copyparty 1.16.1__tar.gz → 1.16.3__tar.gz

{copyparty-1.16.1 → copyparty-1.16.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: copyparty
-Version: 1.16.1
+Version: 1.16.3
 Summary:   Portable file server with accelerated resumable uploads, deduplication, WebDAV, FTP, zeroconf, media indexer, video thumbnails, audio transcoding, and write-only folders
 Author-email: ed <copyparty@ocv.me>
 License: MIT
@@ -1152,11 +1152,12 @@ using the GUI  (winXP or later):
   * on winXP only, click the `Sign up for online storage` hyperlink instead and put the URL there
   * providing your password as the username is recommended; the password field can be anything or empty
 
-known client bugs:
+the webdav client that's built into windows has the following list of bugs; you can avoid all of these by connecting with rclone instead:
 * win7+ doesn't actually send the password to the server when reauthenticating after a reboot unless you first try to login with an incorrect password and then switch to the correct password
   * or just type your password into the username field instead to get around it entirely
 * connecting to a folder which allows anonymous read will make writing impossible, as windows has decided it doesn't need to login
   * workaround: connect twice; first to a folder which requires auth, then to the folder you actually want, and leave both of those mounted
+  * or set the server-option `--dav-auth` to force password-auth for all webdav clients
 * win7+ may open a new tcp connection for every file and sometimes forgets to close them, eventually needing a reboot
   * maybe NIC-related (??), happens with win10-ltsc on e1000e but not virtio
 * windows cannot access folders which contain filenames with invalid unicode or forbidden characters (`<>:"/\|?*`), or names ending with `.`
@@ -1323,7 +1324,7 @@ note:
 
 ### exclude-patterns
 
-to save some time,  you can provide a regex pattern for filepaths to only index by filename/path/size/last-modified (and not the hash of the file contents) by setting `--no-hash \.iso$` or the volflag `:c,nohash=\.iso$`, this has the following consequences:
+to save some time,  you can provide a regex pattern for filepaths to only index by filename/path/size/last-modified (and not the hash of the file contents) by setting `--no-hash '\.iso$'` or the volflag `:c,nohash=\.iso$`, this has the following consequences:
 * initial indexing is way faster, especially when the volume is on a network disk
 * makes it impossible to [file-search](#file-search)
 * if someone uploads the same file contents, the upload will not be detected as a dupe, so it will not get symlinked or rejected
@@ -1334,6 +1335,8 @@ similarly, you can fully ignore files/folders using `--no-idx [...]` and `:c,noi
 
 if you set `--no-hash [...]` globally, you can enable hashing for specific volumes using flag `:c,nohash=`
 
+to exclude certain filepaths from search-results, use `--srch-excl` or volflag `srch_excl` instead of `--no-idx`, for example `--srch-excl 'password|logs/[0-9]'`
+
 ### filesystem guards
 
 avoid traversing into other filesystems  using `--xdev` / volflag `:c,xdev`, skipping any symlinks or bind-mounts to another HDD for example

{copyparty-1.16.1 → copyparty-1.16.3}/README.md

@@ -1097,11 +1097,12 @@ using the GUI  (winXP or later):
   * on winXP only, click the `Sign up for online storage` hyperlink instead and put the URL there
   * providing your password as the username is recommended; the password field can be anything or empty
 
-known client bugs:
+the webdav client that's built into windows has the following list of bugs; you can avoid all of these by connecting with rclone instead:
 * win7+ doesn't actually send the password to the server when reauthenticating after a reboot unless you first try to login with an incorrect password and then switch to the correct password
   * or just type your password into the username field instead to get around it entirely
 * connecting to a folder which allows anonymous read will make writing impossible, as windows has decided it doesn't need to login
   * workaround: connect twice; first to a folder which requires auth, then to the folder you actually want, and leave both of those mounted
+  * or set the server-option `--dav-auth` to force password-auth for all webdav clients
 * win7+ may open a new tcp connection for every file and sometimes forgets to close them, eventually needing a reboot
   * maybe NIC-related (??), happens with win10-ltsc on e1000e but not virtio
 * windows cannot access folders which contain filenames with invalid unicode or forbidden characters (`<>:"/\|?*`), or names ending with `.`
@@ -1268,7 +1269,7 @@ note:
 
 ### exclude-patterns
 
-to save some time,  you can provide a regex pattern for filepaths to only index by filename/path/size/last-modified (and not the hash of the file contents) by setting `--no-hash \.iso$` or the volflag `:c,nohash=\.iso$`, this has the following consequences:
+to save some time,  you can provide a regex pattern for filepaths to only index by filename/path/size/last-modified (and not the hash of the file contents) by setting `--no-hash '\.iso$'` or the volflag `:c,nohash=\.iso$`, this has the following consequences:
 * initial indexing is way faster, especially when the volume is on a network disk
 * makes it impossible to [file-search](#file-search)
 * if someone uploads the same file contents, the upload will not be detected as a dupe, so it will not get symlinked or rejected
@@ -1279,6 +1280,8 @@ similarly, you can fully ignore files/folders using `--no-idx [...]` and `:c,noi
 
 if you set `--no-hash [...]` globally, you can enable hashing for specific volumes using flag `:c,nohash=`
 
+to exclude certain filepaths from search-results, use `--srch-excl` or volflag `srch_excl` instead of `--no-idx`, for example `--srch-excl 'password|logs/[0-9]'`
+
 ### filesystem guards
 
 avoid traversing into other filesystems  using `--xdev` / volflag `:c,xdev`, skipping any symlinks or bind-mounts to another HDD for example

{copyparty-1.16.1 → copyparty-1.16.3}/copyparty/__main__.py

@@ -1116,6 +1116,8 @@ def add_zc_mdns(ap):
     ap2.add_argument("--zm6", action="store_true", help="IPv6 only")
     ap2.add_argument("--zmv", action="store_true", help="verbose mdns")
     ap2.add_argument("--zmvv", action="store_true", help="verboser mdns")
+    ap2.add_argument("--zm-no-pe", action="store_true", help="mute parser errors (invalid incoming MDNS packets)")
+    ap2.add_argument("--zm-nwa-1", action="store_true", help="disable workaround for avahi-bug #379 (corruption in Avahi's mDNS reflection feature)")
     ap2.add_argument("--zms", metavar="dhf", type=u, default="", help="list of services to announce -- d=webdav h=http f=ftp s=smb -- lowercase=plaintext uppercase=TLS -- default: all enabled services except http/https (\033[32mDdfs\033[0m if \033[33m--ftp\033[0m and \033[33m--smb\033[0m is set, \033[32mDd\033[0m otherwise)")
     ap2.add_argument("--zm-ld", metavar="PATH", type=u, default="", help="link a specific folder for webdav shares")
     ap2.add_argument("--zm-lh", metavar="PATH", type=u, default="", help="link a specific folder for http shares")
@@ -1308,7 +1310,7 @@ def add_logging(ap):
     ap2.add_argument("--log-htp", action="store_true", help="debug: print http-server threadpool scaling")
     ap2.add_argument("--ihead", metavar="HEADER", type=u, action='append', help="print request \033[33mHEADER\033[0m; [\033[32m*\033[0m]=all")
     ap2.add_argument("--ohead", metavar="HEADER", type=u, action='append', help="print response \033[33mHEADER\033[0m; [\033[32m*\033[0m]=all")
-    ap2.add_argument("--lf-url", metavar="RE", type=u, default=r"^/\.cpr/|\?th=[wj]$|/\.(_|ql_|DS_Store$|localized$)", help="dont log URLs matching regex \033[33mRE\033[0m")
+    ap2.add_argument("--lf-url", metavar="RE", type=u, default=r"^/\.cpr/|[?&]th=[wjp]|/\.(_|ql_|DS_Store$|localized$)", help="dont log URLs matching regex \033[33mRE\033[0m")
 
 
 def add_admin(ap):
@@ -1393,6 +1395,7 @@ def add_db_general(ap, hcores):
     ap2.add_argument("--db-act", metavar="SEC", type=float, default=10.0, help="defer any scheduled volume reindexing until \033[33mSEC\033[0m seconds after last db write (uploads, renames, ...)")
     ap2.add_argument("--srch-time", metavar="SEC", type=int, default=45, help="search deadline -- terminate searches running for more than \033[33mSEC\033[0m seconds")
     ap2.add_argument("--srch-hits", metavar="N", type=int, default=7999, help="max search results to allow clients to fetch; 125 results will be shown initially")
+    ap2.add_argument("--srch-excl", metavar="PTN", type=u, default="", help="regex: exclude files from search results if the file-URL matches \033[33mPTN\033[0m (case-sensitive). Example: [\033[32mpassword|logs/[0-9]\033[0m] any URL containing 'password' or 'logs/DIGIT' (volflag=srch_excl)")
     ap2.add_argument("--dotsrch", action="store_true", help="show dotfiles in search results (volflags: dotsrch | nodotsrch)")
 
 
@@ -1449,6 +1452,8 @@ def add_ui(ap, retry):
     ap2.add_argument("--themes", metavar="NUM", type=int, default=8, help="number of themes installed")
     ap2.add_argument("--au-vol", metavar="0-100", type=int, default=50, choices=range(0, 101), help="default audio/video volume percent")
     ap2.add_argument("--sort", metavar="C,C,C", type=u, default="href", help="default sort order, comma-separated column IDs (see header tooltips), prefix with '-' for descending. Examples: \033[32mhref -href ext sz ts tags/Album tags/.tn\033[0m (volflag=sort)")
+    ap2.add_argument("--nsort", action="store_true", help="default-enable natural sort of filenames with leading numbers (volflag=nsort)")
+    ap2.add_argument("--hsortn", metavar="N", type=int, default=2, help="number of sorting rules to include in media URLs by default (volflag=hsortn)")
     ap2.add_argument("--unlist", metavar="REGEX", type=u, default="", help="don't show files matching \033[33mREGEX\033[0m in file list. Purely cosmetic! Does not affect API calls, just the browser. Example: [\033[32m\\.(js|css)$\033[0m] (volflag=unlist)")
     ap2.add_argument("--favico", metavar="TXT", type=u, default="c 000 none" if retry else "🎉 000 none", help="\033[33mfavicon-text\033[0m [ \033[33mforeground\033[0m [ \033[33mbackground\033[0m ] ], set blank to disable")
     ap2.add_argument("--mpmc", metavar="URL", type=u, default="", help="change the mediaplayer-toggle mouse cursor; URL to a folder with {2..5}.png inside (or disable with [\033[32m.\033[0m])")

{copyparty-1.16.1 → copyparty-1.16.3}/copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 16, 1)
+VERSION = (1, 16, 3)
 CODENAME = "COPYparty"
-BUILD_DT = (2024, 11, 15)
+BUILD_DT = (2024, 12, 4)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

{copyparty-1.16.1 → copyparty-1.16.3}/copyparty/authsrv.py

@@ -360,6 +360,8 @@ class VFS(object):
         self.ahtml   = {}
         self.aadmin   = {}
         self.adot   = {}
+        self.js_ls = {}
+        self.js_htm = ""
 
         if realpath:
             rp = realpath + ("" if realpath.endswith(os.sep) else os.sep)
@@ -1871,6 +1873,7 @@ class AuthSrv(object):
                 ["no_hash", "nohash"],
                 ["no_idx", "noidx"],
                 ["og_ua", "og_ua"],
+                ["srch_excl", "srch_excl"],
             ]:
                 if vf in vol.flags:
                     ptn = re.compile(vol.flags.pop(vf))
@@ -2077,6 +2080,22 @@ class AuthSrv(object):
                 self.log(t.format(mtp), 1)
                 errors = True
 
+        for vol in vfs.all_vols.values():
+            re1  = vol.flags.get("srch_excl")
+            excl = [re1.pattern] if re1 else []
+
+            vpaths = []
+            vtop = vol.vpath
+            for vp2 in vfs.all_vols.keys():
+                if vp2.startswith((vtop + "/").lstrip("/")) and vtop != vp2:
+                    vpaths.append(re.escape(vp2[len(vtop) :].lstrip("/")))
+            if vpaths:
+                excl.append("^(%s)/" % ("|".join(vpaths),))
+
+            vol.flags["srch_re_dots"] = re.compile("|".join(excl or ["^$"]))
+            excl.extend([r"^\.", r"/\."])
+            vol.flags["srch_re_nodot"] = re.compile("|".join(excl))
+
         have_daw = False
         for vol in vfs.all_nodes.values():
             daw = vol.flags.get("daw") or self.args.daw
@@ -2297,6 +2316,70 @@ class AuthSrv(object):
             cur.close()
             db.close()
 
+        self.js_ls = {}
+        self.js_htm = {}
+        for vn in self.vfs.all_nodes.values():
+            vf = vn.flags
+            vn.js_ls = {
+                "idx": "e2d" in vf,
+                "itag": "e2t" in vf,
+                "dnsort": "nsort" in vf,
+                "dhsortn": vf["hsortn"],
+                "dsort": vf["sort"],
+                "dcrop": vf["crop"],
+                "dth3x": vf["th3x"],
+                "u2ts": vf["u2ts"],
+                "frand": bool(vf.get("rand")),
+                "lifetime": vf.get("lifetime") or 0,
+                "unlist": vf.get("unlist") or "",
+            }
+            js_htm = {
+                "s_name": self.args.bname,
+                "have_up2k_idx": "e2d" in vf,
+                "have_acode": not self.args.no_acode,
+                "have_shr": self.args.shr,
+                "have_zip": not self.args.no_zip,
+                "have_mv": not self.args.no_mv,
+                "have_del": not self.args.no_del,
+                "have_unpost": int(self.args.unpost),
+                "have_emp": self.args.emp,
+                "sb_md": "" if "no_sb_md" in vf else (vf.get("md_sbf") or "y"),
+                "txt_ext": self.args.textfiles.replace(",", " "),
+                "def_hcols": list(vf.get("mth") or []),
+                "unlist0": vf.get("unlist") or "",
+                "dgrid": "grid" in vf,
+                "dgsel": "gsel" in vf,
+                "dnsort": "nsort" in vf,
+                "dhsortn": vf["hsortn"],
+                "dsort": vf["sort"],
+                "dcrop": vf["crop"],
+                "dth3x": vf["th3x"],
+                "dvol": self.args.au_vol,
+                "idxh": int(self.args.ih),
+                "themes": self.args.themes,
+                "turbolvl": self.args.turbo,
+                "u2j": self.args.u2j,
+                "u2sz": self.args.u2sz,
+                "u2ts": vf["u2ts"],
+                "frand": bool(vf.get("rand")),
+                "lifetime": vn.js_ls["lifetime"],
+                "u2sort": self.args.u2sort,
+            }
+            vn.js_htm = json.dumps(js_htm)
+
+        vols = list(vfs.all_nodes.values())
+        if enshare:
+            vols.append(shv)
+            vols.extend(list(shv.nodes.values()))
+
+        for vol in vols:
+            dbv = vol.get_dbv("")[0]
+            vol.js_ls = vol.js_ls or dbv.js_ls or {}
+            vol.js_htm = vol.js_htm or dbv.js_htm or "{}"
+
+            zs = str(vol.flags.get("tcolor") or self.args.tcolor)
+            vol.flags["tcolor"] = zs.lstrip("#")
+
     def load_sessions(self, quiet=False)  :
         # mutex me
         if self.args.no_ses:

{copyparty-1.16.1 → copyparty-1.16.3}/copyparty/cfg.py

@@ -42,6 +42,7 @@ def vf_bmap()   :
         "magic",
         "no_sb_md",
         "no_sb_lg",
+        "nsort",
         "og",
         "og_no_head",
         "og_s_title",
@@ -69,6 +70,7 @@ def vf_vmap()   :
     }
     for k in (
         "dbd",
+        "hsortn",
         "html_head",
         "lg_sbf",
         "md_sbf",
@@ -190,6 +192,7 @@ flagcats = {
         "xvol": "do not follow symlinks leaving the volume root",
         "dotsrch": "show dotfiles in search results",
         "nodotsrch": "hide dotfiles in search results (default)",
+        "srch_excl": "exclude search results with URL matching this regex",
     },
     'database, audio tags\n"mte", "mth", "mtp", "mtm" all work the same as -mte, -mth, ...': {
         "mtp=.bpm=f,audio-bpm.py": 'uses the "audio-bpm.py" program to\ngenerate ".bpm" tags from uploads (f = overwrite tags)',

{copyparty-1.16.1 → copyparty-1.16.3}/copyparty/httpcli.py

@@ -14,6 +14,7 @@ import re
 import socket
 import stat
 import string
+import sys
 import threading  # typechk
 import time
 import uuid
@@ -76,6 +77,7 @@ from .util import (
     html_escape,
     humansize,
     ipnorm,
+    justcopy,
     load_resource,
     loadpy,
     log_reloc,
@@ -120,6 +122,8 @@ if not hasattr(socket, "AF_UNIX"):
 
 _ = (argparse, threading)
 
+USED4SEC = {"usedforsecurity": False} if sys.version_info > (3, 9) else {}
+
 NO_CACHE = {"Cache-Control": "no-cache"}
 
 ALL_COOKIES = "k304 no304 js idxh dots cppwd cppws".split()
@@ -133,6 +137,10 @@ READMES = [[0, ["preadme.md", "PREADME.md"]], [1, ["readme.md", "README.md"]]]
 
 RSS_SORT = {"m": "mt", "u": "at", "n": "fn", "s": "sz"}
 
+A_FILE = os.stat_result(
+    (0o644, -1, -1, 1, 1000, 1000, 8, 0x39230101, 0x39230101, 0x39230101)
+)
+
 
 class HttpCli(object):
     """
@@ -243,7 +251,6 @@ class HttpCli(object):
         ka["ts"] = self.conn.hsrv.cachebuster()
         ka["lang"] = self.args.lang
         ka["favico"] = self.args.favico
-        ka["s_name"] = self.args.bname
         ka["s_doctitle"] = self.args.doctitle
         ka["tcolor"] = self.vn.flags["tcolor"]
 
@@ -700,7 +707,7 @@ class HttpCli(object):
 
                 if pex.code != 404 or self.do_log:
                     self.log(
-                        "%s\033[0m, %s" % (msg, self.vpath),
+                        "http%d: %s\033[0m, %s" % (pex.code, msg, self.vpath),
                         6 if em.startswith("client d/c ") else 3,
                     )
 
@@ -1239,7 +1246,7 @@ class HttpCli(object):
             self.log("RSS  %s @%s" % (self.req, self.uname))
 
         if not self.can_read:
-            return self.tx_404()
+            return self.tx_404(True)
 
         vn = self.vn
         if not vn.flags.get("rss"):
@@ -1409,17 +1416,19 @@ class HttpCli(object):
         vst = os.stat_result((16877, -1, -1, 1, 1000, 1000, 8, zi, zi, zi))
 
         try:
-            topdir = {"vp": "", "st": bos.stat(tap)}
+            st = bos.stat(tap)
         except OSError as ex:
             if ex.errno not in (errno.ENOENT, errno.ENOTDIR):
                 raise
             raise Pebkac(404)
 
+        topdir = {"vp": "", "st": st}
         fgen   = []
 
         depth = self.headers.get("depth", "infinity").lower()
         if depth == "infinity":
-            if not self.can_read:
+            # allow depth:0 from unmapped root, but require read-axs otherwise
+            if not self.can_read and (self.vpath or self.asrv.vfs.realpath):
                 t = "depth:infinity requires read-access in /%s"
                 t = t % (self.vpath,)
                 self.log(t, 3)
@@ -1450,6 +1459,12 @@ class HttpCli(object):
                 wrap=False,
             )
 
+        elif depth == "0" or not stat.S_ISDIR(st.st_mode):
+            # propfind on a file; return as topdir
+            if not self.can_read and not self.can_get:
+                self.log("inaccessible: [%s]" % (self.vpath,))
+                raise Pebkac(401, "authenticate")
+
         elif depth == "1":
             _, vfs_ls, vfs_virt = vn.ls(
                 rem,
@@ -1468,15 +1483,12 @@ class HttpCli(object):
             fgen = [{"vp": vp, "st": st} for vp, st in vfs_ls]
             fgen += [{"vp": v, "st": vst} for v in vfs_virt]
 
-        elif depth == "0":
-            pass
-
         else:
             t = "invalid depth value '{}' (must be either '0' or '1'{})"
             t2 = " or 'infinity'" if self.args.dav_inf else ""
             raise Pebkac(412, t.format(depth, t2))
 
-        if not self.can_read and not self.can_write and not self.can_get and not fgen:
+        if not self.can_read and not self.can_write and not fgen:
             self.log("inaccessible: [%s]" % (self.vpath,))
             raise Pebkac(401, "authenticate")
 
@@ -1755,7 +1767,7 @@ class HttpCli(object):
 
         if not self.can_write:
             t = "user %s does not have write-access under /%s"
-            raise Pebkac(403, t % (self.uname, self.vn.vpath))
+            raise Pebkac(403 if self.pw else 401, t % (self.uname, self.vn.vpath))
 
         if not self.args.no_dav and self._applesan():
             return self.headers.get("content-length") == "0"
@@ -2046,10 +2058,31 @@ class HttpCli(object):
                 # small toctou, but better than clobbering a hardlink
                 wunlink(self.log, path, vfs.flags)
 
+        hasher = None
+        copier = hashcopy
+        if "ck" in self.ouparam or "ck" in self.headers:
+            zs = self.ouparam.get("ck") or self.headers.get("ck") or ""
+            if not zs or zs == "no":
+                copier = justcopy
+            elif zs == "md5":
+                hasher = hashlib.md5(**USED4SEC)
+            elif zs == "sha1":
+                hasher = hashlib.sha1(**USED4SEC)
+            elif zs == "sha256":
+                hasher = hashlib.sha256(**USED4SEC)
+            elif zs in ("blake2", "b2"):
+                hasher = hashlib.blake2b(**USED4SEC)
+            elif zs in ("blake2s", "b2s"):
+                hasher = hashlib.blake2s(**USED4SEC)
+            elif zs == "sha512":
+                pass
+            else:
+                raise Pebkac(500, "unknown hash alg")
+
         f, fn = ren_open(fn, *open_a, **params)
         try:
             path = os.path.join(fdir, fn)
-            post_sz, sha_hex, sha_b64 = hashcopy(reader, f, None, 0, self.args.s_wr_slp)
+            post_sz, sha_hex, sha_b64 = copier(reader, f, hasher, 0, self.args.s_wr_slp)
         finally:
             f.close()
 
@@ -2286,8 +2319,8 @@ class HttpCli(object):
             # kinda silly but has the least side effects
             return self.handle_new_md()
 
-        if act == "bput":
-            return self.handle_plain_upload(file0)
+        if act in ("bput", "uput"):
+            return self.handle_plain_upload(file0, act == "uput")
 
         if act == "tput":
             return self.handle_text_upload()
@@ -2898,13 +2931,41 @@ class HttpCli(object):
         )
 
     def handle_plain_upload(
-        self, file0     
+        self,
+        file0     ,
+        nohash ,
     )  :
         assert self.parser
         nullwrite = self.args.nw
         vfs, rem = self.asrv.vfs.get(self.vpath, self.uname, False, True)
         self._assert_safe_rem(rem)
 
+        halg = "sha512"
+        hasher = None
+        copier = hashcopy
+        if nohash:
+            halg = ""
+            copier = justcopy
+        elif "ck" in self.ouparam or "ck" in self.headers:
+            halg = self.ouparam.get("ck") or self.headers.get("ck") or ""
+            if not halg or halg == "no":
+                copier = justcopy
+                halg = ""
+            elif halg == "md5":
+                hasher = hashlib.md5(**USED4SEC)
+            elif halg == "sha1":
+                hasher = hashlib.sha1(**USED4SEC)
+            elif halg == "sha256":
+                hasher = hashlib.sha256(**USED4SEC)
+            elif halg in ("blake2", "b2"):
+                hasher = hashlib.blake2b(**USED4SEC)
+            elif halg in ("blake2s", "b2s"):
+                hasher = hashlib.blake2s(**USED4SEC)
+            elif halg == "sha512":
+                pass
+            else:
+                raise Pebkac(500, "unknown hash alg")
+
         upload_vpath = self.vpath
         lim = vfs.get_dbv(rem)[0].lim
         fdir_base = vfs.canonical(rem)
@@ -3034,8 +3095,8 @@ class HttpCli(object):
                     try:
                         tabspath = os.path.join(fdir, tnam)
                         self.log("writing to {}".format(tabspath))
-                        sz, sha_hex, sha_b64 = hashcopy(
-                            p_data, f, None, max_sz, self.args.s_wr_slp
+                        sz, sha_hex, sha_b64 = copier(
+                            p_data, f, hasher, max_sz, self.args.s_wr_slp
                         )
                         if sz == 0:
                             raise Pebkac(400, "empty files in post")
@@ -3167,10 +3228,15 @@ class HttpCli(object):
             jmsg["error"] = errmsg
             errmsg = "ERROR: " + errmsg
 
+        if halg:
+            file_fmt = '{0}: {1} // {2} // {3} bytes // <a href="/{4}">{5}</a> {6}\n'
+        else:
+            file_fmt = '{3} bytes // <a href="/{4}">{5}</a> {6}\n'
+
         for sz, sha_hex, sha_b64, ofn, lfn, ap in files:
             vsuf = ""
             if (self.can_read or self.can_upget) and "fk" in vfs.flags:
-                st = bos.stat(ap)
+                st = A_FILE if nullwrite else bos.stat(ap)
                 alg = 2 if "fka" in vfs.flags else 1
                 vsuf = "?k=" + self.gen_fk(
                     alg,
@@ -3185,7 +3251,8 @@ class HttpCli(object):
 
             vpath = "{}/{}".format(upload_vpath, lfn).strip("/")
             rel_url = quotep(self.args.RS + vpath) + vsuf
-            msg += 'sha512: {} // {} // {} bytes // <a href="/{}">{}</a> {}\n'.format(
+            msg += file_fmt.format(
+                halg,
                 sha_hex[:56],
                 sha_b64,
                 sz,
@@ -3201,13 +3268,14 @@ class HttpCli(object):
                     self.host,
                     rel_url,
                 ),
-                "sha512": sha_hex[:56],
-                "sha_b64": sha_b64,
                 "sz": sz,
                 "fn": lfn,
                 "fn_orig": ofn,
                 "path": rel_url,
             }
+            if halg:
+                jpart[halg] = sha_hex[:56]
+                jpart["sha_b64"] = sha_b64
             jmsg["files"].append(jpart)
 
         vspd = self._spd(sz_total, False)
@@ -4600,6 +4668,18 @@ class HttpCli(object):
         if "th" in self.ouparam:
             return self.tx_svg("e" + pt[:3])
 
+        # most webdav clients will not send credentials until they
+        # get 401'd, so send a challenge if we're Absolutely Sure
+        # that the client is not a graphical browser
+        if (
+            rc == 403
+            and not self.pw
+            and not self.ua.startswith("Mozilla/")
+            and "sec-fetch-site" not in self.headers
+        ):
+            rc = 401
+            self.out_headers["WWW-Authenticate"] = 'Basic realm="a"'
+
         t = t.format(self.args.SR)
         qv = quotep(self.vpaths) + self.ourlq()
         html = self.j2s(
@@ -5240,7 +5320,7 @@ class HttpCli(object):
             st = bos.stat(abspath)
         except:
             if "on404" not in vn.flags:
-                return self.tx_404()
+                return self.tx_404(not self.can_read)
 
             ret = self.on40x(vn.flags["on404"], vn, rem)
             if ret == "true":
@@ -5251,9 +5331,9 @@ class HttpCli(object):
                 try:
                     st = bos.stat(abspath)
                 except:
-                    return self.tx_404()
+                    return self.tx_404(not self.can_read)
             else:
-                return self.tx_404()
+                return self.tx_404(not self.can_read)
 
         if rem.startswith(".hist/up2k.") or (
             rem.endswith("/dir.txt") and rem.startswith(".hist/th/")
@@ -5380,13 +5460,13 @@ class HttpCli(object):
                     vrem = vjoin(vrem, fn)
                     abspath = ap2
                     break
-            elif self.vpath.rsplit("/", 1)[1] in ("index.htm", "index.html"):
+            elif self.vpath.rsplit("/", 1)[-1] in ("index.htm", "index.html"):
                 fk_pass = True
 
         if not is_dir and (self.can_read or self.can_get):
             if not self.can_read and not fk_pass and "fk" in vn.flags:
                 if not use_filekey:
-                    return self.tx_404()
+                    return self.tx_404(True)
 
             if add_og and not abspath.lower().endswith(".md"):
                 if og_ua or self.host not in self.headers.get("referer", ""):
@@ -5474,61 +5554,28 @@ class HttpCli(object):
             is_js = False
 
         vf = vn.flags
-        unlist = vf.get("unlist", "")
         ls_ret = {
             "dirs": [],
             "files": [],
             "taglist": [],
             "srvinf": srv_infot,
             "acct": self.uname,
-            "idx": e2d,
-            "itag": e2t,
-            "dsort": vf["sort"],
-            "dcrop": vf["crop"],
-            "dth3x": vf["th3x"],
-            "u2ts": vf["u2ts"],
-            "lifetime": vn.flags.get("lifetime") or 0,
-            "frand": bool(vn.flags.get("rand")),
-            "unlist": unlist,
             "perms": perms,
+            "cfg": vn.js_ls,
         }
         cgv = {
             "ls0": None,
             "acct": self.uname,
             "perms": perms,
-            "u2ts": vf["u2ts"],
-            "lifetime": ls_ret["lifetime"],
-            "frand": bool(vn.flags.get("rand")),
-            "def_hcols": [],
-            "have_emp": self.args.emp,
-            "have_up2k_idx": e2d,
-            "have_acode": (not self.args.no_acode),
-            "have_mv": (not self.args.no_mv),
-            "have_del": (not self.args.no_del),
-            "have_zip": (not self.args.no_zip),
-            "have_shr": self.args.shr,
-            "have_unpost": int(self.args.unpost),
-            "sb_md": "" if "no_sb_md" in vf else (vf.get("md_sbf") or "y"),
-            "dgrid": "grid" in vf,
-            "dgsel": "gsel" in vf,
-            "dsort": vf["sort"],
-            "dcrop": vf["crop"],
-            "dth3x": vf["th3x"],
-            "dvol": self.args.au_vol,
-            "themes": self.args.themes,
-            "turbolvl": self.args.turbo,
-            "u2j": self.args.u2j,
-            "u2sz": self.args.u2sz,
-            "idxh": int(self.args.ih),
-            "u2sort": self.args.u2sort,
         }
         j2a = {
+            "cgv1": vn.js_htm,
             "cgv": cgv,
             "vpnodes": vpnodes,
             "files": [],
             "ls0": None,
             "taglist": [],
-            "have_tags_idx": e2t,
+            "have_tags_idx": int(e2t),
             "have_b_u": (self.can_write and self.uparam.get("b") == "u"),
             "sb_lg": "" if "no_sb_lg" in vf else (vf.get("lg_sbf") or "y"),
             "url_suf": url_suf,
@@ -5899,17 +5946,12 @@ class HttpCli(object):
                 "dirs": dirs,
                 "files": files,
                 "taglist": taglist,
-                "unlist": unlist,
             }
             j2a["files"] = []
         else:
             j2a["files"] = dirs + files
 
         j2a["taglist"] = taglist
-        j2a["txt_ext"] = self.args.textfiles.replace(",", " ")
-
-        if "mth" in vn.flags:
-            j2a["def_hcols"] = list(vn.flags["mth"])
 
         if add_og and "raw" not in self.uparam:
             j2a["this"] = self

{copyparty-1.16.1 → copyparty-1.16.3}/copyparty/httpsrv.py

@@ -132,7 +132,7 @@ class HttpSrv(object):
         dls    = {}  # state
         self.dli = self.tdli = dli
         self.dls = self.tdls = dls
-        self.iiam = '<img src="%s.cpr/iiam.gif" />' % (self.args.SRS,)
+        self.iiam = '<img src="%s.cpr/iiam.gif?cache=i" />' % (self.args.SRS,)
 
         self.bound   = set()
         self.name = "hsrv" + nsuf