Releases: 9001/copyparty

fix low-severity vuln

25 Feb 01:29

⚠️ this fixes a minor vulnerability; CVSS score 3.6/10

GHSA-m2jw-cj8v-937r aka CVE-2025-27145 could let an attacker run arbitrary javascript in the browser of an authenticated user, by tricking that user into uploading a file with a malicious filename (the upload-UI rendered the filename as HTML instead of text)

  • ...but it required some clever social engineering, and is not likely to be a cause for concern... ah, better safe than sorry

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

  • v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
  • v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

  • nothing this time

🩹 bugfixes

  • fix GHSA-m2jw-cj8v-937r / CVE-2025-27145 in 438ea6c
    • when trying to upload an empty file by dragging it into the browser, the filename would be rendered into the page as HTML instead of text, so a malicious filename could inject javascript (XSS) into the uploader's browser session
    • issue discovered and reported by @JayPatel48 (thx!)
  • related issues in errorhandling of uploads 499ae1c 36866f1
    • these all had the same consequences as the GHSA above, but a network outage was necessary to trigger them
      • which would probably have the lucky side-effect of blocking the javascript download, nice
  • paranoid fixing of probably-not-even-issues 3adbb2f
  • fix some markdown / texteditor bugs 407531b
    • only indicate file-versions for markdown files in listings, since it's tricky to edit non-textfiles otherwise
    • CTRL-C followed by CTRL-V and CTRL-Z in a single-line file would make a character fall off
    • ensure safety of extensions
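The bug class behind GHSA-m2jw-cj8v-937r, as an added example that is not copyparty's code and not the actual fix in 438ea6c: an upload-status row that interpolates the dropped file's name into an HTML string, next to the escaped version and the DOM-node version. The function names, the `up-err` class, the status message and the sample filename are invented for the illustration; the real UI markup is different.

```javascript
// Added example, not copyparty's code: how a raw filename in an HTML
// string becomes script execution, and two ways to prevent it.
// Function names, the "up-err" class and the messages are invented.

// Constructed sample filename: valid on most filesystems, but it is an
// <img> tag whose onerror handler runs whenever the tag is parsed as HTML.
const EVIL_NAME = '<img src=x onerror="alert(document.cookie)">.txt';

// Escape the five characters that matter for HTML element content and
// for double- or single-quoted attribute values.
function esc(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the filename is interpolated raw. Once this string is
// assigned to innerHTML, the browser parses the filename as markup and
// EVIL_NAME's onerror fires in the uploader's own session.
function renderStatusUnsafe(filename, msg) {
  return `<div class="up-err"><b>${filename}</b> ${msg}</div>`;
}

// HARDENED: every untrusted value is escaped before it joins the markup.
// The message is escaped as well, since the error-path variants of the
// bug put a server- or network-error string next to the filename.
function renderStatusSafe(filename, msg) {
  return `<div class="up-err"><b>${esc(filename)}</b> ${esc(msg)}</div>`;
}

// Safest when a DOM is available: build nodes and assign textContent, so
// there is no escaping step to forget. Needs a real `document`, so it is
// not exercised under plain Node.
function renderStatusDom(doc, filename, msg) {
  const div = doc.createElement('div');
  div.className = 'up-err';
  const b = doc.createElement('b');
  b.textContent = filename;           // stored as text, never parsed as HTML
  div.appendChild(b);
  div.appendChild(doc.createTextNode(' ' + msg));
  return div;
}

// Regression check for a test-suite: the only tags allowed in the output
// are the ones the template itself emits. Anything else came from input.
function hasForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][\w-]*/g) || [];
  return tags.some(t => !/^<\/?(div|b)$/.test(t));
}

// Demo when run directly: prints the two renderings side by side.
if (typeof require !== 'undefined' && require.main === module) {
  const msg = 'upload failed: empty file';
  console.log('unsafe:', renderStatusUnsafe(EVIL_NAME, msg));
  console.log('safe:  ', renderStatusSafe(EVIL_NAME, msg));
}
```

Under Node the two string renderers run as-is; `renderStatusDom` needs a real `document`. The escaper covers element content and quoted attribute values; a filename that lands inside a `<script>` block, a URL or a CSS context needs context-specific escaping, which is one reason the `textContent` route is the safer default.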

🔧 other changes

  • readme:
    • mention support for running the server on risc-v 6d102fc
    • mention that the sony psp can browse and upload 598a29a

💾 what to download?

download link      is it good?     description
copyparty-sfx.py   ✅ the best     runs anywhere! only needs python
a docker image     it's ok         good if you prefer docker 🐋
copyparty.exe      ⚠️ acceptable   for win8 or later; built-in thumbnailer
u2c.exe            ⚠️ acceptable   CLI uploader as a win7+ exe (video)
copyparty.pyz      ⚠️ acceptable   similar to the regular sfx, mostly worse
copyparty32.exe    ⛔️ dangerous    for win7 -- never expose to the internet!
cpp-winpe64.exe    ⛔️ dangerous    runs on 64bit WinPE, otherwise useless
  • except for u2c.exe, all of the options above are mostly equivalent
  • the zip and tar.gz files below are just source code
  • python packages are available at PyPI

overwrite by upload

19 Feb 23:37

🧪 new features

  • #139 overwrite existing files by uploading over them e9f78ea
    • default-disabled; a new togglebutton in the upload-UI configures it
    • can optionally compare last-modified-time and only overwrite older files
  • GDPR compliance (maybe/probably) 4be0d42

🩹 bugfixes

  • some cosmetic volflag stuff, all harmless b190e67
    • disabling a volflag foo with -foo shows a warning that -foo was not a recognized volflag, but it still does the right thing
    • some volflags give the "unrecognized volflag, will ignore" warning, but not to worry, they still work just fine:
      • xz to allow serverside xz-compression of uploaded files
  • the option to customize the loader-spinner would glitch out during the initial page load 7d7d5d6

🔧 other changes


⚠️ not the latest version!

configure with confidence

13 Feb 21:50

🧪 new features

  • make the config-parser more helpful regarding volflags a255db7
    • if an unrecognized volflag is specified, print a warning instead of silently ignoring it
    • understand volflag-names with Uppercase and/or kebab-case (dashes), and not just snake_case (underscores)
    • improve --help-flags to mention and explain all available flags
  • #136 WebDAV: support COPY 62ee7f6
    • also support overwrite of existing target files (default-enabled according to the spec; a COPY without an Overwrite header is treated as Overwrite: T)
      • the user must have the delete-permission to actually replace files
  • option to specify custom icons for certain file extensions 7e4702c
  • option to replace the loading-spinner animation 685f086

🩹 bugfixes

  • #136 WebDAV fixes 62ee7f6
    • COPY/MOVE/MKCOL: challenge clients to provide the password as necessary
      • most clients only need this in PROPFIND, but KDE-Dolphin is more picky
    • MOVE: support webdav:// Destination prefix as used by Dolphin, probably others
  • #136 WebDAV: improve support for KDE-Dolphin as client 9d76902
    • it masquerades as a graphical browser yet still expects 401, so special-case it with a useragent scan

🔧 other changes

  • Docker-only: quick hacky fix for the musl CVE until the official fix is out 4d6626b
    • the docker images will be rebuilt when musl-1.2.5-r9.apk is released, in 6~24h or so
    • until then, there is no support for reading korean XML files when running in docker
    • update: the docker images have since been rebuilt with the proper fix

🗿 known issues

  • some cosmetic volflag stuff, all harmless
    • disabling a volflag foo with -foo shows a warning that -foo was not a recognized volflag, but it still does the right thing
    • some volflags give the "unrecognized volflag, will ignore" warning, but not to worry, they still work just fine:
      • xz to allow serverside xz-compression of uploaded files

RTT

10 Feb 00:06

🧪 new features

🩹 bugfixes

  • improve iPad detection so they get opus instead of mp3 12dcea4

🔧 other changes

  • safeguard against accidental config loss cd71b50
    • while no copyparty servers have ended up in this unfortunate situation yet (afaik), be proactive and borrow some experience from other docker-based services
  • readme: improve config examples 32e9085
  • improve serverlog entries regarding 403s b020fd4
  • #132 mention fuse permissions in readme d9d2a09
  • traefik-example: fix disconnect during big uploads 6a9ffe7
  • try to show an appropriate warning for media that the browser doesn't support playing 4ef3526
    • was an attempt at detecting iphones failing to play high-color-precision webm files, but safari doesn't seem to realize itself that playback has failed, ah well
  • copyparty.exe: update to python 3.12.9
  • update deps: dompurify 3.2.4

fix no-acode

27 Jan 02:05

been too long since the last monday release huh...

🧪 new features

  • u2c (commandline uploader): print download-links for uploaded files 1fe3036
    • -u prints a list after all uploads finished
    • -ud print during upload, after each file
    • -uf a.txt writes them to a.txt

🩹 bugfixes

  • previous ver broke --no-acode (disable audio transcoding) by showing javascript errors 54a7256
    • reported on discord (thx)

🔧 other changes

  • nah

iOS9 is fine too

25 Jan 18:48

🧪 new features

  • support audio playback on really old apple devices c9eba39
    • will now transcode to mp3 when necessary, since iOS didn't support opus-in-caf before iOS 11
  • support audio playback on future apple devices 28c9de3 95390b6
    • iOS 17.5 introduced support for opus-in-weba (like webp, but for audio) and, unlike caf, this intentionally supports vbr-opus (awesome)
    • ...but the current code in iOS is too buggy, so this new format is default-disabled and we'll stick to caf for now fff38f4
  • ZeroMQ event-hooks can reject uploads 3a5c1d9
  • chat with ZeroMQ event-hooks from javascript cdd3b67
    • replies from ZMQ REP servers are included in the msg-to-log responses
    • which makes this joke possible f38c754

🩹 bugfixes

  • nope

🔧 other changes

  • option to restrict the recent-uploads listing to admins-only b8b5214

ZeroMQ says hello

22 Jan 23:56

🧪 new features

  • event-hooks can send zeromq / zmq / 0mq messages; see readme or --help-hooks for examples d9db153
  • new volflags to specify the allow-tag of the markdown/logue sandbox, to allow fullscreen and such (see --help-flags) 6a0aaaf
  • new volflag nosparse for possibly-better performance in very rare and specific scenarios 917380d
    • only enable this if you're uploading to s3 or something like that, and do plenty of benchmarking to make sure that it actually improved performance instead of making it worse

🩹 bugfixes

  • restrict max-length of filekeys to 72 characters e0cac6f
  • the hash-calculator mode of the commandline uploader produced incorrect whole-file hashes 4c04798
    • each chunk (--chs) was okay, but the final sum was not

🔧 other changes

  • selftest the xml-parser on startup with malicious xml b2e8bf6
    • just in case a future python-version suddenly makes it unsafe somehow
  • disable some features if a dangerously misconfigured reverseproxy is detected 3f84b0a
  • the download-as-zip feature now defaults to utf8 filenames 1231ce1

android boost

11 Jan 16:50

🧪 new features

  • 10x faster file hashing in android-chrome ec50788
    • on a recent pixel, speed went from 13 to 139 MiB/s
    • android's sandboxing makes small reads expensive, so do bigger reads instead
      • so the browser-tab will use more RAM on android now, maybe around 200 MiB
      • this only affects chrome-based browsers on android, not firefox
  • PUT/multipart uploads: request-header Accept: json makes it return json instead of html, just like ?j ce0e5be
  • add config examples for ishare, a MacOS screenshot utility inspired by ShareX 0c0d6b2
    • also includes a bug-workaround for ishare#107 - copyparty will now include a toplevel json property fileurl in the response if exactly one file was uploaded
    • the connect-page generates an appropriate copyparty.iscu for ishare

🩹 bugfixes

  • fix a potential upload deadlock when...
    • ...the database (-e2d) is not enabled for any volume, and...
    • ...either the shares feature, or user-changeable passwords, is enabled 9e542cf
  • when loading the partial-uploads registry on startup, a cosmetic desync could occur 467acb4

🔧 other changes


an idp fix for xmas

23 Dec 18:35

☃️🎄 there is still time 🎅🎁

❄️❄️❄️ please enjoy some appropriate music -- you'll probably like this more than the idp thing honestly ❄️❄️❄️

🧪 new features

  • more improvements to the recent-uploads feature 87598dc
    • move html rendering to clientside
      • any changes to the filter-text applies in real-time
      • loads 50% faster, reduces server-load by 30%
      • inhibits search engines from indexing it

🩹 bugfixes

  • using idp without e2d could mess with uploads dd6e9ea
  • u2c (commandline uploader): fix window title 946a8c5
  • mDNS/SSDP: fix incorrect log colors when multiple primary IPs are lost 552897a

🔧 other changes

  • ui: make it more obvious that the volume-control is a volume-control 7f04437
  • copyparty.exe: update deps (jinja2, markupsafe, pyinstaller) c0dacbc
  • improve safety of custom plugins 988a722
    • if you've made your own plugins which expect certain values (host-header, filekeys) to be html-safe, then you'll want to upgrade
    • also fixes rss-feed xml if password contains special characters

merry \x58mas

19 Dec 01:20

☃️🎄 it is time 🎅🎁

❄️❄️❄️ please enjoy some appropriate music (trust me on this one, you won't regret it) ❄️❄️❄️

🧪 new features

  • list of recent uploads eaa4b04
    • new button in the controlpanel; can be disabled with --no-ups-page
    • only users with the dot-permission can see dotfiles
    • only admins can see uploader-ip and upload-times
      • enable --ups-when to let all users see upload-times
  • #125 log decoded request-URLs 73f7249
    • non-ascii filenames would make the accesslog a wall of %E5%B9%BB%E6%83%B3%E9%83%B7 so print the decoded URL in addition to the original one, which is left as-is for debugging purposes

🩹 bugfixes

  • #126 improve dotfile handling 4c4e48b
    • was impossible to delete a folder which contained hidden files if the user did not have the permission to see hidden files
    • would also affect moving, renaming, copying folders, in which case the dotfiles would not be carried over to the new location
    • now, dotfiles are always deleted, and always moved/copied into the new destination, on the condition that this is safe -- if the user has the dotfile permission in the target location but not in the source location, the dotfiles will be left behind to avoid accidentally making them browsable
  • ux: cosmetic eta/idle-timer fixes 01a3eb2

🔧 other changes

  • warn on ambiguous comments in config files da5ad2a
  • avoid writing mojibake to the log 3051b13
    • use \x-encoding for unprintable text
