9001/copyparty v1.11.0

You Can (Not) Proceed

on GitHub

this release was made possible by stoltzekleiven, kvikklunsj, and tako

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

no vulnerabilities since 2023-07-23

• there is a discord server with an @everyone in case of future important updates
• v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
• v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)

new features

• #62 support for identity providers and automatically creating volumes for each user/group ("home folders")
  • login with passkeys / fido2 / webauthn / yubikey / ldap / active directory / oauth / many other single-sign-on contraptions
  • documentation and examples could still use some help (I did my best)
• #77 UI to cancel unfinished uploads (available in the 🧯 unpost tab) 3f05b66
  • the user's IP and username must match the upload by default; can be changed with global-option / volflag u2abort
• new volflag sparse to pretend sparse files are supported even if the filesystem doesn't 8785d2f
  • gives drastically better performance when writing to s3 buckets through juicefs/geesefs
  • only for when you know the filesystem can deal with it (so juicefs/geesefs is OK, but definitely not fat32)
• --xff-src and --ipa now support CIDR notation (but the old syntax still works) b377791
• ux:
  • #74 option to use custom fonts 263adec 6cc7101 8016e67
  • option to disable autoplay when page url contains a song hash 8413ed6
    • good if you're using copyparty to listen to music at the office and the office policy is to have the webbrowser automatically restart to install updates, meaning your coworkers are suddenly and involuntarily enjoying some loud af jcore while you're asleep at home

bugfixes

• don't panic if cloudflare (or another reverse-proxy) decides to hijack json responses and replace them with html 7741870
• #73 the fancy markdown editor was incompatible with caddy (a reverse-proxy) ac96fd9
• media player could get confused if neighboring folders had songs with the same filenames 206af8f
• benign race condition in the config reloader (could only be triggered by admins and/or SIGUSR1) 096de50
• running tftp with optimizations enabled would cause issues for --ipa b377791
• cosmetic tftp bugs 115020b
• ux:
  • up2k rendering glitch if the last couple uploads were dupes 547a486
  • up2k rendering glitch when switching between readonly/writeonly folders 51a83b0
  • markdown editor preview was glitchy on tiny screens e558260

other changes

• add a sharex v12.1 config example 2527e90
• make it easier to discover/diagnose issues with docker and/or reverse-proxy config d744f3f
• stop recommending the use of --xff-src=any in the log messages 7f08f10
• ux:
  • remove the k304 togglebutton in the controlpanel by default 1c011ff
  • mention that a full restart is required for [global] config changes to take effect 0c03921
• docs e78af02
  • how to use copyparty with amazon aws s3
  • faq: http/https confusion caused by incorrectly configured cloudflare
  • #76 docker: ftp-server howto
• copyparty.exe: updated pyinstaller to 6.5.0 bdbcbbb

⚠️ not the latest version!