audioplayer: s-s: use clamp from util (#1313 )

update pkgs to 1.20.10
v1.20.10
2026-02-26 13:33:09 -07:00 · 2026-02-25 17:07:45 +00:00 · 2026-02-25 15:37:31 +00:00 · 2026-02-25 15:33:12 +00:00 · 2026-02-25 15:27:03 +00:00 · 2026-02-25 15:24:51 +00:00
8 changed files with 26 additions and 12 deletions
--- a/contrib/package/arch/PKGBUILD
+++ b/contrib/package/arch/PKGBUILD
@ -3,7 +3,7 @@
 # NOTE: You generally shouldn't use this PKGBUILD on Arch, as it is mainly for testing purposes. Install copyparty using pacman instead.

 pkgname=copyparty
-pkgver="1.20.8"
+pkgver="1.20.10"
 pkgrel=1
 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, SFTP, FTP, TFTP, zeroconf, media indexer, thumbnails++"
 arch=("any")
@ -24,7 +24,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
 backup=("etc/${pkgname}/copyparty.conf" )
-sha256sums=("6b1d8d3043b8b1899cb1fb140dcac87b7bcda52ba6566f0d8ec8c0c143966ef0")
+sha256sums=("a651df2ab768ebdf2f41b7ff1e1fec788ae8a34848ce228c189f2d0f566c9fd9")

 build() {
    cd "${srcdir}/${pkgname}-${pkgver}/copyparty/web"
--- a/contrib/package/makedeb-mpr/PKGBUILD
+++ b/contrib/package/makedeb-mpr/PKGBUILD
@ -2,7 +2,7 @@


 pkgname=copyparty
-pkgver=1.20.8
+pkgver=1.20.10
 pkgrel=1
 pkgdesc="File server with accelerated resumable uploads, dedup, WebDAV, SFTP, FTP, TFTP, zeroconf, media indexer, thumbnails++"
 arch=("any")
@ -21,7 +21,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
 backup=("/etc/${pkgname}.d/init" )
-sha256sums=("6b1d8d3043b8b1899cb1fb140dcac87b7bcda52ba6566f0d8ec8c0c143966ef0")
+sha256sums=("a651df2ab768ebdf2f41b7ff1e1fec788ae8a34848ce228c189f2d0f566c9fd9")

 build() {
    cd "${srcdir}/${pkgname}-${pkgver}/copyparty/web"
--- a/contrib/package/nix/copyparty/pin.json
+++ b/contrib/package/nix/copyparty/pin.json
@ -1,5 +1,5 @@
 {
-    "url": "https://github.com/9001/copyparty/releases/download/v1.20.8/copyparty-1.20.8.tar.gz",
-    "version": "1.20.8",
-    "hash": "sha256-ax2NMEO4sYmcsfsUDcrIe3vNpSumVm8NjsjAwUOWbvA="
+    "url": "https://github.com/9001/copyparty/releases/download/v1.20.10/copyparty-1.20.10.tar.gz",
+    "version": "1.20.10",
+    "hash": "sha256-plHfKrdo698vQbf/Hh/seIroo0hIziKMGJ8tD1Zsn9k="
 }
--- a/copyparty/version.py
+++ b/copyparty/version.py
@ -1,6 +1,6 @@
 # coding: utf-8

-VERSION = (1, 20, 9)
+VERSION = (1, 20, 10)
 CODENAME = "sftp is fine too"
 BUILD_DT = (2026, 2, 25)

--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@ -650,8 +650,8 @@ class HttpCli(object):
            if len(zso) > self.args.cookie_cmax:
                self.loud_reply("cookie header too big", status=400)
                return False
-            zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
-            cookies = {k.strip(): unescape_cookie(zs, k) for k, zs in zsll}
+            zsll = [x.lstrip().split("=", 1) for x in zso.split(";") if "=" in x]
+            cookies = {k.rstrip(): unescape_cookie(zs.strip(), k) for k, zs in zsll}
            cookie_pw = cookies.get("cppws" if self.is_https else "cppwd") or ""
            if "b" in cookies and "b" not in uparam:
                uparam["b"] = cookies["b"]
--- a/copyparty/svchub.py
+++ b/copyparty/svchub.py
@ -1439,7 +1439,7 @@ class SvcHub(object):
                self.log("root", "ssdp startup failed;\n" + min_ex(), 3)

    def reload(self, rescan_all_vols: bool, up2k: bool) -> str:
-        t = "config has been reloaded"
+        t = "users, volumes, and volflags have been reloaded"
        with self.reload_mutex:
            self.log("root", "reloading config")
            self.asrv.reload(9 if up2k else 4)
@ -1449,6 +1449,7 @@ class SvcHub(object):
                t += "; volumes are now reinitializing"
            else:
                self.log("root", "reload done")
+            t += "\n\nchanges to global options (if any) require a restart of copyparty to take effect"
            self.broker.reload()
        return t

--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@ -10041,7 +10041,7 @@ var mpss = (function() {
 			vthresh: afilt.sscv[0],
 			sthresh: afilt.sscv[1],
 			etresh: afilt.sscv[2],
-			sspeed: Math.min(8.0, Math.max(0.15, afilt.sscv[3])),
+			sspeed: clamp(afilt.sscv[3], 0.15, 8.0),
 			rspeed: 0.2,
 			loopInterval: 25,
 		};
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -1,3 +1,16 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2026-0225-0834  `v1.20.9`  SECURITY: XSS fix
+
+## ⚠️ ATTN: this release fixes an XSS vulnerability
+
+[GHSA-62cr-6wp5-q43h](https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h) could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801f
+
+## 🔧 other changes
+
+* webdav: [dav-port](https://copyparty.eu/cli/#g-dav-port) can be used as an alternative to [daw](https://copyparty.eu/cli/#g-daw) d21242fc
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2026-0222-1507  `v1.20.8`  no265
Author	SHA1	Message	Date
exci	7c60adc69c	audioplayer: s-s: use clamp from util (#1313 )	2026-02-25 17:07:45 +00:00
ed	d3260b27a6	update pkgs to 1.20.10	2026-02-25 15:37:31 +00:00
ed	e2ace1dab7	v1.20.10	2026-02-25 15:33:12 +00:00
ed	a29037a0e2	warn that reload doesn't do global-options	2026-02-25 15:27:03 +00:00
ed	ecdfd2d1ab	fix cookie OWS; v1.20.9 broke login	2026-02-25 15:24:51 +00:00
ed	00ab7888d7	update pkgs to 1.20.9	2026-02-25 08:39:42 +00:00