v1.9.11

contrib/package/arch/PKGBUILD

@@ -1,6 +1,6 @@
 # Maintainer: icxes <dev.null@need.moe>
 pkgname=copyparty
-pkgver="1.9.8"
+pkgver="1.9.10"
 pkgrel=1
 pkgdesc="Portable file sharing hub"
 arch=("any")
@@ -20,7 +20,7 @@ optdepends=("ffmpeg: thumbnails for videos, images (slower) and audio, music tag
 )
 source=("https://github.com/9001/${pkgname}/releases/download/v${pkgver}/${pkgname}-${pkgver}.tar.gz")
 backup=("etc/${pkgname}.d/init" )
-sha256sums=("ae8510f02f0b52d6fec4a22e95dd739ccffc4c39eb86abfd5c5feb836860c366")
+sha256sums=("76e544b0d019ea35284abfd336b9bcd145dbe323509b1d7adba1902db8d8ad85")
 
 build() {
     cd "${srcdir}/${pkgname}-${pkgver}"

contrib/package/nix/copyparty/pin.json

@@ -1,5 +1,5 @@
 {
-    "url": "https://github.com/9001/copyparty/releases/download/v1.9.8/copyparty-sfx.py",
-    "version": "1.9.8",
-    "hash": "sha256-j64rMm3znrfN3c+vpFQloEAyp8PVna67kzjpunk0byw="
+    "url": "https://github.com/9001/copyparty/releases/download/v1.9.10/copyparty-sfx.py",
+    "version": "1.9.10",
+    "hash": "sha256-MDanRrJTmjYb95E81JG5NZXTPSq+2NQNYrUwNvR6Tk8="
 }

copyparty/__main__.py

@@ -1046,6 +1046,7 @@ def add_logging(ap):
     ap2.add_argument("--ansi", action="store_true", help="force colors; overrides environment-variable NO_COLOR")
     ap2.add_argument("--no-voldump", action="store_true", help="do not list volumes and permissions on startup")
     ap2.add_argument("--log-tdec", metavar="N", type=int, default=3, help="timestamp resolution / number of timestamp decimals")
+    ap2.add_argument("--log-badpwd", metavar="N", type=int, default=1, help="log passphrase of failed login attempts: 0=terse, 1=plaintext, 2=hashed")
     ap2.add_argument("--log-conn", action="store_true", help="debug: print tcp-server msgs")
     ap2.add_argument("--log-htp", action="store_true", help="debug: print http-server threadpool scaling")
     ap2.add_argument("--ihead", metavar="HEADER", type=u, action='append', help="dump incoming header")

copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 9, 9)
+VERSION = (1, 9, 11)
 CODENAME = "prometheable"
-BUILD_DT = (2023, 10, 8)
+BUILD_DT = (2023, 10, 9)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

copyparty/httpcli.py

@@ -7,6 +7,7 @@ import calendar
 import copy
 import errno
 import gzip
+import hashlib
 import itertools
 import json
 import os
@@ -131,6 +132,7 @@ class HttpCli(object):
         self.mode = " "
         self.req = " "
         self.http_ver = " "
+        self.hint = ""
         self.host = " "
         self.ua = " "
         self.is_rclone = False
@@ -142,6 +144,7 @@ class HttpCli(object):
         self.rem = " "
         self.vpath = " "
         self.vpaths = " "
+        self.trailing_slash = True
         self.uname = " "
         self.pw = " "
         self.rvol = [" "]
@@ -159,22 +162,17 @@ class HttpCli(object):
         self.can_get = False
         self.can_upget = False
         self.can_admin = False
+        self.out_headerlist: list[tuple[str, str]] = []
+        self.out_headers: dict[str, str] = {}
+        self.html_head = " "
         # post
         self.parser: Optional[MultipartParser] = None
         # end placeholders
 
         self.bufsz = 1024 * 32
-        self.hint = ""
-        self.trailing_slash = True
-        self.out_headerlist: list[tuple[str, str]] = []
-        self.out_headers = {
-            "Vary": "Origin, PW, Cookie",
-            "Cache-Control": "no-store, max-age=0",
-        }
         h = self.args.html_head
         if self.args.no_robots:
             h = META_NOBOTS + (("\n" + h) if h else "")
-            self.out_headers["X-Robots-Tag"] = "noindex, nofollow"
         self.html_head = h
 
     def log(self, msg: str, c: Union[int, str] = 0) -> None:
@@ -223,10 +221,12 @@ class HttpCli(object):
 
     def run(self) -> bool:
         """returns true if connection can be reused"""
-        self.keepalive = False
-        self.is_https = False
-        self.headers = {}
-        self.hint = ""
+        self.out_headers = {
+            "Vary": "Origin, PW, Cookie",
+            "Cache-Control": "no-store, max-age=0",
+        }
+        if self.args.no_robots:
+            self.out_headers["X-Robots-Tag"] = "noindex, nofollow"
 
         if self.is_banned():
             return False
@@ -264,8 +264,8 @@ class HttpCli(object):
             h = {"WWW-Authenticate": 'Basic realm="a"'} if ex.code == 401 else {}
             try:
                 self.loud_reply(unicode(ex), status=ex.code, headers=h, volsan=True)
-                return self.keepalive
             except:
+                pass
             return False
 
         self.ua = self.headers.get("user-agent", "")
@@ -2123,7 +2123,15 @@ class HttpCli(object):
             msg = "login ok"
             dur = int(60 * 60 * self.args.logout)
         else:
-            self.log("invalid password: {}".format(pwd), 3)
+            logpwd = pwd
+            if self.args.log_badpwd == 0:
+                logpwd = ""
+            elif self.args.log_badpwd == 2:
+                zb = hashlib.sha512(pwd.encode("utf-8", "replace")).digest()
+                logpwd = "%" + base64.b64encode(zb[:12]).decode("utf-8")
+
+            self.log("invalid password: {}".format(logpwd), 3)
+
             g = self.conn.hsrv.gpwd
             if g.lim:
                 bonk, ip = g.bonk(self.ip, pwd)

copyparty/web/browser.js

@@ -7284,7 +7284,7 @@ function sandbox(tgt, rules, cls, html) {
 	html = '<html class="iframe ' + document.documentElement.className + '"><head><style>' + globalcss() +
 		'</style><base target="_parent"></head><body id="b" class="logue ' + cls + '">' + html +
 		'<script>' + env + '</script>' + sandboxjs() +
-		'<script>var d=document.documentElement,' +
+		'<script>var d=document.documentElement,TS="' + TS + '",' +
 		'loc=new URL("' + location.href.split('?')[0] + '");' +
 		'function say(m){window.parent.postMessage(m,"*")};' +
 		'setTimeout(function(){var its=0,pih=-1,f=function(){' +

copyparty/web/util.js

@@ -364,7 +364,7 @@ function import_js(url, cb, ecb) {
     var head = document.head || document.getElementsByTagName('head')[0];
     var script = mknod('script');
     script.type = 'text/javascript';
-    script.src = url;
+    script.src = url + '?_=' + (window.TS || 'a');
     script.onload = cb;
     script.onerror = ecb || function () {
         var m = 'Failed to load module:\n' + url;

docs/changelog.md

@@ -1,3 +1,27 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2023-1008-2051  `v1.9.10`  badpwd
+
+## new features
+* argument `--log-badpwd` specifies how to log invalid login attempts;
+  * `0` = just a warning with no further information
+  * `1` = log incorrect password in plaintext (default)
+  * `2` = log sha512 hash of the incorrect password
+  * `1` and `2` are convenient for stuff like setting up autoban triggers for common passwords using fail2ban or similar
+
+## bugfixes
+* none!
+  * the formerly mentioned caching-directives bug turned out to be unreachable... oh well, better safe than sorry
+
+
+
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2023-1007-2229  `v1.9.9`  fix cross-volume dedup moves
+
+## bugfixes
+* v1.6.2 introduced a bug which, when moving files between volumes, could cause the move operation to abort when it encounters a deduplicated file
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2023-1006-1750  `v1.9.8`  static filekeys