- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
no vulnerabilities since 2023-07-23
- there is a discord server with an `@everyone` in case of future important updates
- v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
- all serverlogs reviewed so far (5 public servers) showed no signs of exploitation
new features
- iPhones and iPads are now able to...
  - 9986136 play entire albums while the screen is off without the music randomly stopping
    - apple keeps breaking AudioContext in new and interesting ways; time to give up (no more equalizer)
  - 1c0d978 perform search queries and execute js code
    - by translating smart-quotes into regular `'` and `"` characters
- python 3.12 support
  - technically a bugfix since it was added a year ago way before the first py3.12 alpha was released but turns out i botched it, oh well
- filter error messages so they never include the filesystem path where copyparty's python files reside
- print more context in server logs if someone hits an unexpected permission-denied
bugfixes
found some iffy stuff combing over the code but, as far as I can tell, luckily none of these were dangerous:
- URL normalization was a bit funky, but it appears everything access-control-related was unaffected
- some url parameters were double-decoded, causing the unpost filtering and file renaming to fail if the values contained `%`
- clients could cause the server to return an invalid cache-control header, but newlines and control-characters got rejected correctly
- minor cosmetics / qol fixes:
  - reduced flickering on page load in chrome
  - fixed some console spam in search results
  - markdown documents now have the same line-height in directory listings and the editor
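
The double-decoding bug listed under bugfixes, shown as an added illustration (not copyparty's code): a value that is percent-decoded twice no longer matches the real filename when that name contains `%`. The handler, helper names and sample filenames are hypothetical and constructed for this example; the round-trip check is one way to catch the regression in tests.

```python
from urllib.parse import parse_qs, quote, unquote


def get_param_buggy(query: str, key: str) -> str:
    """Decodes twice: parse_qs already percent-decodes, then unquote runs again."""
    once = parse_qs(query, keep_blank_values=True)[key][0]
    return unquote(once)


def get_param_fixed(query: str, key: str) -> str:
    """Decodes exactly once, at the parsing boundary."""
    return parse_qs(query, keep_blank_values=True)[key][0]


def rename(files: set, query: str, getter) -> bool:
    """Hypothetical rename handler: succeeds only if the source name exists."""
    src = getter(query, "src")
    dst = getter(query, "dst")
    if src not in files:
        return False
    files.remove(src)
    files.add(dst)
    return True


def roundtrip_failures(names, getter):
    """Regression check: names that do not survive encode -> request -> decode."""
    bad = []
    for name in names:
        query = "src=" + quote(name, safe="")
        if getter(query, "src") != name:
            bad.append(name)
    return bad


# Constructed sample filenames; the last two contain a literal %XX sequence.
SAMPLES = ["plain.txt", "100% done.txt", "report%20final.txt", "50%25.log"]

if __name__ == "__main__":
    print("buggy:", roundtrip_failures(SAMPLES, get_param_buggy))
    print("fixed:", roundtrip_failures(SAMPLES, get_param_fixed))
```

Note that `100% done.txt` survives the second decode only because `% d` is not a valid escape, which is why this class of bug tends to go unnoticed until a name happens to contain `%` followed by two hex digits.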