❌

Normale weergave

Ontvangen β€” 8 September 2025 ⏭

SECURITY: fix single-file shares

βœ‡Copyparty
Door: 9001
20 September 2025 om 01:19

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

⚠️ ATTN: this release fixes CVE-2025-58753, an issue with shares

  • when a share is created for just one or more files inside a folder, it was possible to access the other files inside that folder by guessing the filenames
  • it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
  • NOTE: this does NOT affect filekeys; this is specifically regarding the shr global-option

recent important news

πŸ§ͺ new features

  • #761 IdP: option to replace the login/logout links and buttons with redirects into an IdP UI 09f2299
  • #726 disk-usage and server-version can be selectively hidden according to user permissions 19a4c45
  • option --shr-who / volflag shr_who decides who is able to create a share of that volume edafa15
  • #751 nixos: add globalExtraConfig to specify repeatable config parameters (thx @xvrqt!) 09e3018
  • some very small speedups (mainly u2c and ancient python versions) 74821a3
  • #759 #393 total folder size now decreases when files inside are deleted 96b109b
    • would previously require a reindex to get back on track

🩹 bugfixes

  • fix GHSA-pxvw-4w88-6x95 by fencing fileshares to just the shared files e0a92ba
  • #397 prevent hinting at valid passwords, even if they cannot be used to authenticate with 7a4ee4d
  • #747 disable some features if /tmp must be used for runtime config e6755aa
    • the config-folder will now also be created with chmod 700 (accessible by owner only)
  • #733 #298 fix hotkeys on non-qwerty keyboard layouts (dvorak etc.) e798a9a
  • #539 ftp-server: support clients which never does a CWD b049631
  • ignore the plaintext session-cookie on https; fixes some confusing behavior when switching from https to http c71128f
  • og-ua would prevent clients matching the pattern from accessing fullsize files
  • og-ua was only possible to set globally; the og_ua volflag was ignored 422f8f6
  • uds / unix-domain-sockets got wrong permissions when rm-sck was used e270fe6
  • #727 macos: support running from config-files 230a146
  • #539 avoid issues if someone uploads a file with a last-modified timestamp from year -9999999999999 eeb7738
  • using the spacebar to pause a video was jank on chrome bfcb6ea
  • block the next-song hotkey while a folder is loading f7e08ed
  • #748 fix rare js-panic when an action is aborted aaeec11
  • #738 bubbleparty: use /bin/bash (thx @ckastner!) 0469b5a

πŸ”§ other changes

  • partyfuse: nice speedup by caching readdir too 06d2654
  • partyfuse: explain usage with usernames 1cdb388
  • connect-page: better examples when usernames enabled 3bdef75
  • docker: fix image annotations ab56238

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
Ontvangen β€” 28 Augustus 2025 ⏭

chdir

βœ‡Copyparty
Door: 9001
8 September 2025 om 02:02

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

πŸ§ͺ new features

  • new option chdir to change the PWD (process working-directory) before volumes are mapped 14555d5

🩹 bugfixes

  • fix using empty folders as statefile storage (v1.19.6 made this a bit too strict) 0d96786
  • holding I/K to scroll through folders quickly now works better 914686e

πŸ”§ other changes

  • #717 docker: fix the image repo metadata (thx @EmilyxFox!) 6f08711
  • docker: change $HOME to /state 01cf20a d1f7522
    • and use the new chdir option to preserve old config-file semantics 14555d5
    • helps avoid statefiles accidentally landing in /w as a consequence of misconfiguration

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️

auth-precedence

βœ‡Copyparty
Door: 9001
28 Augustus 2025 om 22:57

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

πŸ§ͺ new features

  • #673 add Portuguese translation (thx anonymous!) 4b8c221
    • ...and enable the Polish translation (whoops) 8f235be
  • #689 add option to control authentication priority/precedence 543b7ea
  • url-parameter ?dl forces file download instead of displaying in-browser 48d6224
  • #533 more ways to make the QR-code always-visible in the console 2848941
  • #695 option to log invalid xml from clients 28b93d7
  • #552 configurable markdown newline behavior 0491123
    • and tweak the styling of monospace in links 6850344

🩹 bugfixes

  • #628 FTP-server now accepts connections from IPv6 link-local addresses 978801d
  • incorrect assumption that all IPv6 link-local addresses start with fe80 d39c74c
  • ftp: fix file rename d40f061
  • u2c: couldn't upload files located at the very top of the unix file hierarchy 599e82f
  • #699 markdown-editor: fix panic if the table-formatter is executed on something that isn't a table 4c042b3

πŸ”§ other changes

  • #696 a volume can be one single file, not just folders aa1c921
  • #442 strongly prefer XDG_CONFIG_HOME as config location 3547255
  • #691 album-art collected from audio-files can now become folder thumbnails 0b50fde
  • allow spaces in more of the comma-separated options d30240b
  • docs:

⚠️ not the latest version!

  •  
  • ↗️
Ontvangen β€” 22 Augustus 2025 ⏭

it runs on iOS

βœ‡Copyparty
Door: 9001
28 Augustus 2025 om 22:57

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

πŸ§ͺ new features

  • #328 run copyparty on iPhones; see install on iOS in the readme ca98d54
    • cannot run in the background, doesn't have full access to your files, and is slightly buggy, but it works
    • running on android gives you a much better experience
  • save the qr-code to a file (txt/svg/png) 202ddea

🩹 bugfixes

πŸ”§ other changes

⚠️ not the latest version!

  •  
  • ↗️
Ontvangen β€” 17 Augustus 2025 ⏭

take two (fix cfg vols)

βœ‡Copyparty
Door: 9001
23 Augustus 2025 om 19:56

this release is a hotfix for #624; v1.19.2 broke volumes defined in config files

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

ℹ️ this upgrade is a one-way ticket

  • your up2k database (.hist/up2k.db), used by the e2d filesystem indexing feature, will be upgraded to a new format which older copyparty versions cannot read. A backup of each database will be created automatically, named up2k.db.bak.SOMETHING.v5. If you need to downgrade to a previous version: Shutdown copyparty, delete these files: up2k.db up2k.db-shm up2k.db-wal and then copy up2k.db.bak.*.v5 to up2k.db

πŸ§ͺ new features

  • new translations:
  • #581 new theme: phi95 (thx @varphi-online!) d8662ae
  • #567 .raw image thumbnails (thx @ar-nelson!) 0177a9b
    • available in docker-images iv and dj
  • #561 epub thumbnails (thx @Scotsguy!) 9435e6b
  • #252 music thumbnails use embdded coverart if available 98d117b
    • thumbnails folder .hist/th must be deleted to take effect
  • #530 show username of uploaders in file listings; requires a (admin) permission 4df033e
  • #604 a new group @acct which automatically contains all known usernames 68907ea
  • controlpanel has a dedicated "logout all sessions" button, similar to the logout-link in the browser f4a3fba
  • #397 accounts can be restricted to certian IPs 62e072a
  • #504 automatic login through tailscale auth a4649d1
  • #533 sticky qr-code with --qr-pin 1 1ebe06f
  • #572 button to abort copy/move 715d374
  • #618 "download selected files" didn't work on firefox 52 (winxp) dcc6b1b
  • max number of cookies to allow can be configured 6303eff
    • good if you have too many selfhosted services on one domain (but will beware of the spec-mandataed max length of the cookie field!)

🩹 bugfixes

  • fix xvol/xdev edgecases:
  • #573 ftp: attempting an upload into read-only folder no longer kills the connection 3aa8b7a
  • #306 adjust navpane for --rp-loc (location-based proxying)
  • #556 more sensible config expansion order f4727f8
  • the video player now stays fullscreen between videos 782e2f1
  • heif thumbnailing with libvips

πŸ”§ other changes

  • #253 build nix-packages from source (thx @toast003, @chinponya!) 187cae2
  • #616 logfiles will have a plaintext severity column if --no-ansi d4cf42e
  • #598 separate option --ac-convt for audio transcoding timeout d562305
  • #596 users with a blank password gets a strong random-generated one 7f44875
  • copyparty.exe: upgrade to python 3.13.7

⚠️ not the latest version!

  •  
  • ↗️
Ontvangen β€” 16 Augustus 2025 ⏭

archlinux fix

βœ‡Copyparty
Door: 9001
18 Augustus 2025 om 01:25

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

πŸ§ͺ new features

🩹 bugfixes

  • #539 FTP glitches when running on windows 8ba9887
  • #555 global-config didn't load through PRTY_CONFIG (thx @icxes!) 074e106
  • macos: could take a while to establish webdav connection from finder a01870b
  • ux:
    • dropdown colors 347cf6a
    • case-sensitivity in filters e5e8229
    • iOS being too enthusiastic about using saved passwords 03acd65

⚠️ not the latest version!

  •  
  • ↗️

usernames

βœ‡Copyparty
Door: 9001
10 Augustus 2025 om 15:47

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

πŸ§ͺ new features

  • #511 login with username and password (not just password) can now optionally be enabled with --usernames 346515c
    • if you have enabled password hashing (ah-alg: argon2 or similar) then you will need to hash your passwords again after enabling usernames, hashing them as username:password:
  • #468 add Greek translation (thx @chamdim!) 50f4618 392abd0
  • #471 add Czech translation (thx @kubakubakuba!) c955658
  • #515 support systemd socket acivation (thx @mati1210!) 9b9d2a9
  • #523 add QR-code to the connectpage bcc3b15
  • #513 optional EOL-conversion for texteditor 8b31ed8
  • controlpanel refresh-button now toggles automatic refresh 7ae84de

🩹 bugfixes

  • fix stuck uploads when the up2k database (e2d) is not enabled 4a04356
    • if more than 60'000 files were uploaded and there were several dupes of some files, they could get stuck and never upload
    • upload performance is improved remarkably by enabling e2d so such huge uploads non-e2d had not been tested in a long time
  • #467 #470 fix ui-crash when exporting links of all uploaded files to clipboard (thx @geekalaa!) 0df1901
  • #487 fix ui-crash when the location url-part is // 0f55a1a
  • fix viewing .MD files (8a0746c)

πŸ”§ other changes

  • when a reverse-proxy is detected, force explicit configuration of --rproxy to obtain correct client IP 3f8cb7e
    • a bit inconvenient, but helps prevent potentially-dangerous misconfiguration
    • the necessary configuration changes are explained in the serverlog (you can't miss it)
    • thanks to @person4268 for pointing out that there was room for improvements!
  • failed login attempts now only log a sha512 hash of the provided password
    • to see login-attempts with incorrect passwords as plaintext like before, log-badpwd: 1
  • #502 add systemd user services and templated services (thx @icxes!) 34d98e9
  • #475 improve helptext for multivalue global-options c2ac57a
  • #475 add chungus.conf, massive extensive nonsensical demo config b664ebb
  • try to detect proxies with incorrect caching behavior 9e980bb
  • recent-uploads now support ie9 a57f7cc
  • languages and themes are now dropdowns a9ee4f2
  • copyparty.exe: upgrade python to 3.13.6 a98360f
  • introduce copyparty-en.py, english-only edition of copyparty-sfx.py to save space 33497e6

πŸ—Ώ known issues

  • the copyparty.pyz in this release is english-only, and does not include the translations -- they got lost in transit while adjusting the buildscripts to make copyparty-en.py

⚠️ not the latest version!

  •  
  • ↗️

idp speedboost

βœ‡Copyparty
Door: 9001
8 Augustus 2025 om 14:16

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

πŸ§ͺ new features

🩹 bugfixes

  • #412 fix PUT-uploads into volumes with nosub volflag 47fa4a9
  • #435 ignore spurious exceptions from browser extensions 39e5582
  • #449 IPv6 QR-Code didn't include port 66a5bf3
  • #295 do not force d2d in blank vfs (introduced in v1.18.3) 848315c

πŸ”§ other changes

⚠️ not the latest version!

  •  
  • ↗️

fix Denial-of-Service

βœ‡Copyparty
Door: 9001
8 Augustus 2025 om 14:16

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

⚠️ ATTN: this release fixes a Denial-of-Service vuln

CVE-2025-54796: an unauthenticated user could make the server grind to a halt by accessing a particular URL

recent important news

πŸ§ͺ new features

🩹 bugfixes

πŸ”§ other changes

  • ack was changed to continue 4fa7be2

🌠 fun facts

  • the translations have made the sfx size balloon from 766 to 845 KiB in under a week... nice! keep em coming πŸŽ‰

⚠️ not the latest version!

  •  
  • ↗️

sfx hotfix

βœ‡Copyparty
Door: 9001
8 Augustus 2025 om 14:15

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-28)

recent important news

  • v1.18.7 (2025-07-30) (PREVIOUS RELEASE) fixed XSS in the recent-uploads page
  • v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
  • v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🩹 bugfixes

  • #354 fix copyparty-sfx.py failing to start on certain versions of python c17ce48

⚠️ not the latest version!

  •  
  • ↗️

SECURITY: fix another XSS

βœ‡Copyparty
Door: 9001
31 Juli 2025 om 11:20

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-8mx2-rjh8-q3jq, could let an attacker execute arbitrary JS by tricking you into clicking a malicious URL

Soon there won't be many of these left, surely. Huge thanks to @Ju0x for finding and reporting this.

recent important news

πŸ§ͺ new features

🩹 bugfixes

πŸ”§ other changes

  • shares: the config POST-target is now always the webroot (for ease of IdP configuration) fb7cbc4
  • unlist: now applies to the navpane too fbf17be
  • windows: show disk-usage as well, not just disk-free 5c6341e
  • #228 nix-pkg improvements (thx @dtomvan!) 4915b14
  • docker-compose: ensure logs appear in realtime 3cde1f3
  • mention that IdP-volumes and users can now be persisted 6069bc9
  • #316 explain a scary-looking thing in the code 053de61

⚠️ not the latest version!

  •  
  • ↗️

reflink-dedup

βœ‡Copyparty
Door: 9001
31 Juli 2025 om 11:19

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-28)

recent important news

  • v1.18.5 (2025-07-28) (PREVIOUS RELEASE) fixed XSS in display of media tags
  • v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
  • v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

πŸ§ͺ new features

  • #201 add support for reflink-based dedup on cow filesystems df9feab
    • combine --dedup with --reflink to enable, or volflags with same name
    • a better and safer alternative to the other dedup approaches (symlink/hardlink), but only possible to use in some cases:
      • needs linux 5.3 or newer, python 3.14 or newer, btrfs/xfs/zfs
      • not available in the docker images yet; needs a new version of python, so maybe next alpine release (november/december 2025)
  • ratelimit password changes to impede bruteforcing a2601fd
    • limit is set by --ban-pwc (default is 5 changes in 60min)

🩹 bugfixes

πŸ”§ other changes

⚠️ not the latest version!

  •  
  • ↗️

SECURITY: fix XSS in media tags

βœ‡Copyparty
Door: 9001
31 Juli 2025 om 11:19

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-28)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-9q4r-x2hj-jmvr, exploitable in two different ways, could let an attacker execute arbitrary javascript on other users:

  • either: tricking someone into clicking a malicious URL to load and execute javascript
  • or: uploading a malicious audio file to the server, affecting any successive visitors

so, with new and curious eyes on the project, we are starting off with a bang. Huge thanks to @altperfect for finding and reporting this earlier today.

recent important news

πŸ§ͺ new features

  • #214 option to stop playback after one song, and/or at end of folder 6bb27e6

🩹 bugfixes

πŸ”§ other changes

  • #189 the SameSite cookie parameter now defaults to Strict, increasing CSRF protection ca6d0b8
    • new option --cookie-lax reverts to previous value Lax
  • docker: add FTPS support b419984

⚠️ not the latest version!

  •  
  • ↗️

Landmarks

βœ‡Copyparty
Door: 9001
28 Juli 2025 om 01:57

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

  • v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
  • v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
  • v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

πŸ§ͺ new features

  • #182 Landmarks edba7ff
    • detects that a storage backend is glitching out and disengage the up2k-database as a precaution
  • #183 quickdelete 21a96bc
    • new togglebutton qdel in the UI which reduces the number of deletion confirmations by one
    • global-option --qdel=0 which can bring it all the way to zero (good luck)

🩹 bugfixes

  • fix unpost in recently created shares 2d322dd
  • fix filekeys on windows df6d4df

⚠️ not the latest version!

  •  
  • ↗️

drop the umask

βœ‡Copyparty
Door: 9001
25 Juli 2025 om 21:07

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

  • v1.16.15 (2025-02-25) fixed low-severity xss when uploading maliciously-named files
  • v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
  • v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

πŸ§ͺ new features

  • #181 the default chmod (unix-permissions) of new files and folders can now be changed 9921c43
    • --chmod-d or volflag chmod_d sets directory permissions; default is 755
    • --chmod-f or volflag chmod_f sets file permissions; default is usually 644 (OS-defined)
    • see --help-chmod which explains the numbers

🩹 bugfixes

  • #179 couldn't combine --shr (shares) and --xvol (symlink-guard) 0f0f8d9
  • #180 gallery buttons could still be clicked when faded-out 8c32b0e
  • rss-feeds were slightly busted when combined with rp-loc (location-based proxying) 56d3bcf
  • music-playback within search-results no longer jumps into the next folder at end-of-list 9bc4c5d
  • video-playback on iOS now behaves like on all other platforms 78605d9
    • (it would force-switch into fullscreen because that's their default)

⚠️ not the latest version!

  •  
  • ↗️
❌