audioplayer: s-s: use clamp from util (#1313)

README.md

@@ -1440,7 +1440,7 @@ general usage:
 on macos, connect from finder:
 * [Go] -> [Connect to Server...] -> http://192.168.123.1:3923/
 
-to upload or edit files with WebDAV clients, enable the `daw` volflag (because most WebDAV clients expect this) and give your account the delete-permission. This avoids getting several copies of the same file on the server. HOWEVER: This will also make all PUT-uploads overwrite existing files if the user has delete-access, so use with caution.
+to be able to edit existing files, the client must have the Delete-permission, and some webdav clients will also require the [daw](https://copyparty.eu/cli/#g-daw) volflag or global-option (not necessary if the client sends the `x-oc-mtime` header). Without `daw`, those clients will fail to modify existing files and instead create new copies with names like `notes.txt-1771978661.726032-3i9GPghL.txt`. **NOTE:** Enabling `daw` will also make all PUT-uploads overwrite existing files if the user has delete-access, so use with caution. Another alternative is the [dav-port](https://copyparty.eu/cli/#g-dav-port) option
 
 > note: if you have enabled [IdP authentication](#identity-providers) then that may cause issues for some/most webdav clients; see [the webdav section in the IdP docs](https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md#connecting-webdav-clients)
 

contrib/package/arch/PKGBUILD

@@ -3,7 +3,7 @@
 # NOTE: You generally shouldn't use this PKGBUILD on Arch, as it is mainly for testing purposes. Install copyparty using pacman instead.
 
 pkgname=copyparty
-pkgver="1.20.7"
+pkgver="1.20.10"
 pkgrel=1
 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, SFTP, FTP, TFTP, zeroconf, media indexer, thumbnails++"
 arch=("any")
@@ -24,7 +24,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
 backup=("etc/${pkgname}/copyparty.conf" )
-sha256sums=("a05ae0226c6171551d0af0e8dbbbbf6d6c32fa19ec06446b5f56726dcce1b8c4")
+sha256sums=("a651df2ab768ebdf2f41b7ff1e1fec788ae8a34848ce228c189f2d0f566c9fd9")
 
 build() {
     cd "${srcdir}/${pkgname}-${pkgver}/copyparty/web"

contrib/package/makedeb-mpr/PKGBUILD

@@ -2,7 +2,7 @@
 
 
 pkgname=copyparty
-pkgver=1.20.7
+pkgver=1.20.10
 pkgrel=1
 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, SFTP, FTP, TFTP, zeroconf, media indexer, thumbnails++"
 arch=("any")
@@ -21,7 +21,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
 backup=("/etc/${pkgname}.d/init" )
-sha256sums=("a05ae0226c6171551d0af0e8dbbbbf6d6c32fa19ec06446b5f56726dcce1b8c4")
+sha256sums=("a651df2ab768ebdf2f41b7ff1e1fec788ae8a34848ce228c189f2d0f566c9fd9")
 
 build() {
     cd "${srcdir}/${pkgname}-${pkgver}/copyparty/web"

contrib/package/nix/copyparty/pin.json

@@ -1,5 +1,5 @@
 {
-    "url": "https://github.com/9001/copyparty/releases/download/v1.20.7/copyparty-1.20.7.tar.gz",
-    "version": "1.20.7",
-    "hash": "sha256-oFrgImxhcVUdCvDo27u/bWwy+hnsBkRrX1ZybczhuMQ="
+    "url": "https://github.com/9001/copyparty/releases/download/v1.20.10/copyparty-1.20.10.tar.gz",
+    "version": "1.20.10",
+    "hash": "sha256-plHfKrdo698vQbf/Hh/seIroo0hIziKMGJ8tD1Zsn9k="
 }

copyparty/__main__.py

@@ -1482,7 +1482,7 @@ def add_ftp(ap):
 
 def add_webdav(ap):
     ap2 = ap.add_argument_group("WebDAV options")
-    ap2.add_argument("--daw", action="store_true", help="enable full write support, even if client may not be webdav. \033[1;31mWARNING:\033[0m This has side-effects -- PUT-operations will now \033[1;31mOVERWRITE\033[0m existing files, rather than inventing new filenames to avoid loss of data. You might want to instead set this as a volflag where needed. By not setting this flag, uploaded files can get written to a filename which the client does not expect (which might be okay, depending on client)")
+    ap2.add_argument("--daw", action="store_true", help="enable full write support, even if client may not be webdav. Some webdav clients need this option for editing existing files; not necessary for clients that send the 'x-oc-mtime' header. Regardless, the delete-permission must always be given. \033[1;31mWARNING:\033[0m This has side-effects -- PUT-operations will now \033[1;31mOVERWRITE\033[0m existing files, rather than inventing new filenames to avoid loss of data. You might want to instead set this as a volflag where needed. By not setting this flag, uploaded files can get written to a filename which the client does not expect (which might be okay, depending on client)")
     ap2.add_argument("--dav-inf", action="store_true", help="allow depth:infinite requests (recursive file listing); extremely server-heavy but required for spec compliance -- luckily few clients rely on this")
     ap2.add_argument("--dav-mac", action="store_true", help="disable apple-garbage filter -- allow macos to create junk files (._* and .DS_Store, .Spotlight-*, .fseventsd, .Trashes, .AppleDouble, __MACOS)")
     ap2.add_argument("--dav-rt", action="store_true", help="show symlink-destination's lastmodified instead of the link itself; always enabled for recursive listings (volflag=davrt)")

copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 20, 8)
+VERSION = (1, 20, 10)
 CODENAME = "sftp is fine too"
-BUILD_DT = (2026, 2, 22)
+BUILD_DT = (2026, 2, 25)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

copyparty/httpcli.py

@@ -178,6 +178,7 @@ RE_HTTP1 = re.compile(r"(GET|HEAD|POST|PUT) [^ ]+ HTTP/1.1$")
 RE_HR = re.compile(r"[<>\"'&]")
 RE_MDV = re.compile(r"(.*)\.([0-9]+\.[0-9]{3})(\.[Mm][Dd])$")
 RE_RSS_KW = re.compile(r"(\{[^} ]+\})")
+RE_SETCK = re.compile(r"[^0-9a-z=]")
 
 UPARAM_CC_OK = set("doc move tree".split())
 
@@ -649,8 +650,8 @@ class HttpCli(object):
             if len(zso) > self.args.cookie_cmax:
                 self.loud_reply("cookie header too big", status=400)
                 return False
-            zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
-            cookies = {k.strip(): unescape_cookie(zs) for k, zs in zsll}
+            zsll = [x.lstrip().split("=", 1) for x in zso.split(";") if "=" in x]
+            cookies = {k.rstrip(): unescape_cookie(zs.strip(), k) for k, zs in zsll}
             cookie_pw = cookies.get("cppws" if self.is_https else "cppwd") or ""
             if "b" in cookies and "b" not in uparam:
                 uparam["b"] = cookies["b"]
@@ -2575,6 +2576,10 @@ class HttpCli(object):
                     vfs.flags.get("daw")
                     or "replace" in self.headers
                     or "x-oc-mtime" in self.headers
+                    or (
+                        self.args.dav_port
+                        and self.args.dav_port == self.s.getsockname()[1]
+                    )
                 )
             ) or (
                 not bos.path.exists(os.path.join(fdir, tnam))
@@ -5628,7 +5633,10 @@ class HttpCli(object):
         return True
 
     def setck(self) -> bool:
-        k, v = self.uparam["setck"].split("=", 1)
+        zs = self.uparam["setck"]
+        if len(zs) > 9 or RE_SETCK.search(zs):
+            raise Pebkac(400, "illegal value")
+        k, v = zs.split("=")
         t = 0 if v in ("", "x") else 86400 * 299
         ck = gencookie(k, v, self.args.R, True, False, t)
         self.out_headerlist.append(("Set-Cookie", ck))

copyparty/svchub.py

@@ -1439,7 +1439,7 @@ class SvcHub(object):
                 self.log("root", "ssdp startup failed;\n" + min_ex(), 3)
 
     def reload(self, rescan_all_vols: bool, up2k: bool) -> str:
-        t = "config has been reloaded"
+        t = "users, volumes, and volflags have been reloaded"
         with self.reload_mutex:
             self.log("root", "reloading config")
             self.asrv.reload(9 if up2k else 4)
@@ -1449,6 +1449,7 @@ class SvcHub(object):
                 t += "; volumes are now reinitializing"
             else:
                 self.log("root", "reload done")
+            t += "\n\nchanges to global options (if any) require a restart of copyparty to take effect"
             self.broker.reload()
         return t
 

copyparty/util.py

@@ -3439,8 +3439,10 @@ def rmdirs_up(top: str, stop: str) -> tuple[list[str], list[str]]:
     return [top] + ok, ng
 
 
-def unescape_cookie(orig: str) -> str:
+def unescape_cookie(orig: str, name: str) -> str:
     # mw=idk; doot=qwe%2Crty%3Basd+fgh%2Bjkl%25zxc%26vbn  # qwe,rty;asd fgh+jkl%zxc&vbn
+    if not name.startswith("cppw"):
+        orig = orig[:3]
     ret = []
     esc = ""
     for ch in orig:

copyparty/web/browser.js

@@ -10041,7 +10041,7 @@ var mpss = (function() {
 			vthresh: afilt.sscv[0],
 			sthresh: afilt.sscv[1],
 			etresh: afilt.sscv[2],
-			sspeed: Math.min(8.0, Math.max(0.15, afilt.sscv[3])),
+			sspeed: clamp(afilt.sscv[3], 0.15, 8.0),
 			rspeed: 0.2,
 			loopInterval: 25,
 		};

docs/changelog.md

@@ -1,3 +1,43 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2026-0225-0834  `v1.20.9`  SECURITY: XSS fix
+
+## ⚠️ ATTN: this release fixes an XSS vulnerability
+
+[GHSA-62cr-6wp5-q43h](https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h) could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801f
+
+## 🔧 other changes
+
+* webdav: [dav-port](https://copyparty.eu/cli/#g-dav-port) can be used as an alternative to [daw](https://copyparty.eu/cli/#g-daw) d21242fc
+
+
+
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2026-0222-1507  `v1.20.8`  no265
+
+## 🧪 new features
+
+* #1298 add Hungarian translation (thx @sonacl!) eefb181b f37c3b96
+* #1299 chown now accepts 4-digit values (thx @new-sashok724!) 5a7504fd
+
+## 🩹 bugfixes
+
+* audioplayer skip-silence:
+  * #1303 clamp ffwd to safe values (thx @icxes!) f5e70c7f
+  * fix crash on folderchange f1a433a6
+
+## 🔧 other changes
+
+* due to [legal reasons](https://github.com/9001/copyparty/blob/hovudstraum/docs/bad-codecs.md), the [docker-images](https://github.com/9001/copyparty/blob/hovudstraum/scripts/docker) and [bootable flashdrive](https://a.ocv.me/pub/stuff/edcd001/enterprise-edition/) are now unable to create thumbnails of HEVC/h265 videos and heif/heic images 1bec91d1
+  * this primarily means photos/videos taken with iphones (and maybe some samsung phones)
+  * on the bright side, this has made the docker-images much smaller; `ac` is now half the size it used to be, and `iv` / `dj` are each 97 MiB smaller
+
+## 🌠 fun facts
+
+* if you wanna see your car doing its best impression of a frictionless spherical cow, I can warmly (heh) recommend the icy snowcoated countryroads of viken this weekend
+  * goes oddly well with [sakuraburst - deconstructing nature](https://www.youtube.com/watch?v=MJjO-pwYpJg)
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2026-0214-2315  `v1.20.7`  fika
 

scripts/docker/innvikler.sh

@@ -87,7 +87,6 @@ rm -rf \
 cd /usr/lib/python3.*/site-packages
 rm -rf \
   numpy/*/tests \
-  cryptography/hazmat/bindings/_rust.abi3.so \
   /usr/share/mime/packages/freedesktop.org.xml
 
 cd /usr/lib/python3.*/site-packages/copyparty/