PyPI - copyparty - Versions diffs - 1.16.5__py3-none-any.whl → 1.16.7__py3-none-any.whl - Mend

copyparty 1.16.5py3-none-any.whl → 1.16.7py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

copyparty/__init__.py +3 -0
copyparty/__main__.py +4 -1
copyparty/__version__.py +2 -2
copyparty/authsrv.py +33 -20
copyparty/fsutil.py +4 -4
copyparty/httpcli.py +273 -83
copyparty/httpsrv.py +6 -9
copyparty/mtag.py +4 -4
copyparty/smbd.py +1 -1
copyparty/sutil.py +1 -1
copyparty/tcpsrv.py +3 -3
copyparty/tftpd.py +1 -1
copyparty/th_cli.py +3 -3
copyparty/th_srv.py +6 -6
copyparty/u2idx.py +3 -3
copyparty/up2k.py +92 -87
copyparty/util.py +13 -13
copyparty/web/a/u2c.py +1 -1
copyparty/web/browser.html +1 -1
copyparty/web/browser.js.gz +0 -0
copyparty/web/md.html +2 -2
copyparty/web/mde.html +2 -2
copyparty/web/rups.css.gz +0 -0
copyparty/web/rups.html +50 -0
copyparty/web/rups.js.gz +0 -0
copyparty/web/shares.css.gz +0 -0
copyparty/web/shares.html +6 -3
copyparty/web/splash.html +2 -1
copyparty/web/splash.js.gz +0 -0
copyparty/web/svcs.html +1 -1
copyparty/web/up2k.js.gz +0 -0
copyparty/web/util.js.gz +0 -0
{copyparty-1.16.5.dist-info → copyparty-1.16.7.dist-info}/METADATA +14 -2
{copyparty-1.16.5.dist-info → copyparty-1.16.7.dist-info}/RECORD +38 -35
{copyparty-1.16.5.dist-info → copyparty-1.16.7.dist-info}/LICENSE +0 -0
{copyparty-1.16.5.dist-info → copyparty-1.16.7.dist-info}/WHEEL +0 -0
{copyparty-1.16.5.dist-info → copyparty-1.16.7.dist-info}/entry_points.txt +0 -0
{copyparty-1.16.5.dist-info → copyparty-1.16.7.dist-info}/top_level.txt +0 -0

copyparty/httpcli.py CHANGED Viewed

@@ -141,6 +141,14 @@ A_FILE = os.stat_result(
     (0o644, -1, -1, 1, 1000, 1000, 8, 0x39230101, 0x39230101, 0x39230101)
 )
+RE_CC = re.compile(r"[\x00-\x1f]")  # search always faster
+RE_HSAFE = re.compile(r"[\x00-\x1f<>\"'&]")  # search always much faster
+RE_HOST = re.compile(r"[^][0-9a-zA-Z.:_-]")  # search faster <=17ch
+RE_MHOST = re.compile(r"^[][0-9a-zA-Z.:_-]+$")  # match faster >=18ch
+RE_K = re.compile(r"[^0-9a-zA-Z_-]")  # search faster <=17ch
+UPARAM_CC_OK = set("doc move tree".split())
 class HttpCli(object):
     """
@@ -384,6 +392,15 @@ class HttpCli(object):
                     self.host = self.headers.get("x-forwarded-host") or self.host
                     trusted_xff = True
+        m = RE_HOST.search(self.host)
+        if m and self.host != self.args.name:
+            zs = self.host
+            t = "malicious user; illegal Host header; req(%r) host(%r) => %r"
+            self.log(t % (self.req, zs, zs[m.span()[0] :]), 1)
+            self.cbonk(self.conn.hsrv.gmal, zs, "bad_host", "illegal Host header")
+            self.terse_reply(b"illegal Host header", 400)
+            return False
         if self.is_banned():
             return False
@@ -429,6 +446,16 @@ class HttpCli(object):
                 self.loud_reply(t, status=400)
                 return False
+        ptn_cc = RE_CC
+        m = ptn_cc.search(self.req)
+        if m:
+            zs = self.req
+            t = "malicious user; Cc in req0 %r => %r"
+            self.log(t % (zs, zs[m.span()[0] :]), 1)
+            self.cbonk(self.conn.hsrv.gmal, zs, "cc_r0", "Cc in req0")
+            self.terse_reply(b"", 500)
+            return False
         # split req into vpath + uparam
         uparam = {}
         if "?" not in self.req:
@@ -441,8 +468,8 @@ class HttpCli(object):
             self.trailing_slash = vpath.endswith("/")
             vpath = undot(vpath)
-            ptn = self.conn.hsrv.ptn_cc
-            k_safe = self.conn.hsrv.uparam_cc_ok
+            re_k = RE_K
+            k_safe = UPARAM_CC_OK
             for k in arglist.split("&"):
                 if "=" in k:
                     k, zs = k.split("=", 1)
@@ -452,6 +479,14 @@ class HttpCli(object):
                 else:
                     sv = ""
+                m = re_k.search(k)
+                if m:
+                    t = "malicious user; bad char in query key; req(%r) qk(%r) => %r"
+                    self.log(t % (self.req, k, k[m.span()[0] :]), 1)
+                    self.cbonk(self.conn.hsrv.gmal, self.req, "bc_q", "illegal qkey")
+                    self.terse_reply(b"", 500)
+                    return False
                 k = k.lower()
                 uparam[k] = sv
@@ -459,23 +494,32 @@ class HttpCli(object):
                     continue
                 zs = "%s=%s" % (k, sv)
-                m = ptn.search(zs)
+                m = ptn_cc.search(zs)
                 if not m:
                     continue
-                hit = zs[m.span()[0] :]
-                t = "malicious user; Cc in query [{}] => [{!r}]"
-                self.log(t.format(self.req, hit), 1)
+                t = "malicious user; Cc in query; req(%r) qp(%r) => %r"
+                self.log(t % (self.req, zs, zs[m.span()[0] :]), 1)
                 self.cbonk(self.conn.hsrv.gmal, self.req, "cc_q", "Cc in query")
                 self.terse_reply(b"", 500)
                 return False
+            if "k" in uparam:
+                m = RE_K.search(uparam["k"])
+                if m:
+                    zs = uparam["k"]
+                    t = "malicious user; illegal filekey; req(%r) k(%r) => %r"
+                    self.log(t % (self.req, zs, zs[m.span()[0] :]), 1)
+                    self.cbonk(self.conn.hsrv.gmal, zs, "bad_k", "illegal filekey")
+                    self.terse_reply(b"illegal filekey", 400)
+                    return False
         if self.is_vproxied:
             if vpath.startswith(self.args.R):
                 vpath = vpath[len(self.args.R) + 1 :]
             else:
-                t = "incorrect --rp-loc or webserver config; expected vpath starting with [{}] but got [{}]"
-                self.log(t.format(self.args.R, vpath), 1)
+                t = "incorrect --rp-loc or webserver config; expected vpath starting with %r but got %r"
+                self.log(t % (self.args.R, vpath), 1)
         self.ouparam = uparam.copy()
@@ -513,7 +557,7 @@ class HttpCli(object):
             return self.tx_qr()
         if relchk(self.vpath) and (self.vpath != "*" or self.mode != "OPTIONS"):
-            self.log("invalid relpath [{}]".format(self.vpath))
+            self.log("illegal relpath; req(%r) => %r" % (self.req, "/" + self.vpath))
             self.cbonk(self.conn.hsrv.gmal, self.req, "bad_vp", "invalid relpaths")
             return self.tx_404() and self.keepalive
@@ -593,7 +637,7 @@ class HttpCli(object):
                     self.uname = idp_usr
                     self.html_head += "<script>var is_idp=1</script>\n"
                 else:
-                    self.log("unknown username: [%s]" % (idp_usr), 1)
+                    self.log("unknown username: %r" % (idp_usr,), 1)
         if self.args.ipu and self.uname == "*":
             self.uname = self.conn.ipu_iu[self.conn.ipu_nm.map(self.ip)]
@@ -658,7 +702,7 @@ class HttpCli(object):
                 origin = self.headers.get("origin", "<?>")
                 proto = "https://" if self.is_https else "http://"
                 guess = "modifying" if (origin and host) else "stripping"
-                t = "cors-reject %s because request-header Origin='%s' does not match request-protocol '%s' and host '%s' based on request-header Host='%s' (note: if this request is not malicious, check if your reverse-proxy is accidentally %s request headers, in particular 'Origin', for example by running copyparty with --ihead='*' to show all request headers)"
+                t = "cors-reject %s because request-header Origin=%r does not match request-protocol %r and host %r based on request-header Host=%r (note: if this request is not malicious, check if your reverse-proxy is accidentally %s request headers, in particular 'Origin', for example by running copyparty with --ihead='*' to show all request headers)"
                 self.log(t % (self.mode, origin, proto, self.host, host, guess), 3)
                 raise Pebkac(403, "rejected by cors-check")
@@ -704,7 +748,7 @@ class HttpCli(object):
                 if pex.code != 404 or self.do_log:
                     self.log(
-                        "http%d: %s\033[0m, %s" % (pex.code, msg, self.vpath),
+                        "http%d: %s\033[0m, %r" % (pex.code, msg, "/" + self.vpath),
                         6 if em.startswith("client d/c ") else 3,
                     )
@@ -866,12 +910,12 @@ class HttpCli(object):
         for k, zs in list(self.out_headers.items()) + self.out_headerlist:
             response.append("%s: %s" % (k, zs))
+        ptn_cc = RE_CC
         for zs in response:
-            m = self.conn.hsrv.ptn_cc.search(zs)
+            m = ptn_cc.search(zs)
             if m:
-                hit = zs[m.span()[0] :]
-                t = "malicious user; Cc in out-hdr {!r} => [{!r}]"
-                self.log(t.format(zs, hit), 1)
+                t = "malicious user; Cc in out-hdr; req(%r) hdr(%r) => %r"
+                self.log(t % (self.req, zs, zs[m.span()[0] :]), 1)
                 self.cbonk(self.conn.hsrv.gmal, zs, "cc_hdr", "Cc in out-hdr")
                 raise Pebkac(999)
@@ -997,7 +1041,7 @@ class HttpCli(object):
         if not kv:
             return ""
-        r = ["%s=%s" % (k, quotep(zs)) if zs else k for k, zs in kv.items()]
+        r = ["%s=%s" % (quotep(k), quotep(zs)) if zs else k for k, zs in kv.items()]
         return "?" + "&amp;".join(r)
     def ourlq(self)  :
@@ -1113,6 +1157,8 @@ class HttpCli(object):
                 logmsg += " [\033[36m" + rval + "\033[0m]"
             self.log(logmsg)
+            if "%" in self.req:
+                self.log(" `-- %r" % (self.vpath,))
         # "embedded" resources
         if self.vpath.startswith(".cpr"):
@@ -1147,8 +1193,8 @@ class HttpCli(object):
                     return self.tx_res(res_path)
             if res_path != undot(res_path):
-                t = "malicious user; attempted path traversal [{}] => [{}]"
-                self.log(t.format(self.vpath, res_path), 1)
+                t = "malicious user; attempted path traversal; req(%r) vp(%r) => %r"
+                self.log(t % (self.req, "/" + self.vpath, res_path), 1)
                 self.cbonk(self.conn.hsrv.gmal, self.req, "trav", "path traversal")
             self.tx_404()
@@ -1159,11 +1205,11 @@ class HttpCli(object):
             return True
         if not self.can_read and not self.can_write and not self.can_get:
-            t = "@{} has no access to [{}]"
+            t = "@%s has no access to %r"
             if "on403" in self.vn.flags:
                 t += " (on403)"
-                self.log(t.format(self.uname, self.vpath))
+                self.log(t % (self.uname, "/" + self.vpath))
                 ret = self.on40x(self.vn.flags["on403"], self.vn, self.rem)
                 if ret == "true":
                     return True
@@ -1182,7 +1228,7 @@ class HttpCli(object):
                 if self.vpath:
                     ptn = self.args.nonsus_urls
                     if not ptn or not ptn.search(self.vpath):
-                        self.log(t.format(self.uname, self.vpath))
+                        self.log(t % (self.uname, "/" + self.vpath))
                     return self.tx_404(True)
@@ -1226,6 +1272,9 @@ class HttpCli(object):
             if "dls" in self.uparam:
                 return self.tx_dls()
+            if "ru" in self.uparam:
+                return self.tx_rups()
         if "h" in self.uparam:
             return self.tx_mounts()
@@ -1288,8 +1337,8 @@ class HttpCli(object):
         pw = self.ouparam.get("pw")
         if pw:
-            q_pw = "?pw=%s" % (pw,)
-            a_pw = "&pw=%s" % (pw,)
+            q_pw = "?pw=%s" % (html_escape(pw, True, True),)
+            a_pw = "&pw=%s" % (html_escape(pw, True, True),)
             for i in hits:
                 i["rp"] += a_pw if "?" in i["rp"] else q_pw
         else:
@@ -1376,6 +1425,8 @@ class HttpCli(object):
     def handle_propfind(self)  :
         if self.do_log:
             self.log("PFIND %s @%s" % (self.req, self.uname))
+            if "%" in self.req:
+                self.log("  `-- %r" % (self.vpath,))
         if self.args.no_dav:
             raise Pebkac(405, "WebDAV is disabled in server config")
@@ -1426,14 +1477,14 @@ class HttpCli(object):
         if depth == "infinity":
             # allow depth:0 from unmapped root, but require read-axs otherwise
             if not self.can_read and (self.vpath or self.asrv.vfs.realpath):
-                t = "depth:infinity requires read-access in /%s"
-                t = t % (self.vpath,)
+                t = "depth:infinity requires read-access in %r"
+                t = t % ("/" + self.vpath,)
                 self.log(t, 3)
                 raise Pebkac(401, t)
             if not stat.S_ISDIR(topdir["st"].st_mode):
-                t = "depth:infinity can only be used on folders; /%s is 0o%o"
-                t = t % (self.vpath, topdir["st"])
+                t = "depth:infinity can only be used on folders; %r is 0o%o"
+                t = t % ("/" + self.vpath, topdir["st"])
                 self.log(t, 3)
                 raise Pebkac(400, t)
@@ -1459,7 +1510,7 @@ class HttpCli(object):
         elif depth == "0" or not stat.S_ISDIR(st.st_mode):
             # propfind on a file; return as topdir
             if not self.can_read and not self.can_get:
-                self.log("inaccessible: [%s]" % (self.vpath,))
+                self.log("inaccessible: %r" % ("/" + self.vpath,))
                 raise Pebkac(401, "authenticate")
         elif depth == "1":
@@ -1486,7 +1537,7 @@ class HttpCli(object):
             raise Pebkac(412, t.format(depth, t2))
         if not self.can_read and not self.can_write and not fgen:
-            self.log("inaccessible: [%s]" % (self.vpath,))
+            self.log("inaccessible: %r" % ("/" + self.vpath,))
             raise Pebkac(401, "authenticate")
         fgen = itertools.chain([topdir], fgen)
@@ -1557,12 +1608,14 @@ class HttpCli(object):
     def handle_proppatch(self)  :
         if self.do_log:
             self.log("PPATCH %s @%s" % (self.req, self.uname))
+            if "%" in self.req:
+                self.log("   `-- %r" % (self.vpath,))
         if self.args.no_dav:
             raise Pebkac(405, "WebDAV is disabled in server config")
         if not self.can_write:
-            self.log("{} tried to proppatch [{}]".format(self.uname, self.vpath))
+            self.log("%s tried to proppatch %r" % (self.uname, "/" + self.vpath))
             raise Pebkac(401, "authenticate")
         from xml.etree import ElementTree as ET
@@ -1609,13 +1662,15 @@ class HttpCli(object):
     def handle_lock(self)  :
         if self.do_log:
             self.log("LOCK %s @%s" % (self.req, self.uname))
+            if "%" in self.req:
+                self.log(" `-- %r" % (self.vpath,))
         if self.args.no_dav:
             raise Pebkac(405, "WebDAV is disabled in server config")
         # win7+ deadlocks if we say no; just smile and nod
         if not self.can_write and "Microsoft-WebDAV" not in self.ua:
-            self.log("{} tried to lock [{}]".format(self.uname, self.vpath))
+            self.log("%s tried to lock %r" % (self.uname, "/" + self.vpath))
             raise Pebkac(401, "authenticate")
         from xml.etree import ElementTree as ET
@@ -1644,7 +1699,7 @@ class HttpCli(object):
         token = str(uuid.uuid4())
-        if not lk.find(r"./{DAV:}depth"):
+        if lk.find(r"./{DAV:}depth") is None:
             depth = self.headers.get("depth", "infinity")
             lk.append(mktnod("D:depth", depth))
@@ -1674,12 +1729,14 @@ class HttpCli(object):
     def handle_unlock(self)  :
         if self.do_log:
             self.log("UNLOCK %s @%s" % (self.req, self.uname))
+            if "%" in self.req:
+                self.log("   `-- %r" % (self.vpath,))
         if self.args.no_dav:
             raise Pebkac(405, "WebDAV is disabled in server config")
         if not self.can_write and "Microsoft-WebDAV" not in self.ua:
-            self.log("{} tried to lock [{}]".format(self.uname, self.vpath))
+            self.log("%s tried to lock %r" % (self.uname, "/" + self.vpath))
             raise Pebkac(401, "authenticate")
         self.send_headers(None, 204)
@@ -1691,6 +1748,8 @@ class HttpCli(object):
         if self.do_log:
             self.log("MKCOL %s @%s" % (self.req, self.uname))
+            if "%" in self.req:
+                self.log("  `-- %r" % (self.vpath,))
         try:
             return self._mkdir(self.vpath, True)
@@ -1742,6 +1801,8 @@ class HttpCli(object):
     def handle_options(self)  :
         if self.do_log:
             self.log("OPTIONS %s @%s" % (self.req, self.uname))
+            if "%" in self.req:
+                self.log("    `-- %r" % (self.vpath,))
         oh = self.out_headers
         oh["Allow"] = ", ".join(self.conn.hsrv.mallow)
@@ -1757,10 +1818,14 @@ class HttpCli(object):
     def handle_delete(self)  :
         self.log("DELETE %s @%s" % (self.req, self.uname))
+        if "%" in self.req:
+            self.log("   `-- %r" % (self.vpath,))
         return self.handle_rm([])
     def handle_put(self)  :
-        self.log("PUT %s @%s" % (self.req, self.uname))
+        self.log("PUT  %s @%s" % (self.req, self.uname))
+        if "%" in self.req:
+            self.log(" `-- %r" % (self.vpath,))
         if not self.can_write:
             t = "user %s does not have write-access under /%s"
@@ -1779,6 +1844,8 @@ class HttpCli(object):
     def handle_post(self)  :
         self.log("POST %s @%s" % (self.req, self.uname))
+        if "%" in self.req:
+            self.log(" `-- %r" % (self.vpath,))
         if self.headers.get("expect", "").lower() == "100-continue":
             try:
@@ -1823,7 +1890,7 @@ class HttpCli(object):
             if "save" in opt:
                 post_sz, _, _, _, path, _ = self.dump_to_file(False)
-                self.log("urlform: {} bytes, {}".format(post_sz, path))
+                self.log("urlform: %d bytes, %r" % (post_sz, path))
             elif "print" in opt:
                 reader, _ = self.get_body_reader()
                 buf = b""
@@ -1834,8 +1901,8 @@ class HttpCli(object):
                 if buf:
                     orig = buf.decode("utf-8", "replace")
-                    t = "urlform_raw {} @ {}\n  {}\n"
-                    self.log(t.format(len(orig), self.vpath, orig))
+                    t = "urlform_raw %d @ %r\n  %r\n"
+                    self.log(t % (len(orig), "/" + self.vpath, orig))
                     try:
                         zb = unquote(buf.replace(b"+", b" "))
                         plain = zb.decode("utf-8", "replace")
@@ -1861,8 +1928,8 @@ class HttpCli(object):
                                     plain,
                                 )
-                        t = "urlform_dec {} @ {}\n  {}\n"
-                        self.log(t.format(len(plain), self.vpath, plain))
+                        t = "urlform_dec %d @ %r\n  %r\n"
+                        self.log(t % (len(plain), "/" + self.vpath, plain))
                     except Exception as ex:
                         self.log(repr(ex))
@@ -2110,7 +2177,7 @@ class HttpCli(object):
             try:
                 ext = self.conn.hsrv.magician.ext(path)
             except Exception as ex:
-                self.log("filetype detection failed for [{}]: {}".format(path, ex), 6)
+                self.log("filetype detection failed for %r: %s" % (path, ex), 6)
                 ext = None
             if ext:
@@ -2210,8 +2277,8 @@ class HttpCli(object):
     def handle_stash(self, is_put )  :
         post_sz, sha_hex, sha_b64, remains, path, url = self.dump_to_file(is_put)
         spd = self._spd(post_sz)
-        t = "{} wrote {}/{} bytes to {}  # {}"
-        self.log(t.format(spd, post_sz, remains, path, sha_b64[:28]))  # 21
+        t = "%s wrote %d/%d bytes to %r  # %s"
+        self.log(t % (spd, post_sz, remains, path, sha_b64[:28]))  # 21
         ac = self.uparam.get(
             "want", self.headers.get("accept", "").lower().split(";")[-1]
@@ -2241,7 +2308,7 @@ class HttpCli(object):
         flags  ,
     )  :
         now = time.time()
-        t = "bad-chunk:  %.3f  %s  %s  %d  %s  %s  %s"
+        t = "bad-chunk:  %.3f  %s  %s  %d  %s  %s  %r"
         t = t % (now, bad_sha, good_sha, ofs, self.ip, self.uname, ap)
         self.log(t, 5)
@@ -2380,7 +2447,7 @@ class HttpCli(object):
             body = json.loads(json_buf.decode(enc, "replace"))
             try:
                 zds = {k: v for k, v in body.items()}
-                zds["hash"] = "%d chunks" % (len(body["hash"]))
+                zds["hash"] = "%d chunks" % (len(body["hash"]),)
             except:
                 zds = body
             t = "POST len=%d type=%s ip=%s user=%s req=%r json=%s"
@@ -2424,7 +2491,7 @@ class HttpCli(object):
                 if not bos.path.isdir(dst):
                     bos.makedirs(dst)
             except OSError as ex:
-                self.log("makedirs failed [{}]".format(dst))
+                self.log("makedirs failed %r" % (dst,))
                 if not bos.path.isdir(dst):
                     if ex.errno == errno.EACCES:
                         raise Pebkac(500, "the server OS denied write-access")
@@ -2449,7 +2516,7 @@ class HttpCli(object):
             # strip common suffix (uploader's folder structure)
             vp_req, vp_vfs = vroots(self.vpath, vjoin(dbv.vpath, vrem))
             if not ret["purl"].startswith(vp_vfs):
-                t = "share-mapping failed; req=[%s] dbv=[%s] vrem=[%s] n1=[%s] n2=[%s] purl=[%s]"
+                t = "share-mapping failed; req=%r dbv=%r vrem=%r n1=%r n2=%r purl=%r"
                 zt = (self.vpath, dbv.vpath, vrem, vp_req, vp_vfs, ret["purl"])
                 raise Pebkac(500, t % zt)
             ret["purl"] = vp_req + ret["purl"][len(vp_vfs) :]
@@ -2498,13 +2565,13 @@ class HttpCli(object):
             # search by query params
             q = body["q"]
             n = body.get("n", self.args.srch_hits)
-            self.log("qj: {} |{}|".format(q, n))
+            self.log("qj: %r |%d|" % (q, n))
             hits, taglist, trunc = idx.search(self.uname, vols, q, n)
             msg = len(hits)
         idx.p_end = time.time()
         idx.p_dur = idx.p_end - t0
-        self.log("q#: {} ({:.2f}s)".format(msg, idx.p_dur))
+        self.log("q#: %r (%.2fs)" % (msg, idx.p_dur))
         order = []
         for t in self.args.mte:
@@ -2615,7 +2682,7 @@ class HttpCli(object):
                 t = "your client is sending %d bytes which is too much (server expected %d bytes at most)"
                 raise Pebkac(400, t % (remains, maxsize))
-            t = "writing %s %s+%d #%d+%d %s"
+            t = "writing %r %s+%d #%d+%d %s"
             chunkno = cstart0[0] // chunksize
             zs = " ".join([chashes[0][:15]] + [x[:9] for x in chashes[1:]])
             self.log(t % (path, cstart0, remains, chunkno, len(chashes), zs))
@@ -2727,7 +2794,7 @@ class HttpCli(object):
         cinf = self.headers.get("x-up2k-stat", "")
         spd = self._spd(postsize)
-        self.log("{:70} thank {}".format(spd, cinf))
+        self.log("%70s thank %r" % (spd, cinf))
         self.reply(b"thank")
         return True
@@ -2806,7 +2873,7 @@ class HttpCli(object):
                 logpwd = "%" + ub64enc(zb[:12]).decode("ascii")
             if pwd != "x":
-                self.log("invalid password: {}".format(logpwd), 3)
+                self.log("invalid password: %r" % (logpwd,), 3)
                 self.cbonk(self.conn.hsrv.gpwd, pwd, "pw", "invalid passwords")
             msg = "naw dude"
@@ -2841,7 +2908,7 @@ class HttpCli(object):
         rem = sanitize_vpath(rem, "/")
         fn = vfs.canonical(rem)
         if not fn.startswith(vfs.realpath):
-            self.log("invalid mkdir [%s] [%s]" % (self.gctx, vpath), 1)
+            self.log("invalid mkdir %r %r" % (self.gctx, vpath), 1)
             raise Pebkac(422)
         if not nullwrite:
@@ -3006,9 +3073,9 @@ class HttpCli(object):
                         elif bos.path.exists(abspath):
                             try:
                                 wunlink(self.log, abspath, vfs.flags)
-                                t = "overwriting file with new upload: %s"
+                                t = "overwriting file with new upload: %r"
                             except:
-                                t = "toctou while deleting for ?replace: %s"
+                                t = "toctou while deleting for ?replace: %r"
                             self.log(t % (abspath,))
                 else:
                     open_args = {}
@@ -3091,7 +3158,7 @@ class HttpCli(object):
                     f, tnam = ren_open(tnam, "wb", self.args.iobuf, **open_args)
                     try:
                         tabspath = os.path.join(fdir, tnam)
-                        self.log("writing to {}".format(tabspath))
+                        self.log("writing to %r" % (tabspath,))
                         sz, sha_hex, sha_b64 = copier(
                             p_data, f, hasher, max_sz, self.args.s_wr_slp
                         )
@@ -3276,7 +3343,7 @@ class HttpCli(object):
             jmsg["files"].append(jpart)
         vspd = self._spd(sz_total, False)
-        self.log("{} {}".format(vspd, msg))
+        self.log("%s %r" % (vspd, msg))
         suf = ""
         if not nullwrite and self.args.write_uplog:
@@ -3537,7 +3604,7 @@ class HttpCli(object):
         if req == zs:
             return True
-        t = "wrong dirkey, want %s, got %s\n  vp: %s\n  ap: %s"
+        t = "wrong dirkey, want %s, got %s\n  vp: %r\n  ap: %r"
         self.log(t % (zs, req, self.req, ap), 6)
         return False
@@ -3565,7 +3632,7 @@ class HttpCli(object):
         if req == zs:
             return True
-        t = "wrong filekey, want %s, got %s\n  vp: %s\n  ap: %s"
+        t = "wrong filekey, want %s, got %s\n  vp: %r\n  ap: %r"
         self.log(t % (zs, req, self.req, ap), 6)
         return False
@@ -3613,6 +3680,7 @@ class HttpCli(object):
         return logues, readmes
     def _expand(self, txt , phs )  :
+        ptn_hsafe = RE_HSAFE
         for ph in phs:
             if ph.startswith("hdr."):
                 sv = str(self.headers.get(ph[4:], ""))
@@ -3627,10 +3695,10 @@ class HttpCli(object):
             elif ph == "srv.htime":
                 sv = datetime.now(UTC).strftime("%Y-%m-%d, %H:%M:%S")
             else:
-                self.log("unknown placeholder in server config: [%s]" % (ph), 3)
+                self.log("unknown placeholder in server config: [%s]" % (ph,), 3)
                 continue
-            sv = self.conn.hsrv.ptn_hsafe.sub("_", sv)
+            sv = ptn_hsafe.sub("_", sv)
             txt = txt.replace("{{%s}}" % (ph,), sv)
         return txt
@@ -3784,7 +3852,7 @@ class HttpCli(object):
                 self.pipes.set(req_path, job)
             except Exception as ex:
                 if getattr(ex, "errno", 0) != errno.ENOENT:
-                    self.log("will not pipe [%s]; %s" % (ap_data, ex), 6)
+                    self.log("will not pipe %r; %s" % (ap_data, ex), 6)
                 ptop = None
         #
@@ -4072,7 +4140,7 @@ class HttpCli(object):
             if lower >= data_end:
                 if data_end:
                     t = "pipe: uploader is too slow; aborting download at %.2f MiB"
-                    self.log(t % (data_end / M))
+                    self.log(t % (data_end / M,))
                     raise Pebkac(416, "uploader is too slow")
                 raise Pebkac(416, "no data available yet; please retry in a bit")
@@ -4216,7 +4284,7 @@ class HttpCli(object):
         cdis = "attachment; filename=\"{}.{}\"; filename*=UTF-8''{}.{}"
         cdis = cdis.format(afn, ext, ufn, ext)
-        self.log(cdis)
+        self.log(repr(cdis))
         self.send_headers(None, mime=mime, headers={"Content-Disposition": cdis})
         fgen = vn.zipgen(
@@ -4878,9 +4946,9 @@ class HttpCli(object):
                 raise Pebkac(500, "sqlite3 not found on server; unpost is disabled")
             raise Pebkac(500, "server busy, cannot unpost; please retry in a bit")
-        filt = self.uparam.get("filter") or ""
-        lm = "ups [{}]".format(filt)
-        self.log(lm)
+        zs = self.uparam.get("filter") or ""
+        filt = re.compile(zs, re.I) if zs else None
+        lm = "ups %r" % (zs,)
         if self.args.shr and self.vpath.startswith(self.args.shr1):
             shr_dbv, shr_vrem = self.vn.get_dbv(self.rem)
@@ -4921,13 +4989,18 @@ class HttpCli(object):
             nfk, fk_alg = fk_vols.get(vol) or (0, 0)
-            q = "select sz, rd, fn, at from up where ip=? and at>?"
+            n = 2000
+            q = "select sz, rd, fn, at from up where ip=? and at>? order by at desc"
             for sz, rd, fn, at in cur.execute(q, (self.ip, lim)):
                 vp = "/" + "/".join(x for x in [vol.vpath, rd, fn] if x)
-                if filt and filt not in vp:
+                if filt and not filt.search(vp):
                     continue
-                rv = {"vp": quotep(vp), "sz": sz, "at": at, "nfk": nfk}
+                n -= 1
+                if not n:
+                    break
+                rv = {"vp": vp, "sz": sz, "at": at, "nfk": nfk}
                 if nfk:
                     rv["ap"] = vol.canonical(vjoin(rd, fn))
                     rv["fk_alg"] = fk_alg
@@ -4938,8 +5011,12 @@ class HttpCli(object):
                     ret = ret[:2000]
         ret.sort(key=lambda x: x["at"], reverse=True)  # type: ignore
-        n = 0
-        for rv in ret[:11000]:
+        if len(ret) > 2000:
+            ret = ret[:2000]
+        for rv in ret:
+            rv["vp"] = quotep(rv["vp"])
             nfk = rv.pop("nfk")
             if not nfk:
                 continue
@@ -4956,12 +5033,6 @@ class HttpCli(object):
             )
             rv["vp"] += "?k=" + fk[:nfk]
-            n += 1
-            if n > 2000:
-                break
-        ret = ret[:2000]
         if shr_dbv:
             # translate vpaths from share-target to share-url
             # to satisfy access checks
@@ -4984,6 +5055,126 @@ class HttpCli(object):
         self.reply(jtxt.encode("utf-8", "replace"), mime="application/json")
         return True
+    def tx_rups(self)  :
+        if self.args.no_ups_page:
+            raise Pebkac(500, "listing of recent uploads is disabled in server config")
+        idx = self.conn.get_u2idx()
+        if not idx or not hasattr(idx, "p_end"):
+            if not HAVE_SQLITE3:
+                raise Pebkac(500, "sqlite3 not found on server; recent-uploads n/a")
+            raise Pebkac(500, "server busy, cannot list recent uploads; please retry")
+        sfilt = self.uparam.get("filter") or ""
+        filt = re.compile(sfilt, re.I) if sfilt else None
+        lm = "ru %r" % (sfilt,)
+        self.log(lm)
+        ret   = []
+        t0 = time.time()
+        allvols = [
+            x
+            for x in self.asrv.vfs.all_vols.values()
+            if "e2d" in x.flags and ("*" in x.axs.uread or self.uname in x.axs.uread)
+        ]
+        fk_vols = {
+            vol: (vol.flags["fk"], 2 if "fka" in vol.flags else 1)
+            for vol in allvols
+            if "fk" in vol.flags and "*" not in vol.axs.uread
+        }
+        for vol in allvols:
+            cur = idx.get_cur(vol)
+            if not cur:
+                continue
+            nfk, fk_alg = fk_vols.get(vol) or (0, 0)
+            adm = "*" in vol.axs.uadmin or self.uname in vol.axs.uadmin
+            dots = "*" in vol.axs.udot or self.uname in vol.axs.udot
+            n = 1000
+            q = "select sz, rd, fn, ip, at from up where at>0 order by at desc"
+            for sz, rd, fn, ip, at in cur.execute(q):
+                vp = "/" + "/".join(x for x in [vol.vpath, rd, fn] if x)
+                if filt and not filt.search(vp):
+                    continue
+                if not dots and "/." in vp:
+                    continue
+                rv = {
+                    "vp": vp,
+                    "sz": sz,
+                    "ip": ip,
+                    "at": at,
+                    "nfk": nfk,
+                    "adm": adm,
+                }
+                if nfk:
+                    rv["ap"] = vol.canonical(vjoin(rd, fn))
+                    rv["fk_alg"] = fk_alg
+                ret.append(rv)
+                if len(ret) > 2000:
+                    ret.sort(key=lambda x: x["at"], reverse=True)  # type: ignore
+                    ret = ret[:1000]
+                n -= 1
+                if not n:
+                    break
+        ret.sort(key=lambda x: x["at"], reverse=True)  # type: ignore
+        if len(ret) > 1000:
+            ret = ret[:1000]
+        for rv in ret:
+            rv["vp"] = quotep(rv["vp"])
+            nfk = rv.pop("nfk")
+            if not nfk:
+                continue
+            alg = rv.pop("fk_alg")
+            ap = rv.pop("ap")
+            try:
+                st = bos.stat(ap)
+            except:
+                continue
+            fk = self.gen_fk(
+                alg, self.args.fk_salt, ap, st.st_size, 0 if ANYWIN else st.st_ino
+            )
+            rv["vp"] += "?k=" + fk[:nfk]
+        if self.args.ups_when:
+            for rv in ret:
+                adm = rv.pop("adm")
+                if not adm:
+                    rv["ip"] = "(You)" if rv["ip"] == self.ip else "(?)"
+        else:
+            for rv in ret:
+                adm = rv.pop("adm")
+                if not adm:
+                    rv["ip"] = "(You)" if rv["ip"] == self.ip else "(?)"
+                    rv["at"] = 0
+        if self.is_vproxied:
+            for v in ret:
+                v["vp"] = self.args.SR + v["vp"]
+        now = time.time()
+        self.log("%s #%d %.2fsec" % (lm, len(ret), now - t0))
+        ret2 = {"now": int(now), "filter": sfilt, "ups": ret}
+        jtxt = json.dumps(ret2, separators=(",\n", ": "))
+        if "j" in self.ouparam:
+            self.reply(jtxt.encode("utf-8", "replace"), mime="application/json")
+            return True
+        html = self.j2s("rups", this=self, v=jtxt)
+        self.reply(html.encode("utf-8"), status=200)
+        return True
     def tx_shares(self)  :
         if self.uname == "*":
             self.loud_reply("you're not logged in")
@@ -5689,7 +5880,7 @@ class HttpCli(object):
                 linf = stats.get(fn) or bos.lstat(fspath)
                 inf = bos.stat(fspath) if stat.S_ISLNK(linf.st_mode) else linf
             except:
-                self.log("broken symlink: {}".format(repr(fspath)))
+                self.log("broken symlink: %r" % (fspath,))
                 continue
             is_dir = stat.S_ISDIR(inf.st_mode)
@@ -5803,8 +5994,7 @@ class HttpCli(object):
                     erd_efn = s3enc(idx.mem_cur, rd, fn)
                     r = icur.execute(q, erd_efn)
                 except:
-                    t = "tag read error, {}/{}\n{}"
-                    self.log(t.format(rd, fn, min_ex()))
+                    self.log("tag read error, %r / %r\n%s" % (rd, fn, min_ex()))
                     break
             tags = {k: v for k, v in r}
@@ -5924,10 +6114,10 @@ class HttpCli(object):
                     if doc.lower().endswith(".md") and "exp" in vn.flags:
                         doctxt = self._expand(doctxt, vn.flags.get("exp_md") or [])
                 else:
-                    self.log("doc 2big: [{}]".format(doc), c=6)
+                    self.log("doc 2big: %r" % (doc,), 6)
                     doctxt = "( size of textfile exceeds serverside limit )"
             else:
-                self.log("doc 404: [{}]".format(doc), c=6)
+                self.log("doc 404: %r" % (doc,), 6)
                 doctxt = "( textfile not found )"
             if doctxt is not None:

copyparty 1.16.5__py3-none-any.whl → 1.16.7__py3-none-any.whl

copyparty 1.16.5py3-none-any.whl → 1.16.7py3-none-any.whl