Lees weergave

↗️

what? nohtml is evolving!

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes a vulnerability

GHSA-m6hv-x64c-27mm the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c9f894

recent important news

🧪 new features

  • version-checker (thx @icxes!) c6965f0
    • default-disabled; you must choose a URL to grab security advisories from to enable it
    • periodically checks the security advisories and shows a warning in the controlpanel if you're running a vulnerable version
    • can optionally panic and shutdown the server if you prefer that
    • man, the timing on this though... absolute cinema

🩹 bugfixes

🔧 other changes

  • #1316 Chinese translation got a huge makeover (thx @satgo1546 and @lxdlam!) b015274
  • #1324 better rclone advice on the connect-page 8941701
  • static website resources, previously served from /.cpr/ have moved to /.cpr/w/ for easier configuration of allowlists in reverseproxies and authentication middlewares 753ff54

🌠 fun facts

  • according to the SVG spec, images being able to execute javascript is a feature and intentional behavior... what a concept!

⚠️ not the latest version!

  •  
  • ↗️
↗️

fix login (ノ ゚ヮ゚)ノ ~┻━┻

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

recent important news

🩹 bugfixes

🔧 other changes

  • warn that config-reload doesn't do global-options a29037a

🌠 fun facts

  • rushing out a cve-fix in the wee hours of the morning before the 9-5 is a great idea that never goes wrong
    • 10/10 will probably do again

⚠️ not the latest version!

  •  
  • ↗️
↗️

SECURITY: XSS fix

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-02-25)

⚠️ ATTN: this release fixes an XSS vulnerability

GHSA-62cr-6wp5-q43h could let an attacker execute arbitrary JS by tricking you into clicking a malicious link 31b2801

known issue: login broken, fix roughly 8pm UTC tonight

🔧 other changes

⚠️ not the latest version!

  •  
  • ↗️
↗️

no265

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

🩹 bugfixes

🔧 other changes

  • due to legal reasons, the docker-images and bootable flashdrive are now unable to create thumbnails of HEVC/h265 videos and heif/heic images 1bec91d
    • this primarily means photos/videos taken with iphones (and maybe some samsung phones)
    • on the bright side, this has made the docker-images much smaller; ac is now half the size it used to be, and iv / dj are each 97 MiB smaller

🌠 fun facts

  • if you wanna see your car doing its best impression of a frictionless spherical cow, I can warmly (heh) recommend the icy snowcoated countryroads of viken this weekend

⚠️ not the latest version!

  •  
  • ↗️
↗️

fika

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

  • now possible to upload/delete files while the filesystem-indexer is still busy d44ea24 0ca4c1b
    • global-option fika decides which actions to allow while still indexing; default is upload+copy+delete
    • full deduplication is only guaranteed if this option is set blank, as dupes are allowed while indexing
  • #1266 browsers can request thumbnails as jxl images, and view jxl files in the gallery (thx @intelfx!) b2711e0 720c83b 93ffc65 a65a30b a7a25de 59de5e2 16403d8 48c1017 0e8913c
    • only works in browsers which support jxl, which is FINALLY happening (sure took a while)
    • some notes on memory/RAM usage though -- it is fine on Alpine Linux, so docker is also fine, just don't enable mimalloc
      • jxl can be disabled with global-option th-no-jxl if necessary on baremetal deployments until libvips fixes this
  • #1265 audioplayer can "skip silence" now (thx @icxes!) 6694998
  • #1287 opensearch support for opds (thx @philips!) 84e687a
  • #1276 option rw-edit is the list of file-extensions that can be edited as textfiles with only permissions read+write (default is md like before); all other files still require read+write+delete 312f48e d692838
  • #1288 option to customize the links copied when selecting files and pressing ctrl-c (thx @icxes!) e5d0a05
  • docker: add env-var DI_PREPARTY to run an arbitrary script during startup, for customizations and such bf01ca4

🩹 bugfixes

  • #1279 the textfile-viewer would refuse to load huge documents when hotlinked f02e9cf
  • #1280 the custom rightclick-menu was enabled in the textfile viewer fc8a4b8
  • #1262 logtail now works on windows; would previously take an exclusive-lock on the monitored file, as windows does by default a368fc6

🔧 other changes

  • volumes are hidden from the treeview if the name starts with a dot 76041fd
  • #1277 descript.ion files no longer require the e2d and e2t options to be enabled 4cb4e82
  • chunked PUT-uploads are now terminated if they exceed a configured size limit dfadb5a
  • #1282 improved compatibility with GraalPy (thx @vgskye!) e8609b8
  • #1292 #1296 updated Esperanto translation (thx @slashdevslashurandom!) 418bf2f 914f84c
  • thumbnails: use libvips as fallback for rawpy 27ae2e1
    • libvips doesn't support .arw files (sony) yet, so still need rawpy
  • make server config slightly easier:
    • improve xff warnings 96aeb89
    • warn if config-values are quoted 598df44
    • lowercase headernames in configs fd09638

🌠 fun facts

  • the fika option sends the filesystem-indexer on a coffee break
  • exci wants me to mention aoi yuuki here for some reason :^) so here's gekisou gungnir

⚠️ not the latest version!

  •  
  • ↗️
↗️

one safeguard too many

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

  • #1264 now possible to grant the get permission when creating a share 95b827f
    • the button was already there, but until now it did nothing

🩹 bugfixes

  • a safeguard (24141b4) added in v1.20.5 was too strict and would block requests from certain reverseproxies, specifically anything that adds X-Forwarded-HTTP-Version 72224d2

⚠️ not the latest version!

  •  
  • ↗️
↗️

fast again

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

🩹 bugfixes

🔧 other changes

  • fast again! ed6a8d5
    • replaced the connection:close band-aid added in v1.20.4 with a proper fix that doesn't make things slower behind reverseproxies
    • I've tried everything I can think of (with nginx as reverseproxy) and can't notice any difference in behavior, but please let me know if this breaks anything for you 🙏
  • #1245 updated Portuguese translation (thx @000yesnt!) 69fa1d1
  • #1259 OpenRC: add command to test config (thx @lotsospaghetti!) 79273a7
  • #1257 removed the nth global-option because it was never implemented (thx @stackxp!) 22cdc0f
  • syntax highlighter: added languages nasm + nix, removed autohotkey + cmake b20d325

🌠 fun facts

  • http/1.1 still tends to be faster than http/2 and http/3 for large transfers which is the main reason copyparty hasn't made the change
    • eh, not really a fun fact I suppose ┐( ´ w `)┌

⚠️ not the latest version!

  •  
  • ↗️
↗️

a fresh pair of sock(et)s

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🩹 bugfixes

  • #1235 rightclick-menu: fix creating new files/folders in gridview (thx @SpaceXCheeseWheel!) ffca67f
  • #1231 fix http desync if the urlform global-option was changed to get
    • this initial fix only applies when reverse-proxied, in which case copyparty will now always connection:close (don't reuse tcp/uds connections), as giving each client a fresh socket helps avoid all such issues e1eff21 b4fddbc
    • the expected performance impact from this change is near-zero for real use, even if benchmarks show a 40% reduction in requests/sec in the absolute-worst-case (burst of cheap requests)
    • a future version will also fix this issue for non-proxied clients

🔧 other changes

⚠️ not the latest version!

  •  
  • ↗️
↗️

dillo approves

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

🧪 new features

  • send-message-to-serverlog now also available as url-parameter ?smsg=foo 6dcb1ef
    • option smsg configures which HTTP-methods to allow; can be set to GET,POST but default is only POST because GET is dangerous (CSRF)

🩹 bugfixes

  • #1227 dillo was not able to login because dillo is more standards-compliant than every other browser (nice) b4df8fa
  • a web-scraper which got banned for making malicious requests could remain banned for one request longer than intended (wait why did I fix this) ba67b27
  • ?ls was still a bit jank 0a3a807

🌠 fun facts

  • this 6AM release was powered by void/mournfinale
  • was going to name the release "dilla på dillo" but somehow google-translate thinks that means "fuck on fuck" which would have been inappropriate

⚠️ not the latest version!

  •  
  • ↗️
↗️

xattrs + range-select

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #1212, #1214 range-select in the grid-view by click-and-drag (thx @icxes!) 3e3228e 72c5940
  • #134 xattrs (linux extended file attributes) can now be indexed and searchable 8240ef6
  • rightclick-menu:
  • option to override the domain in certain links, so copyparty returns an external URL even if you're accessing it by a LAN address:
  • new option vol-nospawn (volflag nospawn) to not automatically create the volume's folder on the server's HDD if it doesn't exist
  • new option vol-or-crash (volflag assert_root) to intentionally crash on startup if a volume's folder doesn't already exist on the server HDD
  • new option --flo to tweak the log-format used by the -lo option for logging to a file 826e84c
  • #1197 u2c (commandline uploader): give up and crash if server is offline for longer than 3 minutes (configurable) 67c5d8d

🩹 bugfixes

  • #1203 configured chmod/chown rules were not applied when a file was being deduped bef0772
  • the unlistc* volflags could not be specified for single-file volumes 2664891
  • the defensive renaming of uploaded readmes/logues would assume the default filenames, not considering the recently added option to customize these names c17c3be
  • #1191 the ipu option can once again be used to reject connections from certain IP-ranges caf831f
    • this was a regression in v1.19.21 causing the server to crash on startup if such a config was attempted
  • some empty folders could be created during startup in certain server-configs with nested volumes 4e67b46
  • api: trying to ?ls nested virtual folders could return an error 6675039
  • ui/ux:
    • #1179 improve errormessage if audio transcoding fails 7357d46
    • ensure a trailing slash when viewing a folder with the h permission; good for relative links in html-files

🔧 other changes

  • #1193, #1194: NixOS improvements (thx @toast003!) 9d223d6 d5a8a34
  • truncate huge errormessages from ffmpeg so the log doesn't get flooded 3aebfab
  • ui/ux:
    • the dl button (to download selected files individually) now skips folders, since that never worked bc24604
    • #1200 add html classes to make custom styling easier c46cd7f
    • rephrase errormessages from see serverlog to see fileserver log
  • docs:
    • mention in the readme that uploading files from a deeply nested folder using a webbrowser on Windows can fail because browsers don't handle the max-pathlen limitation of Windows optimally (not a copyparty-specific issue, but still hits us)

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

sftp fixes

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

🩹 bugfixes

  • various SFTP fixes (i blame the single tschunk on day 3):
    • #1170 be more lenient regarding stat permissions 9030828
    • #1170 deletes could return EPERM when ENOENT was more appropriate 8c9e101
    • #1170 files would be created with an extremely restrictive chmod 2f4a30b
      • certified octal moment
    • write-only folders could return ENOENT 6c41bac
  • #1177 disk-usage quotas became incompatible with shares in v1.20.0 038af50
  • appending to existing files with ?apnd was possible in volumes with non-reflink dedup, where it could propagate to deduped copies of the file 738a419
    • (was only possible for users with write+delete perms, so at least it couldn't be used for nefarious purposes)
  • rightclick-menu: "copy link" would strip filekeys 3a16d34

🔧 other changes

  • copyparty.exe: updated pillow to 12.1.0 a9ae6d5

🌠 fun facts

  • tschunk is the sound a hacker makes as they faceplant onto the table after having one too many

⚠️ not the latest version!

  •  
  • ↗️
↗️

sftp is fine too

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • sftp server 4714c2f ec7ea30
  • #1135 right-click menu (thx @stackxp and @Scotsguy!) 82c4960 05a4472
  • PUT can now append to existing files 63d8e5a
    • new option apnd-who to configure who is allowed to do that
  • #1128 added option to skip uploading a file if the filename is already taken on the server (thx @Scotsguy!) fa32e15
  • #1127 descript.ion now also works for folders 2c26aec
  • in file listings, up_by and up_ip (uploader info) can now be displayed for non-admin users by adding them to the mte option 7bfd370
  • #1120 display the disk-space quota instead of the underlying HDD size (thx @rabid-dev!) 511dc01 e0845b2
  • option to skip dotfiles/dotfolders when using download-as-zip 7d7a151
  • #1124 button to skip files with a filename collision when copying/moving files 85639ad
  • #1151 u2c (commandline uploader): option to use basic-auth instead of the PW header (thx @Le0Developer!) 120fdfb
  • the name of the pw url-param and http-header can be changed f81d80b
    • mainly to force basic-auth, but perhaps also for other purposes
    • changing these will break support for many clients, so you probably want to keep the default

🩹 bugfixes

  • image-viewer:
    • images now scale properly when rotated while the zoom feature is enabled c0e167f
    • the current image rotation will now be applied to the next image as well 485c60c c82a3cb
  • groups announced by an IdP will now also apply for native (copyparty-config) users f08cb25
  • windows: download-as-zip would flatten everything to a single folder 2d1d295
  • #1157 dirkeys did not work in grid-view d1ddcb1
  • #1123 the ui-notree option to simplify the UI would simplify a bit too much 4c73704
  • don't add the trailing slash to a volume in the controlpanel when the volume is a file 80a3749
    • the link couldn't be clicked on Windows CE 4.20 using Internet Explorer 4.01

🔧 other changes

  • #1158 updated german translation (thx @Scotsguy!) 3bf80c8
  • the dotfiles button now also toggles showing unlisted files e55e5a4
  • /?h&ls (the api to list volumes) now includes the user's permissions for each volume 1f6e811
  • #1142 new option dav-port to open a dedicated port for webdav clients 4642d32
    • workaround for certain clients which pretend to be webbrowsers
  • #1147 workaround for a buggy browser-extension 8551472
  • detect (and panic) when a webbrowser has failed to load one of the javascript files af3f777
    • replaces the confusing errormessage resulting from half of the code missing

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

bad apple x2

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #1080 new translation: Vietnamese (thx @thatfrozenfrog and @khoidauminh!) b60eb3f d4a9787
  • #1110 add option xf-proto-fb to support reverseproxies which do not provide an x-forwarded-proto header 9c64788
    • and improve the rproxy config guidance message in the serverlog c8f3b4e
    • and show a warning in the controlpanel if misconfiguration is detected c8f3b4e
  • #1109 add option --ipar, reverseproxy-aware alternative to --ipa 3368421
    • its purpose is rejecting connections from unexpected/unwanted IPs/subnets
  • option idp-chsub can be used to replace spaces in IdP usernames/groupnames 5e1d9a5
  • #1029 indicate password max-length in ui 8d46cf1

🩹 bugfixes

  • #1111 apple gave us coal for xmas this year 0b6d2d2
    • workaround for a new bug in safari (iOS and Macos) where it would randomly show a login-popup
  • #1113 the @acct group was unavailable in groupless IdP setups b6c2ec1

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

merikuri

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #1068 #1089 add options to customize which textfiles (readme/prologue/epilogue) to embed above/below directory listings 14bef85
    • prologues, epilogues, readmes, preadmes (global-options and/or volflags) accept a comma-separated list of filenames to look for
  • #1092 add option th-qv to change the thumbnail quality a1cbac0
    • also found and enabled a size-optimization for libvips, so:
  • #1092 automatically delete and rebuild thumbnails if thumbnailer-config is changed ca6c4de
  • #1049 add option log-date to display dates in logs 965a4a6
  • #1047 rss-feed: title/description of each entry is now a template-string which can reference arbitrary metadata properties (thx @djjeane!) 5e85e3d
  • extend the ramdisk safeguard to also prevent moving files into ephemeral storage fa91822
    • would previously prevent creating new files, but this was another potential source for confusion (thx coworker!)
  • now possible to customize the thank you for playing ban-message ce2eeba
  • #964 option to change the default value of the Cache-Control response-header 3bc0bf1

🩹 bugfixes

  • #1010 correctly replace illegal characters in filenames according to underlying filesystem ba017f7
    • for example, uploading a folder named COMPLE:X into an exFAT flashdrive on linux is now possible
    • and, to make that possible, filesystem-detection now sees the true filesystem behind FUSE (for example ntfs-3g) 3bbed1b
  • audio-playback would skip into the next folder rather than play the rest of the current one if the folder was sufficiently massive 8e2fb05
  • #1094 fix ipu with idp users 594ec39
  • commandline uploader: fix termsize detection on windows 7d526ea
  • #1104 the rss feature now complains loudly if e2d is not enabled (because that was always necessary but not obvious) 9219540
  • ui/ux:
    • #1102 the option to cosmetically hide server info did not apply for all themes e440578
    • the metadata-property date (default-disabled) was renamed to tdate to avoid colliding with the last-modified timestamp if enabled fecc3fd
  • docs:

🔧 other changes

  • add a loud warning in logs if X-Forwarded-Proto is not added by the reverseproxy ad45de9 1b222fb
    • almost did the same for X-Forwarded-Host too before realizing that's generally not a thing
  • #1038 creating a blank chpw.json before starting copyparty is now supported and no longer crashes on startup efc6a09
  • #1105 better feedback in the login ui (thx @stackxp!) 08474db
  • mtag/audio-key.py: replaced the melodic key detector since ffmpeg-8 / alpine-3.23 broke it 67ddc64
  • updated deps:
    • webdeps: dompurify-3.3.1 e0b04d9
    • copyparty.exe: python-3.13.11 9e64fe0

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

tadaimback

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • hooks now behave more usefully/predictably; 889bd32
    • hooks returning 0 will run the next hook (if any), and let the initiating action proceed if no other hooks object
    • hooks returning 100 will stop processing successive hooks, but return success, letting the initiating action proceed
    • hooks returning anything else will stop processing successive hooks (like the documentation always said) and also fail the initiating action (if hook is checked)
    • zmq hooks can now respond with json, doing relocations and all that stuff
  • new mtag plugin, geotag.py: read image geotags with exiftool (demo) 1c15c0d ac085b8
  • #972 markdown-links are rewritten to open in the markdown-viewer 278a0d8
  • #794 add json beautifier / minifier
  • #1058 ui-option and server-config to force download instead of showing files inline a9174e5
  • option stats-u to grant access to prometheus-metrics based on username, not just permissions b427d78

🩹 bugfixes

  • #1003 u2c.py (commandline uploader) did not install correctly on archlinux and/or pypi 9385dae
  • #1035 uploader could fail to initialize if: 98701b7
    • the mt button (webworkers) was enabled in the settings tab
    • and the network was severely strained during intial page load
  • possible deadlock on shutdown if thumbnailer queue was hella busy fb9f044
  • #971 windows: fix deadlock on startup if trying to use a nonexistant driveletter as a volume 945b227
  • #1022 js-panic if audio playback is set to stay-in-folder a28503e
  • links to ongoing file transfers in the controlpanel could 404 (thx @Habetdin!) 77f74dd f4d67ff
  • video scrubbing on iOS dba7c5d
  • #1054 audio volume slider could skip one percent (thx @shermanhlc!) ca6d3a5
  • detect invalid config:
    • #959 panic if ipu user doesn't exist 79e1078
    • panic if share config overlaps with a volume cedfc44
  • #943

🔧 other changes

  • the "new-markdown" feature was repurposed into "new-file", accepting any file extension 7d62335
  • #1023 the option to grant delete-access when creating a share was removed due to never having been implemented in the backend 04ac7fb
  • #1012 rephrased the controlpanel login-text when logged in to avoid confusion 7a29140
  • add hints that the serverlog is a good place to look in some situations c424a55
  • all thumbnail types and combinations can now be pregenerated a359b89
  • #1030 add debug if cfssl is misbehaving ec00dc1
  • #871 grid volflag is applied during navigation if user has not set a preference a9378a8
  • cosmetic:
    • show column number in markdown editor b9aacba
    • reduced grid margins in theme2 e469bc9
    • reduced redirect delay after logging in f7e7b03
    • controlpanel greeting in some fail-early responses acde21d
    • update hooks to ignore the new upload-queue-empty message 3f4b79f
  • docs:
  • nixos:
  • copyparty.exe: update to python 3.13.10, pillow 12.0 cdffde7

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

november

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #961 the /?shares listing now shows the list of filenames for each share 2cc53ea

🩹 bugfixes

  • #967 per-volume md/lg sandbox rules are now applied during navigation db60951
    • if a volume has no-sb-lg or no-sb-md set then it'll apply when navigating into that volume, and vice-versa

⚠️ not the latest version!

  •  
  • ↗️
↗️

copyparty.eu マークII

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🩹 bugfixes

  • fix building the archlinux package e3524d8

⚠️ not the latest version!

  •  
  • ↗️
↗️

copyparty.eu

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #949 when all uploads have finished, the client (both the browser and u2c) sends a message to the server saying it's done db87ea5
  • #941 copyparty-en.pyz, yet another copyparty variant, with enterprise-friendly tweaks:
    • does not include the smb-server, so antivirus doesn't think it's malware 7f5810f
    • english-only, because antivirus apparently hates certain translations too 7f5810f
    • renamed the webdav-config .bat to .txt because clearly only one of those are "dangerous" b624a38
  • show volumes with permssion h in the navpane fff7291
  • #937 global-option --notooltips to default-disable tooltips a325353

🩹 bugfixes

  • #948 fix the u2c --dr option when the server is running on windows d3dd345
  • fix crash on startup when using volflags unlistc* and the parent folder is not a volume cdd5e78
  • og / opengraph / discord-embed fixes:
    • using the h permission could result in unexpected 404 c9e45c1
    • a single-file volume could make filenames in its parent volume unintentionally visible 36ab77e
      • this would only happen when combined with --og
  • fix some harmless warnings from single-file volumes b1efc00
  • fix filesize-colors in selected rows 1c17b63

🔧 other changes

⚠️ not the latest version!

  •  
  • ↗️
↗️

read:cbz + re:ftp

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #916 view cbz manga/comics in the browser (thx @Scotsguy!) 8ef6dda
  • #845 users/groups can be subtracted from a broader access grant b4fda5f
    • for example *,-@acct hides a volume from everyone who's logged in
  • reflink dedup is now available in most python versions, not just 3.14 and newer f2caab6
    • much better and safer than symlink/hardlink-based dedup, but only works with a few filesystems
  • #905 option to magnify images/videos to fill the screen 66dc8b5
  • #921 #685 xm hooks can see the selected files (thx @carson-coder!) 6c024db 3364448
  • #927 textfiles can now be viewed with the ?doc= suffix with just the g permission dbb7870
  • #742 new volflag nodupem to prevent dupes from being moved into a volume; the stronger alternative to nodupe which only prevents uploads f55d834
  • audioplayer: show embedded coverart as fallback for cover.jpg in OS widgets 9746b4e
  • #928 option to hide certain ui-elements, either with volflags or url-params 98da5cc
  • #911 users can now avoid autoban according to permissions 6f02812
  • verbosity and permssion options for ?stack 677fd8e
    • default is now admin-only; previously it was "admin or read+write"

🩹 bugfixes

🔧 other changes

🌠 fun facts

  • looks like i'll be in Japan november 7~26 and then at CCC for newyears!
    • wait, I never made stickers... orz

⚠️ not the latest version!

  •  
  • ↗️
↗️

FULLBURST

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

🩹 bugfixes

  • web-ui: only show generic http errors if nothing better is available 0453b7a
  • #860 epub-thumbnailer errors are less noisy now 4177c1d
  • the ui-filesz option can have a trailing hyphen now 2248705
  • hide "create share" button while inside a share c5f1229

🔧 other changes

  • #460 example config for running the podman images as a systemd service (thx @danloveg!) 7fc379a
  • #886 nixos: option to specify unix-user/group to run as (thx @2Kaleb!) 31f1b53
  • #895 mention the ?v suffix to open mediafiles in the mediaplayer f8e1981
  • ignore 403s from /favicon.png (samsung-android)
  • docker: shrink the min image from 45 to 33 MiB a8f53d5
  • #887 add missing entries in --licenses 805a705
  • #887 various vendored python libraries can now be ripped out and replaced with system-libs:

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

merry christmas

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #184 add various human-readable formats for filesizes 234edde
  • search for files by their identifier ("wark"/checksum) 4e38e40
    • and those are displayed in file-listings now too 456addf
  • PUT-upload with header Replace will overwrite any existing files 397ed56
  • xbu/xau hooks can reject uploads with a custom message df0fa9d
  • #855 mDNS options to change the announced http/https port a3d9506
  • #473 #383 custom favicons per-volume (.ico/png/gif/svg) 470b504
    • doesn't seem to work in internet explorer... ah whatever, go next

🩹 bugfixes

  • #849 create IdP-db for --idp-store when necessary 80ca785
  • #859 cbz-thumbnailing had an accidental dependency on FFmpeg 983865d
  • docs: misleading markdown-expansion example e187df2

🔧 other changes

  • #851 show a huge warning when copyparty accidentally detects a failing HDD and/or filesystem-corruption during indexing 6912e86 eb5d767
  • #870 improved discord video embeds (thx @tsuza!) f0ecb08
  • #858 prefer reflinks (not hardlinks) in the -ss security option 57650a2
  • improved controlpanel action-buttons layout 9f46e4d

🌠 fun facts

padoru padoru padoru

⚠️ not the latest version!

  •  
  • ↗️
↗️

Voile, the Magic Library

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

🩹 bugfixes

  • #842 could not navpane into webroot if webroot is unmapped 0941fd4
  • upload-resume becomes funky when the OS/network is overloaded to the point where it starts dropping connections left and right -- the issue was reported on discord and I don't have a good way to reproduce it, but these changes may help and/or fix it:
    • b136a5b panic and drop chunk reservations if client or connection glitches out
    • 38df223 also drop reservations if subchunk logic hits an edgecase

🔧 other changes

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

conlangparty

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

🩹 bugfixes

  • #837 sharing an entire HDD on Windows (v1.19.9 regression) 6a24432
    • sharing your whole 【Dドライブ】 is once again possible
      • TLNote: Dドライブ means "D:\ drive"
      • if you can't upgrade, a workaround is global-option casechk: n
  • /?ls on an unmapped root didn't give a sensible response; now it should be okay except it won't have a cfg field 8f6194f

🔧 other changes

🌠 fun facts

  • the esperanto translation was the final straw; copyparty-sfx.py is now 1 MiB large
    • copyparty-en.py is still a comfy 759 KiB

⚠️ not the latest version!

  •  
  • ↗️
↗️

ftp fix

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🩹 bugfixes

  • #827 ftp on servers with unmapped root broke in v1.19.9 280815f

⚠️ not the latest version!

  •  
  • ↗️
↗️

ramdisk kinshi

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • prevent uploading into ramdisks by default 59a0122 538a205
    • safeguard against misconfigured docker containers, where certain parts of the vfs has not been mapped to actual storage, for example /w/music is but /w/ itself isn't
    • can be disabled with wram (global-option and/or volflag), mainly for ephemeral servers
  • #799 nixos: groups can be specified (thx @AnyTimeTraveler!) ee5f319
  • the logspam from the filesystem indexer can be reduced/disabled 478f1c7
    • new options scan-st-r, scan-pr-r, scan-pr-s

🩹 bugfixes

  • #809 medialinks (#af-badf00d) would fail on the very first pageload from a new browser 5996a58
  • #806 instructions for running on iOS was bad (thx @GhelloZ!) 35326a6

🔧 other changes

  • copyparty32.exe is now english-only, to save space 669b107
  • version info on startup indicates free-threading or not 6559152
  • docs: explain the daw option better a043d7c

⚠️ not the latest version!

  •  
  • ↗️
↗️

case-sensitivity, give or take

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

recent important news

🧪 new features

  • #781 case-sensitive behavior is now simulated on Windows/Macos/Fat32/NTFS 8b66874
    • avoids some of the scary issues associated with case-insensitive filesystems
    • unfortunately this is expensive and may be noticeably slower in large folders; disable the safeguard with casechk: n if you know you don't need it
  • #789 case-insensitive search for unicode filenames/paths (thx @km-clay!) e2aa8fc ecd18ad
    • default-disabled because it is somewhat expensive; enable with global-option srch-icase
  • CB-1 add --qr-stdout and --qr-stderr to show qr-code even with -q d7887f3

🩹 bugfixes

  • #775 the basic-uploader didn't accept empty files 25749b4
  • opt-out from index.html with ?v did not work as documented 3d09bec
  • Windows: dedup could get rejected by the filesystem if the origin file had a timestamp from the cambrian era e09f3c9
  • webdav would incorrectly return an error for Depth:0 on an unmapped root 3a2381f
  • markdown-editor would waste another http roundtrip on certain documents 14b7e51
  • --help didn't render if terminal was non-UTF8 3f45492

🔧 other changes

  • #788 fixed a hotkey typo in the imageviewer (thx @tkroo!) 5c1a43c
  • #778 improved polish translation (thx @daimond113!) 52438bc
  • #798 debian: fixed an issue in the systemd script (thx @Beethoven-n, and congrats on commit number 4000!) dfd9e00
  • media-tag conductor is no longer mapped to circle (album-artist) 9c9e405
  • "download-selection-as-zip" now produces a better filename, sel-FOLDERNAME.zip instead of FIRSTFILE.zip 8f58762
  • detect and warn if IdP volumes are misconfigured in a particular way 83bd197

🌠 fun facts

  • the themesong of this release is KO3 - Give it up? because that's what the car mechanic got to enjoy when i forgot to unplug the flashdrive before handing in the shitbox for service

⚠️ not the latest version!

  •  
  • ↗️
↗️

SECURITY: fix single-file shares

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)

⚠️ ATTN: this release fixes CVE-2025-58753, an issue with shares

  • when a share is created for just one or more files inside a folder, it was possible to access the other files inside that folder by guessing the filenames
  • it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
  • NOTE: this does NOT affect filekeys; this is specifically regarding the shr global-option

recent important news

🧪 new features

  • #761 IdP: option to replace the login/logout links and buttons with redirects into an IdP UI 09f2299
  • #726 disk-usage and server-version can be selectively hidden according to user permissions 19a4c45
  • option --shr-who / volflag shr_who decides who is able to create a share of that volume edafa15
  • #751 nixos: add globalExtraConfig to specify repeatable config parameters (thx @xvrqt!) 09e3018
  • some very small speedups (mainly u2c and ancient python versions) 74821a3
  • #759 #393 total folder size now decreases when files inside are deleted 96b109b
    • would previously require a reindex to get back on track

🩹 bugfixes

  • fix GHSA-pxvw-4w88-6x95 by fencing fileshares to just the shared files e0a92ba
  • #397 prevent hinting at valid passwords, even if they cannot be used to authenticate with 7a4ee4d
  • #747 disable some features if /tmp must be used for runtime config e6755aa
    • the config-folder will now also be created with chmod 700 (accessible by owner only)
  • #733 #298 fix hotkeys on non-qwerty keyboard layouts (dvorak etc.) e798a9a
  • #539 ftp-server: support clients which never does a CWD b049631
  • ignore the plaintext session-cookie on https; fixes some confusing behavior when switching from https to http c71128f
  • og-ua would prevent clients matching the pattern from accessing fullsize files
  • og-ua was only possible to set globally; the og_ua volflag was ignored 422f8f6
  • uds / unix-domain-sockets got wrong permissions when rm-sck was used e270fe6
  • #727 macos: support running from config-files 230a146
  • #539 avoid issues if someone uploads a file with a last-modified timestamp from year -9999999999999 eeb7738
  • using the spacebar to pause a video was jank on chrome bfcb6ea
  • block the next-song hotkey while a folder is loading f7e08ed
  • #748 fix rare js-panic when an action is aborted aaeec11
  • #738 bubbleparty: use /bin/bash (thx @ckastner!) 0469b5a

🔧 other changes

  • partyfuse: nice speedup by caching readdir too 06d2654
  • partyfuse: explain usage with usernames 1cdb388
  • connect-page: better examples when usernames enabled 3bdef75
  • docker: fix image annotations ab56238

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

chdir

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

🧪 new features

  • new option chdir to change the PWD (process working-directory) before volumes are mapped 14555d5

🩹 bugfixes

  • fix using empty folders as statefile storage (v1.19.6 made this a bit too strict) 0d96786
  • holding I/K to scroll through folders quickly now works better 914686e

🔧 other changes

  • #717 docker: fix the image repo metadata (thx @EmilyxFox!) 6f08711
  • docker: change $HOME to /state 01cf20a d1f7522
    • and use the new chdir option to preserve old config-file semantics 14555d5
    • helps avoid statefiles accidentally landing in /w as a consequence of misconfiguration

🌠 fun facts

⚠️ not the latest version!

  •  
  • ↗️
↗️

auth-precedence

✇Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-07-30)

recent important news

🧪 new features

  • #673 add Portuguese translation (thx anonymous!) 4b8c221
    • ...and enable the Polish translation (whoops) 8f235be
  • #689 add option to control authentication priority/precedence 543b7ea
  • url-parameter ?dl forces file download instead of displaying in-browser 48d6224
  • #533 more ways to make the QR-code always-visible in the console 2848941
  • #695 option to log invalid xml from clients 28b93d7
  • #552 configurable markdown newline behavior 0491123
    • and tweak the styling of monospace in links 6850344

🩹 bugfixes

  • #628 FTP-server now accepts connections from IPv6 link-local addresses 978801d
  • incorrect assumption that all IPv6 link-local addresses start with fe80 d39c74c
  • ftp: fix file rename d40f061
  • u2c: couldn't upload files located at the very top of the unix file hierarchy 599e82f
  • #699 markdown-editor: fix panic if the table-formatter is executed on something that isn't a table 4c042b3

🔧 other changes

  • #696 a volume can be one single file, not just folders aa1c921
  • #442 strongly prefer XDG_CONFIG_HOME as config location 3547255
  • #691 album-art collected from audio-files can now become folder thumbnails 0b50fde
  • allow spaces in more of the comma-separated options d30240b
  • docs:

⚠️ not the latest version!

  •  
  • ↗️
❌