args.idp_h_usr or self.args.chpw or self.args.shr
+        have_e2d = self.args.have_idp_hdrs or self.args.chpw or self.args.shr
        vols = list(all_vols.values())
        t0 = time.time()
@ -1474,7 +1483,7 @@ class Up2k(object):
        unreg: list[str] = []
        files: list[tuple[int, int, str]] = []
        fat32 = True
-        cv = ""
+        cv = vcv = ""
        th_cvd = self.args.th_coversd
        th_cvds = self.args.th_coversd_set
@ -1569,25 +1578,24 @@ class Up2k(object):
                rsz += sz
                files.append((sz, lmod, iname))
-                liname = iname.lower()
+                if sz:
-                if (
+                    liname = iname.lower()
-                    sz
+                    ext = liname.rsplit(".", 1)[-1]
-                    and (
+                    if (
                        liname in th_cvds
-                        or (
+                        or (not cv and ext in ICV_EXTS and not iname.startswith("."))
-                            not cv
+                    ) and (
                            and liname.rsplit(".", 1)[-1] in CV_EXTS
                            and not iname.startswith(".")
                        )
                    )
                    and (
                        not cv
                        or liname not in th_cvds
                        or cv.lower() not in th_cvds
                        or th_cvd.index(liname) < th_cvd.index(cv.lower())
-                    )
+                    ):
-                ):
+                        cv = iname
-                    cv = iname
+                    elif not vcv and ext in VCV_EXTS and not iname.startswith("."):
                        vcv = iname
        if not cv:
            cv = vcv
        if not self.args.no_dirsz:
            tnf += len(files)
@ -1647,7 +1655,7 @@ class Up2k(object):
            abspath = cdirs + fn
            nohash = reh.search(abspath) if reh else False
-            sql = "select w, mt, sz, ip, at from up where rd = ? and fn = ?"
+            sql = "select w, mt, sz, ip, at, un from up where rd = ? and fn = ?"
            try:
                c = db.c.execute(sql, (rd, fn))
            except:
@ -1656,7 +1664,7 @@ class Up2k(object):
            in_db = list(c.fetchall())
            if in_db:
                self.pp.n -= 1
-                dw, dts, dsz, ip, at = in_db[0]
+                dw, dts, dsz, ip, at, un = in_db[0]
                if len(in_db) > 1:
                    t = "WARN: multiple entries: %r => %r |%d|\n%r"
                    rep_db = "\n".join([repr(x) for x in in_db])
@ -1669,6 +1677,9 @@ class Up2k(object):
                if dts == lmod and dsz == sz and (nohash or dw[0] != "#" or not sz):
                    continue
                if un is None:
                    un = ""
                t = "reindex %r => %r mtime(%s/%s) size(%s/%s)"
                self.log(t % (top, rp, dts, lmod, dsz, sz))
                self.db_rm(db.c, rd, fn, 0)
@ -1679,6 +1690,7 @@ class Up2k(object):
                dw = ""
                ip = ""
                at = 0
                un = ""
            self.pp.msg = "a%d %s" % (self.pp.n, abspath)
@ -1704,9 +1716,10 @@ class Up2k(object):
            if dw and dw != wark:
                ip = ""
                at = 0
                un = ""
            # skip upload hooks by not providing vflags
-            self.db_add(db.c, {}, rd, fn, lmod, sz, "", "", wark, wark, "", "", ip, at)
+            self.db_add(db.c, {}, rd, fn, lmod, sz, "", "", wark, wark, "", un, ip, at)
            db.n += 1
            db.nf += 1
            tfa += 1
@ -2143,8 +2156,8 @@ class Up2k(object):
            with self.mutex:
                try:
-                    q = "select rd, fn, ip, at from up where substr(w,1,16)=? and +w=?"
+                    q = "select rd, fn, ip, at, un from up where substr(w,1,16)=? and +w=?"
-                    rd, fn, ip, at = cur.execute(q, (w16, w)).fetchone()
+                    rd, fn, ip, at, un = cur.execute(q, (w16, w)).fetchone()
                except:
                    # file modified/deleted since spooling
                    continue
@ -2163,12 +2176,15 @@ class Up2k(object):
            abspath = djoin(ptop, rd, fn)
            self.pp.msg = "c%d %s" % (nq, abspath)
            if not mpool:
-                n_tags = self._tagscan_file(cur, entags, w, abspath, ip, at)
+                n_tags = self._tagscan_file(cur, entags, w, abspath, ip, at, un)
            else:
                oth_tags = {}
                if ip:
-                    oth_tags = {"up_ip": ip, "up_at": at}
+                    oth_tags["up_ip"] = ip
-                else:
+                if at:
-                    oth_tags = {}
+                    oth_tags["up_at"] = at
                if un:
                    oth_tags["up_by"] = un
                mpool.put(Mpqe({}, entags, w, abspath, oth_tags))
                with self.mutex:
@ -2324,8 +2340,8 @@ class Up2k(object):
                    if w in in_progress:
                        continue
-                    q = "select rd, fn, ip, at from up where substr(w,1,16)=? limit 1"
+                    q = "select rd, fn, ip, at, un from up where substr(w,1,16)=? limit 1"
-                    rd, fn, ip, at = cur.execute(q, (w,)).fetchone()
+                    rd, fn, ip, at, un = cur.execute(q, (w,)).fetchone()
                    rd, fn = s3dec(rd, fn)
                    abspath = djoin(ptop, rd, fn)
@ -2349,7 +2365,10 @@ class Up2k(object):
                    if ip:
                        oth_tags["up_ip"] = ip
                    if at:
                        oth_tags["up_at"] = at
                    if un:
                        oth_tags["up_by"] = un
                    jobs.append(Mpqe(parsers, set(), w, abspath, oth_tags))
                    in_progress[w] = True
@ -2538,6 +2557,7 @@ class Up2k(object):
        abspath: str,
        ip: str,
        at: float,
        un: Optional[str],
    ) -> int:
        """will mutex(main)"""
        assert self.mtag  # !rm
@ -2558,7 +2578,10 @@ class Up2k(object):
        if ip:
            tags["up_ip"] = ip
        if at:
            tags["up_at"] = at
        if un:
            tags["up_by"] = un
        with self.mutex:
            return self._tag_file(write_cur, entags, wark, abspath, tags)
@ -2662,16 +2685,19 @@ class Up2k(object):
        if not existed and ver is None:
            return self._try_create_db(db_path, cur)
-        if ver == 4:
+        for upver in (4, 5):
            if ver != upver:
                continue
            try:
                t = "creating backup before upgrade: "
                cur = self._backup_db(db_path, cur, ver, t)
-                self._upgrade_v4(cur)
+                getattr(self, "_upgrade_v%d" % (upver,))(cur)
-                ver = 5
+                ver += 1  # type: ignore
            except:
-                self.log("WARN: failed to upgrade from v4", 3)
+                self.log("WARN: failed to upgrade from v%d" % (ver,), 3)
        if ver == DB_VER:
            # these no longer serve their intended purpose but they're great as additional sanchks
            self._add_dhash_tab(cur)
            self._add_xiu_tab(cur)
            self._add_cv_tab(cur)
@ -2773,7 +2799,7 @@ class Up2k(object):
            idx = r"create index up_w on up(w)"
        for cmd in [
-            r"create table up (w text, mt int, sz int, rd text, fn text, ip text, at int)",
+            r"create table up (w text, mt int, sz int, rd text, fn text, ip text, at int, un text)",
            r"create index up_vp on up(rd, fn)",
            r"create index up_fn on up(fn)",
            r"create index up_ip on up(ip)",
@ -2806,6 +2832,15 @@ class Up2k(object):
        cur.connection.commit()
    def _upgrade_v5(self, cur: "sqlite3.Cursor") -> None:
        for cmd in [
            r"alter table up add column un text",
            r"update kv set v=6 where k='sver'",
        ]:
            cur.execute(cmd)
        cur.connection.commit()
    def _add_dhash_tab(self, cur: "sqlite3.Cursor") -> None:
        # v5 -> v5a
        try:
@ -2827,7 +2862,7 @@ class Up2k(object):
        # v5a -> v5b
        # store rd+fn rather than warks to support nohash vols
        try:
-            cur.execute("select ws, rd, fn from iu limit 1").fetchone()
+            cur.execute("select c, w, rd, fn from iu limit 1").fetchone()
            return
        except:
            pass
@ -3003,7 +3038,7 @@ class Up2k(object):
                    argv = [dwark[:16], dwark]
                c2 = cur.execute(q, tuple(argv))
-                for _, dtime, dsize, dp_dir, dp_fn, ip, at in c2:
+                for _, dtime, dsize, dp_dir, dp_fn, ip, at, _ in c2:
                    if dp_dir.startswith("//") or dp_fn.startswith("//"):
                        dp_dir, dp_fn = s3dec(dp_dir, dp_fn)
@ -3425,7 +3460,7 @@ class Up2k(object):
            try:
                vrel = vjoin(job["prel"], fname)
                xlink = bool(vf.get("xlink"))
-                cur, wark, _, _, _, _ = self._find_from_vpath(ptop, vrel)
+                cur, wark, _, _, _, _, _ = self._find_from_vpath(ptop, vrel)
                self._forget_file(ptop, vrel, cur, wark, True, st.st_size, xlink)
            except Exception as ex:
                self.log("skipping replace-relink: %r" % (ex,))
@ -3882,14 +3917,14 @@ class Up2k(object):
            # plugins may expect this to look like an actual IP
            db_ip = "1.1.1.1" if "no_db_ip" in vflags else ip
-        sql = "insert into up values (?,?,?,?,?,?,?)"
+        sql = "insert into up values (?,?,?,?,?,?,?,?)"
-        v = (dwark, int(ts), sz, rd, fn, db_ip, int(at or 0))
+        v = (dwark, int(ts), sz, rd, fn, db_ip, int(at or 0), usr)
        try:
            db.execute(sql, v)
        except:
            assert self.mem_cur  # !rm
            rd, fn = s3enc(self.mem_cur, rd, fn)
-            v = (dwark, int(ts), sz, rd, fn, db_ip, int(at or 0))
+            v = (dwark, int(ts), sz, rd, fn, db_ip, int(at or 0), usr)
            db.execute(sql, v)
        self.volsize[db] += sz
@ -3981,6 +4016,9 @@ class Up2k(object):
            except:
                pass
    def handle_fs_abrt(self, akey: str) -> None:
        self.abrt_key = akey
    def handle_rm(
        self,
        uname: str,
@ -4027,7 +4065,7 @@ class Up2k(object):
            vn, rem = vn0.get_dbv(rem0)
            ptop = vn.realpath
            with self.mutex, self.reg_mutex:
-                abrt_cfg = self.flags.get(ptop, {}).get("u2abort", 1)
+                abrt_cfg = vn.flags.get("u2abort", 1)
                addr = (ip or "\n") if abrt_cfg in (1, 2) else ""
                user = ((uname or "\n"), "*") if abrt_cfg in (1, 3) else None
                reg = self.registry.get(ptop, {}) if abrt_cfg else {}
@ -4048,17 +4086,22 @@ class Up2k(object):
                if partial:
                    dip = ip
                    dat = time.time()
                    dun = uname
                    un_cfg = 1
                else:
-                    if not self.args.unpost:
+                    un_cfg = vn.flags["unp_who"]
                    if not self.args.unpost or not un_cfg:
                        t = "the unpost feature is disabled in server config"
                        raise Pebkac(400, t)
-                    _, _, _, _, dip, dat = self._find_from_vpath(ptop, rem)
+                    _, _, _, _, dip, dat, dun = self._find_from_vpath(ptop, rem)
            t = "you cannot delete this: "
            if not dip:
                t += "file not found"
-            elif dip != ip:
+            elif dip != ip and un_cfg in (1, 2):
                t += "not uploaded by (You)"
            elif dun != uname and un_cfg in (1, 3):
                t += "not uploaded by (You)"
            elif dat < time.time() - self.args.unpost:
                t += "uploaded too long ago"
@ -4147,7 +4190,7 @@ class Up2k(object):
                    try:
                        ptop = dbv.realpath
                        xlink = bool(dbv.flags.get("xlink"))
-                        cur, wark, _, _, _, _ = self._find_from_vpath(ptop, volpath)
+                        cur, wark, _, _, _, _, _ = self._find_from_vpath(ptop, volpath)
                        self._forget_file(
                            ptop, volpath, cur, wark, True, st.st_size, xlink
                        )
@ -4190,7 +4233,7 @@ class Up2k(object):
        return n_files, ok + ok2, ng + ng2
-    def handle_cp(self, uname: str, ip: str, svp: str, dvp: str) -> str:
+    def handle_cp(self, abrt: str, uname: str, ip: str, svp: str, dvp: str) -> str:
        if svp == dvp or dvp.startswith(svp + "/"):
            raise Pebkac(400, "cp: cannot copy parent into subfolder")
@ -4237,6 +4280,8 @@ class Up2k(object):
                        dvpf = dvp + svpf[len(svp) :]
                        self._cp_file(uname, ip, svpf, dvpf, curs)
                        if abrt and abrt == self.abrt_key:
                            raise Pebkac(400, "filecopy aborted by http-api")
                    for v in curs:
                        v.connection.commit()
@ -4306,7 +4351,7 @@ class Up2k(object):
        bos.makedirs(os.path.dirname(dabs), vf=dvn.flags)
-        c1, w, ftime_, fsize_, ip, at = self._find_from_vpath(
+        c1, w, ftime_, fsize_, ip, at, un = self._find_from_vpath(
            svn_dbv.realpath, srem_dbv
        )
        c2 = self.cur.get(dvn.realpath)
@ -4331,7 +4376,7 @@ class Up2k(object):
                    w,
                    w,
                    "",
-                    "",
+                    un or "",
                    ip or "",
                    at or 0,
                )
@ -4404,7 +4449,7 @@ class Up2k(object):
        return "k"
-    def handle_mv(self, uname: str, ip: str, svp: str, dvp: str) -> str:
+    def handle_mv(self, abrt: str, uname: str, ip: str, svp: str, dvp: str) -> str:
        if svp == dvp or dvp.startswith(svp + "/"):
            raise Pebkac(400, "mv: cannot move parent into subfolder")
@ -4459,6 +4504,8 @@ class Up2k(object):
                        dvpf = dvp + svpf[len(svp) :]
                        self._mv_file(uname, ip, svpf, dvpf, curs)
                        if abrt and abrt == self.abrt_key:
                            raise Pebkac(400, "filemove aborted by http-api")
                    for v in curs:
                        v.connection.commit()
@ -4590,7 +4637,7 @@ class Up2k(object):
            return "k"
-        c1, w, ftime_, fsize_, ip, at = self._find_from_vpath(svn.realpath, srem)
+        c1, w, ftime_, fsize_, ip, at, un = self._find_from_vpath(svn.realpath, srem)
        c2 = self.cur.get(dvn.realpath)
        has_dupes = False
@ -4624,7 +4671,7 @@ class Up2k(object):
                    w,
                    w,
                    "",
-                    "",
+                    un or "",
                    ip or "",
                    at or 0,
                )
@ -4724,13 +4771,14 @@ class Up2k(object):
        Optional[int],
        str,
        Optional[int],
        str,
    ]:
        cur = self.cur.get(ptop)
        if not cur:
-            return None, None, None, None, "", None
+            return None, None, None, None, "", None, ""
        rd, fn = vsplit(vrem)
-        q = "select w, mt, sz, ip, at from up where rd=? and fn=? limit 1"
+        q = "select w, mt, sz, ip, at, un from up where rd=? and fn=? limit 1"
        try:
            c = cur.execute(q, (rd, fn))
        except:
@ -4739,9 +4787,9 @@ class Up2k(object):
        hit = c.fetchone()
        if hit:
-            wark, ftime, fsize, ip, at = hit
+            wark, ftime, fsize, ip, at, un = hit
-            return cur, wark, ftime, fsize, ip, at
+            return cur, wark, ftime, fsize, ip, at, un
-        return cur, None, None, None, "", None
+        return cur, None, None, None, "", None, ""
    def _forget_file(
        self,
--- a/copyparty/util.py
+++ b/copyparty/util.py
@ -399,6 +399,9 @@ application swf=x-shockwave-flash m3u=vnd.apple.mpegurl db3=vnd.sqlite3 sqlite=v
 text ass=plain ssa=plain
 image jpg=jpeg xpm=x-xpixmap psd=vnd.adobe.photoshop jpf=jpx tif=tiff ico=x-icon djvu=vnd.djvu
 image heic=heic-sequence heif=heif-sequence hdr=vnd.radiance svg=svg+xml
 image arw=x-sony-arw cr2=x-canon-cr2 crw=x-canon-crw dcr=x-kodak-dcr dng=x-adobe-dng erf=x-epson-erf
 image k25=x-kodak-k25 kdc=x-kodak-kdc mrw=x-minolta-mrw nef=x-nikon-nef orf=x-olympus-orf
 image pef=x-pentax-pef raf=x-fuji-raf raw=x-panasonic-raw sr2=x-sony-sr2 srf=x-sony-srf x3f=x-sigma-x3f
 audio caf=x-caf mp3=mpeg m4a=mp4 mid=midi mpc=musepack aif=aiff au=basic qcp=qcelp
 video mkv=x-matroska mov=quicktime avi=x-msvideo m4v=x-m4v ts=mp2t
 video asf=x-ms-asf flv=x-flv 3gp=3gpp 3g2=3gpp2 rmvb=vnd.rn-realmedia-vbr
@ -2396,6 +2399,21 @@ def ujoin(rd: str, fn: str) -> str:
        return rd or fn
 def str_anchor(txt) -> tuple[int, str]:
    if not txt:
        return 0, ""
    txt = txt.lower()
    a = txt.startswith("^")
    b = txt.endswith("$")
    if not b:
        if not a:
            return 1, txt  # ~
        return 2, txt[1:]  # ^
    if not a:
        return 3, txt[:-1]  # $
    return 4, txt[1:-1]  # ^$
 def log_reloc(
    log: "NamedLogger",
    re: dict[str, str],
@ -2936,6 +2954,27 @@ def load_ipu(
    return ip_u, nm
 def load_ipr(
    log: "RootLogger", iprs: list[str], defer_mutex: bool = False
 ) -> dict[str, NetMap]:
    ret = {}
    for ipr in iprs:
        try:
            zs, uname = ipr.split("=")
            cidrs = zs.split(",")
        except:
            t = "\n  invalid value %r for argument --ipr; must be CIDR[,CIDR[,...]]=UNAME (192.168.0.0/16=amelia)"
            raise Exception(t % (ipr,))
        try:
            nm = NetMap(["::"], cidrs, True, True, defer_mutex)
        except Exception as ex:
            t = "failed to translate --ipr into netmap, probably due to invalid config: %r"
            log("root", t % (ex,), 1)
            raise
        ret[uname] = nm
    return ret
 def yieldfile(fn: str, bufsz: int) -> Generator[bytes, None, None]:
    readsz = min(bufsz, 128 * 1024)
    with open(fsenc(fn), "rb", bufsz) as f:
@ -2967,6 +3006,17 @@ def justcopy(
    return tlen, "checksum-disabled", "checksum-disabled"
 def eol_conv(
    fin: Generator[bytes, None, None], conv: str
 ) -> Generator[bytes, None, None]:
    crlf = conv.lower() == "crlf"
    for buf in fin:
        buf = buf.replace(b"\r", b"")
        if crlf:
            buf = buf.replace(b"\n", b"\r\n")
        yield buf
 def hashcopy(
    fin: Generator[bytes, None, None],
    fout: Union[typing.BinaryIO, typing.IO[Any]],
@ -3552,7 +3602,7 @@ def runihook(
    verbose: bool,
    cmd: str,
    vol: "VFS",
-    ups: list[tuple[str, int, int, str, str, str, int]],
+    ups: list[tuple[str, int, int, str, str, str, int, str]],
 ) -> bool:
    _, chk, fork, jtxt, wait, sp_ka, acmd = _parsehook(log, cmd)
    bcmd = [sfsenc(x) for x in acmd]
--- a/copyparty/web/baguettebox.js
+++ b/copyparty/web/baguettebox.js
@ -48,6 +48,7 @@ window.baguetteBox = (function () {
    var onFSC = function (e) {
        isFullscreen = !!document.fullscreenElement;
        clmod(document.documentElement, 'bb_fsc', isFullscreen);
    };
    var overlayClickHandler = function (e) {
@ -402,7 +403,7 @@ window.baguetteBox = (function () {
            if (isFullscreen)
                document.exitFullscreen();
            else
-                (vid() || ebi('bbox-overlay')).requestFullscreen();
+                ebi('bbox-overlay').requestFullscreen();
        }
        catch (ex) {
            if (IPHONE)
--- a/copyparty/web/browser.css
+++ b/copyparty/web/browser.css
@ -1113,18 +1113,7 @@ html.y #widget.open {
 	top: -.12em;
 }
 #wtico {
-	cursor: url(dd/4.png), pointer;
+	cursor: pointer;
 	animation: cursor 500ms;
 }
 #wtico:hover {
 	animation: cursor 500ms infinite;
 }
@keyframes cursor {
 	 0% {cursor: url(dd/2.png), pointer}
 	30% {cursor: url(dd/3.png), pointer}
 	50% {cursor: url(dd/4.png), pointer}
 	75% {cursor: url(dd/5.png), pointer}
 	85% {cursor: url(dd/4.png), pointer}
 }
@keyframes spin {
 	100% {transform: rotate(360deg)}
@ -1385,6 +1374,7 @@ html.y #ops svg circle {
 #op_cfg input[type=text] {
 	top: -.3em;
 }
 .opview select,
 .opview input[type=text] {
 	color: var(--fg);
 	background: var(--txt-bg);
@ -1395,6 +1385,11 @@ html.y #ops svg circle {
 	border-radius: .2em;
 	padding: .2em .3em;
 }
 .opview select {
 	padding: .3em;
 	margin: .2em .4em;
 	background: var(--bg-u3);
 }
 .opview input.err {
 	color: var(--err-fg);
 	background: var(--err-bg);
@ -1936,6 +1931,11 @@ html.y #tree.nowrap .ntree a+a:hover {
 	padding: 0;
 	font-size: 1.5em;
 }
 #fs_abrt {
 	margin-top: 1em;
 	text-shadow: 0;
 	box-shadow: 1px 1px 0 var(--bg-d3);
 }
 #doc {
 	overflow: visible;
 	background: #fff;
@ -2126,6 +2126,13 @@ html.noscroll .sbar::-webkit-scrollbar {
 	vertical-align: middle;
 	transition: transform .23s, left .23s, top .23s, width .23s, height .23s;
 }
 html.bb_fsc .full-image img,
 html.bb_fsc .full-image video {
 	max-height: 100%;
 }
 html.bb_fsc figcaption {
 	display: none;
 }
 .full-image img.nt,
 .full-image video.nt {
 	transition: none;
@ -3278,3 +3285,790 @@ html.d #treepar {
 		transition: background-color .3s ease, color .3s ease;
 	}
 }
 html.ey {
  --negative-space: 0em; /* Use this to change the global spacing of the 95 theme */
  --font-main: consolas;
  --font-serif: consolas;
  --font-mono: consolas;
  --w: #fff;
  --w2: #dfdfdf;
  --w3: grey;
  --fg: #000;
  --fg-max: #0000ff;
  --fg-weak: #0000ff;
  --bg: #c6c3c6;
  --bg-d3: #ff0;
  --bg-d2: var(--w3);
  --bg-d1: var(--bg);
  --bg-u2: var(--bg);
  --bg-u3: var(--bg);
  --bg-u5: var(--shadow-color-2);
  --tab-alt: #00f;
  --g-fsel-bg: #00f;
  --g-sel-bg: #00f;
  --g-fsel-b1: #fff;
  --row-alt: var(--w);
  --scroll: var(--silver);
  --f-sel-sh: transparent;
  --a: #000;
  --a-b: #fff;
  --a-hil: #fff;
  --a-h-bg: var(--bg);
  --a-dark: var(--a);
  --a-gray: var(--fg-weak);
  --btn-fg: var(--fg);
  --btn-bg: var(--bg);
  --btn-h-fg: var(--fg);
  --btn-h-bg: var(--bg);
  --btn-1-fg: var(--fg);
  --btn-1-bg: var(--bg);
  --btn-1h-bg: var(--bg-d3);
  --txt-sh: a;
  --txt-bg: var(--white);
  --u2-b1-bg: var(--w2);
  --u2-b2-bg: var(--w2);
  --u2-txt-bg: var(--w2);
  --u2-tab-bg: a;
  --u2-tab-1-bg: var(--w2);
  --sort-1: var(--fg-weak);
  --tree-bg: var(--w);
  --g-b1: a;
  --g-b2: a;
  --g-f-bg: var(--w2);
  --f-sh1: 0.1;
  --f-sh2: 0.02;
  --f-sh3: 0.1;
  --f-h-b1: a;
  --srv-1: var(--w);
  --srv-3: var(--a);
  --mp-sh: a;
  --black: #000;
  --white: #fff;
  --grey: grey;
  --silver: silver;
  --transparent: transparent;
  --shadow-color-1: #0a0a0a;
  --shadow-color-2: #808080;
  --border-dashed-black: 1px dashed var(--black);
  --radius: 0;
  --focus-outline: 1px dashed var(--black);
  --hover-outline: 1px dotted var(--black);
  --fm-off: var(--w3);
  --ttlbar: linear-gradient(90deg, navy, #1084d0);
  --inset-bg: var(--white);
  --scroll-bkg: var(--white);
  /*All sides*/
  --shadow-outset: inset -1px -1px var(--shadow-color-1),
    inset 1px 1px var(--white), inset -2px -2px var(--grey),
    inset 2px 2px var(--w2);
  --shadow-inset: inset -1px -1px var(--white),
    inset 1px 1px var(--shadow-color-1), inset -2px -2px var(--w2),
    inset 2px 2px var(--shadow-color-2);
  --shadow-input: inset -1px -1px var(--white), inset 1px 1px var(--grey),
    inset -2px -2px var(--w2), inset 2px 2px var(--shadow-color-1);
  /*Indiv sides*/
  --shadow-outset-bottom: inset 0 -1px var(--shadow-color-1),
    inset 0 -2px var(--grey);
  --shadow-outset-right: inset -1px 0 var(--shadow-color-1),
    inset -2px 0 var(--grey);
  --shadow-outset-left: inset 1px 0 var(--white), inset 2px 0 var(--w2);
  --shadow-outset-top: inset 0 1px var(--white), inset 0 2px var(--w2);
  --shadow-inset-bottom: inset 0 -1px var(--white), inset 0 -2px var(--w2);
  --shadow-inset-right: inset -1px 0 var(--white), inset -2px 0 var(--w2);
  --shadow-inset-left: inset 1px 0 var(--shadow-color-1),
    inset 2px 0 var(--shadow-color-2);
  --shadow-inset-top: inset 0 1px var(--shadow-color-1),
    inset 0 2px var(--shadow-color-2);
 }
 html.ez {
  --negative-space: 0em; /* Use this to change the global spacing of your theme :) */
  --font-main: consolas;
  --font-serif: consolas;
  --font-mono: consolas;
  --w: #fff;
  --w2: var(--inset-bg);
  --w3: grey;
  --fg: #cfcfcf;
  --fg-max: #47b8ff;
  --fg-weak: #47b8ff;
  --bg: #383838;
  --bg-d3: #600000;
  --bg-d2: var(--shadow-color-1);
  --bg-d1: var(--bg);
  --u2-tab-1-fg: #ff0;
  --bg-u2: var(--bg);
  --bg-u3: var(--bg);
  --bg-u5: var(--shadow-color-2);
  --tab-alt: #47b8ff;
  --g-fsel-bg: #0000b7;
  --g-sel-bg: #00f;
  --g-fsel-b1: #fff;
  --row-alt: #555555;
  --scroll: #555555;
  --f-sel-sh: transparent;
  --a: var(--fg);
  --a-b: var(--fg);
  --a-hil: var(--fg);
  --btn-1h-bg: var(--bg-d3);
  --a-h-bg: var(--bg);
  --a-dark: var(--a);
  --a-gray: var(--fg-weak);
  --btn-fg: var(--white);
  --btn-bg: var(--bg);
  --btn-h-fg: var(--white);
  --btn-h-bg: var(--bg);
  --btn-1-fg: var(--white);
  --btn-1-bg: var(--bg);
  --txt-sh: a;
  --u2-b1-bg: var(--w2);
  --u2-b2-bg: var(--w2);
  --u2-txt-bg: var(--w2);
  --u2-tab-bg: a;
  --u2-tab-1-bg: var(--w2);
  --sort-1: var(--fg-weak);
  --g-b1: a;
  --g-b2: a;
  --g-f-bg: var(--w2);
  --f-sh1: 0.1;
  --f-sh2: 0.02;
  --f-sh3: 0.1;
  --f-h-b1: a;
  --srv-1: var(--w);
  --srv-3: var(--a);
  --mp-sh: a;
  --black: #000;
  --white: #fff;
  --grey: grey;
  --silver: #858585;
  --transparent: transparent;
  --shadow-color-1: #101010;
  --shadow-color-2: #1f1f1f;
  --border-dashed-black: 1px dashed var(--shadow-color-1);
  --radius: 0;
  --focus-outline: 1px dashed var(--white);
  --hover-outline: 1px dotted var(--white);
  --fm-off: var(--w3);
  --ttlbar: linear-gradient(90deg, var(--shadow-color-1) 20%, #888888);
  --inset-bg: #3f3f3f;
  --tree-bg: var(--inset-bg);
  --txt-bg: var(--inset-bg);
  --scroll-bkg: var(--black);
  /*All sides*/
  --shadow-outset: inset -1px -1px var(--shadow-color-1), inset 1px 1px #878787,
    inset -2px -2px var(--shadow-color-2), inset 2px 2px #575757;
  --shadow-inset: inset -1px -1px #878787, inset 1px 1px var(--shadow-color-1),
    inset -2px -2px #575757, inset 2px 2px var(--shadow-color-2);
  --shadow-input: inset -1px -1px var(--white),
    inset 1px 1px var(--shadow-color-2), inset -2px -2px #575757,
    inset 2px 2px var(--shadow-color-1);
  --shadow-outset-bottom: inset 0 -1px var(--shadow-color-1),
    inset 0 -2px var(--shadow-color-2);
  --shadow-outset-right: inset -1px 0 var(--shadow-color-1),
    inset -2px 0 var(--shadow-color-2);
  --shadow-outset-left: inset 1px 0 #878787, inset 2px 0 #575757;
  --shadow-outset-top: inset 0 1px #878787, inset 0 2px #575757;
  --shadow-inset-bottom: inset 0 -1px #878787, inset 0 -2px #575757;
  --shadow-inset-right: inset -1px 0 #878787, inset -2px 0 #575757;
  --shadow-inset-left: inset 1px 0 var(--shadow-color-1),
    inset 2px 0 var(--shadow-color-2);
  --shadow-inset-top: inset 0 1px var(--shadow-color-1),
    inset 0 2px var(--shadow-color-2);
 }
 html.e {
  text-shadow: none;
 }
 html.e #files,
 html.e #u2conf input[type="checkbox"]:hover + label,
 html.e .tgl.btn.on:hover,
 html.e body {
  background: var(--bg);
 }
 html.e #pctl a,
 html.e #repl,
 html.e #u2conf a,
 html.e #u2conf input[type="checkbox"] + label,
 html.e #wfp a,
 html.e .btn,
 html.e .eq_step,
 html.e input[type="submit"] {
  box-shadow: var(--shadow-outset);
  border-radius: var(--radius);
  background: var(--bg);
  border: 0;
 }
 a.s0r,
 html.e #ghead a.s0,
 html.e #u2conf input[type="checkbox"]:checked + label,
 html.e .tgl.btn.on,
 html.e input[type="submit"]:active {
  box-shadow: var(--shadow-inset) !important;
 }
 html.e #ops a:hover,
 html.e #pctl a:hover,
 html.e #repl:hover,
 html.e #u2conf a:hover,
 html.e #u2conf input[type="checkbox"]:hover + label,
 html.e #wfp a:hover,
 html.e .btn:hover,
 html.e .eq_step:hover,
 html.e input[type="submit"]:hover {
  outline: var(--hover-outline);
  outline-offset: -4px;
 }
 html.e .ntree a:hover,
 html.e :focus,
 html.e :focus + label,
 html.e a:active,
 html.e tr:focus,
 input[type="text"]:focus {
  outline: var(--focus-outline) !important;
 }
 html.e tr:focus {
  box-shadow: none;
 }
 html.e #pctl a:focus,
 html.e #repl:hover,
 html.e #u2conf input[type="checkbox"]:focus + label,
 html.e #wfp a:focus,
 html.e .btn:focus,
 html.e .eq_step:focus {
  border: 0 !important;
  outline: var(--focus-outline) !important;
  outline-offset: 2px;
  box-shadow: var(--shadow-outset) !important;
 }
 html.e #files tbody,
 html.e #u2cards a.act {
  box-shadow: var(--shadow-inset);
 }
 html.e #files {
  border: 2px groove var(--transparent);
  box-sizing: border-box;
  width: 100%;
  padding: 0.3em;
  top: 0;
  border: 0;
 }
 html.e #files tbody tr td,
 html.e #files thead th {
  border-radius: var(--radius);
 }
 #files td {
  background: var(--w2);
 }
 html.e #files tr {
  background-color: var(--black);
 }
 html.e #srv_info span,
 html.e label {
  color: var(--btn-fg) !important;
 }
 html.e #acc_info {
  background: var(--transparent);
  color: var(--white);
  height: 2em;
  left: 1em;
  width: fit-content;
 }
 html.e #acc_info,
 html.e #ops,
 html.e #srv_info {
  display: flex;
  align-items: center;
 }
 html.e #flogout:before {
  padding-left: 0.2em;
  padding-right: 0.4em;
  content: " | ";
 }
 html.e #blogout {
  color: var(--w);
  box-shadow: none;
  background: transparent;
 }
 html.e .opwide > div {
  border-left: 1px solid var(--fg);
 }
 html.e #srv_info {
  background: var(--transparent);
  color: var(--white);
  height: fit-content;
  top: 3.2em;
  left: 1em;
  gap: 0.2em;
 }
 html.e #u2cards a.act {
  padding: 0.2em 1em;
 }
 html.e #u2btn {
  border: var(--border-dashed-black);
  border-radius: var(--border-radius);
  transform: translateY(30%);
 }
 html.e #ops,
 html.e #ops a {
  border-radius: var(--radius);
 }
@media only screen and (max-width: 600px) {
  html.e #acc_info {
    background: var(--transparent);
    color: var(--white);
    height: fit-content;
    align-items: center;
    top: 3.2em;
    right: 1em;
    left: auto;
    display: flex;
    gap: 0.2em;
  }
  html.e #u2btn {
    transform: none;
  }
 }
 html.e #ops {
  background: var(--ttlbar);
  /*HC*/
  box-shadow: inset 0-1px grey, inset 0-2px var(--shadow-color-1);
  height: 2em;
  gap: 0.6em;
  padding: 0.2em;
  flex-direction: row-reverse;
  margin-bottom: 1.2em;
 }
 html.e #srch_form,
 html.e .opbox {
  padding-bottom: 1em;
  padding-top: 1em;
  max-width: 100vw;
 }
 html.e #ghead,
 html.e #ops a {
  align-items: center;
  display: flex;
 }
 html.e #ops a {
  text-shadow: 1px 1px 0 rgba(0, 0, 0, 0.5);
  height: 1.4em;
  padding: 0;
  box-shadow: var(--shadow-outset);
  background: var(--bg);
  aspect-ratio: 1/1;
  justify-content: center;
  font-size: 1.25em;
  z-index: 4;
 }
 html.e #blogout:focus,
 html.e #ops a:focus {
  outline: 1px dashed var(--w) !important;
 }
 html.e #blogout:hover {
  text-decoration: underline;
 }
 html.e #ops > a:not(:first-child).act {
  height: 1.4em;
  width: 1.4em;
  padding-bottom: 0.3em;
  margin-top: 0.3em;
  border-top-left-radius: 3px;
  border-top-right-radius: 3px;
  box-shadow: var(--shadow-inset-left), var(--shadow-inset-top),
    var(--shadow-inset-right);
  z-index: 6;
 }
 html.e #ops a.act {
  box-shadow: var(--shadow-inset);
  border-bottom: 0;
 }
 html.e a:active {
  border: 0;
 }
 html.e :focus,
 html.e :focus + label {
  border: 0 !important;
  outline-offset: 1px;
  border-radius: var(--radius) !important;
  box-shadow: inherit;
 }
 html.e #opa_x {
  text-shadow: 0 0 0 var(--transparent) !important;
  color: var(--bg) !important;
  display: flex;
 }
 html.e #opa_x:before {
  content: "⨯";
  color: var(--fg) !important;
  margin-top: -0.1em;
  font-size: 1.75em;
  position: absolute;
 }
 html.e .opbox {
  margin: -1.2em 0 0;
  box-shadow: var(--shadow-inset-bottom), var(--shadow-inset-left),
    var(--shadow-inset-right);
  border-radius: var(--radius);
  z-index: 5;
  background: var(--bg);
 }
 html.e #srch_form {
  margin: 0;
  border-radius: var(--radius);
 }
 html.e #op_unpost {
  max-width: 100vw;
  margin: 0;
 }
 html.e label:focus {
  box-shadow: 0 0;
 }
 html.e #tree {
  box-shadow: none;
  padding-right: 5px;
 }
 html.e #tt {
  background: var(--w2);
 }
 html.e .mdo a {
  background: 0 0;
  text-decoration: underline;
 }
 html.e .mdo code,
 html.e .mdo pre {
  color: var(--white);
  background: var(--w2);
  border: 0;
 }
 html.e .mdo h1,
 html.e .mdo h2 {
  background: 0 0;
  border-color: var(--w2);
 }
 html.e #tt,
 html.e .mdo ol ol,
 html.e .mdo ol ul,
 html.e .mdo ul ol,
 html.e .mdo ul ul {
  border-color: var(--w2);
 }
 html.e .mdo li > em,
 html.e .mdo p > em,
 html.e .mdo td > em {
  color: #fd0;
 }
 html.e input.txtbox,
 html.e input[type="text"],
 html.e select {
  background-color: var(--txt-bg);
  box-shadow: var(--shadow-input) !important;
  box-sizing: border-box;
  padding: 3px 4px;
  border-radius: var(--radius);
  border: 0;
 }
 html.e #gfiles {
  box-shadow: var(--shadow-outset);
  background: var(--bg);
  padding: 0.4em;
  display: flex;
  flex-direction: column;
  gap: 0.3em;
 }
 html.e #ggrid {
  background-color: var(--inset-bg);
  box-shadow: var(--shadow-input);
  padding: 1.5em;
  margin: 0;
  overflow-x: scroll;
 }
 html.e #ghead {
  margin: 0;
  justify-content: flex-end;
  gap: 0.4em;
  padding: 0;
  overflow: auto;
  top: 0px;
  border-radius: 0px;
 }
 html.e #ghead a {
  margin: 0;
  border-radius: var(--radius);
 }
 html.e ::-webkit-scrollbar,
 html.e::-webkit-scrollbar {
  width: 16px !important;
  height: 16px !important;
  background: var(--transparent) !important;
 }
 html.e ::-webkit-scrollbar-button,
 html.e ::-webkit-scrollbar-thumb,
 html.e::-webkit-scrollbar-button,
 html.e::-webkit-scrollbar-thumb {
  width: 16px !important;
  height: 16px !important;
  background: var(--scroll) !important;
  /*HC*/
  box-shadow: var(--shadow-outset);
  border: 1px solid !important;
  border-color: var(--silver) var(--black) var(--black) var(--silver) !important;
 }
 html.e ::-webkit-scrollbar-track,
 html.e::-webkit-scrollbar-track {
  image-rendering: optimize-contrast !important;
  background-image: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgLTAuNSAyIDIiIHNoYXBlLXJlbmRlcmluZz0iY3Jpc3BFZGdlcyI+CjxtZXRhZGF0YT5NYWRlIHdpdGggUGl4ZWxzIHRvIFN2ZyBodHRwczovL2NvZGVwZW4uaW8vc2hzaGF3L3Blbi9YYnh2Tmo8L21ldGFkYXRhPgo8cGF0aCBzdHJva2U9IiNjMGMwYzAiIGQ9Ik0wIDBoMU0xIDFoMSIgLz4KPC9zdmc+) !important;
  background-position: 0 0 !important;
  background-repeat: repeat !important;
  background-size: 2px !important;
  background: var(--scroll-bkg);
 }
 #tree::-webkit-scrollbar,
 #tree::-webkit-scrollbar-track {
  background: var(--scroll-bkg);
 }
 html.e ::-webkit-scrollbar-button,
 html.e::-webkit-scrollbar-button {
  background-repeat: no-repeat !important;
  background-size: 16px !important;
 }
 html.e ::-webkit-scrollbar-button:single-button:vertical:decrement,
 html.e::-webkit-scrollbar-button:single-button:vertical:decrement {
  background-image: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgLTAuNSAxNiAxNiIgc2hhcGUtcmVuZGVyaW5nPSJjcmlzcEVkZ2VzIj4KPG1ldGFkYXRhPk1hZGUgd2l0aCBQaXhlbHMgdG8gU3ZnIGh0dHBzOi8vY29kZXBlbi5pby9zaHNoYXcvcGVuL1hieHZOajwvbWV0YWRhdGE+CjxwYXRoIHN0cm9rZT0iIzAwMDAwMCIgZD0iTTcgNWgxTTYgNmgzTTUgN2g1TTQgOGg3IiAvPgo8L3N2Zz4=) !important;
 }
 html.e ::-webkit-scrollbar-button:single-button:vertical:increment,
 html.e::-webkit-scrollbar-button:single-button:vertical:increment {
  background-image: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgLTAuNSAxNiAxNiIgc2hhcGUtcmVuZGVyaW5nPSJjcmlzcEVkZ2VzIj4KPG1ldGFkYXRhPk1hZGUgd2l0aCBQaXhlbHMgdG8gU3ZnIGh0dHBzOi8vY29kZXBlbi5pby9zaHNoYXcvcGVuL1hieHZOajwvbWV0YWRhdGE+CjxwYXRoIHN0cm9rZT0iIzAwMDAwMCIgZD0iTTQgNWg3TTUgNmg1TTYgN2gzTTcgOGgxIiAvPgo8L3N2Zz4=) !important;
 }
 html.e ::-webkit-scrollbar-button:single-button:horizontal:decrement,
 html.e::-webkit-scrollbar-button:single-button:horizontal:decrement {
  background-image: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgLTAuNSAxNiAxNiIgc2hhcGUtcmVuZGVyaW5nPSJjcmlzcEVkZ2VzIj4KPG1ldGFkYXRhPk1hZGUgd2l0aCBQaXhlbHMgdG8gU3ZnIGh0dHBzOi8vY29kZXBlbi5pby9zaHNoYXcvcGVuL1hieHZOajwvbWV0YWRhdGE+CjxwYXRoIHN0cm9rZT0iIzAwMDAwMCIgZD0iTTggM2gxTTcgNGgyTTYgNWgzTTUgNmg0TTYgN2gzTTcgOGgyTTggOWgxIiAvPgo8L3N2Zz4=) !important;
 }
 html.e ::-webkit-scrollbar-button:single-button:horizontal:increment,
 html.e::-webkit-scrollbar-button:single-button:horizontal:increment {
  background-image: url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgLTAuNSAxNiAxNiIgc2hhcGUtcmVuZGVyaW5nPSJjcmlzcEVkZ2VzIj4KPG1ldGFkYXRhPk1hZGUgd2l0aCBQaXhlbHMgdG8gU3ZnIGh0dHBzOi8vY29kZXBlbi5pby9zaHNoYXcvcGVuL1hieHZOajwvbWV0YWRhdGE+CjxwYXRoIHN0cm9rZT0iIzAwMDAwMCIgZD0iTTYgM2gxTTYgNGgyTTYgNWgzTTYgNmg0TTYgN2gzTTYgOGgyTTYgOWgxIiAvPgo8L3N2Zz4=) !important;
 }
 html.e ::-webkit-scrollbar-corner,
 html.e::-webkit-scrollbar-corner {
  background: var(--silver) !important;
 }
 html,
 html.e #tree {
  scrollbar-color: inherit !important;
 }
 html.e #tree {
  background: var(--bg);
  padding-left: 0.4em;
  padding-top: 0;
  margin-left: var(--negative-space);
 }
 html.e.noscroll #tree {
  /*HC*/
  box-shadow: 1px 1px var(--grey), 2px 2px var(--shadow-color-1),
    var(--shadow-outset-bottom);
 }
 html.e #treeh {
  background: var(--bg);
  box-shadow: var(--shadow-outset-top), var(--shadow-outset-bottom);
  width: calc(1.5em + var(--nav-sz) - var(--sbw));
  height: 2.4em;
  border: none;
  top: -2px;
  display: flex;
  align-items: center;
  gap: 0.6em;
 }
 html.e #treeh .btn {
  margin: 0px;
  top: auto;
 }
 html.e #tree ul {
  border-left: var(--border-dashed-black);
  margin-left: 2.15em;
 }
 html.e .ntree a:first-child {
  font-family: scp, monospace, monospace;
  font-size: 1.2em;
  line-height: 0;
  background: var(--inset-bg);
  aspect-ratio: 1/1;
  text-align: center;
  align-content: center;
  border-radius: var(--radius) !important;
  padding: 0.057em;
  border: 1px solid var(--black);
 }
 html.e .ntree a:first-child:after {
  content: ".";
  position: absolute;
  border-top: var(--border-dashed-black);
  color: var(--transparent);
  font-size: 0.9em;
  margin-left: 0.13em;
 }
 html.e #treeul {
  border: 0 !important;
  position: static;
  margin: 0 !important;
  min-height: 100%;
  height: max-content;
 }
 html.e .ntree a:last-of-type:before {
  content: "📁";
  margin-left: 0.3em;
 }
 html.e .ntree {
  padding-left: 1em !important;
  padding-top: 0.3em !important;
  background: var(--inset-bg);
  box-shadow: var(--shadow-inset-left), var(--shadow-inset-bottom);
 }
 html.e #tree li {
  margin-left: -0.5em;
  border-top: 0;
 }
 html.e .ntree a:hover {
  outline-offset: -2px;
  color: var(--fg);
  border-radius: var(--radius) !important;
 }
 html.e #treepar {
  width: calc(-1em + var(--nav-sz) - var(--sbw));
  overflow: hidden;
  left: -0.7em;
  box-shadow: var(--shadow-inset-left), var(--shadow-inset-top);
  border-left: 0 !important;
  border-bottom: var(--border-dashed-black);
  margin-left: calc(2.1em - (1em - var(--negative-space))) !important;
 }
 html.e #path,
 html.e #widgeti,
 html.e #wtoggle,
 html.e #wtoggle a,
 html.e #files,
 html.e #files thead th,
 html.e #ghead a,
 html.e #tree {
  box-shadow: var(--shadow-outset);
 }
 html.e.noscroll #treepar {
  width: calc(var(--nav-sz) - 1em);
 }
 html.e #docul {
  border-left: 0 !important;
  margin-left: 0 !important;
 }
 html.e #wrap {
  transform: translateX(calc((var(--negative-space) * 2) - 1.2em));
  padding-right: var(--negative-space);
  position: relative;
  margin-right: calc((var(--negative-space) * 2) - 1.2em);
  margin-top: var(--negative-space);
  margin-left: 1.2em;
  /*overflow-x: auto; fix for OOB table when screen space is limited (mobile), but removes sticky header*/
 }
 html.e input[type="radio"] {
  accent-color: #232323;
 }
 html.e #path {
  width: calc(100% - 0.4em);
  display: flex;
  align-items: center;
  margin: 0;
  padding: 0.2em;
  overflow-x: auto;
 }
 html.e #path i {
  border: 1px solid var(--w);
  border-color: var(--w);
  margin: 0;
  border-width: 0.1em 0.1em 0 0;
  height: 0.5em;
  width: 0.5em;
 }/*
 html.e #hovertree:after {
  color: red;
  content: "BUGGY";
 html.ez #hovertree:after {
  color: rgb(255 98 98);
  content: "BUGGY";
 }
 }*/
 html.e #widget {
  box-shadow: 0 0;
  border: 0 !important;
 }
 html.e #wtico,
 html.e #zip1 {
  box-shadow: 0 0 !important;
 }
 html.e #wtgrid {
  top: -0.09em;
 }
 html.e #wfs,
 html.e #wm3u,
 html.e #wnp,
 html.e #wzip {
  border-width: 0 1px 0 0;
 }
 html.e #wfm.act + #wzip1 + #wzip,
 html.e #wfm.act + #wzip1 + #wzip + #wnp {
  border-left-width: 1px;
 }
 html.e #barpos {
  /* border-radius: var(--radius); */
  box-shadow: var(--shadow-inset);
 }
 html.e #goh + span {
  border-left: 0.1em solid var(--bg-u5);
 }
 html.e #wfp {
  margin: var(--negative-space);
  font-size: 0;
  display: inline-block;
 }
 html.e #wfp a {
  font-size: large;
  display: inline-block;
 }
 html.e #repl {
  font-size: large;
  padding: 0.33em;
  right: calc(var(--negative-space) * 0.89);
  position: absolute;
 }
 html.e #epi {
  text-align: center;
  text-wrap-mode: nowrap;
  margin: 0px;
 }
 html.e #epi.logue:not(.mdo) {
  padding: 0.8em;
  box-shadow: var(--shadow-outset);
 }
 html.e #epi.logue.mdo {
  padding-left: 3px;
 }
 html.e #doc {
  box-shadow: var(--shadow-inset);
  background: var(--inset-bg);
  margin: 0.2em;
  border-radius: var(--radius);
 }
 html.e #detree {
  padding: 0px;
 }
--- a/copyparty/web/browser.html
+++ b/copyparty/web/browser.html
@ -110,7 +110,7 @@
 <tr><td>{{ f.lead }}</td><td><a href="{{ f.href }}">{{ f.name|e }}</a></td><td>{{ f.sz }}</td>
 {%- if f.tags is defined %}
 	{%- for k in taglist %}<td>{{ f.tags[k]|e }}</td>{%- endfor %}
-{%- endif %}<td>{{ f.ext|e }}</td><td>{{ f.dt }}</td></tr>
+{%- endif %}<td>{{ f.ext }}</td><td>{{ f.dt }}</td></tr>
 {%- endfor %}
 		</tbody>
--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
--- a/copyparty/web/dd/2.png
+++ b/copyparty/web/dd/2.png
--- a/copyparty/web/dd/3.png
+++ b/copyparty/web/dd/3.png
--- a/copyparty/web/dd/4.png
+++ b/copyparty/web/dd/4.png
--- a/copyparty/web/dd/5.png
+++ b/copyparty/web/dd/5.png
--- a/copyparty/web/dd/init.py
+++ b/copyparty/web/dd/init.py
--- a/copyparty/web/md2.js
+++ b/copyparty/web/md2.js
@ -255,7 +255,7 @@ function Modpoll() {
        }
        console.log('modpoll...');
-        var url = (document.location + '').split('?')[0] + '?_=' + Date.now();
+        var url = (location + '').split('?')[0] + '?_=' + Date.now();
        var xhr = new XHR();
        xhr.open('GET', url, true);
        xhr.responseType = 'text';
@ -346,7 +346,7 @@ function save(e) {
        fd.append("lastmod", (force ? -1 : last_modified));
        fd.append("body", txt);
-        var url = (document.location + '').split('?')[0];
+        var url = (location + '').split('?')[0];
        var xhr = new XHR();
        xhr.open('POST', url, true);
        xhr.responseType = 'text';
@ -404,7 +404,7 @@ function save_cb() {
 function run_savechk(lastmod, txt, btn, ntry) {
    // download the saved doc from the server and compare
-    var url = (document.location + '').split('?')[0] + '?_=' + Date.now();
+    var url = (location + '').split('?')[0] + '?_=' + Date.now();
    var xhr = new XHR();
    xhr.open('GET', url, true);
    xhr.responseType = 'text';
--- a/copyparty/web/mde.js
+++ b/copyparty/web/mde.js
@ -6,7 +6,7 @@ var dom_doc = ebi('m');
 var dom_md = ebi('mt');
 (function () {
-    var n = document.location + '';
+    var n = location + '';
    n = (n.slice(n.indexOf('//') + 2).split('?')[0] + '?v').split('/');
    n[0] = 'top';
    var loc = [];
@ -113,7 +113,7 @@ function save(mde) {
        fd.append("lastmod", (force ? -1 : last_modified));
        fd.append("body", txt);
-        var url = (document.location + '').split('?')[0];
+        var url = (location + '').split('?')[0];
        var xhr = new XHR();
        xhr.open('POST', url, true);
        xhr.responseType = 'text';
@ -166,7 +166,7 @@ function save_cb() {
    //alert('save OK -- wrote ' + r.size + ' bytes.\n\nsha512: ' + r.sha512);
    // download the saved doc from the server and compare
-    var url = (document.location + '').split('?')[0] + '?_=' + Date.now();
+    var url = (location + '').split('?')[0] + '?_=' + Date.now();
    var xhr = new XHR();
    xhr.open('GET', url, true);
    xhr.responseType = 'text';
--- a/copyparty/web/rups.html
+++ b/copyparty/web/rups.html
@ -19,20 +19,14 @@
        <a href="{{ r }}/?h">control-panel</a>
        &nbsp; Filter: <input type="text" id="filter" size="20" placeholder="documents/passwords" />
        &nbsp; <span id="hits"></span>
-        <table id="tab"><thead><tr>
+        <div id="tw"></div>
            <th>size</th>
            <th>who</th>
            <th>when</th>
            <th>age</th>
            <th>dir</th>
            <th>file</th>
        </tr></thead><tbody id="tb"></tbody></table>
    </div>
 	<a href="#" id="repl">π</a>
 	<script>
 var SR="{{ r }}",
 	lang="{{ lang }}",
    dutc={{ this.args.js_utc }},
 	dfavico="{{ favico }}";
 var STG = window.localStorage;
--- a/copyparty/web/rups.js
+++ b/copyparty/web/rups.js
@ -1,5 +1,6 @@
 function render() {
-    var ups = V.ups, now = V.now, html = [];
+    var html = ['<table id="tab"><thead><tr><th>size</th><th>who</th><th>ip</th><th>when</th><th>age</th><th>dir</th><th>file</th></tr></thead><tbody>'];
    var ups = V.ups, now = V.now;
    ebi('filter').value = V.filter;
    ebi('hits').innerHTML = 'showing ' + ups.length + ' files';
@ -10,11 +11,12 @@ function render() {
            fn = esc(uricom_dec(vsp[1])),
            at = f.at,
            td = now - f.at,
-            ts = !at ? '(?)' : unix2iso(at),
+            ts = !at ? '(?)' : unix2ui(at),
            sa = !at ? '(?)' : td > 60 ? shumantime(td) : (td + 's'),
            sz = ('' + f.sz).replace(/\B(?=(\d{3})+(?!\d))/g, " ");
        html.push('<tr><td>' + sz +
            '</td><td>' + (f.un || '') +
            '</td><td>' + f.ip +
            '</td><td>' + ts +
            '</td><td>' + sa +
@ -26,7 +28,8 @@ function render() {
        var t = V.filter ? ' matching the filter' : '';
        html = ['<tr><td colspan="6">there are no uploads' + t + '</td></tr>'];
    }
-    ebi('tb').innerHTML = html.join('');
+    html.push('</tbody></table>');
    ebi('tw').innerHTML = html.join('\n');
 }
 render();
@ -46,7 +49,7 @@ function ask(e) {
            V = JSON.parse(this.responseText)
        }
        catch (ex) {
-            ebi('tb').innerHTML = '<tr><td colspan="6">failed to decode server response as json: <pre>' + esc(this.responseText) + '</pre></td></tr>';
+            ebi('tw').innerHTML = 'failed to decode server response as json: <pre>' + esc(this.responseText) + '</pre>';
            return;
        }
        render();
--- a/copyparty/web/shares.html
+++ b/copyparty/web/shares.html
@ -66,6 +66,7 @@
 var SR="{{ r }}",
    shr="{{ shr }}",
 	lang="{{ lang }}",
    dutc={{ this.args.js_utc }},
 	dfavico="{{ favico }}";
 var STG = window.localStorage;
--- a/copyparty/web/shares.js
+++ b/copyparty/web/shares.js
@ -1,11 +1,9 @@
 var SRS = SR.trimEnd('/') + '/';
 var t = QSA('a[k]');
 for (var a = 0; a < t.length; a++)
    t[a].onclick = rm;
 function rm() {
-    var u = SRS + '?eshare=rm&skey=' + uricom_enc(this.getAttribute('k')),
+    var u = SR + '/?eshare=rm&skey=' + uricom_enc(this.getAttribute('k')),
        xhr = new XHR();
    xhr.open('POST', u, true);
@ -15,7 +13,7 @@ function rm() {
 function bump() {
    var k = this.closest('tr').getElementsByTagName('a')[2].getAttribute('k'),
-        u = SRS + '?skey=' + uricom_enc(k) + '&eshare=' + this.value,
+        u = SR + '/?skey=' + uricom_enc(k) + '&eshare=' + this.value,
        xhr = new XHR();
    xhr.open('POST', u, true);
@ -27,7 +25,7 @@ function cb() {
    if (this.status !== 200)
        return modal.alert('<h6>server error</h6>' + esc(unpre(this.responseText)));
-    document.location = '?shares';
+    location = '?shares';
 }
 function qr(e) {
@ -66,7 +64,7 @@ function showqr(href) {
        for (var b = 7; b < 9; b++) {
            var v = buf[ibuf++];
            tr[a].cells[b].innerHTML =
-                v ? unix2iso(v).replace(' ', ',&nbsp;') : 'never';
+                v ? unix2ui(v).replace(' ', ',&nbsp;') : 'never';
        }
    for (var a = 0; a < tr.length; a++)
--- a/copyparty/web/splash.css
+++ b/copyparty/web/splash.css
@ -24,6 +24,7 @@ h1 {
 li {
 	margin: 1em 0;
 }
 #lo,
 a {
 	color: #047;
 	background: #fff;
@ -47,6 +48,7 @@ td a {
 	float: right;
 	margin: -.2em 0 0 .8em;
 }
 #lo,
 .logout,
 a.r {
 	color: #c04;
@ -176,12 +178,14 @@ html.z {
 html.z h1 {
 	border-color: #777;
 }
 html.z #lo,
 html.z a {
 	color: #fff;
 	background: #057;
 	border-color: #37a;
 }
 html.z .logout,
 html.z #lo,
 html.z a.r {
 	background: #804;
 	border-color: #c28;
--- a/copyparty/web/splash.html
+++ b/copyparty/web/splash.html
@ -15,14 +15,14 @@
 <body>
 	<div id="wrap">
 		{%- if not in_shr %}
-		<a id="a" href="{{ r }}/?h" class="af">refresh</a>
+		<a id="a" href="{{ r }}/?h{{ re }}" class="af">refresh</a>
 		<a id="v" href="{{ r }}/?hc" class="af">connect</a>
 		{%- if this.uname == '*' %}
 			<p id="b">howdy stranger &nbsp; <small>(you're not logged in)</small></p>
 		{%- else %}
 			<a id="c" href="{{ r }}/?pw=x" class="logout">logout</a>
-			<p><span id="m">welcome back,</span> <strong>{{ this.uname|e }}</strong></p>
+			<p><span id="m">welcome back,</span> <strong id="un">{{ this.uname|e }}</strong></p>
 		{%- endif %}
 		{%- endif %}
@ -120,7 +120,12 @@
 		<div>
 			<form id="lf" method="post" enctype="multipart/form-data" action="{{ r }}/{{ qvpath }}">
 				<input type="hidden" id="la" name="act" value="login" />
 				{% if this.args.usernames %}
 				<input type="text" id="lu" name="uname" placeholder=" username" size="12" />
 				<input type="password" id="lp" name="cppwd" placeholder=" password" size="12" />
 				{% else %}
 				<input type="password" id="lp" name="cppwd" placeholder=" password" />
 				{% endif %}
 				<input type="hidden" name="uhash" id="uhash" value="x" />
 				<input type="submit" id="ls" value="login" />
 				{% if chpw %}
@ -163,6 +168,13 @@
 			<li><a id="af" href="{{ r }}/?ru">show recent uploads</a></li>
 			<li><a id="k" href="{{ r }}/?reset" class="r" onclick="localStorage.clear();return true">reset client settings</a></li>
 			{%- if this.uname != '*' %}
 			<li><form method="post" enctype="multipart/form-data">
 				<input type="hidden" name="act" value="logout" />
 				<input type="submit" id="lo" value="logout “{{ this.uname|e }}” everywhere" />
 			</form></li>
 			{% endif %}
 		</ul>
 	</div>
--- a/copyparty/web/splash.js
+++ b/copyparty/web/splash.js
@ -1,3 +1,5 @@
 // please add translations in alphabetic order, but keep "nor" and "eng" first
 // (lines ending with //m are machine translations)
 var Ls = {
 	"nor": {
 		"a1": "oppdater",
@ -15,6 +17,11 @@ var Ls = {
 		"j1": "k304 bryter tilkoplingen for hver HTTP 304. Dette hjelper mot visse mellomtjenere som kan sette seg fast / plutselig slutter å laste sider, men det reduserer også ytelsen betydelig",
 		"k1": "nullstill innstillinger",
 		"l1": "logg inn:",
 		"ls3": "logg inn",
 		"lu4": "brukernavn",
 		"lp4": "passord",
 		"lo3": "logg ut “{0}” overalt",
 		"lo2": "avslutter økten på alle nettlesere",
 		"m1": "velkommen tilbake,",
 		"n1": "404: filen finnes ikke &nbsp;┐( ´ -`)┌",
 		"o1": 'eller kanskje du ikke har tilgang? prøv et passord eller <a href="' + SR + '/?h">gå hjem</a>',
@ -44,13 +51,13 @@ var Ls = {
 	"eng": {
 		"d2": "shows the state of all active threads",
 		"e2": "reload config files (accounts/volumes/volflags),$Nand rescan all e2ds volumes$N$Nnote: any changes to global settings$Nrequire a full restart to take effect",
 		"lo2": "ends the session on all browsers",
 		"u2": "time since the last server write$N( upload / rename / ... )$N$N17d = 17 days$N1h23 = 1 hour 23 minutes$N4m56 = 4 minutes 56 seconds",
 		"v2": "use this server as a local HDD",
 		"ta1": "fill in your new password first",
 		"ta2": "repeat to confirm new password:",
 		"ta3": "found a typo; please try again",
 	},
 	"chi": {
 		"a1": "更新",
 		"b1": "你好 &nbsp; <small>(你尚未登录)</small>",
@ -67,6 +74,11 @@ var Ls = {
 		"j1": "k304 会在每个 HTTP 304 时断开连接。这有助于避免某些代理服务器卡住或突然停止加载页面，但也会显著降低性能。",
 		"k1": "重置设置",
 		"l1": "登录：",
        "ls3": "登录", //m
        "lu4": "用户名", //m
        "lp4": "密码", //m
 		"lo3": "在所有地方注销 {0}", //m
 		"lo2": "这将结束在所有浏览器中的会话", //m
 		"m1": "欢迎回来，",
 		"n1": "404: 文件不存在 &nbsp;┐( ´ -`)┌",
 		"o1": '或者你可能没有权限？尝试输入密码或 <a href="' + SR + '/?h">回家</a>',
@ -93,38 +105,88 @@ var Ls = {
 		"af1": "显示最近上传的文件", //m
 		"ag1": "查看已知 IdP 用户", //m
 	},
-
+	"cze": {
 		"a1": "obnovit",
 		"b1": "ahoj cizinče &nbsp; <small>(nejsi přihlášen)</small>",
 		"c1": "odhlásit se",
 		"d1": "vypsat zásobníku",
 		"d2": "zobrazit stav všech aktivních vláken",
 		"e1": "znovu načíst konfiguraci",
 		"e2": "znovu načíst konfigurační soubory (accounts/volumes/volflags),$Na prohledat všechny e2ds úložiště$N$Npoznámka: všechny změny globálních nastavení$Nvyžadují úplné restartování, aby se projevily",
 		"f1": "můžeš procházet:",
 		"g1": "můžeš nahrávat do:",
 		"cc1": "další věci:",
 		"h1": "zakázat k304",
 		"i1": "povolit k304",
 		"j1": "povolení k304 odpojí vašeho klienta při každém HTTP 304, což může zabránit některým chybovým proxy serverům, aby se zasekly (náhle nenačítaly stránky), <em>ale</em> také to obecně zpomalí věci",
 		"k1": "resetovat nastavení klienta",
 		"l1": "přihlaste se pro více:",
        "ls3": "přihlásit se", //m
        "lu4": "uživatelské jméno", //m
        "lp4": "heslo", //m
 		"lo3": "odhlásit “{0}” všude", //m
 		"lo2": "tímto ukončíte relaci ve všech prohlížečích", //m
 		"m1": "vítej zpět,",
 		"n1": "404 nenalezeno &nbsp;┐( ´ -`)┌",
 		"o1": 'nebo možná nemáš přístup -- zkus heslo nebo <a href="' + SR + '/?h">jdi domů</a>',
 		"p1": "403 zakázáno &nbsp;~┻━┻",
 		"q1": 'použij heslo nebo <a href="' + SR + '/?h">jdi domů</a>',
 		"r1": "jdi domů",
 		".s1": "znovu prohledat",
 		"t1": "akce",
 		"u2": "čas od posledního zápisu na server$N( upload / rename / ... )$N$N17d = 17 dní$N1h23 = 1 hodina 23 minut$N4m56 = 4 minuty 56 sekund",
 		"v1": "připojit",
 		"v2": "použít tento server jako místní HDD",
 		"w1": "přepnout na https",
 		"x1": "změnit heslo",
 		"y1": "upravit sdílení",
 		"z1": "odblokovat toto sdílení:",
 		"ta1": "nejprve vyplňte své nové heslo",
 		"ta2": "zopakujte pro potvrzení nového hesla:",
 		"ta3": "nalezen překlep; zkuste to prosím znovu",
 		"aa1": "příchozí soubory:",
 		"ab1": "deaktivovat no304",
 		"ac1": "povolit no304",
 		"ad1": "povolení no304 deaktivuje veškeré mezipaměti; zkuste to, pokud k304 nestačilo. To ovšem zapříčíní obrovské množství síťového provozu!",
 		"ae1": "aktivní stahování:",
 		"af1": "zobrazit nedávné nahrávání",
 	},
 	"deu": {
 		"a1": "Neu laden",
 		"b1": "Tach, wie geht's? &nbsp; <small>(Du bist nicht angemeldet)</small>",
 		"c1": "Abmelden",
-		"d1": "Zustand",  // TLNote: "d2" is the tooltip for this button
+		"d1": "Zustand",
 		"d2": "Zeigt den Zustand aller aktiven Threads",
 		"e1": "Config neu laden",
 		"e2": "Konfigurationsdatei neu laden (Accounts/Volumes/VolFlags)$Nund scannt alle e2ds-Volumes$N$NBeachte: Jegliche Änderung an globalen Einstellungen$Nbenötigt einen Neustart zum Anwenden",
 		"f1": "Du kannst lesen:",
 		"g1": "Du kannst hochladen nach:",
 		"cc1": "Andere Dinge:",
-		"h1": "k304 deaktivieren",  // TLNote: "j1" explains what k304 is
+		"h1": "k304 deaktivieren",
 		"i1": "k304 aktivieren",
 		"j1": "k304 trennt die Clientverbindung bei jedem HTTP 304, was Bugs mit problematischen Proxies vorbeugen kann (z.B. nicht ladenden Seiten), macht Dinge aber generell langsamer",
 		"k1": "Client-Einstellungen zurücksetzen",
 		"l1": "Melde dich an für mehr:",
-		"m1": "Willkommen zurück,",  // TLNote: "welcome back, USERNAME"
+        "ls3": "Anmelden", //m
        "lu4": "Benutzername", //m
        "lp4": "Passwort", //m
 		"lo3": "“{0}” überall abmelden", //m
 		"lo2": "Dies beendet die Sitzung in allen Browsern", //m
 		"m1": "Willkommen zurück,",
 		"n1": "404 Nicht gefunden &nbsp;┐( ´ -`)┌",
 		"o1": 'or maybe you don\'t have access -- try a password or <a href="' + SR + '/?h">go home</a>',
 		"p1": "403 Verboten &nbsp;~┻━┻",
 		"q1": 'Benutze ein Passwort oder <a href="' + SR + '/?h">gehe zur Homepage</a>',
 		"r1": "Gehe zur Homepage",
 		".s1": "Neu scannen",
-		"t1": "Aktion",  // TLNote: this is the header above the "rescan" buttons
+		"t1": "Aktion",
 		"u2": "time since the last server write$N( upload / rename / ... )$N$N17d = 17 days$N1h23 = 1 hour 23 minutes$N4m56 = 4 minutes 56 seconds",
 		"v1": "Verbinden",
 		"v2": "Benutze diesen Server als lokale Festplatte",
 		"w1": "Zu HTTPS wechseln",
 		"x1": "Passwort ändern",
-		"y1": "Shares bearbeiten",  // TLNote: shows the list of folders that the user has decided to share
+		"y1": "Shares bearbeiten",
-		"z1": "Share entsperren:",  // TLNote: the password prompt to see a hidden share
+		"z1": "Share entsperren:",
 		"ta1": "Trage zuerst dein Passwort ein",
 		"ta2": "Wiederhole dein Passwort zur Bestätigung:",
 		"ta3": "Da stimmt etwas nicht; probier's nochmal",
@ -133,7 +195,569 @@ var Ls = {
 		"ac1": "no304 aktivieren",
 		"ad1": "Das Aktivieren von no304 deaktiviert jegliche Form von Caching; probier dies, wenn k304 nicht genug war. Dies verschwendet eine grosse Menge Netzwerk-Traffic!",
 		"ae1": "Aktive Downloads:",
-        "af1": "Zeige neue Uploads",
+		"af1": "Zeige neue Uploads",
 	},
 	"fin": {
 		"a1": "päivitä",
 		"b1": "hei sie muukalainen &nbsp; <small>(et ole kirjautunut sisään)</small>",
 		"c1": "kirjaudu ulos",
 		"d1": "tulosta pinojälki",
 		"d2": "näytä kaikkien aktiivisten säikeiden tila",
 		"e1": "päivitä konffit",
 		"e2": "lataa konfiguraatiotiedostot uudelleen (käyttäjätilit/asemat/asemaflagit),$Nja skannaa kaikki e2ds asemat uudelleen$N$Nhuom: kaikki global-asetuksiin$Ntehdyt muutokset vaativat täyden$Nuudelleenkäynnistyksen",
 		"f1": "voit selata näitä:",
 		"g1": "voit ladata näihin:",
 		"cc1": "muuta:",
 		"h1": "poista k304 käytöstä",
 		"i1": "ota k304 käyttöön",
 		"j1": "k304 katkaisee yhteytesi jokaisella HTTP 304:llä, mikä voi estää joitain bugisia välityspalvelimia jumittumasta/lopettamasta sivujen lataamista, <em>mutta</em> se myös vähentää suorituskykyä",
 		"k1": "nollaa asetukset",
 		"l1": "kirjaudu sisään:",
        "ls3": "kirjaudu sisään", //m
        "lu4": "käyttäjätunnus", //m
        "lp4": "salasana", //m
 		"lo3": "kirjaa “{0}” ulos kaikkialta", //m
 		"lo2": "tämä lopettaa istunnon kaikissa selaimissa", //m
 		"m1": "tervetuloa takaisin,",
 		"n1": "404: ei löytynyt mitään &nbsp;┐( ´ -`)┌",
 		"o1": 'tai ehkä sinulla ei vain ole käyttöoikeuksia? kokeile salasanaa tai <a href="' + SR + '/?h">mene kotiin</a>',
 		"p1": "403: pääsy kielletty &nbsp;~┻━┻",
 		"q1": 'kokeile salasanaa tai <a href="' + SR + '/?h">mene kotiin</a>',
 		"r1": "mene kotiin",
 		".s1": "uudelleenkartoita",
 		"t1": "toiminto",
 		"u2": "aika viimeisestä palvelimen kirjoituksesta$N( lataus / uudelleennimeäminen / tms. )$N$N17d = 17 päivää$N1h23 = 1 tunti 23 minuuttia$N4m56 = 4 minuuttia 56 sekuntia",
 		"v1": "yhdistä",
 		"v2": "käytä tätä palvelinta paikallisena kiintolevynä",
 		"w1": "vaihda https:ään",
 		"x1": "vaihda salasana",
 		"y1": "muokkaa jakoja",
 		"z1": "avaa tämä jako:",
 		"ta1": "täytä ensin uusi salasana",
 		"ta2": "toista vahvistaaksesi uuden salasanan:",
 		"ta3": "löytyi kirjoitusvirhe; yritä uudelleen",
 		"aa1": "saapuvat:",
 		"ab1": "poista no304 käytöstä",
 		"ac1": "ota no304 käyttöön",
 		"ad1": "no304:n lopettaa välimuistin käytön kokonaan; kokeile tätä jos k304 ei riittänyt. Tuhlaa valtavan määrän verkkoliikennettä!",
 		"ae1": "lähtevät:",
 		"af1": "näytä viimeaikaiset lataukset",
 		"ag1": "näytä tunnetut IdP-käyttäjät",
 	},
 	"fra": {
 		"a1": "rafraîchir",
 		"b1": "salut étranger &nbsp; <small>(vous n'êtes pas connecté.)</small>",
 		"c1": "déconnexion",
 		"d1": "vidange de la pile",
 		"d2": "affiche l'état de tous les threads actifs",
 		"e1": "recharger la configuration",
 		"e2": "recharger le fichier de configuration (comptes/volumes/indicateurs de volume),$Net rescanner tous les volumes e2ds$N$Nnote : n'importe quel changement aux paramètres globaux$Nnécessite un redémarrage complet pour prendre effet",
 		"f1": "vous pouvez naviguer :",
 		"g1": "vous pouvez télécharger sur :",
 		"cc1": "autres choses :",
 		"h1": "désactiver k304",
 		"i1": "activer k304",
 		"j1": "activer k304 va déconnecter votre client sur chaque HTTP 304, ce qui peut éviter à certains proxies défectueux de rester bloqués (les pages ne se chargent soudainement plus), <em>mais</em> cela ralentira également les choses en général",
 		"k1": "réinitialiser les paramètres du client",
 		"l1": "connectez-vous pour en savoir plus :",
        "ls3": "se connecter", //m
        "lu4": "nom d'utilisateur", //m
        "lp4": "mot de passe", //m
 		"lo3": "déconnecter “{0}” partout", //m
 		"lo2": "cela mettra fin à la session sur tous les navigateurs", //m
 		"m1": "heureux de vous revoir,",
 		"n1": "404 introuvable &nbsp;┐( ´ -`)┌",
 		"o1": 'ou peut-être que vous n\'y avez pas accès -- essayer un mot de passe ou <a href="' + SR + '/?h">aller à la page d\'accueil</a>',
 		"p1": "403 interdit &nbsp;~┻━┻",
 		"q1": 'utiliser un mot de passe ou <a href="' + SR + '/?h">aller à la page d\'accueil</a>',
 		"r1": "aller à la page d\'accueil",
 		".s1": "rescanner",
 		"t1": "action",
 		"u2": "temps écoulé depuis la dernière écriture sur le serveur$N(téléchargement/renommage/...)$N$N17j = 17 jours$N1h23 = 1 heure 23 minutes$N4m56 = 4 minutes 56 secondes",
 		"v1": "connecter",
 		"v2": "utilisez ce serveur en tant que disque dur local",
 		"w1": "passer à https",
 		"x1": "changer mot de passe",
 		"y1": "modifier les partages",
 		"z1": "déverrouiller ce partage :",
 		"ta1": "entrez d'abord votre nouveau mot de passe",
 		"ta2": "répétez pour confirmer le nouveau mot de passe :",
 		"ta3": "une faute de frappe a été détectée ; veuillez réessayer.",
 		"aa1": "fichiers entrants :",
 		"ab1": "désactiver no304",
 		"ac1": "activer no304",
 		"ad1": "l'activation de no304 désactivera toute mise en cache ; essayez ceci si k304 n'était pas suffisant. Cela va générer un trafic réseau considérable !",
 		"ae1": "téléchargements actifs :",
        "af1": "afficher les derniers téléchargements",
 	},
 	"grc": {
 		"a1": "ανανέωση",
 		"b1": "γεια σου ξένε! &nbsp; <small>(δεν είσαι συνδεδεμένος)</small>",
 		"c1": "αποσύνδεση",
 		"d1": "λίστα διεργασιών",
 		"d2": "εμφανίζει την κατάσταση όλων των ενεργών διεργασιών",
 		"e1": "επαναφόρτωση του cfg",
 		"e2": "φορτώνει ξανά τα αρχεία ρυθμίσεων (λογαριασμοί/τόμοι/volflags),$Nκαι κάνει επανεξέταση όλων των τόμων e2ds$N$Nσημείωση: οποιαδήποτε αλλαγή στις καθολικές ρυθμίσεις$Nαπαιτεί πλήρη επανεκκίνηση για να εφαρμοστεί",
 		"f1": "μπορείς να περιηγηθείς:",
 		"g1": "μπορείς να εκτελέσεις μεταφόρτωση σε:",
 		"cc1": "άλλα πράγματα:",
 		"h1": "απενεργοποίση k304",
 		"i1": "ενεργοποίηση k304",
 		"j1": "η ενεργοποίηση του k304 θα αποσυνδέσει το πρόγραμμα πελάτη σου σε κάθε HTTP 304, κάτι που μπορεί να αποτρέψει κάποια προβληματικά proxies από το να κολλάνε (να μην φορτώνουν ξαφνικά σελίδες), <em>αλλά</em> θα κάνει τα πράγματα, γενικά πιο αργά",
 		"k1": "επαναφορά ρυθμίσεων στο πρόγραμμα πελάτη",
 		"l1": "συνδέσου για περισσότερα:",
        "ls3": "σύνδεση", //m
        "lu4": "όνομα χρήστη", //m
        "lp4": "κωδικός πρόσβασης", //m
 		"lo3": "αποσύνδεση του “{0}” από παντού", //m
 		"lo2": "αυτό θα τερματίσει τη συνεδρία σε όλους τους περιηγητές", //m
 		"m1": "καλώς ήρθες,",
 		"n1": "404 δεν βρέθηκε &nbsp;┐( ´ -`)┌",
 		"o1": '´η μήπως δεν έχεις πρόσβαση -- δοκίμασε έναν κωδικό <a href="' + SR + '/?h">πήγαινε στην αρχική</a>',
 		"p1": "403 απαγορευμένο &nbsp;~┻━┻",
 		"q1": 'δοκίμασε έναν κωδικό <a href="' + SR + '/?h">πήγαινε στην αρχική</a>',
 		"r1": "πίσω στην αρχική",
 		".s1": "επανάληψη σάρωσης",
 		"t1": "ενέργεια",
 		"u2": "χρόνος από την τελευταία εγγραφή του διακομιστή$N( μεταφόρτωση / μετονομασία / ... )$N$N17d = 17 days$N1ω23 = 1 ώρα 23 λεπτά$N4λ56 = 4 λεπτά 56 δευτερόλεπτα",
 		"v1": "σύνδεση",
 		"v2": "χρησιμοποίησε αυτόν το διακομιστή σαν τοπικό δίσκο",
 		"w1": "εναλλαγή σε https",
 		"x1": "αλλαγή κωδικού",
 		"y1": "επεξεργασία κοινόχρηστων φακέλων",
 		"z1": "ξεκλείδωμα αυτού του κοινόχρηστου φακέλου:",
 		"ta1": "συμπλήρωσε πρώτα το νέο σου κωδικό",
 		"ta2": "επανέλαβε για να επιβεβαιώσεις το νέο κωδικό:",
 		"ta3": "βρέθηκε τυπογραφικό λάθος· δοκίμασε ξανά",
 		"aa1": "εισερχόμενα αρχεία:",
 		"ab1": "απενεργοποίηση no304",
 		"ac1": "ενεργοποίηση no304",
 		"ad1": "η ενεργοποίηση του no304 θα απενεργοποιήσει όλη την προσωρινή αποθήκευση· δοκίμασέ το αν το k304 δεν ήταν αρκετό. Προσοχή, θα σπαταλήσει τεράστιο όγκο δικτυακής κίνησης!",
 		"ae1": "ενεργές μεταφορτώσεις:",
 		"af1": "προβολή πρόσφατων μεταφορτώσεων",
 	},
 	"ita": {
 		"a1": "aggiorna",
 		"b1": "ciao &nbsp; <small>(non sei connesso)</small>",
 		"c1": "disconnetti",
 		"d1": "stato",
 		"d2": "mostra lo stato di tutti i thread attivi",
 		"e1": "ricarica configurazione",
 		"e2": "ricarica i file di configurazione (account/volumi/flag dei volumi),\n e riesegue la scansione di tutti i volumi e2ds.\n\nNota: qualsiasi modifica alle impostazioni globali richiede un riavvio completo per avere effetto",
 		"f1": "puoi visualizzare:",
 		"g1": "puoi caricare su:",
 		"cc1": "altro:",
 		"h1": "disattiva k304",
 		"i1": "attiva k304",
 		"j1": "k304 interrompe la connessione per ogni HTTP 304. Questo aiuta contro alcuni proxy difettosi che possono bloccarsi o smettere improvvisamente di caricare pagine, ma riduce notevolmente le prestazioni",
 		"k1": "resetta impostazioni",
 		"l1": "accedi:",
        "ls3": "accedi", //m
        "lu4": "nome utente", //m
        "lp4": "password", //m
 		"lo3": "disconnetti “{0}” ovunque", //m
 		"lo2": "questo terminerà la sessione su tutti i browser", //m
 		"m1": "bentornato,",
 		"n1": "404: file non trovato &nbsp;┐( ´ -`)┌",
 		"o1": "oppure forse non hai accesso? prova una password o <a href=\"SR/?h\">torna alla home</a>",
 		"p1": "403: accesso negato &nbsp;~┻━┻",
 		"q1": "prova una password o <a href=\"SR/?h\">torna alla home</a>",
 		"r1": "torna alla home",
 		".s1": "mappa",
 		"t1": "azione",
 		"u2": "tempo dall'ultima scrittura sul server\n (caricamento / rinomina / ...)\n\n17d = 17 giorni\n1h23 = 1 ora 23 minuti\n4m56 = 4 minuti 56 secondi",
 		"v1": "connetti",
 		"v2": "usa questo server come un disco locale",
 		"w1": "passa a https",
 		"x1": "cambia password",
 		"y1": "le tue condivisioni",
 		"z1": "sblocca area:",
 		"ta1": "devi prima inserire una nuova password",
 		"ta2": "ripeti per confermare la nuova password:",
 		"ta3": "errore di digitazione; riprova",
 		"aa1": "in arrivo:",
 		"ab1": "disattiva no304",
 		"ac1": "attiva no304",
 		"ad1": "no304 disabilita completamente la cache. Se k304 non è sufficiente, prova questa opzione. Aumenterà notevolmente il consumo di dati!",
 		"ae1": "in uscita:",
 		"af1": "mostra i file caricati di recente",
 		"ag1": "mostra utenti IdP conosciuti"
 	},
 	"kor": {
 		"a1": "새로고침",
 		"b1": "어이 친구! 처음 보는 얼굴인데? &nbsp; <small>(로그인되어 있지 않습니다)</small>",
 		"c1": "로그아웃",
 		"d1": "스택 덤프하기",
 		"d2": "모든 활성 스레드의 상태를 표시합니다",
 		"e1": "설정 다시 불러오기",
 		"e2": "설정 파일(계정/볼륨/볼륨 플래그)을 다시 불러오고,$N모든 e2ds 볼륨을 다시 스캔합니다$N$N참고: 전역 설정에 대한 변경 사항은$N적용하려면 전체 재시작이 필요합니다",
 		"f1": "탐색 가능한 곳:",
 		"g1": "업로드 가능한 곳:",
 		"cc1": "기타 항목:",
 		"h1": "k304 비활성화",
 		"i1": "k304 활성화",
 		"j1": "k304를 활성화하면 모든 HTTP 304 응답 시 클라이언트 연결이 끊어집니다. 이는 일부 프록시가 멈추는 현상(갑자기 페이지가 로드되지 않음)을 방지할 수 있지만, <em>대신 전반적인 속도는 느려집니다.</em>",
 		"k1": "클라이언트 설정 초기화",
 		"l1": "로그인하기:",
        "ls3": "로그인", //m
        "lu4": "사용자 이름", //m
        "lp4": "비밀번호", //m
 		"lo3": "{0}을(를) 모든 곳에서 로그아웃", //m
 		"lo2": "이 작업은 모든 브라우저에서 세션을 종료합니다", //m
 		"m1": "또 오셨네요,",
 		"n1": "404 찾을 수 없음 &nbsp;┐( ´ -`)┌",
 		"o1": "또는 접근 권한이 없을 수 있습니다. 비밀번호를 입력하거나 <a href=\"' + SR + '/?h\">홈으로 이동</a>하세요",
 		"p1": "403 접근 금지 &nbsp;~┻━┻",
 		"q1": "비밀번호를 입력하거나 <a href=\"' + SR + '/?h\">홈으로 이동</a>하세요",
 		"r1": "홈으로 이동",
 		".s1": "다시 스캔",
 		"t1": "작업",
 		"u2": "서버에 마지막으로 쓰기 작업을 한 후 경과된 시간$N(업로드 / 이름 변경 / 등등...)$N$N17d = 17일$N1h23 = 1시간 23분$N4m56 = 4분 56초",
 		"v1": "연결",
 		"v2": "이 서버를 로컬 하드디스크처럼 사용하기",
 		"w1": "HTTPS로 전환",
 		"x1": "비밀번호 변경",
 		"y1": "공유 설정",
 		"z1": "이 공유 잠금해제:",
 		"ta1": "새 비밀번호를 먼저 입력하세요",
 		"ta2": "새 비밀번호 확인을 위해 다시 입력하세요:",
 		"ta3": "오타가 있습니다. 다시 시도해주세요",
 		"aa1": "수신 중인 파일:",
 		"ab1": "no304 비활성화",
 		"ac1": "no304 활성화",
 		"ad1": "no304를 활성화하면 모든 캐싱이 비활성화됩니다. k304로 충분하지 않은 경우 시도해보세요. 네트워크 트래픽이 대량으로 낭비됩니다!",
 		"ae1": "활성 다운로드:",
 		"af1": "최근 업로드 보기",
 		"ag1": "IdP 캐시 보기"
 	},
 	"nld": {
 		"a1": "Update",
 		"b1": "Hallo, hoe gaat het met jou? &nbsp; <small>(Je bent niet ingelogd)</small>",
 		"c1": "Uitloggen",
 		"d1": "Voorwaarde",
 		"d2": "Toont de status van alle actieve threads",
 		"e1": "Configuratie opnieuw laden.",
 		"e2": "Leest configuratiebestanden opnieuw in$N(accounts, volumes, volumeschakelaars)$Nen brengt alle e2ds-volumes in kaart$N$Nopmerking: veranderingen in globale parameters$Nvereist een volledige herstart van de server",
 		"f1": "Je kan het volgende lezen:",
 		"g1": "Je kan naar het volgende uploaden:",
 		"cc1": "Schakelaars en dergelijke:",
 		"h1": "k304 uitschakelen",
 		"i1": "k304 inschakelen",
 		"j1": "k304 verbreekt de verbinding voor elke HTTP 304. Dit helpt tegen bepaalde proxy servers die kunnen vastlopen/plotseling stoppen met het laden van pagina's, maar het vermindert ook de prestaties aanzienlijk",
 		"k1": "Instellingen resetten",
 		"l1": "Inloggen:",
        "ls3": "inloggen", //m
        "lu4": "gebruikersnaam", //m
        "lp4": "wachtwoord", //m
 		"lo3": "“{0}” overal afmelden", //m
 		"lo2": "dit zal de sessie in alle browsers beëindigen", //m
 		"m1": "Welkom terug,",
 		"n1": "404: bestand bestaat niet &nbsp;┐( ´ -`)┌",
 		"o1": 'of misschien heb je geen toegang? probeer een wachtwoord of <a href="' + SR + '/?h">ga naar startscherm</a>',
 		"p1": "403: toegang geweigerd &nbsp;~┻━┻",
 		"q1": 'Probeer een wachtwoord of <a href="' + SR + '/?h">ga naar startscherm</a>',
 		"r1": "Ga naar startscherm",
 		".s1": "Kaart",
 		"t1": "Actie",
 		"u2": "Tijd sinds iemand voor het laatst naar de server schreef$N( upload / naamswijziging / ... )$N$N17d = 17 dagen$N1h23 = 1 uur 23 minuten$N4m56 = 4 minuten 56 secondes",
 		"v1": "Verbinden",
 		"v2": "Gebruik deze server als een lokale harde schijf",
 		"w1": "Overschakelen naar https",
 		"x1": "Wachtwoord wijzigen",
 		"y1": "Jou gedeelde items",
 		"z1": "Ontgrendel gebied:",
 		"ta1": "Je moet eerst een nieuw wachtwoord invoeren",
 		"ta2": "Herhaal om nieuw wachtwoord te bevestigen:",
 		"ta3": "Typefout gevonden; probeer het opnieuw",
 		"aa1": "Inkomend:",
 		"ab1": "Schakel nr. 304 uit",
 		"ac1": "Schakel nr. 304 in",
 		"ad1": "Nr. 304 stopt al het cachegebruik. Als k304 niet voldoende was, probeer dan deze. Vermenigvuldigt het dataverbruik.!",
 		"ae1": "Uitgaand:",
 		"af1": "Recent geüploade bestanden weergeven",
 		"ag1": "Bekende IdP-gebruikers weergeven",
 	},
 	"nno": {
 		"a1": "oppdatér",
 		"b1": "heisann &nbsp; <small>(du er ikkje logga inn)</small>",
 		"c1": "logg ut",
 		"d1": "tilstand",
 		"d2": "vis tilstanden åt alle trådar",
 		"e1": "last innst.",
 		"e2": "les inn konfigurasjonsfiler på nytt$N(kontoer, volum, volumbrytarar)$Nog kartlegg alle e2ds-volum$N$Nmerk: endringer i globale parametrar$Nkrev ein full restart for å gjelde",
 		"f1": "du kan sjå på:",
 		"g1": "du kan laste opp åt:",
 		"cc1": "brytarar og slikt:",
 		"h1": "skru av k304",
 		"i1": "skru på k304",
 		"j1": "k304 bryt tilkoplinga for kvar HTTP 304. Dette hjelp mot visse mellomtjenarar som kan sette seg fast / plutselig sluttar å laste sider, men det sett óg ytinga ned betydelig",
 		"k1": "nullstill innstillinger",
 		"l1": "logg inn:",
        "ls3": "logg inn",
        "lu4": "brukarnamn",
        "lp4": "passord",
 		"lo3": "logg ut “{0}” overalt",
 		"lo2": "avslutt økta på alle nettlesarar",
 		"m1": "velkomen attende,",
 		"n1": "404: filen finnast ikkje &nbsp;┐( ´ -`)┌",
 		"o1": 'eller kanskje du ikkje har høve? prøv eit passord eller <a href="' + SR + '/?h">gå heim</a>',
 		"p1": "403: tilgang nektet &nbsp;~┻━┻",
 		"q1": 'prøv eit passord eller <a href="' + SR + '/?h">gå heim</a>',
 		"r1": "gå heim",
 		".s1": "kartlegg",
 		"t1": "handling",
 		"u2": "tid sidan nokon sist skreiv åt serveren$N( opplastning / namnendring / ... )$N$N17d = 17 dagar$N1h23 = 1 time 23 minutt$N4m56 = 4 minutt 56 sekund",
 		"v1": "kople åt",
 		"v2": "bruk denne serveren som ein lokal harddisk",
 		"w1": "bytt åt https",
 		"x1": "bytt passord",
 		"y1": "dine delinger",
 		"z1": "lås opp område:",
 		"ta1": "du må skrive eit nytt passord først",
 		"ta2": "gjenta for å stadfeste nytt passord:",
 		"ta3": "fant ein skrivefeil; vennligst prøv igjen",
 		"aa1": "innkommande:",
 		"ab1": "skru av no304",
 		"ac1": "skru på no304",
 		"ad1": "no304 stoppar all bruk av cache. Hvis ikkje k304 var nok, prøv denne. Vil mangedoble dataforbruk!",
 		"ae1": "utgående:",
 		"af1": "vis nylig opplasta filer",
 		"ag1": "vis kjente IdP-brukarar",
 	},
 	"pol": {
 		"a1": "odśwież",
 		"b1": "witaj, nieznajomy &nbsp; <small>(nie jesteś zalogowany)</small>",
 		"c1": "wyloguj się",
 		"d1": "zrzut stosu",
 		"d2": "pokazuje status wszystkich aktywnych wątków",
 		"e1": "przeładuj konfigurację",
 		"e2": "przeładuj pliki konfiguracyjne (konta/wolumeny/flagi wolumenów),$Ni przeskanuje wszystkie wolumeny e2ds$N$Nnotka: zmiany konfiguracji globalnej$Nwymagają pełnego uruchomienia ponownie serwera, aby zaczęły obowiązywać",
 		"f1": "możesz przeglądać:",
 		"g1": "możesz przesyłać do:",
 		"cc1": "inne:",
 		"h1": "wyłącz k304",
 		"i1": "włącz k304",
 		"j1": "włączenie k304 będzie odłączało klienta przy każdorazowym otrzymaniu kodu HTTP 304, co może zapobiec wieszaniu się wadliwych proxy, <em>ale</em> spowolni ogólne działanie",
 		"k1": "zresetuj ustawienia klienta",
 		"l1": "zaloguj się po więcej:",
        "ls3": "zaloguj się", //m
        "lu4": "nazwa użytkownika", //m
        "lp4": "hasło", //m
 		"lo3": "wyloguj “{0}” wszędzie", //m
 		"lo2": "spowoduje to zakończenie sesji we wszystkich przeglądarkach", //m
 		"m1": "Witaj,",
 		"n1": "404 nie znaleziono &nbsp;┐( ´ -`)┌",
 		"o1": 'lub możesz nie mieć dostępu -- spróbuj wprowadzić hasło lub <a href="' + SR + '/?h">przejdź do strony głównej</a>',
 		"p1": "403 odmowa dostępu &nbsp;~┻━┻",
 		"q1": 'użyj hasła lub <a href="' + SR + '/?h">przejdź do strony głównej</a>',
 		"r1": "idź do strony głównej",
 		".s1": "przeskanuj ponownie",
 		"t1": "akcje",
 		"u2": "czas od ostatniej interakcji z serwerem$N( przesyłania / zmiany nazwy / ... )$N$N17d = 17 dni$N1h23 = 1 godzina 23 minuty$N4m56 = 4 minuty 56 sekund",
 		"v1": "połącz",
 		"v2": "używaj tego serwera jako dysku lokalnego",
 		"w1": "przejdź na HTTPS",
 		"x1": "zmień hasło",
 		"y1": "edytuj udostępnione",
 		"z1": "odblokuj udostępnienie:",
 		"ta1": "najpierw wprowadź nowe hasło",
 		"ta2": "powtórz hasło dla potwierdzenia:",
 		"ta3": "znaleziono literówkę, spróbuj ponownie",
 		"aa1": "pliki przychodzące:",
 		"ab1": "wyłącz no304",
 		"ac1": "włącz no304",
 		"ad1": "włączenie no304 wyłączy przechowywanie jakiejkolwiek pamięci podręcznej. Zmarnuje to olbrzymią ilość ruchu sieciowego!",
 		"ae1": "trwające pobierania:",
 		"af1": "pokaż ostatnio przesłane pliki",
 		"ag1": "pokaż znanych użytkowników IdP",
 	},
 	"spa": {
 		"a1": "actualizar",
 		"b1": "hola &nbsp; <small>(no has iniciado sesión)</small>",
 		"c1": "cerrar sesión",
 		"d1": "volcar estado de la pila",
 		"d2": "muestra el estado de todos los hilos activos",
 		"e1": "recargar configuración",
 		"e2": "recargar archivos de configuración (cuentas/volúmenes/indicadores de vol.),$Ny reescanear todos los volúmenes e2ds$N$Nnota: cualquier cambio en la configuración global$Nrequiere un reinicio completo para surtir efecto",
 		"f1": "puedes explorar:",
 		"g1": "puedes subir a:",
 		"cc1": "otras cosas:",
 		"h1": "desactivar k304",
 		"i1": "activar k304",
 		"j1": "activar k304 desconectará tu cliente en cada HTTP 304, lo que puede evitar que algunos proxies con errores se atasquen (dejando de cargar páginas de repente), <em>pero</em> también ralentizará las cosas en general",
 		"k1": "restablecer config. de cliente",
 		"l1": "inicia sesión para más:",
        "ls3": "iniciar sesión", //m
        "lu4": "nombre de usuario", //m
        "lp4": "contraseña", //m
 		"lo3": "cerrar sesión de “{0}” en todas partes", //m
 		"lo2": "esto finalizará la sesión en todos los navegadores", //m
 		"m1": "bienvenido de nuevo,",
 		"n1": "404 no encontrado &nbsp;┐( ´ -`)┌",
 		"o1": '¿o quizás no tienes acceso? -- prueba con una contraseña o <a href=\"' + SR + '/?h\">vuelve al inicio</a>',
 		"p1": "403 prohibido &nbsp;~┻━┻",
 		"q1": 'usa una contraseña o <a href=\"' + SR + '/?h\">vuelve al inicio</a>',
 		"r1": "ir al inicio",
 		".s1": "reescanear",
 		"t1": "acción",
 		"u2": "tiempo desde la última escritura en el servidor$N( subida / renombrar / ... )$N$N17d = 17 días$N1h23 = 1 hora 23 minutos$N4m56 = 4 minutos 56 segundos",
 		"v1": "conectar",
 		"v2": "usar este servidor como un disco duro local",
 		"w1": "cambiar a https",
 		"x1": "cambiar contraseña",
 		"y1": "editar recursos compartidos",
 		"z1": "desbloquear este recurso compartido:",
 		"ta1": "primero escribe tu nueva contraseña",
 		"ta2": "repite para confirmar la nueva contraseña:",
 		"ta3": "hay un error; por favor, inténtalo de nuevo",
 		"aa1": "archivos entrantes:",
 		"ab1": "desactivar no304",
 		"ac1": "activar no304",
 		"ad1": "activar no304 desactivará todo el almacenamiento en caché; prueba esto si k304 no fue suficiente. ¡Esto desperdiciará una gran cantidad de tráfico de red!",
 		"ae1": "descargas activas:",
 		"af1": "mostrar subidas recientes",
 		"ag1": "mostrar usuarios IdP conocidos"
 	},
 	"swe": {
 		"a1": "uppdatera",
 		"b1": "tjena främling &nbsp; <small>(du är inte inloggad)</small>",
 		"c1": "logga ut",
 		"d1": "dumpa stacken",
 		"d2": "visar tillståndet på alla aktiva trådar",
 		"e1": "ladda om konfig.",
 		"e2": "ladda om konfigurationsfiler (konton/volymer/volflaggor),$Noch skanna om alla e2ds-volymer$N$Nobs.: ändrade globala inställningar$Nkräver en fullständig omstart",
 		"f1": "du kan bläddra:",
 		"g1": "du kan ladda upp till:",
 		"cc1": "annat:",
 		"h1": "avaktivera k304",
 		"i1": "aktivera k304",
 		"j1": "med k304 aktiverad kommer klienten att koppla bort sig vid varje HTTP 304-fel, vilket kan hindra vissa buggiga proxyservrar från att fastna (sidor slutar ladda), <em>men</em> saker kommer också att bli långsammare i allmänhet",
 		"k1": "återställ klientinställningar",
 		"l1": "logga in för att se mer:",
        "ls3": "logga in", //m
        "lu4": "användarnamn", //m
        "lp4": "lösenord", //m
 		"lo3": "logga ut “{0}” överallt", //m
 		"lo2": "avsluta sessionen i alla webbläsare", //m
 		"m1": "välkommen tillbaka,",
 		"n1": "404 hittades inte &nbsp;┐( ´ -`)┌",
 		"o1": 'eller så har du kanske inte tillgång -- prova ett lösenord eller <a href="' + SR + '/?h">åk hem</a>',
 		"p1": "403 nekat &nbsp;~┻━┻",
 		"q1": 'använd ett lösenord eller <a href="' + SR + '/?h">åk hem</a>',
 		"r1": "åk hem",
 		".s1": "skanna om",
 		"t1": "åtgärd",
 		"u2": "tid sedan senaste serverskrivning$N( uppladdning / namnbyte / ... )$N$N17d = 17 dagar$N1h23 = 1 timme 23 minuter$N4m56 = 4 minuter 56 sekunder",
 		"v1": "koppla upp",
 		"v2": "använd denna server som en lokal disk",
 		"w1": "byt till https",
 		"x1": "byt lösenord",
 		"y1": "redigera utdelningar",
 		"z1": "lås upp denna utdelning:",
 		"ta1": "fyll i ditt nya lösenord",
 		"ta2": "upprepa det nya lösenordet:",
 		"ta3": "det blev fel; vänligen försök igen",
 		"aa1": "inkommande filer:",
 		"ab1": "avaktivera no304",
 		"ac1": "aktivera no304",
 		"ad1": "detta stänger av all cachning; prova detta om k304 inte räckte till. Detta kommer att slösa enorma mängder nätverkstrafik!",
 		"ae1": "aktiva nedladdningar:",
        "af1": "visa senaste uppladdningar",
        "ag1": "visa idp-cache"
 	},
 	"ukr": {
 		"a1": "оновити",
 		"b1": "привітик, незнайомцю &nbsp; <small>(ви не авторизовані)</small>",
 		"c1": "вийти",
 		"d1": "трасування стека",
 		"d2": "показує стан усіх активних потоків",
 		"e1": "перезавантажити конфіг",
 		"e2": "перезавантажити файли конфігурації (облікові записи/томи/прапорці),$Nта пересканувати всі томи e2ds$N$Nувага: будь-які зміни глобальних налаштувань$Nвимагають повного перезапуску",
 		"f1": "ви можете бачити:",
 		"g1": "ви можете завантажувати файли в:",
 		"cc1": "всяка всячина:",
 		"h1": "вимкнути k304",
 		"i1": "увімкнути k304",
 		"j1": "увімкнення k304 буде відключати ваш клієнт при кожному HTTP 304, що може запобігти зависанню деяких глючних проксі (раптово перестають завантажувати сторінки), <em>але</em> це також зробить усе повільнішим загалом",
 		"k1": "скинути налаштування клієнта",
 		"l1": "авторизуйтесь для інших опцій:",
        "ls3": "увійти", //m
        "lu4": "ім'я користувача", //m
        "lp4": "пароль", //m
 		"lo3": "вийти з облікового запису “{0}” всюди", //m
 		"lo2": "це завершить сеанс у всіх браузерах", //m
 		"m1": "з поверненням,",
 		"n1": "404 не знайдено &nbsp;┐( ´ -`)┌",
 		"o1": 'або у вас немає доступу -- спробуйте авторизуватися або <a href="' + SR + '/?h">повернутися на головну</a>',
 		"p1": "403 доступ заборонений &nbsp;~┻━┻",
 		"q1": 'авторизуйтесь або <a href="' + SR + '/?h">поверніться на головну</a>',
 		"r1": "повернутися на головну",
 		".s1": "пересканувати",
 		"t1": "дія",
 		"u2": "час з останнього запису сервера$N( завантаження / перейменування / ... )$N$N17d = 17 днів$N1h23 = 1 година 23 хвилини$N4m56 = 4 хвилини 56 секунд",
 		"v1": "підключити",
 		"v2": "використовувати цей сервер як локальний HDD",
 		"w1": "перейти на https",
 		"x1": "змінити пароль",
 		"y1": "керування доступом",
 		"z1": "розблокувати:",
 		"ta1": "спочатку заповніть ваш новий пароль",
 		"ta2": "повторіть для підтвердження нового пароля:",
 		"ta3": "описка; спробуйте знову",
 		"aa1": "вхідні файли:",
 		"ab1": "вимкнути no304",
 		"ac1": "увімкнути no304",
 		"ad1": "увімкнення no304 вимкне все кешування; спробуйте це, якщо k304 було недостатньо. Це витратить величезну кількість мережевого трафіку!",
 		"ae1": "активні завантаження:",
 		"af1": "показати нещодавні завантаження",
 		"ag1": "показати відомих IdP-користувачів"
 	},
 	"rus": {
 		"a1": "обновить",
 		"b1": "приветик, незнакомец &nbsp; <small>(вы не авторизованы)</small>",
 		"c1": "выйти",
 		"d1": "трассировка стека",
 		"d2": "показывает состояние всех активных потоков",
 		"e1": "перезагрузить конфиг",
 		"e2": "перезагрузить файлы конфига (аккаунты/хранилища/флаги),$Nи пересканировать все хранилища с флагом e2ds$N$Nвнимание: изменения глобальных настроек$Nтребуют полного перезапуска сервера",
 		"f1": "вы можете видеть:",
 		"g1": "вы можете загружать файлы в:",
 		"cc1": "всякая всячина:",
 		"h1": "отключить k304",
 		"i1": "включить k304",
 		"j1": "включённый k304 будет отключать вас при получении HTTP 304, что может помочь при работе с некоторыми глючными прокси (перестают загружаться страницы), <em>но</em> это также сделает работу клиента медленнее",
 		"k1": "сбросить локальные настройки",
 		"l1": "авторизуйтесь для других опций:",
        "ls3": "войти", //m
        "lu4": "имя пользователя", //m
        "lp4": "пароль", //m
 		"lo3": "выйти из “{0}” везде", //m
 		"lo2": "это завершит сеанс во всех браузерах", //m
 		"m1": "с возвращением,",
 		"n1": "404 не найдено &nbsp;┐( ´ -`)┌",
 		"o1": 'или у вас нет доступа -- попробуйте авторизоваться или <a href="' + SR + '/?h">вернуться на главную</a>',
 		"p1": "403 доступ запрещён &nbsp;~┻━┻",
 		"q1": 'авторизуйтесь или <a href="' + SR + '/?h">вернитесь на главную</a>',
 		"r1": "вернуться на главную",
 		".s1": "пересканировать",
 		"t1": "действия",
 		"u2": "время с последней записи на сервер$N( загрузка / переименование / ... )$N$N17d = 17 дней$N1h23 = 1 час 23 минут$N4m56 = 4 минут 56 секунд",
 		"v1": "подключить",
 		"v2": "использовать сервер как локальный диск",
 		"w1": "перейти на https",
 		"x1": "поменять пароль",
 		"y1": "управление доступом",
 		"z1": "разблокировать:",
 		"ta1": "сначала введите свой новый пароль",
 		"ta2": "повторите новый пароль:",
 		"ta3": "опечатка; попробуйте снова",
 		"aa1": "входящие файлы:",
 		"ab1": "отключить no304",
 		"ac1": "включить no304",
 		"ad1": "включённый no304 полностью отключит хеширование; используйте, если k304 не помог. Сильно увеличит объём трафика!",
 		"ae1": "активные скачивания:",
 		"af1": "показать недавние загрузки",
 		"ag1": "показать известных IdP-пользователей",
 	},
 };
@ -153,7 +777,14 @@ for (var k in (d || {})) {
 			o[a].innerHTML = d[k];
 		else if (f == 2)
 			o[a].setAttribute("tt", d[k]);
 		else if (f == 3)
 			o[a].setAttribute("value", d[k]);
 		else if (f == 4)
 			o[a].setAttribute("placeholder", " " + d[k]);
 }
 var o1 = ebi('lo'), o2 = ebi('un');
 if (o1 && o2 && d.lo3)
 	o1.setAttribute("value", d.lo3.format(o2.textContent));
 try {
 	if (is_idp) {
@ -165,8 +796,8 @@ try {
 catch (ex) { }
 tt.init();
-var o = QS('input[name="cppwd"]');
+var o = QS('input[name="uname"]') || QS('input[name="cppwd"]');
-if (!ebi('c') && o.offsetTop + o.offsetHeight < window.innerHeight)
+if (!MOBILE && !ebi('c') && o.offsetTop + o.offsetHeight < window.innerHeight)
 	o.focus();
 o = ebi('u');
@ -175,6 +806,9 @@ if (o && /[0-9]+$/.exec(o.innerHTML))
 ebi('uhash').value = '' + location.hash;
 if (/\&re=/.test('' + location))
 	ebi('a').className = 'af g';
 (function() {
 	if (!ebi('x'))
 		return;
--- a/copyparty/web/svcs.html
+++ b/copyparty/web/svcs.html
@ -37,11 +37,12 @@
                {% if accs %}<code><b id="pw0">{{ pw }}</b></code>=password, {% endif %}<code><b>mp</b></code>=mountpoint
            </span>
            {% if accs %}<a href="#" id="setpw">use real password</a>{% endif %}
            <a href="#" id="qr">show qr</a>
        </p>
-        {% if args.idp_h_usr %}
+        {% if args.have_idp_hdrs %}
        <p style="line-height:2em"><b>WARNING:</b> this server is using IdP-based authentication, so this stuff may not work as advertised. Depending on server config, these commands can probably only be used to access areas which don't require authentication, unless you auth using any non-IdP accounts defined in the copyparty config. Please see <a href="https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md#connecting-webdav-clients">the IdP docs</a></p>
        {% endif %}
--- a/copyparty/web/svcs.js
+++ b/copyparty/web/svcs.js
@ -49,12 +49,14 @@ function setos(os) {
 setos(WINDOWS ? 'win' : LINUX ? 'lin' : MACOS ? 'mac' : 'idk');
 var pw = '';
 function setpw(e) {
    ev(e);
    modal.prompt('password:', '', function (v) {
        if (!v)
            return;
        pw = v;
        var pw0 = ebi('pw0').innerHTML,
            oa = QSA('b');
@ -67,3 +69,12 @@ function setpw(e) {
 }
 if (ebi('setpw'))
    ebi('setpw').onclick = setpw;
 ebi('qr').onclick = function () {
    var url = ('' + location).split('?')[0];
    if (pw)
        url += '?pw=' + pw;
    var txt = esc(url) + '<img class="b64" width="100" height="100" src="' + addq(url, 'qr') + '" />';
    modal.alert(txt);
 };
--- a/copyparty/web/up2k.js
+++ b/copyparty/web/up2k.js
@ -964,6 +964,7 @@ function up2k_init(subtle) {
            "t": 0
        },
        "car": 0,
        "nre": 0,
        "slow_io": null,
        "oserr": false,
        "modn": 0,
@ -1572,7 +1573,7 @@ function up2k_init(subtle) {
    function linklist() {
        var ret = [],
-            base = document.location.origin.replace(/\/$/, '');
+            base = location.origin.replace(/\/$/, '');
        for (var a = 0; a < st.files.length; a++) {
            var t = st.files[a],
@ -1595,7 +1596,7 @@ function up2k_init(subtle) {
        ev(e);
        var txt = linklist();
        cliptxt(txt + '\n', function () {
-            toast.inf(5, un_clip.format(txt.split('\n').length));
+            toast.inf(5, L.un_clip.format(txt.split('\n').length));
        });
    };
@ -1783,8 +1784,7 @@ function up2k_init(subtle) {
    }
    var tasker = (function () {
-        var running = false,
+        var running = false;
            was_busy = false;
        var defer = function () {
            running = false;
@ -1801,7 +1801,17 @@ function up2k_init(subtle) {
            while (true) {
                var now = Date.now(),
                    blocktime = now - r.tact,
-                    is_busy = st.car < st.files.length;
+                    was_busy = st.is_busy,
                    is_busy = !!(  // gzip take the wheel
                        st.car < st.files.length ||
                        st.busy.hash.length ||
                        st.todo.hash.length ||
                        st.busy.handshake.length ||
                        st.todo.handshake.length ||
                        st.busy.upload.length ||
                        st.todo.upload.length ||
                        st.busy.head.length ||
                        st.todo.head.length);
                if (blocktime > 2500)
                    console.log('main thread blocked for ' + blocktime);
@ -1809,7 +1819,16 @@ function up2k_init(subtle) {
                r.tact = now;
                if (was_busy && !is_busy) {
-                    for (var a = 0; a < st.files.length; a++) {
+                    var nre = 0, nf = 0;
                    for (var a = 0; a < st.files.length; a++)
                        if (st.files[a].want_recheck)
                            nre++;
                    console.log('nre', nre, 'st', st.nre);
                    if (st.nre != nre) {
                        st.nre = nre;
                        nf = st.files.length;
                    }
                    for (var a = 0; a < nf; a++) {
                        var t = st.files[a];
                        if (t.want_recheck) {
                            t.rechecks++;
@ -1817,7 +1836,7 @@ function up2k_init(subtle) {
                            push_t(st.todo.handshake, t);
                        }
                    }
-                    is_busy = st.todo.handshake.length;
+                    is_busy = !!st.todo.handshake.length;
                    try {
                        if (!is_busy && !uc.fsearch && !msel.getsel().length && (!mp.au || mp.au.paused))
                            treectl.goto();
@ -1826,7 +1845,7 @@ function up2k_init(subtle) {
                }
                if (was_busy != is_busy) {
-                    st.is_busy = was_busy = is_busy;
+                    st.is_busy = is_busy;
                    window[(is_busy ? "add" : "remove") +
                        "EventListener"]("beforeunload", warn_uploader_busy);
@ -1947,7 +1966,7 @@ function up2k_init(subtle) {
        for (var a = 0; a < st.files.length; a++) {
            var t = st.files[a];
-            if (t.want_recheck && !t.rechecks)
+            if (t.want_recheck && t.rechecks < 999)
                return;
        }
@ -2511,8 +2530,8 @@ function up2k_init(subtle) {
                        var msg = [];
                        for (var a = 0, aa = Math.min(20, response.hits.length); a < aa; a++) {
                            var hit = response.hits[a],
-                                tr = unix2iso(hit.ts),
+                                tr = unix2ui(hit.ts),
-                                tu = unix2iso(t.lmod),
+                                tu = unix2ui(t.lmod),
                                diff = parseInt(t.lmod) - parseInt(hit.ts),
                                cdiff = (Math.abs(diff) <= 2) ? '3c0' : 'f0b',
                                sdiff = '<span style="color:#' + cdiff + '">diff ' + diff;
@ -2693,8 +2712,9 @@ function up2k_init(subtle) {
                    if (ofs !== -1) {
                        err = err.slice(0, ofs + 1) + linksplit(err.slice(ofs + 2).trimEnd()).join(' / ');
                    }
-                    if (!t.rechecks && (err_pend || err_srcb)) {
+                    if (!t.rechecks)
                        t.rechecks = 0;
                    if (t.rechecks < 999 && (err_pend || err_srcb)) {
                        t.want_recheck = true;
                        if (st.busy.upload.length || st.busy.handshake.length || st.bytes.uploaded) {
                            err = L.u_dupdefer;
@ -2811,7 +2831,7 @@ function up2k_init(subtle) {
        if (!t.t_uploading)
            t.t_uploading = Date.now();
-        pvis.seth(t.n, 1, "🚀 send");
+        pvis.seth(t.n, 1, "🚀 " + L.ul_send);
        var chunksize = get_chunksize(t.size),
            car = pcar * chunksize,
@ -3187,7 +3207,7 @@ function up2k_init(subtle) {
            return;
        try {
-            ebi('lifew').innerHTML = unix2iso((st.lifetime || lifetime) +
+            ebi('lifew').innerHTML = unix2ui((st.lifetime || lifetime) +
                Date.now() / 1000 - new Date().getTimezoneOffset() * 60
            ).replace(' ', ', ').slice(0, -3);
        }
--- a/copyparty/web/util.js
+++ b/copyparty/web/util.js
@ -120,7 +120,7 @@ function esc(txt) {
 function basenames(txt) {
    return (txt + '').replace(/https?:\/\/[^ \/]+\//g, '/').replace(/js\?_=[a-zA-Z]{4}/g, 'js');
 }
-if ((document.location + '').indexOf(',rej,') + 1)
+if ((location + '').indexOf(',rej,') + 1)
    window.onunhandledrejection = function (e) {
        var err = e.reason;
        try {
@ -180,6 +180,9 @@ function vis_exh(msg, url, lineNo, columnNo, error) {
    if (!/\.js($|\?)/.exec(url))
        return;  // chrome debugger
    if (url.indexOf('extension://') + 1)
        return;
    if (url.indexOf(' > eval') + 1 && !evalex_fatal)
        return;  // md timer
@ -738,7 +741,7 @@ function assert_vp(path) {
    if (path.indexOf('//') + 1)
        throw 'nonlocal1: ' + path;
-    var o = window.location.origin;
+    var o = location.origin;
    if (have_URL && (new URL(path, o)).origin != o)
        throw 'nonlocal2: ' + path;
 }
@ -890,7 +893,7 @@ function uricom_adec(arr, li) {
 function get_evpath() {
-    var ret = document.location.pathname;
+    var ret = location.pathname;
    if (ret.indexOf('/') !== 0)
        ret = '/' + ret;
@ -907,11 +910,29 @@ function noq_href(el) {
 }
 function pad2(v) {
    return ('0' + v).slice(-2);
 }
 function unix2iso(ts) {
    return new Date(ts * 1000).toISOString().replace("T", " ").slice(0, -5);
 }
 function unix2iso_localtime(ts) {
    var o = new Date(ts * 1000),
        p = pad2;
    return "{0}-{1}-{2} {3}:{4}:{5}".format(
        o.getFullYear(),
        p(o.getMonth() + 1),
        p(o.getDate()),
        p(o.getHours()),
        p(o.getMinutes()),
        p(o.getSeconds()));
 }
 function s2ms(s) {
    s = Math.floor(s);
    var m = Math.floor(s / 60);
@ -999,9 +1020,13 @@ function lhumantime(v) {
    if (!L || tp.length < 2 || tp[1].indexOf('$') + 1)
        return t;
-    var ret = '';
+    var u, n, ret = '';
-    for (var a = 0; a < tp.length; a += 2)
+    for (var a = 0; a < tp.length; a += 2) {
-        ret += tp[a] + ' ' + L['ht_' + tp[a + 1] + (tp[a]==1?1:2)] + L.ht_and;
+        n = tp[a];
        u = L.ht_h5 ? (n==1 ? 1 : (n>1&&n<5) ? 2 : 5) :
            (n==1 ? 1 : 2);
        ret += tp[a] + ' ' + L['ht_' + tp[a + 1] + u] + L.ht_and;
    }
    return ret.slice(0, -L.ht_and.length);
 }
@ -1203,6 +1228,13 @@ function scfg_bind(obj, oname, cname, defval, cb) {
 }
 window.unix2ui = (function () {
    var v = sread('utctid');
    v = v ? (v === '0') : (window.dutc === false);
    return v ? unix2iso_localtime : unix2iso;
 })();
 function hist_push(url) {
    console.log("h-push " + url);
    try {
@ -1221,20 +1253,23 @@ function hist_replace(url) {
 function sethash(hv) {
    if (window.history && history.replaceState) {
-        hist_replace(document.location.pathname + document.location.search + '#' + hv);
+        hist_replace(location.pathname + location.search + '#' + hv);
    }
    else {
-        document.location.hash = hv;
+        location.hash = hv;
    }
 }
 function dl_file(url) {
    console.log('DL [%s]', url);
-    var o = mknod('a');
+    qsr('#dlfth');
    var o = mknod('a', 'dlfth');
    o.setAttribute('href', url);
    o.setAttribute('download', '');
-    o.click();
+    document.body.appendChild(o);
    ebi('dlfth').click();
    qsr('#dlfth');
 }
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -1,3 +1,229 @@
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0810-1226  `v1.19.1`  archlinux fix
 ## 🧪 new features
 * new translations:
  * #486 French (thx @Tr3yWay996, @Packingdustry, @Alee14, @jakubiakfr, @Equinoxs!) e9ddfccf 7aa21483 b87f8f1b
  * #463 Polish (thx @pufereq and @daimond113!) 392a4db5
  * #537 Nynorsk (thx @chinatsu!) 3931bc27
 * #549 custom mdns domain 3c78c6a8
 ## 🩹 bugfixes
 * #539 FTP glitches when running on windows 8ba98877
 * #555 global-config didn't load through PRTY_CONFIG (thx @icxes!) 074e106e
 * macos: could take a while to establish webdav connection from finder a01870b7
 * ux:
  * dropdown colors 347cf6a5
  * case-sensitivity in filters e5e82295
  * iOS being too enthusiastic about using saved passwords 03acd65e
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0807-2213  `v1.19.0`  usernames
 ## 🧪 new features
 * #511 login with username and password (not just password) can now optionally be enabled with `--usernames` 346515cc
  * if you have enabled password hashing (`ah-alg: argon2` or similar) then you will need to hash your passwords again after enabling usernames, hashing them as `username:password:`
 * #468 add Greek translation (thx @chamdim!) 50f46187 392abd06
 * #471 add Czech translation (thx @kubakubakuba!) c9556583
 * #515 support systemd socket acivation (thx @mati1210!) 9b9d2a92
 * #523 add QR-code to the connectpage bcc3b156
 * #513 optional EOL-conversion for texteditor 8b31ed88
 * controlpanel refresh-button now toggles automatic refresh 7ae84dea
 ## 🩹 bugfixes
 * fix stuck uploads when the up2k database (`e2d`) is not enabled 4a043568
  * if more than 60'000 files were uploaded and there were several dupes of some files, they could get stuck and never upload
  * upload performance is improved remarkably by enabling `e2d` so such huge uploads non-e2d had not been tested in a long time 
 * #467 #470 fix ui-crash when exporting links of all uploaded files to clipboard (thx @geekalaa!) 0df1901f
 * #487 fix ui-crash when the location url-part is `//` 0f55a1ae
 * fix viewing `.MD` files (8a0746c6)
 ## 🔧 other changes
 * when a reverse-proxy is detected, force explicit configuration of `--rproxy` to obtain correct client IP 3f8cb7e8
  * a bit inconvenient, but helps prevent potentially-dangerous misconfiguration
  * the necessary configuration changes are explained in the serverlog (you can't miss it)
  * thanks to @person4268 for pointing out that there was room for improvements!
 * failed login attempts now only log a sha512 hash of the provided password
  * to see login-attempts with incorrect passwords as plaintext like before, `log-badpwd: 1`
 * #502 add systemd user services and templated services (thx @icxes!) 34d98e99
 * #475 improve helptext for multivalue global-options c2ac57a2
 * #475 add [chungus.conf](https://github.com/9001/copyparty/blob/hovudstraum/docs/chungus.conf), massive extensive nonsensical demo config b664ebb0
 * try to detect proxies with incorrect caching behavior 9e980bb5
 * recent-uploads now support ie9 a57f7cc2
 * languages and themes are now dropdowns a9ee4f24
 * copyparty.exe: upgrade python to 3.13.6 a98360f2
 * introduce [copyparty-en.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-en.py), english-only edition of copyparty-sfx.py to save space 33497e6b
 ## 🗿 known issues 
 * the `copyparty.pyz` in this release is english-only, and does not include the translations -- they got lost in transit while adjusting the buildscripts to make `copyparty-en.py`
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0804-0013  `v1.18.10`  idp speedboost
 ## 🧪 new features
 * #426 add Dutch translation (thx @DeStilleGast!) 3798e19a
 * #458 add Italian translation (thx @AOTREVAI!) a38e6e65
 * #456 transcode to flac/wav (thx @missaustraliana!) b469db3c b2d48c64 0d09fb68
 * #439 config-file can be provided through `PRTY_CONFIG` (thx @icxes!) 971360e9
 * #459 videos can become folder thumbnails 16bbcce5
 * add `--idp-cookie`, session-tickets for IdP auth (performance boost) f9502c3d
  * useful when the IdP-server becomes a bottleneck
 ## 🩹 bugfixes
 * #412 fix PUT-uploads into volumes with `nosub` volflag 47fa4a92
 * #435 ignore spurious exceptions from browser extensions 39e55824
 * #449 IPv6 QR-Code didn't include port 66a5bf36
 * #295 do not force `d2d` in blank vfs (introduced in v1.18.3) 848315c0
 ## 🔧 other changes
 * #440 improved finnish translation (thx @icxes!) a68d5b03
 * point to the `-nc` option in the "at max connections" warning 153d240d
 * the play-button now indicates "play-as-audio" for video-files 40d56bb3
 * docs:
  * #411 improve password-hashing instructions (thx @chinponya!) c69c7c8a
  * #429 improve `--cert` helptext (thx @kzshantonu!) 7e3825f8
  * #413 copyparty is Wii Internet Channel compatible! (thx @techflashYT!) 50f16293
  * #461 how to use groups without IdP e85a7107
  * mention that WebDAV and OpenGraph are incompatible by default (and how to fix that) 0bc1b8f7
  * #345 short explanation about the sfx in quickstart ae5eefc5
 * #398 pypi-package now has extra-group `all` 6eaf8af1
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0801-2056  `v1.18.9`  fix Denial-of-Service
 ## ⚠️ ATTN: this release fixes a Denial-of-Service vuln
 [CVE-2025-54796](https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6): an unauthenticated user could make the server grind to a halt by accessing a particular URL
 ## recent important news
 * [v1.18.9 (2025-08-01)](https://github.com/9001/copyparty/releases/tag/v1.18.9) fixed [CVE-2025-54796](https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6) (Denial-of-Service)
 * [v1.15.0 (2024-09-08)](https://github.com/9001/copyparty/releases/tag/v1.15.0) changed upload deduplication to be default-disabled
 * [v1.14.3 (2024-08-30)](https://github.com/9001/copyparty/releases/tag/v1.14.3) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to **data loss** -- see the v1.14.3 release-notes for details
 ## 🧪 new features
 * #310 translated to Spanish (thx @herruzo99!) a1dfd0be
 * #350 translated to Ukrainian (thx @MrMebelMan!) fea45e45
 * #321 translated to Russian (thx @A1Asriel!) 0b05c726
 * #381 translated to Finnish (thx @icxes and @Permik!) 7ecedb2c
  * haha it says surf
 * #312 add option to use localtime in the UI ad23b253
 * #386 initial packaging for debian (thx @Beethoven-n!) 3c6f0b17
 ## 🩹 bugfixes
 * CVE-2025-54796 / GHSA-5662-2rj7-f2v6 09910ba8
 * #347 fix upload-abort when uploading to a share 6d6d79fc
 * fix xiu backlog dropping on restart 3222ba3a
 * #375 fix crash on really old versions of python2.7 (thx @bb!) b69d5901
 * #388 another python2.7 fix: improve unicode support in u2c (thx @KevinXuxuxu!) 9c197535
 * log creator of new/blank markdown docs d0d2f206
 * #400 config didn't support indenting with tabs c1604288
 ## 🔧 other changes
 * `ack` was changed to `continue` 4fa7be2a
 ## 🌠 fun facts
 * the translations have made the sfx size balloon from 766 to 845 KiB in under a week... nice! keep em coming :tada: 
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0731-0833  `v1.18.8`  sfx hotfix
 ## 🩹 bugfixes
 * #354 fix `copyparty-sfx.py` failing to start on certain versions of python c17ce4892ecdb4e11437bc2785d132bd8100eaec
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0730-2131  `v1.18.7`  SECURITY: fix another XSS
 ## ⚠️ ATTN: this release fixes an XSS vulnerability
 [GHSA-8mx2-rjh8-q3jq](https://github.com/9001/copyparty/security/advisories/GHSA-8mx2-rjh8-q3jq), could let an attacker execute arbitrary JS by tricking you into clicking a malicious URL
 Soon there won't be many of these left, surely. Huge thanks to @Ju0x for finding and reporting this.
 ## 🧪 new features
 * #265 uid/gid for new files can be configured per-volume f1959988
  * has preconditions; [see readme](https://github.com/9001/copyparty#chmod-and-chown)
 * #212 add German translation (thx @rGunti, @Scotsguy, @chocolateimage) 9d32564c
 ## 🩹 bugfixes
 * GHSA-8mx2-rjh8-q3jq a8705e61
 * #276 windows: fix segfault (thx @kernel1994 for debugging!) a9d07c63
 * #272 webdav: send disk-size and disk-free to clients 4988a55e
 * #285 use disk-free sans root-reserve on linux (thx @Arklaum!) c3cc2dde 
 * cors-check was funky on IPv6 e9684d40
 * #325 upgrade sharex example for newer versions 6016ec93
 * #300 restore support for old versions of python 2.7 b7ca6f4a
 ## 🔧 other changes
 * shares: the config POST-target is now always the webroot (for ease of IdP configuration) fb7cbc42 
 * unlist: now applies to the navpane too fbf17be2
 * windows: show disk-usage as well, not just disk-free 5c6341e9
 * #228 nix-pkg improvements (thx @dtomvan!) 4915b14b
 * docker-compose: ensure logs appear in realtime 3cde1f3b
 * mention that IdP-volumes and users [can now be persisted](https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md#but-you-can-enable-idp-volume-persistence) 6069bc9b
 * #316 explain a scary-looking thing in the code 053de619
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0728-2320  `v1.18.6`  reflink-dedup
 ## 🧪 new features
 * #201 add support for reflink-based dedup on cow filesystems df9feabc
  * combine `--dedup` with `--reflink` to enable, or volflags with same name
  * a better and safer alternative to the other dedup approaches (symlink/hardlink), but only possible to use in some cases:
    * needs linux 5.3 or newer, python 3.14 or newer, btrfs/xfs/zfs
    * not available in the docker images yet; needs a new version of python, so maybe next alpine release (november/december 2025)
 * ratelimit password changes to impede bruteforcing a2601fd6
  * limit is set by `--ban-pwc` (default is 5 changes in 60min)
 ## 🩹 bugfixes
 * #240 nixos: fix unixgroups issue (thx @chinponya!) 7c9c962b
 * #246 cbz: use correct page for thumbnail (thx @Scotsguy!) 542a1de1
 ## 🔧 other changes
 * volflag `nosub` now also prevents mkdir 0f2c6235
 * improve documentation:
  * #229 use the same example UDS path everywhere cb019afe
  * [example nginx config](https://github.com/9001/copyparty/blob/hovudstraum/contrib/nginx/copyparty.conf) had misleading cloudflare comment (thx @jmi2k!) 674fc1fe
  * more readable `--help-chmod` 03d23dae
  * #244 fix typo in `--help` 4f013f64
 * #242 hide "use real pw" on connectpage if no accounts (thx @toast003!) 025942a7
 * #211 docker: remove deprecated attribute (thx @ptweezy!) 5b98e104
 * #190 add the feature-showcase video to the readme (thx @RustoMCSpit!) 43e6da34
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0727-2305  `v1.18.5`  SECURITY: fix XSS in media tags
--- a/docs/chungus.conf
+++ b/docs/chungus.conf
--- a/docs/devnotes.md
+++ b/docs/devnotes.md
@ -330,7 +330,6 @@ the features you can opt to drop are
 * `cm`/easymde, the "fancy" markdown editor, saves ~89k
 * `hl`, prism, the syntax hilighter, saves ~41k
 * `fnt`, source-code-pro, the monospace font, saves ~9k
 * `dd`, the custom mouse cursor for the media player tray tab, saves ~2k
 for the `re`pack to work, first run one of the sfx'es once to unpack it
@ -355,7 +354,7 @@ pip install mutagen  # audio metadata
 pip install pyftpdlib  # ftp server
 pip install partftpy  # tftp server
 pip install impacket  # smb server -- disable Windows Defender if you REALLY need this on windows
-pip install Pillow pyheif-pillow-opener  # thumbnails
+pip install Pillow pillow-heif  # thumbnails
 pip install pyvips  # faster thumbnails
 pip install psutil  # better cleanup of stuck metadata parsers on windows 
 pip install black==21.12b0 click==8.0.2 bandit pylint flake8 isort mypy  # vscode tooling
@ -415,6 +414,8 @@ to get started, first `cd` into the `scripts` folder
 * if you want to build the `.pyz` standalone "binary", now run `./make-pyz.sh`
 * if you want to build the `tar.gz` for use in a linux-distro package, now run `./make-tgz-release.sh theVersionNumber`
 * if you want to build a pypi package, now run `./make-pypi-release.sh d`
 * if you want to build a docker-image, you have two options:
--- a/docs/examples/docker/basic-docker-compose/copyparty.conf
+++ b/docs/examples/docker/basic-docker-compose/copyparty.conf
@ -6,7 +6,7 @@
 [global]
  e2dsa  # enable file indexing and filesystem scanning
  e2ts   # enable multimedia indexing
-  ansi   # enable colors in log messages
+  ansi   # enable colors in log messages (both in logfiles and stdout)
  # q, lo: /cfg/log/%Y-%m%d.log   # log to file instead of docker
--- a/docs/logo-sq.svg
+++ b/docs/logo-sq.svg
@ -0,0 +1,216 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg
  width="205mm"
  height="205mm"
  viewBox="0 0 205 205"
  version="1.1"
  id="svg1"
  inkscape:version="1.3.2 (091e20ef0f, 2023-11-25)"
  sodipodi:docname="logo-sq.svg"
  inkscape:export-filename="logo-sq.png"
  inkscape:export-xdpi="126.9"
  inkscape:export-ydpi="126.9"
  xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
  xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns="http://www.w3.org/2000/svg"
  xmlns:svg="http://www.w3.org/2000/svg"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:cc="http://creativecommons.org/ns#"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
 <sodipodi:namedview
   id="namedview1"
   pagecolor="#ffffff"
   bordercolor="#000000"
   borderopacity="0.25"
   inkscape:showpageshadow="2"
   inkscape:pageopacity="0.0"
   inkscape:pagecheckerboard="0"
   inkscape:deskcolor="#d1d1d1"
   inkscape:document-units="mm"
   inkscape:zoom="0.7165"
   inkscape:cx="367.1"
   inkscape:cy="434.1"
   inkscape:window-width="1920"
   inkscape:window-height="1022"
   inkscape:window-x="0"
   inkscape:window-y="0"
   inkscape:window-maximized="1"
   inkscape:current-layer="layer5" />
 <title
   id="title1">copyparty_logo</title>
 <defs
   id="defs1">
  <linearGradient
    inkscape:collect="always"
    id="linearGradient1">
   <stop
     style="stop-color:#ffcc55;stop-opacity:1"
     offset="0"
     id="stop1" />
   <stop
     style="stop-color:#ffcc00;stop-opacity:1"
     offset="0.2"
     id="stop2" />
   <stop
     style="stop-color:#ff8800;stop-opacity:1"
     offset="1"
     id="stop3" />
  </linearGradient>
  <linearGradient
    inkscape:collect="always"
    xlink:href="#linearGradient1"
    id="linearGradient2"
    x1="15"
    y1="15"
    x2="15"
    y2="143"
    gradientUnits="userSpaceOnUse"
    gradientTransform="matrix(0.7149,0,0,1,41.29,0)" />
 </defs>
 <metadata
   id="metadata5">
  <rdf:RDF>
   <cc:Work
     rdf:about="">
    <dc:format>image/svg+xml</dc:format>
    <dc:type
      rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
    <dc:title>copyparty_logo</dc:title>
    <dc:source>github.com/9001/copyparty</dc:source>
   </cc:Work>
  </rdf:RDF>
 </metadata>
 <g
   inkscape:groupmode="layer"
   id="layer1"
   inkscape:label="kassett"
   transform="translate(-46.02)">
  <rect
    style="fill:#333333;stroke-width:1.00023"
    id="rect1"
    width="205"
    height="205"
    x="46.02"
    y="0"
    rx="12.01"
    ry="12" />
  <rect
    style="fill:url(#linearGradient2);stroke-width:0.999736"
    id="rect2"
    width="193"
    height="128"
    x="52.02"
    y="15"
    rx="7.995"
    ry="8" />
  <rect
    style="fill:#333333;stroke-width:0.999983"
    id="rect3"
    width="142"
    height="52"
    x="77.52"
    y="77.83"
    rx="26"
    ry="26" />
  <circle
    style="fill:#cccccc"
    id="circle1"
    cx="104.5"
    cy="103.6"
    r="18" />
  <circle
    style="fill:#cccccc"
    id="circle2"
    cx="192.5"
    cy="103.6"
    r="18" />
  <path
    style="fill:#737373;stroke-width:0.999995px"
    d="m 71.53,205 7.55,-39 c 1.35,-6.2 4.23,-7.8 9.05,-8 45.27,-1 75.47,-1 120.77,0 4.9,0.2 7.5,1.8 9.1,8 l 7.5,39 z"
    id="path1"
    sodipodi:nodetypes="ccccccc" />
 </g>
 <g
   inkscape:groupmode="layer"
   id="layer3"
   inkscape:label="tekst"
   style="display:none"
   transform="translate(-46.02)">
  <text
    xml:space="preserve"
    style="font-size:38.8056px;line-height:1.25;font-family:Akbar;-inkscape-font-specification:Akbar;letter-spacing:3.70417px;word-spacing:0px;fill:#333333"
    x="47.15"
    y="55.55"
    id="text1"><tspan
     sodipodi:role="line"
     id="tspan1"
     x="47.15"
     y="55.55"
     style="-inkscape-font-specification:Akbar"
     rotate="0 0">copyparty</tspan></text>
 </g>
 <g
   inkscape:groupmode="layer"
   id="layer4"
   inkscape:label="stensatt"
   transform="translate(-46.02)">
  <path
    d="m 119.3,58.82 q -2.2,2.24 -11.8,5.54 -8.83,3.12 -10.89,3.12 -8.1,0 -12.54,-5.04 -4.3,-4.81 -4.3,-12.9 0,-11.06 9.24,-18.36 8.16,-6.5 17.99,-6.5 1.2,0 2.4,1.78 1.3,1.67 1.3,2.78 0,4.96 -5.4,6.5 -3.4,0.95 -10.06,2.78 -5.41,2.81 -5.41,10.58 0,7.71 7.14,7.71 2.1,0 2.1,0 1.43,0 3.53,-0.39 2.8,-0.56 7.2,-1.78 4.4,-1.31 5.3,-1.31 0.8,0 4.3,1.45 z"
    style="fill:#333333;stroke-width:0.999757"
    id="path11" />
  <path
    d="m 169.6,42.52 q 0,5.02 -3.8,7.89 -3.5,2.68 -9.3,2.68 -1.4,0 -5.3,-0.71 -3.7,-0.73 -5.1,-0.73 -3.9,0 -3.9,4.74 0,1.53 0.3,4.66 0.4,3.13 0.4,4.66 0,3.4 -1.5,5.07 -2.5,0 -5.5,-1.52 -2.6,-17.03 -2.6,-21.52 0,-6.53 3.2,-14.5 4.4,-10.85 12.1,-10.85 7.3,0 14.5,7.34 6.5,6.89 6.5,12.8 z m -7.5,0.36 Q 160.9,38.94 157,35 q -4.5,-4.49 -8.5,-4.49 -2.7,0 -4.5,3.94 -1.7,3.23 -1.7,5.85 0,0.84 0.7,2.22 0.7,1.43 1.5,1.43 2.2,0 6.4,0.54 4,0.55 6.2,0.55 0.5,0 2.6,-0.73 2,-0.84 2.6,-1.32 z"
    style="fill:#333333;stroke-width:0.999656"
    id="path13" />
  <path
    d="m 218.3,43.94 q 0,5.01 -3.6,7.89 -3.3,2.67 -8.6,2.67 -1.4,0 -5.1,-0.7 -3.5,-0.73 -4.9,-0.73 -3.7,0 -3.7,4.74 0,1.51 0.4,4.65 0.4,3.13 0.4,4.67 0,3.4 -1.4,5.07 -2.7,0 -5.6,-1.53 -2.7,-17.02 -2.7,-21.42 0,-6.53 3.4,-14.5 4.3,-10.85 11.9,-10.85 6.8,0 13.3,7.34 6.2,6.89 6.2,12.8 z m -7.2,0.36 q -1.1,-3.94 -4.7,-7.88 -4.3,-4.49 -8,-4.49 -2.5,0 -4.4,3.95 -1.6,3.21 -1.6,5.84 0,0.84 0.8,2.22 0.6,1.43 1.5,1.43 2,0 5.9,0.55 3.8,0.53 5.9,0.53 0.6,0 2.4,-0.72 1.9,-0.84 2.5,-1.33 z"
    style="fill:#333333;stroke-width:0.999656"
    id="path15" />
 </g>
 <g
   inkscape:groupmode="layer"
   id="layer5"
   inkscape:label="tagger"
   transform="translate(-46.02)"
   style="display:none">
  <g
    id="g1"
    transform="translate(13.52,4.761)">
   <path
     id="path4"
     style="fill:#333333"
     d="m 111.4,83.33 -9.5,5.5 2.5,4.33 9.5,-5.5 z m -33.78,19.47 -9.52,5.5 2.5,4.4 9.52,-5.5 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path5"
     style="fill:#333333"
     d="m 88.5,73 v 11 h 5 V 73 Z m 0,39 v 11 h 5 v -11 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path6"
     style="fill:#333333"
     d="m 68.1,87.67 9.53,5.5 2.5,-4.33 -9.53,-5.5 z m 33.8,19.53 9.5,5.5 2.5,-4.4 -9.5,-5.5 z"
     sodipodi:nodetypes="cccccccccc" />
  </g>
  <g
    id="g2"
    transform="rotate(30,132.7,290.2)">
   <path
     id="path7"
     style="fill:#333333"
     d="m 111.4,83.33 -9.5,5.5 2.5,4.33 9.5,-5.5 z m -33.78,19.47 -9.52,5.5 2.5,4.4 9.52,-5.5 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path8"
     style="fill:#333333"
     d="m 88.5,73 v 11 h 5 V 73 Z m 0,39 v 11 h 5 v -11 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path9"
     style="fill:#333333"
     d="m 68.1,87.67 9.53,5.5 2.5,-4.33 -9.53,-5.5 z m 33.8,19.53 9.5,5.5 2.5,-4.4 -9.5,-5.5 z"
     sodipodi:nodetypes="cccccccccc" />
  </g>
 </g>
 </svg>
--- a/docs/logo256.svg
+++ b/docs/logo256.svg
@ -0,0 +1,209 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg
  width="256mm"
  height="176mm"
  viewBox="0 0 256 176"
  version="1.1"
  id="svg1"
  inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
  xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
  xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
  xmlns:xlink="http://www.w3.org/1999/xlink"
  xmlns="http://www.w3.org/2000/svg"
  xmlns:svg="http://www.w3.org/2000/svg"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:cc="http://creativecommons.org/ns#"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
 <title
   id="title1">copyparty_logo</title>
 <defs
   id="defs1">
  <linearGradient
    inkscape:collect="always"
    id="linearGradient1">
   <stop
     style="stop-color:#ffcc55;stop-opacity:1"
     offset="0"
     id="stop1" />
   <stop
     style="stop-color:#ffcc00;stop-opacity:1"
     offset="0.2"
     id="stop2" />
   <stop
     style="stop-color:#ff8800;stop-opacity:1"
     offset="1"
     id="stop3" />
  </linearGradient>
  <linearGradient
    inkscape:collect="always"
    xlink:href="#linearGradient1"
    id="linearGradient2"
    x1="12"
    y1="12"
    x2="12"
    y2="122"
    gradientUnits="userSpaceOnUse" />
 </defs>
 <metadata
   id="metadata5">
  <rdf:RDF>
   <cc:Work
     rdf:about="">
    <dc:format>image/svg+xml</dc:format>
    <dc:type
      rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
    <dc:title>copyparty_logo</dc:title>
    <dc:source>github.com/9001/copyparty</dc:source>
   </cc:Work>
  </rdf:RDF>
 </metadata>
 <g
   inkscape:groupmode="layer"
   id="layer1"
   inkscape:label="kassett">
  <rect
    style="fill:#333333"
    id="rect1"
    width="256"
    height="175"
    x="0"
    y="0"
    rx="12"
    ry="12" />
  <rect
    style="fill:url(#linearGradient2)"
    id="rect2"
    width="232"
    height="110"
    x="12"
    y="12"
    rx="8"
    ry="8" />
  <rect
    style="fill:#333333"
    id="rect3"
    width="148"
    height="44"
    x="54"
    y="62"
    rx="22"
    ry="22" />
  <circle
    style="fill:#cccccc"
    id="circle1"
    cx="77"
    cy="84"
    r="15" />
  <circle
    style="fill:#cccccc"
    id="circle2"
    cx="179"
    cy="84"
    r="15" />
  <path
    style="fill:#737373"
    d="m 41,176 8.5,-32.7 c 1.5,-5.2 4.8,-6.5 10.2,-6.7 51.2,-0.8 85.3,-0.8 136.5,0 5.5,0.17 8.5,1.5 10.2,6.7 L 215,176 Z"
    id="path1"
    sodipodi:nodetypes="ccccccc" />
 </g>
 <g
   inkscape:groupmode="layer"
   id="layer3"
   inkscape:label="tekst"
   style="display:none">
  <text
    xml:space="preserve"
    style="font-size:38.8056px;line-height:1.25;font-family:Akbar;-inkscape-font-specification:Akbar;letter-spacing:3.70417px;word-spacing:0px;fill:#333333"
    x="47.153069"
    y="55.548954"
    id="text1"><tspan
     sodipodi:role="line"
     id="tspan1"
     x="47.153069"
     y="55.548954"
     style="-inkscape-font-specification:Akbar"
     rotate="0 0">copyparty</tspan></text>
 </g>
 <g
   inkscape:groupmode="layer"
   id="layer4"
   inkscape:label="stensatt">
  <path
    d="m 54.39,43.64 q -0.73,0.79 -4.04,1.96 -3.07,1.11 -3.75,1.11 -2.82,0 -4.36,-1.79 -1.49,-1.71 -1.49,-4.58 0,-3.92 3.21,-6.52 2.81,-2.3 6.23,-2.3 0.34,0 0.79,0.63 0.46,0.6 0.46,0.99 0,1.76 -1.87,2.3 -1.17,0.34 -3.45,0.99 -1.88,0.99 -1.88,3.76 0,2.73 2.48,2.73 0.72,0 0.72,0 0.46,0 1.23,-0.14 0.94,-0.19 2.47,-0.63 1.54,-0.46 1.82,-0.46 0.34,0 1.49,0.51 z"
    style="fill:#333333"
    id="path11" />
  <path
    d="m 74.95,38.6 q 0,3.58 -3.16,5.93 -2.73,1.96 -5.86,1.96 -2.9,0 -5.12,-2.21 -2.13,-2.22 -2.13,-5.12 0,-3.08 2.68,-5.67 2.73,-2.56 5.8,-2.56 2.99,0 5.38,2.35 2.41,2.36 2.41,5.34 z m -2.9,0.14 q 0,-1.92 -1.49,-3.16 -1.45,-1.28 -3.42,-1.28 -0.1,0 -1.36,1.37 -1.23,1.32 -2.08,1.32 -0.52,0 -0.69,-0.26 -0.99,1.96 -0.99,2.56 0,1.92 1.82,2.9 1.37,0.77 3.07,0.77 1.71,0 3.21,-0.94 1.92,-1.19 1.92,-3.27 z"
    style="fill:#333333"
    id="path12" />
  <path
    d="m 96.46,40.14 q 0,2.39 -1.63,3.75 -1.53,1.28 -4.01,1.28 -0.59,0 -2.3,-0.34 -1.62,-0.34 -2.22,-0.34 -1.79,0 -1.79,2.25 0,0.73 0.2,2.22 0.17,1.49 0.17,2.22 0,1.62 -0.66,2.41 -1.23,0 -2.56,-0.72 -1.25,-8.11 -1.25,-10.24 0,-3.12 1.5,-6.91 2.02,-5.17 5.5,-5.17 3.16,0 6.23,3.5 2.82,3.28 2.82,6.1 z m -3.25,0.17 q -0.51,-1.88 -2.22,-3.76 -1.96,-2.13 -3.66,-2.13 -1.11,0 -1.99,1.88 -0.77,1.53 -0.77,2.78 0,0.4 0.32,1.06 0.37,0.68 0.73,0.68 0.94,0 2.73,0.26 1.79,0.25 2.73,0.25 0.26,0 1.11,-0.34 0.85,-0.4 1.11,-0.63 z"
    style="fill:#333333"
    id="path13" />
  <path
    d="m 113.7,34.33 q -1.8,3.5 -2.7,5.98 -0.1,0.25 -1.4,3.84 -0.3,1.16 -0.9,3.58 -0.4,2.42 -0.8,3.59 -0.9,2.41 -2,2.25 -1.2,-0.17 -1.3,-1.37 0,-0.17 0,-0.42 0,-0.14 0.2,-1.28 0.9,-4.3 0.9,-5.5 0,-0.46 -0.1,-0.63 -1.2,-2.08 -3.5,-6.32 -2.32,-4.24 -2.1,-6.57 1.3,-1.16 1.8,-1.16 0.4,0 1,0.52 0.5,0.51 0.6,0.93 0.7,5.29 4.1,9.48 0.9,-1.54 1.6,-3.45 0.4,-1.2 1.4,-3.54 1.6,-3.81 2.9,-3.81 0.1,0 0.3,0.1 0.8,0.25 1.1,2.39 z"
    style="fill:#333333"
    id="path14" />
  <path
    d="m 134.6,41.16 q 0,2.39 -1.6,3.76 -1.6,1.28 -4,1.28 -0.6,0 -2.3,-0.35 -1.7,-0.34 -2.3,-0.34 -1.7,0 -1.7,2.26 0,0.72 0.2,2.21 0.2,1.5 0.2,2.22 0,1.62 -0.6,2.42 -1.3,0 -2.6,-0.73 -1.3,-8.1 -1.3,-10.19 0,-3.12 1.6,-6.92 1.9,-5.16 5.4,-5.16 3.2,0 6.2,3.5 2.8,3.28 2.8,6.09 z m -3.2,0.17 q -0.6,-1.88 -2.3,-3.75 -1.9,-2.14 -3.6,-2.14 -1.1,0 -2,1.88 -0.8,1.54 -0.8,2.78 0,0.4 0.4,1.06 0.3,0.68 0.7,0.68 0.9,0 2.7,0.26 1.8,0.26 2.7,0.26 0.3,0 1.1,-0.35 0.9,-0.4 1.1,-0.63 z"
    style="fill:#333333"
    id="path15" />
  <path
    d="m 155.5,45.68 q 0,0.77 -0.5,1.28 -0.5,0.52 -1.2,0.52 -1.4,0 -2.6,-0.77 -1.2,-0.8 -1.8,-1.97 -0.5,-0.1 -1.2,0.73 -0.8,0.99 -1,1.06 -1,0.46 -3.3,0.46 -1.9,0 -3.3,-2.08 -1.3,-1.82 -1.3,-3.42 0,-2.9 2.9,-5.46 2.7,-2.47 5.7,-2.47 0.8,0 1.5,0.51 0.6,0.51 0.6,1.23 0,0.46 -0.3,0.94 2.1,0.77 2.1,2.41 0,0.3 -0.1,0.9 -0.1,0.6 -0.1,0.89 0,0.35 0.1,0.52 0.4,1.11 2.1,2.9 1.6,1.62 1.6,1.87 z m -6.9,-8.62 q -0.3,0 -0.9,-0.1 -0.7,-0.14 -1,-0.14 -1.1,0 -2.7,1.66 -1.6,1.65 -1.6,2.81 0,0.69 0.6,1.54 0.7,1.11 1.8,1.11 2.3,0 3,-2.47 0.5,-2.22 0.9,-4.41 z"
    style="fill:#333333"
    id="path16" />
  <path
    d="m 174.1,36.38 q -0.3,0.34 -1.3,0.34 -0.7,0 -2.1,-0.25 -1.5,-0.26 -2.1,-0.26 -4,0 -4.7,5.89 -0.3,2.64 -0.4,2.82 -0.3,0.85 -1.4,1.96 h -1 q -0.6,-1.03 -1.1,-3.5 -0.5,-2.36 -0.5,-3.64 0,-0.99 0.1,-1.28 0.2,-0.47 0.9,-0.47 0.2,0 0.5,0.26 0.3,0.26 0.3,0.26 1.6,-3.02 2.7,-3.93 1.5,-1.45 4.3,-1.45 1.2,0 3.1,0.77 2.4,0.99 2.8,2.39 z"
    style="fill:#333333"
    id="path17" />
  <path
    d="m 196,31.91 q 0.3,0.68 0.3,1.23 0,1.59 -2.1,1.59 -0.8,0 -2.9,-0.43 -2.2,-0.46 -2.9,-0.46 -1.1,0 -1.3,0.1 -0.4,0.18 -0.4,1.03 0,1.88 0.6,5.89 0.5,5 1.3,5.23 -0.3,0.3 -0.3,0.94 -1,0.59 -2.2,0.59 -1.2,0 -1.8,-3.32 -0.1,-1.17 -0.4,-6.63 -0.1,-3.92 -0.7,-4.69 -0.2,-0.4 -3.6,-0.3 -0.9,0 -1.4,0.1 -0.4,0 -0.3,0 -0.6,0 -1,-0.6 -0.4,-1.11 -0.4,-1.2 0,-1.22 3.5,-1.7 1.4,-0.14 4,-0.43 0,-0.72 -0.1,-2.18 0,-1.5 0,-2.22 0,-3.71 1.8,-3.71 0.4,0 1,0.51 0.5,0.51 0.5,0.94 v 6.74 q 0.9,1.02 4.2,1.45 3.4,0.43 4.6,1.59 z"
    style="fill:#333333"
    id="path18" />
  <path
    d="m 214.6,34.5 q -1.7,3.5 -2.8,5.98 -0.1,0.25 -1.3,3.84 -0.4,1.16 -0.8,3.58 -0.4,2.42 -0.9,3.59 -0.8,2.41 -2,2.25 -1.2,-0.17 -1.3,-1.37 -0.1,-0.17 -0.1,-0.42 0,-0.14 0.3,-1.28 0.9,-4.3 0.9,-5.5 0,-0.46 -0.1,-0.63 -1.2,-2.08 -3.5,-6.31 -2.3,-4.25 -2,-6.58 1.2,-1.16 1.8,-1.16 0.3,0 0.8,0.52 0.5,0.51 0.6,0.93 0.8,5.3 4.2,9.48 0.9,-1.54 1.6,-3.45 0.5,-1.2 1.4,-3.54 1.5,-3.81 2.9,-3.81 0.2,0 0.3,0.1 0.7,0.25 1.1,2.39 z"
    style="fill:#333333"
    id="path19" />
 </g>
 <g
   inkscape:groupmode="layer"
   id="layer5"
   inkscape:label="tagger">
  <g
    id="g1">
   <path
     id="path4"
     style="fill:#333333"
     d="m 94.2,71.8 -8,4.6 2,3.5 8,-4.7 z m -28.4,16.3 -8,4.7 2,3.4 8,-4.6 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path5"
     style="fill:#333333"
     d="m 75,63 v 9.2 h 4 V 63 Z m 0,32.8 v 9.2 h 4 v -9.2 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path6"
     style="fill:#333333"
     d="m 96.2,92.8 -8,-4.7 -2,3.5 8,4.6 z m -28.4,-16.4 -8,-4.6 -2,3.4 8,4.7 z"
     sodipodi:nodetypes="cccccccccc" />
  </g>
  <g
    id="g2">
   <path
     id="path7"
     style="fill:#333333"
     d="m 200,82 h -9 v 4 h 9 z m -33,0 h -9 v 4 h 9 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path8"
     style="fill:#333333"
     d="m 191,101 -4,-7.8 -4,2 5,7.8 z m -16,-28.2 -5,-8 -3,2 4,8 z"
     sodipodi:nodetypes="cccccccccc" />
   <path
     id="path9"
     style="fill:#333333"
     d="m 170,103 5,-7.8 -4,-2 -4,7.8 z m 17,-28.2 4,-8 -3,-2 -5,8 z"
     sodipodi:nodetypes="cccccccccc" />
  </g>
 </g>
 </svg>
--- a/flake.nix
+++ b/flake.nix
@ -12,17 +12,14 @@
    }:
    {
      nixosModules.default = ./contrib/nixos/modules/copyparty.nix;
-      overlays.default = final: prev: rec {
+      overlays.default = final: prev: {
        copyparty = final.python3.pkgs.callPackage ./contrib/package/nix/copyparty {
          ffmpeg = final.ffmpeg-full;
        };
-
+        python3 = prev.python3.override {
-        partyfuse = prev.callPackage ./contrib/package/nix/partyfuse {
+          packageOverrides = pyFinal: pyPrev: {
-          inherit copyparty;
+            partftpy = pyFinal.callPackage ./contrib/package/nix/partftpy { };
-        };
+          };
        u2c = prev.callPackage ./contrib/package/nix/u2c {
          inherit copyparty;
        };
      };
    }
@ -54,8 +51,6 @@
        packages = {
          inherit (pkgs)
            copyparty
            partyfuse
            u2c
            ;
          default = self.packages.${system}.copyparty;
        };
--- a/pyproject.toml
+++ b/pyproject.toml
@ -45,6 +45,14 @@ classifiers = [
 "Demo Server" = "https://a.ocv.me/pub/demo/"
 [project.optional-dependencies]
 all = [
    "argon2-cffi",
    "partftpy>=0.4.0",
    "Pillow",
    "pyftpdlib",
    "pyopenssl",
    "pyzmq",
 ]
 thumbnails = ["Pillow"]
 thumbnails2 = ["pyvips"]
 audiotags = ["mutagen"]
@ -86,7 +94,6 @@ copyparty = [
    "web/*.css",
    "web/*.html",
    "web/a/*.bat",
    "web/dd/*.png",
    "web/deps/*.gz",
    "web/deps/*.woff*",
 ]
--- a/scripts/copyparty-repack.sh
+++ b/scripts/copyparty-repack.sh
@ -137,10 +137,10 @@ repack() {
 }
 repack sfx-full "re gz"
-repack sfx-ent  "re no-dd"
+repack sfx-ent  "re"
-repack sfx-ent  "re no-dd gz"
+repack sfx-ent  "re gz"
-repack sfx-lite "re no-dd no-cm no-hl"
+repack sfx-lite "re no-cm no-hl"
-repack sfx-lite "re no-dd no-cm no-hl gz"
+repack sfx-lite "re no-cm no-hl gz"
 # move fuse and up2k clients into copyparty-extras/,
--- a/scripts/docker/Dockerfile.dj
+++ b/scripts/docker/Dockerfile.dj
@ -19,13 +19,16 @@ RUN     apk add -U !pyc \
            vips-jxl vips-heif vips-poppler vips-magick \
            py3-numpy fftw libsndfile \
            vamp-sdk vamp-sdk-libs \
            libraw py3-numpy cython \
        && apk add -t .bd \
            bash wget gcc g++ make cmake patchelf \
            python3-dev ffmpeg-dev fftw-dev libsndfile-dev \
            py3-wheel py3-numpy-dev libffi-dev \
            vamp-sdk-dev \
            libraw-dev py3-numpy-dev \
        && rm -f /usr/lib/python3*/EXTERNALLY-MANAGED \
        && python3 -m pip install pyvips \
        && python3 -m pip install "$(wget -O- https://api.github.com/repos/letmaik/rawpy/releases/latest | awk -F\" '$2=="tarball_url"{print$4}')" \
        && bash install-deps.sh \
        && apk del py3-pip .bd \
        && chmod 777 /root \
--- a/scripts/docker/Dockerfile.iv
+++ b/scripts/docker/Dockerfile.iv
@ -14,11 +14,14 @@ RUN     apk add -U !pyc \
            ffmpeg \
            py3-magic \
            vips-jxl vips-heif vips-poppler vips-magick \
            libraw py3-numpy cython \
        && apk add -t .bd \
            bash wget gcc g++ make cmake patchelf \
            python3-dev py3-wheel libffi-dev \
            libraw-dev py3-numpy-dev \
        && rm -f /usr/lib/python3*/EXTERNALLY-MANAGED \
        && python3 -m pip install pyvips \
        && python3 -m pip install "$(wget -O- https://api.github.com/repos/letmaik/rawpy/releases/latest | awk -F\" '$2=="tarball_url"{print$4}')" \
        && apk del py3-pip .bd
 COPY    i/dist/copyparty-sfx.py innvikler.sh ./
--- a/scripts/make-rpm.sh
+++ b/scripts/make-rpm.sh
@ -0,0 +1,66 @@
 #!/bin/bash
 set -e
 #--localbuild to build webdeps and tar locally; otherwise just download prebuilt
 #--pm change packagemanager; otherwise default to dnf
 while [ ! -z "$1" ]; do
 	case $1 in
 		local-build)  local_build=1  ; ;;
 		pm)           shift;packagemanager="$1";  ;;
 	esac
 	shift
 done
 [ -e copyparty/__main__.py ] || cd ..
 [ -e copyparty/__main__.py ] ||
 {
 	echo "run me from within the project root folder"
 	echo
 	exit 1
 }
 packagemanager=${packagemanager:-dnf}
 ver=$(awk '/^VERSION/{gsub(/[^0-9]/," ");printf "%d.%d.%d\n",$1,$2,$3}' copyparty/__version__.py)
 releasedir="dist/temp_copyparty_$ver"
 sourcepkg="copyparty-$ver.tar.gz"
 #make temporary directory to build rpm in
 mkdir -p $releasedir/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
 trap "rm -rf $releasedir" EXIT
 # make/get tarball
 if [ $local_build ]; then 
    if [ ! -f "copyparty/web/deps/mini-fa.woff" ]; then
        sudo $packagemanager update
        sudo $packagemanager install podman-docker docker
        make -C deps-docker
    fi
    if [ ! -f "dist/$sourcepkg" ]; then
        ./$cppdir/scripts/make-sfx.sh gz fast  # pulls some build-deps + good smoketest
        ./$cppdir/scripts/make-tgz-release.sh "$ver"
    fi
 else
    if [ ! -f "dist/$sourcepkg" ]; then
        curl -OL https://github.com/9001/copyparty/releases/download/v$ver/$sourcepkg --output-dir dist
    fi
 fi
 cp dist/$sourcepkg "$releasedir/SOURCES/$sourcepkg"
 cp "contrib/package/rpm/copyparty.spec" "$releasedir/SPECS/"
 sed -i "s/\$pkgver/$ver/g" "$releasedir/SPECS/copyparty.spec"
 sed -i "s/\$pkgrel/1/g"  "$releasedir/SPECS/copyparty.spec"
 sudo $packagemanager update
 sudo $packagemanager install \
 	rpmdevtools python-devel pyproject-rpm-macros \
 	python-wheel python-setuptools python-jinja2 \
    make pigz
 cd "$releasedir/"
 rpmbuild --define "_topdir `pwd`" -bb SPECS/copyparty.spec
 cd -
 rpm="copyparty-$ver-1.noarch.rpm"
 mv "$releasedir/RPMS/noarch/$rpm" dist/$rpm
--- a/scripts/make-sfx.sh
+++ b/scripts/make-sfx.sh
@ -46,8 +46,6 @@ help() { exec cat <<'EOF'
 # `no-fnt` saves ~9k by removing the source-code-pro font
 #   (browsers will try to use 'Consolas' instead)
 #
 # `no-dd` saves ~2k by removing the mouse cursor
 #
 # _____________________________________________________________________
 # build behavior:
 #
@ -61,8 +59,8 @@ help() { exec cat <<'EOF'
 #
 # _____________________________________________________________________
 # some usage examples:
-#   ./scripts/make-sfx.sh lang eng no-cm no-hl no-dd no-fnt no-smb no-pf
+#   ./scripts/make-sfx.sh lang eng no-cm no-hl no-fnt no-smb no-pf
-#   ./scripts/rls.sh sfx  lang eng no-cm no-hl no-dd no-fnt no-smb no-pf
+#   ./scripts/rls.sh sfx  lang eng no-cm no-hl no-fnt no-smb no-pf
 #   (reduces v1.14.2 from 700k to 495k)
 EOF
@ -76,7 +74,6 @@ gtar=$(command -v gtar || command -v gnutar) || true
 	sed()  { gsed  "$@"; }
 	find() { gfind "$@"; }
 	sort() { gsort "$@"; }
 	shuf() { gshuf "$@"; }
 	nproc() { gnproc; }
 	sha1sum() { shasum "$@"; }
 	unexpand() { gunexpand "$@"; }
@ -123,7 +120,6 @@ while [ ! -z "$1" ]; do
 		no-pf)  no_pf=1  ; ;;
 		no-fnt) no_fnt=1 ; ;;
 		no-hl)  no_hl=1  ; ;;
 		no-dd)  no_dd=1  ; ;;
 		no-cm)  no_cm=1  ; ;;
 		dl-wd)  dl_wd=1  ; ;;
 		ign-wd) ign_wd=1 ; ;;
@ -160,9 +156,9 @@ stamp=$(
 	done | sort | tail -n 1 | sha1sum | cut -c-16
 )
-rm -rf sfx$CSN/*
+rm -rf sfx/*
-mkdir -p sfx$CSN build
+mkdir -p sfx build
-cd sfx$CSN
+cd sfx
 tmpdir="$(
 	printf '%s\n' "$TMPDIR" /tmp |
@ -221,6 +217,7 @@ necho() {
 	tar -zxf $f
 	mv pyftpdlib-*/pyftpdlib .
 	rm -rf pyftpdlib-* pyftpdlib/test
 	patch -p1 <../scripts/patches/pyftpdlib-win313.patch
 	for f in pyftpdlib/_async{hat,ore}.py; do
 		[ -e "$f" ] || continue;
 		iawk 'NR<4||NR>27||!/^#/;NR==4{print"# license: https://opensource.org/licenses/ISC\n"}' $f
@ -398,7 +395,7 @@ ts=$(date -u +%s)
 hts=$(date -u +%Y-%m%d-%H%M%S) # --date=@$ts (thx osx)
 mkdir -p ../dist
-sfx_out=../dist/copyparty-sfx$CSN
+sfx_out=../dist/copyparty-sfx
 echo cleanup
 find -name '*.pyc' -delete
@ -456,13 +453,6 @@ rm -f ftp/pyftpdlib/{__main__,prefork}.py
 	ised "s/src:.*scp.*\)/src:local('Consolas')/" $f
 }
 [ $no_dd ] && {
 	rm -rf copyparty/web/dd
 	f=copyparty/web/browser.css
 	gzip -d "$f.gz" || true
 	ised 's/(cursor: ?)url\([^)]+\), ?(pointer)/\1\2/; s/[0-9]+% \{cursor:[^}]+\}//; s/animation: ?cursor[^};]+//' $f
 }
 [ $langs ] && {
 	echo $langs | grep -q eng || {
 		langs="eng|$langs"
@ -564,7 +554,7 @@ gzres() {
 }
-zdir="$tmpdir/cpp-mksfx$CSN"
+zdir="$tmpdir/cpp-mksfx"
 [ -e "$zdir/$stamp" ] || rm -rf "$zdir"
 mkdir -p "$zdir"
 echo a > "$zdir/$stamp"
@ -593,15 +583,7 @@ echo gen tarlist
 for d in copyparty partftpy magic j2 py2 py37 ftp; do find $d -type f || true; done |  # strip_hints
 sed -r 's/(.*)\.(.*)/\2 \1/' | LC_ALL=C sort |
 sed -r 's/([^ ]*) (.*)/\2.\1/' | grep -vE '/list1?$' > list1
-
+(grep -vE '\.gz$' list1; grep -E '\.gz$' list1) >list
 for n in {1..50}; do
 	(grep -vE '\.gz$' list1; grep -E '\.gz$' list1 | (shuf||gshuf) ) >list || true
 	s=$( (sha1sum||shasum) < list | cut -c-16)
 	grep -q $s "$zdir/h" 2>/dev/null && continue
 	echo $s >> "$zdir/h"
 	break
 done
 [ $n -eq 50 ] && exit
 echo creating tar
 tar -cf tar "${targs[@]}" --numeric-owner -T list
--- a/scripts/patches/pyftpdlib-win313.patch
+++ b/scripts/patches/pyftpdlib-win313.patch
@ -0,0 +1,41 @@
 Date: Tue, 22 Oct 2024 12:47:30 +0200
 Subject: Workaround for isabs() on Windows + Python 3.13 (#652)
 Starting from Python 3.13, `os.path.isabs("/foo")` on Windows return `False`
 diff --git a/pyftpdlib/filesystems.py b/pyftpdlib/filesystems.py
 index 9b9326bf..320ffe40 100644
 --- a/pyftpdlib/filesystems.py
 +++ b/pyftpdlib/filesystems.py
@@ -132,6 +132,16 @@ def cwd(self, path):
     # --- Pathname / conversion utilities
 +    @staticmethod
 +    def _isabs(path, _windows=os.name == "nt"):
 +        # Windows + Python 3.13: isabs() changed so that a path
 +        # starting with "/" is no longer considered absolute.
 +        # https://github.com/python/cpython/issues/44626
 +        # https://github.com/python/cpython/pull/113829/
 +        if _windows and path.startswith("/"):
 +            return True
 +        return os.path.isabs(path)
 +
     def ftpnorm(self, ftppath):
         """Normalize a "virtual" ftp pathname (typically the raw string
         coming from client) depending on the current working directory.
@@ -146,3 +156,3 @@
         assert isinstance(ftppath, unicode), ftppath
 -        if os.path.isabs(ftppath):
 +        if self._isabs(ftppath):
             p = os.path.normpath(ftppath)
@@ -162,3 +172,3 @@
         # This is for extra protection, maybe not really necessary.
 -        if not os.path.isabs(p):
 +        if not self._isabs(p):
             p = u("/")
@@ -201,3 +211,3 @@
         assert isinstance(fspath, unicode), fspath
 -        if os.path.isabs(fspath):
 +        if self._isabs(fspath):
             p = os.path.normpath(fspath)
--- a/scripts/prep.sh
+++ b/scripts/prep.sh
@ -22,10 +22,27 @@ update_arch_pkgbuild() {
    rm -rf x
 }
 update_mpr_pkgbuild() {
    cd "$self/../contrib/package/makedeb-mpr"
    rm -rf x
    mkdir x
    sha=$(sha256sum "$self/../dist/copyparty-$ver.tar.gz" | awk '{print$1}')
    awk -v ver=$ver -v sha=$sha '
        /^pkgver=/{sub(/[0-9\.]+/,ver)};
        /^sha256sums=/{sub(/[0-9a-f]{64}/,sha)};
        1' PKGBUILD >a
    mv a PKGBUILD
    rm -rf x
 }
 update_nixos_pin() {
    ( cd $self/../contrib/package/nix/copyparty;
      ./update.py $self/../dist/copyparty-sfx.py )
 }
 update_arch_pkgbuild
 update_mpr_pkgbuild
 update_nixos_pin
--- a/scripts/pyinstaller/deps.sha512
+++ b/scripts/pyinstaller/deps.sha512
@ -30,5 +30,5 @@ a726fb46cce24f781fc8b55a3e6dea0a884ebc3b2b400ea74aa02333699f4955a5dc1e2ec5927ac7
 3e39ea6e16b502d99a2e6544579095d0f7c6097761cd85135d5e929b9dec1b32e80669a846f94ee8c2cca9be2f5fe728625d09453988864c04e16bb8445c3f91  pillow-11.3.0-cp313-cp313-win_amd64.whl
 59fbbcae044f4ee73d203ac74b553b27bfad3e6b2f3fb290fd3f8774753c6b545176b6b3399c240b092d131d152290ce732750accd962dc1e48e930be85f5e53  pyinstaller-6.14.1-py3-none-win_amd64.whl
 fc6f3e144c5f5b662412de07cb8bf0c2eb3b3be21d19ec448aef3c4244d779b9ab8027fd67a4871e6e13823b248ea0f5a7a9241a53aef30f3b51a6d3cb5bdb3f  pyinstaller_hooks_contrib-2025.5-py3-none-any.whl
-2c7a52e223b8186c21009d3fa5ed6a856d8eb4ef3b98f5d24c378c6a1afbfa1378bd7a51d6addc500e263d7989efb544c862bf920055e740f137c702dfd9d18b  python-3.13.5-amd64.exe
+36db028e9f3d6805a57e89320283c07bd5eb0bb15c6edcd2ae4a7e46b06bfe6c96ed0793e8936cbb09b4f6b680a3f06dace2220a1e7d8b74ab6047698871db9e  python-3.13.7-amd64.exe
 2a0420f7faaa33d2132b82895a8282688030e939db0225ad8abb95a47bdb87b45318f10985fc3cee271a9121441c1526caa363d7f2e4a4b18b1a674068766e87  setuptools-80.9.0-py3-none-any.whl
--- a/scripts/pyinstaller/notes.txt
+++ b/scripts/pyinstaller/notes.txt
@ -40,7 +40,7 @@ fns=(
  pillow-11.3.0-cp313-cp313-win_amd64.whl
  pyinstaller-6.14.1-py3-none-win_amd64.whl
  pyinstaller_hooks_contrib-2025.5-py3-none-any.whl
-  python-3.13.5-amd64.exe
+  python-3.13.7-amd64.exe
  setuptools-80.9.0-py3-none-any.whl
 )
 [ $w7 ] && fns+=(
--- a/scripts/rls.sh
+++ b/scripts/rls.sh
@ -32,11 +32,8 @@ v=$1
 rm -f ../dist/copyparty-sfx*
 shift
 ./make-sfx.sh "$@"
-f=../dist/copyparty-sfx
+../dist/copyparty-sfx.py --version >/dev/null
-[ -e $f.py ] && s= || s=-gz
+mv ../dist/copyparty-{sfx,int}.py
 # TODO: the -gz suffix is gone, can drop all the $s stuff probably
 $f$s.py --version >/dev/null
 while [ "$1" ]; do
    case "$1" in
@ -46,27 +43,10 @@ while [ "$1" ]; do
    shift
 done
-[ $parallel -gt 1 ] && {
+./make-pyz.sh 
    printf '\033[%s' s 2r H "0;1;37;44mbruteforcing sfx size -- press enter to terminate" K u "7m $* " K $'27m\n'
    trap "rm -f .sfx-run; printf '\033[%s' s r u" INT TERM EXIT
    touch .sfx-run
    min=99999999
    for ((a=0; a<$parallel; a++)); do
        while [ -e .sfx-run ]; do
            CSN=$a ./make-sfx.sh re "$@"
            sz=$(wc -c <$f$a$s.py | awk '{print$1}')
            [ $sz -ge $min ] && continue
            mv $f$a$s.py $f$s.py.$sz
            min=$sz
        done &
    done
    read
    exit
 }
-while true; do
+./make-sfx.sh re lang eng "$@" 
-    mv $f$s.py $f$s.$(wc -c <$f$s.py | awk '{print$1}').py
+mv ../dist/copyparty-{sfx,en}.py
-    ./make-sfx.sh re "$@"
+mv ../dist/copyparty-{int,sfx}.py
 done
 # git tag -d v$v; git push --delete origin v$v
--- a/scripts/sfx.ls
+++ b/scripts/sfx.ls
@ -73,12 +73,6 @@ copyparty/web/browser.js,
 copyparty/web/browser2.html,
 copyparty/web/cf.html,
 copyparty/web/copyparty.gif,
 copyparty/web/dd,
 copyparty/web/dd/2.png,
 copyparty/web/dd/3.png,
 copyparty/web/dd/4.png,
 copyparty/web/dd/5.png,
 copyparty/web/dd/__init__.py,
 copyparty/web/deps,
 copyparty/web/deps/__init__.py,
 copyparty/web/deps/busy.mp3,
--- a/scripts/tl.js
+++ b/scripts/tl.js
@ -81,6 +81,7 @@ var tl_cpanel = {
 		"ad1": "enabling no304 will disable all caching; try this if k304 wasn't enough. This will waste a huge amount of network traffic!",
 		"ae1": "active downloads:",
        "af1": "show recent uploads",
 		"ag1": "view idp cache",
 	},
 };
@ -315,6 +316,7 @@ var tl_browser = {
 		"ct_qdel": 'when deleting files, only ask for confirmation once">qdel',
 		"ct_dir1st": 'sort folders before files">📁 first',
 		"ct_nsort": 'natural sort (for filenames with leading digits)">nsort',
 		"ct_utc": 'show all datetimes in UTC">UTC',
 		"ct_readme": 'show README.md in folder listings">📜 readme',
 		"ct_idxh": 'show index.html instead of folder listing">htm',
 		"ct_sbars": 'show scrollbars">⟊',
@ -390,6 +392,8 @@ var tl_browser = {
 		"mt_c2owa": "opus-weba, for iOS 17.5 and newer\">owa",
 		"mt_c2caf": "opus-caf, for iOS 11 through 17\">caf",
 		"mt_c2mp3": "use this on very old devices\">mp3",
 		"mt_c2flac": "best sound quality, but huge downloads\">flac",
 		"mt_c2wav": "uncompressed playback (even bigger)\">wav",
 		"mt_c2ok": "nice, good choice",
 		"mt_c2nd": "that's not the recommended output format for your device, but that's fine",
 		"mt_c2ng": "your device does not seem to support this output format, but let's try anyways",
--- a/setup.py
+++ b/setup.py
@ -132,11 +132,11 @@ args = {
        "copyparty.stolen.ifaddr",
        "copyparty.web",
        "copyparty.web.a",
        "copyparty.web.dd",
        "copyparty.web.deps",
    ],
    "install_requires": ["jinja2"],
    "extras_require": {
        "all": ["argon2-cffi", "partftpy>=0.4.0", "Pillow", "pyftpdlib", "pyopenssl", "pyzmq"],
        "thumbnails": ["Pillow"],
        "thumbnails2": ["pyvips"],
        "audiotags": ["mutagen"],
--- a/tests/test_idp.py
+++ b/tests/test_idp.py
@ -63,7 +63,7 @@ class TestVFS(unittest.TestCase):
        cfgdir = os.path.join(here, "res", "idp")
        # globals are applied by main so need to cheat a little
-        xcfg = {"idp_h_usr": "x-idp-user", "idp_h_grp": "x-idp-group"}
+        xcfg = {"idp_h_usr": ["x-idp-user"], "idp_h_grp": "x-idp-group"}
        return here, cfgdir, xcfg
--- a/tests/util.py
+++ b/tests/util.py
@ -143,7 +143,7 @@ class Cfg(Namespace):
    def __init__(self, a=None, v=None, c=None, **ka0):
        ka = {}
-        ex = "chpw cookie_lax daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz reflink rmagic rss smb srch_dbg srch_excl stats uqe vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs"
+        ex = "allow_flac allow_wav chpw cookie_lax daw dav_auth dav_mac dav_rt e2d e2ds e2dsa e2t e2ts e2tsr e2v e2vu e2vp early_ban ed emp exp force_js getmod grid gsel hardlink hardlink_only ih ihead localtime magic nid nih no_acode no_athumb no_bauth no_clone no_cp no_dav no_db_ip no_del no_dirsz no_dupe no_fnugg no_lifetime no_logues no_mv no_pipe no_poll no_readme no_robots no_sb_md no_sb_lg no_scandir no_tail no_tarcmp no_thumb no_vthumb no_u2abrt no_zip nrand nsort nw og og_no_head og_s_title ohead q rand re_dirsz reflink rmagic rss smb srch_dbg srch_excl stats uqe usernames vague_403 vc ver wo_up_readme write_uplog xdev xlink xvol zipmaxu zs"
        ka.update(**{k: False for k in ex.split()})
        ex = "dav_inf dedup dotpart dotsrch hook_v no_dhash no_fastboot no_fpool no_htp no_rescan no_sendfile no_ses no_snap no_up_list no_voldump re_dhash see_dots plain_ip"
@ -155,22 +155,22 @@ class Cfg(Namespace):
        ex = "gid uid"
        ka.update(**{k: -1 for k in ex.split()})
-        ex = "hash_mt hsortn qdel safe_dedup srch_time tail_fd tail_rate u2abort u2j u2sz"
+        ex = "hash_mt hsortn qdel safe_dedup srch_time tail_fd tail_rate th_spec_p u2abort u2j u2sz unp_who"
        ka.update(**{k: 1 for k in ex.split()})
-        ex = "au_vol dl_list mtab_age reg_cap s_thead s_tbody tail_tmax tail_who th_convt ups_who zip_who"
+        ex = "ac_convt au_vol dl_list mtab_age reg_cap s_thead s_tbody tail_tmax tail_who th_convt ups_who zip_who"
        ka.update(**{k: 9 for k in ex.split()})
-        ex = "db_act forget_ip idp_store k304 loris no304 nosubtle re_maxage rproxy rsp_jtr rsp_slp s_wr_slp snap_wri theme themes turbo u2ow zipmaxn zipmaxs"
+        ex = "ctl_re db_act forget_ip idp_cookie idp_store k304 loris no304 nosubtle qr_pin re_maxage rproxy rsp_jtr rsp_slp s_wr_slp snap_wri theme themes turbo u2ow zipmaxn zipmaxs"
        ka.update(**{k: 0 for k in ex.split()})
-        ex = "ah_alg bname chmod_f chpw_db doctitle df exit favico idp_h_usr ipa html_head lg_sba lg_sbf log_fk md_sba md_sbf name og_desc og_site og_th og_title og_title_a og_title_v og_title_i shr tcolor textfiles unlist vname xff_src zipmaxt R RS SR"
+        ex = "ah_alg bname chmod_f chpw_db doctitle df exit favico ipa html_head lg_sba lg_sbf log_fk md_sba md_sbf name og_desc og_site og_th og_title og_title_a og_title_v og_title_i shr tcolor textfiles txt_eol unlist vname xff_src zipmaxt R RS SR"
        ka.update(**{k: "" for k in ex.split()})
        ex = "ban_403 ban_404 ban_422 ban_pw ban_pwc ban_url spinner"
        ka.update(**{k: "no" for k in ex.split()})
-        ex = "ext_th grp on403 on404 xac xad xar xau xban xbc xbd xbr xbu xiu xm"
+        ex = "ext_th grp idp_h_usr idp_hm_usr ipr on403 on404 xac xad xar xau xban xbc xbd xbr xbu xiu xm"
        ka.update(**{k: [] for k in ex.split()})
        ex = "exp_lg exp_md"
@ -185,9 +185,12 @@ class Cfg(Namespace):
            E=E,
            bup_ck="sha512",
            chmod_d="755",
            cookie_cmax=8192,
            cookie_nmax=50,
            dbd="wal",
            dk_salt="b" * 16,
            fk_salt="a" * 16,
            grp_all="acct",
            idp_gsep=re.compile("[|:;+,]"),
            iobuf=256 * 1024,
            lang="eng",
Author	SHA1	Message	Date
ed	e7f2c6d806	update pkgs to 1.19.2	2025-08-17 11:51:56 +00:00
ed	a113d3b925	v1.19.2	2025-08-17 11:21:25 +00:00
ed	96cb5abf53	extend vips heif formats	2025-08-17 11:07:02 +00:00
ed	55c85d0984	docker: add rawpy to iv/dj	2025-08-17 11:06:38 +00:00
ed	782e2f1de3	bbox: stay fullscreen	2025-08-17 10:42:45 +00:00
ed	f4727f8ea3	fix config expansion order; closes #556	2025-08-17 10:05:25 +00:00
ed	d4cf42e760	show severity in logs with no-ansi; #616	2025-08-17 09:06:23 +00:00
ed	98d117b8ad	music-thumbs: use embedded art as default (closes #252 ); previous behavior can be restored with --th-spec-p 2 thumbnails cache (.hist/th/) must be deleted to take effect	2025-08-16 23:00:15 +00:00
ed	d9046f7e01	fix xvol false-positive; given the following config: * volume /a mapped to /srv/nas/ * volume /b mapped to /srv/nas/foo/ * anyone can read volume /a but not /b accessing /a/foo/ would incorrectly fail because the xvol-check would select /b based on its abspath being physically closer, not considering that the same abspath is reachable from /a	2025-08-16 21:55:51 +00:00
ed	dcc6b1b4ef	fix download-selection in old firefox; closes #618	2025-08-16 21:54:45 +00:00
ed	274c074775	hide --rp-loc in tree; closes #306	2025-08-16 20:45:46 +00:00
Toast	187cae25bf	Build nix packages from source (#253 ) * nix: get source tarball with update.py * nix: build from source nix: remove u2c and partyfuse packages The main copyparty package has u2c and partyfuse, so these packages are redundant now nix: add fusepy dependency fix: nix: use replace pyfuse with fusepy * nix: fix extra python packages * nix: add optional dependencies * nix: add partftpy package * nix: add tftp parameter to package * nix: enable pyproject for partftpy package * nix: replace partftpy overlay with real package * nix: add updater for partftpy * nix: bring back local release pin to update.py nix: update local release pin function in update.py --------- Signed-off-by: Toast <39011842+toast003@users.noreply.github.com>	2025-08-16 06:29:03 +02:00
ed	43a19779c1	ftp: fix potential utime issue; closes #539	2025-08-15 21:36:02 +00:00
ed	23ea1c8a14	better dropdown color	2025-08-15 21:35:10 +00:00
ed	e3c7d6776e	fix test	2025-08-15 21:34:56 +00:00
ed	4df033ecc3	[DB-V6]: store usernames; closes #530	2025-08-15 21:33:13 +00:00
ed	1228b5510b	option -ss requires webdav login; closes #613	2025-08-15 20:14:35 +00:00
ed	62e072a2ed	restrict account to ip/subnet; closes #397	2025-08-15 20:12:17 +00:00
ed	a4649d1e71	generic header auth (closes #504 ); extends idp-auth to also accept a collection of headers (and expected values of those headers) and map those to certain users useful for Tailscale-User-Login and similar	2025-08-15 19:19:21 +00:00
ed	f4a3fba29c	add global-logout button	2025-08-14 21:53:57 +00:00
ed	3aa8b7aa2d	ftp: reject uploads nicely; closes #573 if a client tries to upload where it does not have write-access, rather than kicking the client with an exception, reply properly	2025-08-14 20:31:58 +00:00
ed	d56230573d	separate audio-transcode timeout (#598 )	2025-08-14 20:02:32 +00:00
ed	af8620da92	fix `--lang` helptext; closes #594	2025-08-14 19:50:50 +00:00
ed	2961dea5bb	tl cleanup	2025-08-14 19:36:20 +00:00
nyqui	4e878d2f1e	initial Korean translation (#583 ) Signed-off-by: nyqui <67160376+nyqui@users.noreply.github.com>	2025-08-14 19:30:41 +00:00
ed	7f44875061	autogen pw for blank-pw users (closes #596 ); if a user is defined with a blank password, generate a strong password for that user	2025-08-14 19:22:04 +00:00
ed	68907eaf48	add "@acct", a group with all authed users; closes #604	2025-08-14 19:11:57 +00:00
ed	c4a4fddd27	translations: OK/Cancel; closes #599	2025-08-14 18:36:31 +00:00
ed	5b62742512	run from src with py3.9	2025-08-14 18:10:55 +00:00
ed	554cc2f3ee	support xdev/xvol in rootless vfs; closes #603	2025-08-14 18:09:23 +00:00
ed	6303effe59	configurable max num cookies	2025-08-14 17:49:48 +00:00
ed	659f351c65	support pillow-heif; closes #607	2025-08-14 16:42:48 +00:00
Bevinsky	d676a86f3f	Add Swedish translation (#551 )	2025-08-13 22:50:15 +00:00
ed	715d374ee4	button to abort copy/move; closes #572	2025-08-12 21:46:42 +00:00
Danny Piper	c9fd608732	feat: added cr3 to raw formats list Signed-off-by: Danny Piper <djpiper28@gmail.com>	2025-08-12 22:19:54 +02:00
ed	c32a672a68	fix transcoding tooltips; closes #580	2025-08-12 19:34:44 +00:00
ed	69d9878acd	use the good name	2025-08-12 19:03:34 +00:00
varphi	d8662aeb0e	add win95 light and dark themes (#581 )	2025-08-12 19:01:41 +00:00
mat	a407eb9269	warn if failed to import pyvips pyvips uses `ffi.callback()`, which fails on on some systems	2025-08-12 20:15:26 +02:00
ed	1ebe06f51e	sticky qr-code; #533	2025-08-11 20:49:09 +00:00
ed	88243ac8d6	make-rpm: small tweaks; * fail fast on error * ensure all deps Signed-off-by: ed <s@ocv.me>	2025-08-11 20:36:14 +02:00
Kamalei Zestri	6ccc9224f3	make rpm	2025-08-11 20:36:14 +02:00
Adam R. Nelson	0177a9b402	Add RAW file thumbnailing support via rawpy (#567 ) * add RAW image file types to mimetype list * add RAW thumbnailer via rawpy --------- Signed-off-by: Adam R. Nelson <adam@nels.onl> Signed-off-by: ed <s@ocv.me>	2025-08-11 17:28:01 +00:00
AppleTheGolden	9435e6b2e2	EPUB Thumbnailing support (#561 ) * EPUB Thumbnailing support --------- Signed-off-by: ed <s@ocv.me> Co-authored-by: ed <s@ocv.me>	2025-08-10 20:30:37 +00:00
Bevinsky	0da93659a4	Add missing translated string in up2k.	2025-08-10 22:04:09 +02:00
ed	db2a03409c	update pkgs to 1.19.1	2025-08-10 12:44:51 +00:00
ed	c2cee222bd	v1.19.1	2025-08-10 12:26:12 +00:00
ed	b87f8f1b01	french improvements by @Equinoxs #553	2025-08-10 12:10:54 +00:00
ed	a01870b744	avoid macos bug (finder hangs on connect)	2025-08-10 13:55:52 +02:00
ed	3560eeb10e	better with sessions	2025-08-10 13:55:29 +02:00
ed	03acd65e96	avoid ios bug (keystore spam)	2025-08-10 11:45:20 +00:00
ed	e5e822951d	fix filter case-sensitivity	2025-08-10 11:31:12 +00:00
ed	347cf6a546	fix dropdown color	2025-08-10 11:28:22 +00:00
ed	8ba98877ee	patch pyftpdlib, fixes #539 upgrading pyftpdlib brings only pain and no benefits so grafting a patch for this instead	2025-08-10 11:23:22 +00:00
ed	3c78c6a880	custom mdns domain, closes #549	2025-08-10 10:07:41 +00:00
Andrew Lee	7aa21483c5	French translation part 2: splash.js #553	2025-08-10 10:06:23 +00:00
icxes	074e106e24	fix PRTY_CONFIG not reading global flags from the config	2025-08-10 12:02:44 +02:00
Tr3yWay996	e9ddfccfb6	Add French translation (#486 ) Add French translation (#486) --------- Signed-off-by: ed <s@ocv.me> Co-authored-by: Packingdustry <alois.mc@hotmail.com> Co-authored-by: Andrew Lee <andrew@alee14.me> Co-authored-by: A. Jakubiak <contact@jakubiak.fr>	2025-08-09 20:26:52 +00:00
Chloe Surett	91ce7a29aa	Add .idea to .gitignore (#547 )	2025-08-09 20:17:20 +00:00
Artur Borecki	392a4db55b	Add Polish translation (#463 ) Add Polish translation --------- Signed-off-by: Artur Borecki <me@pufereq.pl> Signed-off-by: ed <s@ocv.me> Co-authored-by: dai <contact@daimond113.com> Co-authored-by: ed <s@ocv.me>	2025-08-08 22:55:57 +00:00
Kent Daleng	3931bc2779	legg åt nynorskoversetjing (#537 ) * legg åt nynorskoversetjing, og fikser et par typos på bokmål også :) * add nno to splash, fix a few more stray typos * more til -> åt --------- Signed-off-by: Kent D <lolexplode@gmail.com>	2025-08-08 22:54:24 +02:00
chamdim	bd514f0666	Greek: fix typos (#529 ) Signed-off-by: chamdim <94919340+chamdim@users.noreply.github.com>	2025-08-08 09:54:27 +02:00
chamdim	f8a7c02f23	Greek: fix typo (#528 ) Signed-off-by: chamdim <94919340+chamdim@users.noreply.github.com>	2025-08-08 09:54:11 +02:00
Vlad	0dd5987250	add Ukrainian translations for control panel (#525 )	2025-08-08 09:53:50 +02:00
ed	4eca4885f3	update pkgs to 1.19.0	2025-08-07 22:43:08 +00:00
ed	e9ecb2edc5	v1.19.0	2025-08-07 22:13:52 +00:00
ed	f0b1c82b44	i18n: support czech declensions	2025-08-07 22:09:11 +00:00
Jakub Pelc	c955658332	Czech translation (#471 ) * added czech translation * add czech translations to splash --------- Signed-off-by: Jakub Pelc <jakub.pelc@seznam.cz> Signed-off-by: ed <s@ocv.me> Co-authored-by: ed <s@ocv.me>	2025-08-07 21:48:32 +00:00
ed	a98360f213	copyparty.exe: update to python 3.13.6	2025-08-07 21:30:55 +00:00
ed	33497e6b11	sfx: add english-only	2025-08-07 21:28:56 +00:00
ed	36ab323d08	sfx: simplify (remove bruteforce packing)	2025-08-07 21:26:59 +00:00
ed	1bf23fabc6	unames: fix shares	2025-08-07 20:59:41 +00:00
ed	d9e3f998d1	fix zipmaxu (it did nothing)	2025-08-07 20:53:25 +00:00
ed	1b71294aab	close #387	2025-08-07 20:30:09 +00:00
ed	346515ccf1	add optional username login; closes #511	2025-08-07 20:29:44 +00:00
icxes	3c42a34f7b	update PKGBUILD; remove prisonparty user service	2025-08-07 19:59:42 +00:00
icxes	13499d2846	remove prisonparty-user.service there is no real point to a prisonparty user service, as chroot requires root	2025-08-07 19:59:42 +00:00
ed	8b31ed8816	text-editor: optional EOL conversion; closes #513	2025-08-07 19:11:28 +00:00
ed	bcc3b1568e	add qrcode to connectpage; closes #523	2025-08-07 18:39:22 +00:00
ed	2943c7f2d5	move the docker config smoketest over here	2025-08-07 18:30:40 +00:00
exci	34d98e9980	add systemd user services and templated services (#502 ) * move service files from contrib/package/arch/ to /contrib/systemd/ * add simpler default copyparty.conf that puts users in jail * remove warning about .conf files in ~/.config/copyparty/ * update PKGBUILD with changes * add links to configuration examples in index.md * fix link to the example config * update README.md arch instructions --------- Co-authored-by: icxes <icxes@dev.null@need.moe> Co-authored-by: ed <s@ocv.me>	2025-08-07 18:10:26 +00:00
ed	9e980bb552	try to detect proxies with misbehaving caches (#488 )	2025-08-07 17:57:10 +00:00
ed	3f8cb7e877	xff: require explicit configuration of --rproxy; try to avoid dangerous misconfiguration of how to determine the client's IP by more aggressively asking for the correct config; if the --xff-hdr (default: x-forwarded-for) appears in a request then it will now be ignored unless --rproxy says which IP to use	2025-08-07 17:00:42 +00:00
ed	4a04356814	fix non-e2d dupe finalizing; when the up2k database is not enabled, only the 38400 most recent uploads are kept in memory serverside the webui did not anticipate this, expecting the server to finalize all dupes with just a single pass of brief handshakes fix this by doing as many passes as necessary, only stopping if a pass does not make any progress (filesystem-issues or some such)	2025-08-07 15:57:51 +00:00
ed	8a0746c6af	fix viewing .MD files	2025-08-07 15:24:15 +00:00
ed	54caf63f6a	optimize	2025-08-07 15:18:59 +00:00
mati1210	9b9d2a92ca	support systemd socket activation (fd passing) (#515 ) * add support for socket passing * slight tweaks before merge --------- Signed-off-by: mat <matheuz1210@gmail.com> Signed-off-by: ed <s@ocv.me> Co-authored-by: ed <s@ocv.me>	2025-08-07 15:00:53 +00:00
ed	a9ee4f24d5	dropdowns for languages, themes, key-notation	2025-08-06 21:53:20 +00:00
ed	29a4e54799	tl cleanup	2025-08-06 21:10:15 +00:00
ed	3b26884c69	tl cleanup	2025-08-06 21:08:11 +00:00
ed	392abd0675	add greek splash tl; closes #493	2025-08-06 21:02:25 +00:00
chamdim	50f46187f1	Greek translation (#468 ) * Greek translation * Update browser.js * greek: fixes before merge --------- Signed-off-by: chamdim <94919340+chamdim@users.noreply.github.com> Signed-off-by: ed <s@ocv.me> Co-authored-by: ed <s@ocv.me>	2025-08-06 21:00:42 +00:00
ed	7ae84dea1a	autorefresh controlpanel	2025-08-06 20:30:01 +00:00
ed	a57f7cc2f8	ie9: recent-uploads	2025-08-06 20:25:29 +00:00
ed	0f55a1ae86	fix js-crash for url `//`; closes #487	2025-08-06 20:24:31 +00:00
ed	00cb1f74e2	golf	2025-08-06 20:23:39 +00:00
ed	b664ebb01f	add chungus.conf (#475 )	2025-08-04 22:56:37 +00:00
ed	c2ac57a2a8	improve helptext for multi-value options (#475 )	2025-08-04 22:56:30 +00:00
geekalaa	0df1901fc0	fix: add missing L. prefix for un_clip localization string Fixes ReferenceError when copying links from recently uploaded files. The un_clip localization string was missing the L. prefix in up2k.js. Fixes #467	2025-08-04 18:11:16 +00:00
ed	8c000fd683	cleanup	2025-08-04 00:40:27 +00:00
ed	d4397e7217	update pkgs to 1.18.10	2025-08-04 00:39:26 +00:00
ed	d7e7e77f93	v1.18.10	2025-08-04 00:13:54 +00:00
ed	715f8424b3	tl cleanup	2025-08-03 23:42:51 +00:00
ed	40d56bb3f0	indicate play-as-audio for video files	2025-08-03 23:35:08 +00:00
ed	f9502c3df3	add idp-cookie; for high-traffic / glitchy auth servers	2025-08-03 23:27:53 +00:00
ed	ae5eefc528	add sfx explanation; #345	2025-08-03 23:02:56 +00:00
ed	6eaf8af15a	pypi: add extras-group "all"; closes #398	2025-08-03 22:50:12 +00:00
ed	848315c009	do not force d2d with default vfs; #295 fixes v1.18.3 regression	2025-08-03 22:43:57 +00:00
ed	47fa4a9299	fix nosub with PUT uploads; closes #412	2025-08-03 22:34:37 +00:00
ed	9db8037e39	remove old joke end of an era	2025-08-03 22:24:36 +00:00
ed	39e5582496	ignore browser-extension errors; closes #435	2025-08-03 22:14:31 +00:00
ed	16bbcce51b	videos can be folder thumbnails; closes #459	2025-08-03 22:10:33 +00:00
ed	e85a71070e	docs: groups; closes #461	2025-08-03 21:42:26 +00:00
ed	d0499257c8	fix tests	2025-08-03 21:36:38 +00:00
ed	7d3a5c1e97	black	2025-08-03 21:35:52 +00:00
ed	153d240d0d	mention the -nc option in the max-conn errormsg	2025-08-03 21:35:33 +00:00
ed	66a5bf365b	fix ipv6 qrcode port; closes #449	2025-08-03 21:33:08 +00:00
ed	0d09fb6818	audio transcoding tweaks	2025-08-03 21:23:41 +00:00
Toby Kohlhagen	b2d48c646f	Add flac transcoding option	2025-08-03 20:23:27 +00:00
Toby Kohlhagen	b469db3c62	Add wav transcoding option	2025-08-03 20:23:27 +00:00
AOTREVAI	a38e6e65d5	Translate to Italian (#458 ) * Translating to Italian * Update browser.js * sync splash.js, browser.js * Update browser.js * Update splash.js --------- Signed-off-by: AOTREVAI <46420278+AOTREVAI@users.noreply.github.com>	2025-08-03 20:38:16 +02:00
DeStilleGast	3798e19a26	Dutch translation (#426 ) * Update browser.js to include Dutch language * Update splash.js to include some Dutch translations Signed-off-by: DeStilleGast <3677706+DeStilleGast@users.noreply.github.com>	2025-08-03 18:20:10 +02:00
Beethoven	c805c60f40	(scripts/prep.sh) update i forgot to follow the style woops Signed-off-by: Beethoven <44652883+Beethoven-n@users.noreply.github.com>	2025-08-03 13:27:27 +00:00
Chinpo Nya	c69c7c8ac0	additional instructions for --ah-cli	2025-08-03 13:26:56 +00:00
Techflash	50f1629355	Add test results for Wii Internet Channel Signed-off-by: Techflash <72118300+techflashYT@users.noreply.github.com>	2025-08-03 13:23:18 +00:00
ed	0bc1b8f715	readme: webdav and opengraph are incompatible by default	2025-08-03 10:22:52 +00:00
icxes	a68d5b03f1	fixup finnish translation here and there	2025-08-03 08:43:47 +00:00
ed	971360e914	set config from PRTY_CONFIG; closes #439	2025-08-02 23:24:32 +00:00
Kazi	7e3825f8f5	More verbose help text for TLS certificate flag (#429 ) * Clarify TLS key in help text * More verbose help text --------- Signed-off-by: Kazi <kzshantonu@users.noreply.github.com>	2025-08-02 14:06:57 +00:00
ed	b700072107	update pkgs to 1.18.9	2025-08-01 21:27:28 +00:00
ed	ca22cd8853	v1.18.9	2025-08-01 20:56:27 +00:00
ed	09910ba807	fix GHSA-5662-2rj7-f2v6 ; an unauthenticated user could make the server inaccessible by accessing the recent-uploads page and using an expensive filter fixed by making the filter not regex-based, only supporting bare-minimum anchoring (^foo bar$)	2025-08-01 20:42:49 +00:00
Beethoven	3c6f0b17d0	add Debian packaging via MPR (#385 ) * (scripts/prep.sh) prep mpr package at the same time as the arch package * (contrib/package/makedeb-mpr/) add MPR package i wanted this on my raspberry pi and i could've done it with docker but this gives me a systemd service. i haven't actually uploaded this at all --------- Signed-off-by: Beethoven <44652883+Beethoven-n@users.noreply.github.com>	2025-08-01 22:10:03 +02:00
ed	4fa7be2a48	change "ack" to "continue"; longer text so easier to tap on mobile, and less confusing for people who aren't network engineers and/or kernel hackers thx @JanluOfficial for the idea	2025-08-01 19:56:16 +00:00
ed	941761e6e7	tl cleanup	2025-08-01 19:50:38 +00:00
ed	c160428810	support tabs in configfiles; closes #400	2025-08-01 18:00:48 +00:00
ed	ad23b253dc	add `--localtime` for ui; closes #312	2025-08-01 17:55:34 +00:00
ed	d0d2f206a9	log creator of new/blank markdown files too	2025-08-01 17:49:23 +00:00
exci	7ecedb2ce2	add finnish translation (#381 ) * reorder translations alphabetically * R comes before S * add initial finnish translation * add splash.js for finnish translation * add ct_utc translation (fin) * fix finnish translation problems pointed out in review --------- Co-authored-by: icxes <icxes@dev.null@need.moe>	2025-08-01 19:46:46 +02:00
ed	fee1416cbc	redundant	2025-08-01 15:09:10 +00:00
ed	6d6d79fcbc	fix upload-abort in shares; closes #347	2025-08-01 15:08:55 +00:00
KevinXuxuxu	9c19753546	[u2c.py] Fix unicode files argument handling for py2.7	2025-08-01 14:39:57 +00:00
Juan Herruzo	4e8b88d8f6	fixed newline structure	2025-08-01 14:33:20 +00:00
Juan Herruzo	1ee89ec21d	order spa alphabetically in language selector	2025-08-01 14:33:20 +00:00
Juan Herruzo	9dcb45133b	order spa alphabetically	2025-08-01 14:33:20 +00:00
Juan Herruzo	1a5b7d40a8	changed esp to spa	2025-08-01 14:33:20 +00:00
Juan Herruzo	6e35171c88	added splash.js translation	2025-08-01 14:33:20 +00:00
Juan Herruzo	af34fbf1a4	fix badly translated keys	2025-08-01 14:33:20 +00:00
Juan Herruzo	be729fe557	small tweaks in the localization when looking a it in the gui	2025-08-01 14:33:20 +00:00
Juan Herruzo	a1dfd0be33	added spanish draft	2025-08-01 14:33:20 +00:00
Kevin Leutzinger	d357ff0d16	Update README.md Signed-off-by: Kevin Leutzinger <6435727+kleutzinger@users.noreply.github.com>	2025-07-31 23:07:32 +00:00
Kevin Leutzinger	e965dc9c74	Add `uvx copyparty` Signed-off-by: Kevin Leutzinger <6435727+kleutzinger@users.noreply.github.com>	2025-07-31 23:07:32 +00:00
Toast	f401fa7f6c	nix: remove space from list separator The extra speces made copyparty freak out if you tried listening to an ip address and a unix socket at the same time	2025-07-31 23:05:31 +00:00
Benjamin Bock	b69d590176	Improve Python 2 compatibility	2025-07-31 23:05:03 +00:00
ed	1f966bb9d5	devnotes: add tgz to build-from-scratch procedure	2025-07-31 22:57:14 +00:00
ed	3222ba3acd	man	2025-07-31 22:56:45 +00:00
ed	0e35f37638	tl cleanup	2025-07-31 22:11:49 +00:00
ed	edb5c2bdce	Revert "Added Dutch(NL) translation" (#380 ) This reverts commit `a2faf4e1e9`.	2025-07-31 21:56:06 +00:00
ed	714744f73e	Revert "Added Dutch(NL) Translation to `splash.js` (#373 )" (#379 ) This reverts commit `1c86b64a4e`.	2025-07-31 21:55:38 +00:00
Bart	1c86b64a4e	Added Dutch(NL) Translation to `splash.js` (#373 )	2025-07-31 18:43:55 +00:00
crypt0rr	a2faf4e1e9	Added Dutch(NL) translation	2025-07-31 18:23:50 +00:00
ed	b46b5c35e3	tl cleanup	2025-07-31 18:19:47 +00:00
Vlad	fea45e451d	add Ukrainian translation (#350 )	2025-07-31 19:20:36 +02:00
Altair	0b05c726de	Translate to Russian (#321 )	2025-07-31 19:01:41 +02:00
ed	cd460902b0	update pkgs to 1.18.8	2025-07-31 08:45:18 +00:00