copyparty 1.19.16__tar.gz → 1.19.17__tar.gz

{copyparty-1.19.16 → copyparty-1.19.17}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: copyparty
-Version: 1.19.16
+Version: 1.19.17
 Summary:   Portable file server with accelerated resumable uploads, deduplication, WebDAV, FTP, zeroconf, media indexer, video thumbnails, audio transcoding, and write-only folders
 Author-email: ed <copyparty@ocv.me>
 License: MIT
@@ -588,6 +588,9 @@ examples:
 
 if you want to grant access to all users who are logged in, the group `acct` will always contain all known users, so for example `-v /mnt/music:music:r,@acct`
 
+* to do the opposite, granting access to everyone who is NOT logged in. `*,-@acct` does the trick, for example `-v /srv/welcome:welcome:r,*,-@acct`
+* single users can also be subtracted from a group: `@admins,-james`
+
 anyone trying to bruteforce a password gets banned according to `--ban-pw`; default is 24h ban for 9 failed attempts in 1 hour
 
 and if you want to use config files instead of commandline args (good!) then here's the same examples as a configfile; save it as `foobar.conf` and use it like this: `python copyparty-sfx.py -c foobar.conf`
@@ -1558,7 +1561,12 @@ tweaking the ui
   * to sort in music order (album, track, artist, title) with filename as fallback, you could `--sort tags/Circle,tags/.tn,tags/Artist,tags/Title,href`
   * to sort by upload date, first enable showing the upload date in the listing with `-e2d -mte +.up_at` and then `--sort tags/.up_at`
 
-see [./docs/rice](./docs/rice) for more, including how to add stuff (css/`<meta>`/...) to the html `<head>` tag, or to add your own translation
+see [./docs/rice](./docs/rice) for more, including:
+* how to [hide ui-elements](./docs/rice/README.md#hide-ui-elements)
+* [custom fonts](./docs/rice/README.md#custom-fonts)
+* [custom loading-spinner](./docs/rice/README.md#boring-loader-spinner)
+* adding stuff (css/`<meta>`/...) [to the html `<head>` tag](./docs/rice/README.md#head)
+* [adding your own translation](./docs/rice/README.md#translations)
 
 
 ## opengraph

{copyparty-1.19.16 → copyparty-1.19.17}/README.md

@@ -523,6 +523,9 @@ examples:
 
 if you want to grant access to all users who are logged in, the group `acct` will always contain all known users, so for example `-v /mnt/music:music:r,@acct`
 
+* to do the opposite, granting access to everyone who is NOT logged in. `*,-@acct` does the trick, for example `-v /srv/welcome:welcome:r,*,-@acct`
+* single users can also be subtracted from a group: `@admins,-james`
+
 anyone trying to bruteforce a password gets banned according to `--ban-pw`; default is 24h ban for 9 failed attempts in 1 hour
 
 and if you want to use config files instead of commandline args (good!) then here's the same examples as a configfile; save it as `foobar.conf` and use it like this: `python copyparty-sfx.py -c foobar.conf`
@@ -1493,7 +1496,12 @@ tweaking the ui
   * to sort in music order (album, track, artist, title) with filename as fallback, you could `--sort tags/Circle,tags/.tn,tags/Artist,tags/Title,href`
   * to sort by upload date, first enable showing the upload date in the listing with `-e2d -mte +.up_at` and then `--sort tags/.up_at`
 
-see [./docs/rice](./docs/rice) for more, including how to add stuff (css/`<meta>`/...) to the html `<head>` tag, or to add your own translation
+see [./docs/rice](./docs/rice) for more, including:
+* how to [hide ui-elements](./docs/rice/README.md#hide-ui-elements)
+* [custom fonts](./docs/rice/README.md#custom-fonts)
+* [custom loading-spinner](./docs/rice/README.md#boring-loader-spinner)
+* adding stuff (css/`<meta>`/...) [to the html `<head>` tag](./docs/rice/README.md#head)
+* [adding your own translation](./docs/rice/README.md#translations)
 
 
 ## opengraph

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/__init__.py

@@ -97,6 +97,25 @@ web/splash.html
 web/splash.js
 web/svcs.html
 web/svcs.js
+web/tl/chi.js
+web/tl/cze.js
+web/tl/deu.js
+web/tl/epo.js
+web/tl/fin.js
+web/tl/fra.js
+web/tl/grc.js
+web/tl/ita.js
+web/tl/kor.js
+web/tl/nld.js
+web/tl/nno.js
+web/tl/nor.js
+web/tl/pol.js
+web/tl/por.js
+web/tl/rus.js
+web/tl/spa.js
+web/tl/swe.js
+web/tl/tur.js
+web/tl/ukr.js
 web/ui.css
 web/up2k.js
 web/util.js

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/__main__.py

@@ -641,8 +641,11 @@ def get_sects():
             if no accounts or volumes are configured,
             current folder will be read/write for everyone
 
-            the group @acct will always have every user with an account
-            (the name of that group can be changed with --grp-all)
+            the group \033[33m@acct\033[0m will always have every user with an account
+            (the name of that group can be changed with \033[32m--grp-all\033[0m)
+
+            to hide a volume from authenticated users, specify \033[33m*,-@acct\033[0m
+            to subtract \033[33m@acct\033[0m from \033[33m*\033[0m (can subtract users from groups too)
 
             consider the config file for more flexible account/volume management,
             including dynamic reload at runtime (and being more readable w)
@@ -664,12 +667,12 @@ def get_sects():
 
             send the password in the '\033[36mPW\033[0m' http-header:
               \033[36mPW: \033[35mhunter2\033[0m
-            or if you have \033[33m--accounts\033[0m enabled,
+            or if you have \033[33m--usernames\033[0m enabled,
               \033[36mPW: \033[35med:hunter2\033[0m
 
             send the password in the URL itself:
               \033[36mhttp://127.0.0.1:3923/\033[35m?pw=hunter2\033[0m
-            or if you have \033[33m--accounts\033[0m enabled,
+            or if you have \033[33m--usernames\033[0m enabled,
               \033[36mhttp://127.0.0.1:3923/\033[35m?pw=ed:hunter2\033[0m
 
             use basic-authentication:
@@ -1166,6 +1169,7 @@ def add_general(ap, nc, srvname):
     ap2.add_argument("--rmagic", action="store_true", help="do expensive analysis to improve accuracy of returned mimetypes; will make file-downloads, rss, and webdav slower (volflag=rmagic)")
     ap2.add_argument("--license", action="store_true", help="show licenses and exit")
     ap2.add_argument("--version", action="store_true", help="show versions and exit")
+    ap2.add_argument("--versionb", action="store_true", help="show version and exit")
 
 
 def add_qr(ap, tty):
@@ -1233,6 +1237,7 @@ def add_upload(ap):
     ap2.add_argument("--hardlink-only", action="store_true", help="do not fallback to symlinks when a hardlink cannot be made (volflag=hardlinkonly)")
     ap2.add_argument("--reflink", action="store_true", help="enable reflink-based dedup; will fallback on full copies when that is impossible (non-CoW filesystem) (volflag=reflink)")
     ap2.add_argument("--no-dupe", action="store_true", help="reject duplicate files during upload; only matches within the same volume (volflag=nodupe)")
+    ap2.add_argument("--no-dupe-m", action="store_true", help="also reject dupes when moving a file into another volume (volflag=nodupem)")
     ap2.add_argument("--no-clone", action="store_true", help="do not use existing data on disk to satisfy dupe uploads; reduces server HDD reads in exchange for much more network load (volflag=noclone)")
     ap2.add_argument("--no-snap", action="store_true", help="disable snapshots -- forget unfinished uploads on shutdown; don't create .hist/up2k.snap files -- abandoned/interrupted uploads must be cleaned up manually")
     ap2.add_argument("--snap-wri", metavar="SEC", type=int, default=300, help="write upload state to ./hist/up2k.snap every \033[33mSEC\033[0m seconds; allows resuming incomplete uploads after a server crash")
@@ -1520,6 +1525,7 @@ def add_optouts(ap):
     ap2.add_argument("--no-pipe", action="store_true", help="disable race-the-beam (lockstep download of files which are currently being uploaded) (volflag=nopipe)")
     ap2.add_argument("--no-tail", action="store_true", help="disable streaming a growing files with ?tail (volflag=notail)")
     ap2.add_argument("--no-db-ip", action="store_true", help="do not write uploader-IP into the database; will also disable unpost, you may want \033[32m--forget-ip\033[0m instead (volflag=no_db_ip)")
+    ap2.add_argument("--no-zls", action="store_true", help="disable browsing the contents of zip/cbz files, does not affect thumbnails")
 
 
 def add_safety(ap):
@@ -1538,6 +1544,7 @@ def add_safety(ap):
     ap2.add_argument("--force-js", action="store_true", help="don't send folder listings as HTML, force clients to use the embedded json instead -- slight protection against misbehaving search engines which ignore \033[33m--no-robots\033[0m")
     ap2.add_argument("--no-robots", action="store_true", help="adds http and html headers asking search engines to not index anything (volflag=norobots)")
     ap2.add_argument("--logout", metavar="H", type=float, default=8086.0, help="logout clients after \033[33mH\033[0m hours of inactivity; [\033[32m0.0028\033[0m]=10sec, [\033[32m0.1\033[0m]=6min, [\033[32m24\033[0m]=day, [\033[32m168\033[0m]=week, [\033[32m720\033[0m]=month, [\033[32m8760\033[0m]=year)")
+    ap2.add_argument("--dont-ban", metavar="TXT", type=u, default="no", help="anyone at this accesslevel or above will not get banned: [\033[32mav\033[0m]=admin-in-volume, [\033[32maa\033[0m]=has-admin-anywhere, [\033[32mrw\033[0m]=read-write, [\033[32mauth\033[0m]=authenticated, [\033[32many\033[0m]=disable-all-bans, [\033[32mno\033[0m]=anyone-can-get-banned")
     ap2.add_argument("--ban-pw", metavar="N,W,B", type=u, default="9,60,1440", help="more than \033[33mN\033[0m wrong passwords in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; disable with [\033[32mno\033[0m]")
     ap2.add_argument("--ban-pwc", metavar="N,W,B", type=u, default="5,60,1440", help="more than \033[33mN\033[0m password-changes in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; disable with [\033[32mno\033[0m]")
     ap2.add_argument("--ban-404", metavar="N,W,B", type=u, default="50,60,1440", help="hitting more than \033[33mN\033[0m 404's in \033[33mW\033[0m minutes = ban for \033[33mB\033[0m minutes; only affects users who cannot see directory listings because their access is either g/G/h")
@@ -1602,12 +1609,14 @@ def add_admin(ap):
     ap2 = ap.add_argument_group("admin panel options")
     ap2.add_argument("--no-reload", action="store_true", help="disable ?reload=cfg (reload users/volumes/volflags from config file)")
     ap2.add_argument("--no-rescan", action="store_true", help="disable ?scan (volume reindexing)")
-    ap2.add_argument("--no-stack", action="store_true", help="disable ?stack (list all stacks)")
+    ap2.add_argument("--no-stack", action="store_true", help="disable ?stack (list all stacks); same as --stack-who=no")
     ap2.add_argument("--no-ups-page", action="store_true", help="disable ?ru (list of recent uploads)")
     ap2.add_argument("--no-up-list", action="store_true", help="don't show list of incoming files in controlpanel")
     ap2.add_argument("--dl-list", metavar="LVL", type=int, default=2, help="who can see active downloads in the controlpanel? [\033[32m0\033[0m]=nobody, [\033[32m1\033[0m]=admins, [\033[32m2\033[0m]=everyone")
     ap2.add_argument("--ups-who", metavar="LVL", type=int, default=2, help="who can see recent uploads on the ?ru page? [\033[32m0\033[0m]=nobody, [\033[32m1\033[0m]=admins, [\033[32m2\033[0m]=everyone (volflag=ups_who)")
     ap2.add_argument("--ups-when", action="store_true", help="let everyone see upload timestamps on the ?ru page, not just admins")
+    ap2.add_argument("--stack-who", metavar="LVL", type=u, default="a", help="who can see the ?stack page (list of threads)? [\033[32mno\033[0m]=nobody, [\033[32ma\033[0m]=admins, [\033[32mrw\033[0m]=read+write, [\033[32mall\033[0m]=everyone")
+    ap2.add_argument("--stack-v", action="store_true", help="verbose ?stack")
 
 
 def add_thumbnail(ap):
@@ -1805,6 +1814,15 @@ def add_ui(ap, retry ):
     ap2.add_argument("--lg-sba", metavar="TXT", type=u, default="", help="the value of the iframe 'allow' attribute for prologue/epilogue docs (volflag=lg_sba); see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy#iframes")
     ap2.add_argument("--no-sb-md", action="store_true", help="don't sandbox README/PREADME.md documents (volflags: no_sb_md | sb_md)")
     ap2.add_argument("--no-sb-lg", action="store_true", help="don't sandbox prologue/epilogue docs (volflags: no_sb_lg | sb_lg); enables non-js support")
+    ap2.add_argument("--ui-nombar", action="store_true", help="hide top-menu in the UI (volflag=ui_nombar)")
+    ap2.add_argument("--ui-noacci", action="store_true", help="hide account-info in the UI (volflag=ui_noacci)")
+    ap2.add_argument("--ui-nosrvi", action="store_true", help="hide server-info in the UI (volflag=ui_nosrvi)")
+    ap2.add_argument("--ui-nonav", action="store_true", help="hide navpane+breadcrumbs (volflag=ui_nonav)")
+    ap2.add_argument("--ui-notree", action="store_true", help="hide navpane in the UI (volflag=ui_nonav)")
+    ap2.add_argument("--ui-nocpla", action="store_true", help="hide cpanel-link in the UI (volflag=ui_nocpla)")
+    ap2.add_argument("--ui-nolbar", action="store_true", help="hide link-bar in the UI (volflag=ui_nolbar)")
+    ap2.add_argument("--ui-noctxb", action="store_true", help="hide context-buttons in the UI (volflag=ui_noctxb)")
+    ap2.add_argument("--ui-norepl", action="store_true", help="hide repl-button in the UI (volflag=ui_norepl)")
     ap2.add_argument("--have-unlistc", action="store_true", help=argparse.SUPPRESS)
 
 
@@ -1932,15 +1950,19 @@ def run_argparse(
 
 
 def main(argv  = None)  :
+    if argv is None:
+        argv = sys.argv
+
+    if "--versionb" in argv:
+        print(S_VERSION)
+        sys.exit(0)
+
     time.strptime("19970815", "%Y%m%d")  # python#7980
     if WINDOWS:
         os.system("rem")  # enables colors
 
     init_E(E)
 
-    if argv is None:
-        argv = sys.argv
-
     f = '\033[36mcopyparty v{} "\033[35m{}\033[36m" ({})\n{}\033[0;36m\n   sqlite {} | jinja {} | pyftpd {} | tftp {}\n\033[0m'
     f = f.format(
         S_VERSION,
@@ -2067,7 +2089,7 @@ def main(argv  = None)  :
 
     # propagate implications
     for k1, k2 in IMPLICATIONS:
-        if getattr(al, k1):
+        if getattr(al, k1, None):
             setattr(al, k2, True)
 
     # propagate unplications

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 19, 16)
+VERSION = (1, 19, 17)
 CODENAME = "usernames"
-BUILD_DT = (2025, 10, 5)
+BUILD_DT = (2025, 10, 17)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/authsrv.py

@@ -1961,9 +1961,18 @@ class AuthSrv(object):
             axs_key = "u" + perm
             for vp, vol in vfs.all_vols.items():
                 zx = getattr(vol.axs, axs_key)
-                if "*" in zx:
+                if "*" in zx and "-@acct" not in zx:
                     for usr in unames:
                         zx.add(usr)
+                for zs in list(zx):
+                    if zs.startswith("-"):
+                        zx.discard(zs)
+                        zs = zs[1:]
+                        zx.discard(zs)
+                        if zs.startswith("@"):
+                            zs = zs[1:]
+                            for zs in grps.get(zs) or []:
+                                zx.discard(zs)
 
             # aread,... = dict[uname, list[volnames] or []]
             umap   = {x: [] for x in unames}
@@ -2577,6 +2586,15 @@ class AuthSrv(object):
                     for x in drop:
                         vol.flags.pop(x)
 
+            zi = vol.flags.get("lifetime") or 0
+            zi2 = time.time() // (86400 * 365)
+            zi3 = zi2 * 86400 * 365
+            if zi < 0 or zi > zi3:
+                t = "the lifetime of volume [/%s] (%d) exceeds max value (%d years; %d)"
+                t = t % (vol.vpath, zi, zi2, zi3)
+                self.log(t, 1)
+                raise Exception(t)
+
             # verify tags mentioned by -mt[mp] are used by -mte
             local_mtp = {}
             local_only_mtp = {}
@@ -2743,9 +2761,13 @@ class AuthSrv(object):
                 ["uadmin", "uadmin"],
             ]:
                 u = list(sorted(getattr(zv.axs, attr)))
-                u = ["*"] if "*" in u else u
-                u = ", ".join("\033[35meverybody\033[0m" if x == "*" else x for x in u)
-                u = u if u else "\033[36m--none--\033[0m"
+                if u == ["*"] and acct:
+                    u = ["\033[35monly-anonymous\033[0m"]
+                elif "*" in u:
+                    u = ["\033[35meverybody\033[0m"]
+                if not u:
+                    u = ["\033[36m--none--\033[0m"]
+                u = ", ".join(u)
                 t += "\n|  {}:  {}".format(txt, u)
 
             if "e2d" in zv.flags:
@@ -2857,8 +2879,6 @@ class AuthSrv(object):
 
         if have_reflink:
             t = "WARNING: Reflink-based dedup was requested, but %s. This will not work; files will be full copies instead."
-            if sys.version_info < (3, 14):
-                self.log(t % "your python version is not new enough", 1)
             if not sys.platform.startswith("linux"):
                 self.log(t % "your OS is not Linux", 1)
 
@@ -3016,6 +3036,7 @@ class AuthSrv(object):
                 "have_shr": self.args.shr,
                 "shr_who": vf["shr_who"],
                 "have_zip": not self.args.no_zip,
+                "have_zls": not self.args.no_zls,
                 "have_mv": not self.args.no_mv,
                 "have_del": not self.args.no_del,
                 "have_unpost": int(self.args.unpost),
@@ -3052,6 +3073,10 @@ class AuthSrv(object):
                 "lifetime": vn.js_ls["lifetime"],
                 "u2sort": self.args.u2sort,
             }
+            zs = "ui_noacci ui_nocpla ui_noctxb ui_nolbar ui_nombar ui_nonav ui_notree ui_norepl ui_nosrvi"
+            for zs in zs.split():
+                if vf.get(zs):
+                    js_htm[zs] = 1
             vn.js_htm = json_hesc(json.dumps(js_htm))
 
         vols = list(vfs.all_nodes.values())

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/bos/bos.py

@@ -99,7 +99,11 @@ def utime(
 
 
 def utime_c(
-    log  , p , ts , follow_symlinks  = True, throw  = False
+    log  ,
+    p ,
+    ts ,
+    follow_symlinks  = True,
+    throw  = False,
 )  :
     clamp = 0
     ov = ts

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/cfg.py

@@ -19,6 +19,7 @@ def vf_bmap()   :
         "no_clone": "noclone",
         "no_dirsz": "nodirsz",
         "no_dupe": "nodupe",
+        "no_dupe_m": "nodupem",
         "no_forget": "noforget",
         "no_pipe": "nopipe",
         "no_robots": "norobots",
@@ -58,6 +59,15 @@ def vf_bmap()   :
         "rm_partial",
         "rmagic",
         "rss",
+        "ui_noacci",
+        "ui_nocpla",
+        "ui_nolbar",
+        "ui_nombar",
+        "ui_nonav",
+        "ui_notree",
+        "ui_norepl",
+        "ui_nosrvi",
+        "ui_noctxb",
         "wo_up_readme",
         "wram",
         "xdev",
@@ -189,6 +199,7 @@ flagcats = {
         "safededup": "verify on-disk data before using it for dedup",
         "noclone": "take dupe data from clients, even if available on HDD",
         "nodupe": "rejects existing files (instead of linking/cloning them)",
+        "nodupem": "rejects existing files during moves as well",
         "chmod_d=755": "unix-permission for new dirs/folders",
         "chmod_f=644": "unix-permission for new files",
         "uid=573": "change owner of new files/folders to unix-user 573",
@@ -325,6 +336,15 @@ flagcats = {
         "md_sba": "value of iframe allow-prop for markdown-sandbox",
         "lg_sba": "value of iframe allow-prop for *logue-sandbox",
         "nohtml": "return html and markdown as text/html",
+        "ui_noacci": "hide account-info in the UI",
+        "ui_nocpla": "hide cpanel-link in the UI",
+        "ui_nolbar": "hide link-bar in the UI",
+        "ui_nombar": "hide top-menu in the UI",
+        "ui_nonav": "hide navpane+breadcrumbs in the UI",
+        "ui_notree": "hide navpane in the UI",
+        "ui_norepl": "hide repl-button in the UI",
+        "ui_nosrvi": "hide server-info in the UI",
+        "ui_noctxb": "hide context-buttons in the UI",
     },
     "opengraph (discord embeds)": {
         "og": "enable OG (disables hotlinking)",

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/ftpd.py

@@ -247,7 +247,7 @@ class FtpFs(AbstractedFS):
 
         if w and need_unlink:
             if td >= -1 and td <= self.args.ftp_wt:
-                # within permitted timeframe; unlink and accept
+                # within permitted timeframe; allow overwrite or resume
                 do_it = True
             elif self.args.no_del or self.args.ftp_no_ow:
                 # file too old, or overwrite not allowed; reject
@@ -264,7 +264,9 @@ class FtpFs(AbstractedFS):
             if not do_it:
                 raise FSE("File already exists")
 
-            wunlink(self.log, ap, VF_CAREFUL)
+            # Don't unlink file for append mode
+            elif "a" not in mode:
+                wunlink(self.log, ap, VF_CAREFUL)
 
         ret = open(fsenc(ap), mode, self.args.iobuf)
         if w and "fperms" in vfs.flags:
@@ -505,7 +507,7 @@ class FtpHandler(FTPHandler):
                 0,
                 self.cli_ip,
                 time.time(),
-                "",
+                None,
             )
             t = hr.get("rejectmsg") or ""
             if t or not hr:

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/httpcli.py

@@ -270,7 +270,7 @@ class HttpCli(object):
         tpl = self.conn.hsrv.j2[name]
         ka["r"] = self.args.SR if self.is_vproxied else ""
         ka["ts"] = self.conn.hsrv.cachebuster()
-        ka["lang"] = self.args.lang
+        ka["lang"] = self.cookies.get("cplng") or self.args.lang
         ka["favico"] = self.args.favico
         ka["s_doctitle"] = self.args.doctitle
         ka["tcolor"] = self.vn.flags["tcolor"]
@@ -857,6 +857,16 @@ class HttpCli(object):
             return self.conn.iphash.s(self.ip)
 
     def cbonk(self, g , v , reason , descr )  :
+        cond = self.args.dont_ban
+        if (
+            cond == "any"
+            or (cond == "auth" and self.uname != "*")
+            or (cond == "aa" and self.avol)
+            or (cond == "av" and self.can_admin)
+            or (cond == "rw" and self.can_read and self.can_write)
+        ):
+            return False
+
         self.conn.hsrv.nsus += 1
         if not g.lim:
             return False
@@ -881,7 +891,7 @@ class HttpCli(object):
             0,
             self.ip,
             time.time(),
-            reason,
+            [reason, reason],
         ):
             self.log("client banned: %s" % (descr,), 1)
             self.conn.hsrv.bans[ip] = bonk
@@ -1516,6 +1526,64 @@ class HttpCli(object):
         self.log("rss: %d hits, %d bytes" % (len(hits), len(bret)))
         return True
 
+    def tx_zls(self, abspath)  :
+        if self.do_log:
+            self.log("zls %s @%s" % (self.req, self.uname))
+        if self.args.no_zls:
+            raise Pebkac(405, "zip browsing is disabled in server config")
+
+        import zipfile
+
+        try:
+            with zipfile.ZipFile(abspath, "r") as zf:
+                filelist = [{"fn": f.filename} for f in zf.infolist()]
+                ret = json.dumps(filelist).encode("utf-8", "replace")
+                self.reply(ret, mime="application/json")
+                return True
+        except (zipfile.BadZipfile, RuntimeError):
+            raise Pebkac(404, "requested file is not a valid zip file")
+
+    def tx_zget(self, abspath)  :
+        maxsz = 1024 * 1024 * 64
+
+        inner_path = self.uparam.get("zget")
+        if not inner_path:
+            raise Pebkac(405, "inner path is required")
+        if self.do_log:
+            self.log(
+                "zget %s \033[35m%s\033[0m @%s" % (self.req, inner_path, self.uname)
+            )
+        if self.args.no_zls:
+            raise Pebkac(405, "zip browsing is disabled in server config")
+
+        import zipfile
+
+        try:
+            with zipfile.ZipFile(abspath, "r") as zf:
+                zi = zf.getinfo(inner_path)
+                if zi.file_size >= maxsz:
+                    raise Pebkac(404, "zip bomb defused")
+                with zf.open(zi, "r") as fi:
+                    self.send_headers(length=zi.file_size, mime=guess_mime(inner_path))
+
+                    sendfile_py(
+                        self.log,
+                        0,
+                        zi.file_size,
+                        fi,
+                        self.s,
+                        self.args.s_wr_sz,
+                        self.args.s_wr_slp,
+                        not self.args.no_poll,
+                        {},
+                        "",
+                    )
+        except KeyError:
+            raise Pebkac(404, "no such file in archive")
+        except (zipfile.BadZipfile, RuntimeError):
+            raise Pebkac(404, "requested file is not a valid zip file")
+        return True
+
     def handle_propfind(self)  :
         if self.do_log:
             self.log("PFIND %s @%s" % (self.req, self.uname))
@@ -2079,7 +2147,7 @@ class HttpCli(object):
                     t = "urlform_raw %d @ %r\n  %r\n"
                     self.log(t % (len(orig), "/" + self.vpath, orig))
                     try:
-                        zb = unquote(buf.replace(b"+", b" "))
+                        zb = unquote(buf.replace(b"+", b" ").replace(b"&", b"\n"))
                         plain = zb.decode("utf-8", "replace")
                         if buf.startswith(b"msg="):
                             plain = plain[4:]
@@ -2100,7 +2168,7 @@ class HttpCli(object):
                                     len(buf),
                                     self.ip,
                                     time.time(),
-                                    plain,
+                                    [plain, orig],
                                 )
 
                         t = "urlform_dec %d @ %r\n  %r\n"
@@ -2259,7 +2327,7 @@ class HttpCli(object):
                 remains,
                 self.ip,
                 at,
-                "",
+                None,
             )
             t = hr.get("rejectmsg") or ""
             if t or not hr:
@@ -2394,7 +2462,7 @@ class HttpCli(object):
                 post_sz,
                 self.ip,
                 at,
-                "",
+                None,
             )
             t = hr.get("rejectmsg") or ""
             if t or not hr:
@@ -3226,7 +3294,7 @@ class HttpCli(object):
                     0,
                     self.ip,
                     time.time(),
-                    "",
+                    None,
                 )
                 t = hr.get("rejectmsg") or ""
                 if t or not hr:
@@ -3398,7 +3466,7 @@ class HttpCli(object):
                         0,
                         self.ip,
                         at,
-                        "",
+                        None,
                     )
                     t = hr.get("rejectmsg") or ""
                     if t or not hr:
@@ -3505,7 +3573,7 @@ class HttpCli(object):
                             sz,
                             self.ip,
                             at,
-                            "",
+                            None,
                         )
                         t = hr.get("rejectmsg") or ""
                         if t or not hr:
@@ -3816,7 +3884,7 @@ class HttpCli(object):
                 0,
                 self.ip,
                 time.time(),
-                "",
+                None,
             )
             t = hr.get("rejectmsg") or ""
             if t or not hr:
@@ -3864,7 +3932,7 @@ class HttpCli(object):
                 sz,
                 self.ip,
                 new_lastmod,
-                "",
+                None,
             )
             t = hr.get("rejectmsg") or ""
             if t or not hr:
@@ -4998,7 +5066,7 @@ class HttpCli(object):
             "edit": "edit" in self.uparam,
             "title": html_escape(self.vpath, crlf=True),
             "lastmod": int(ts_md * 1000),
-            "lang": self.args.lang,
+            "lang": self.cookies.get("cplng") or self.args.lang,
             "favico": self.args.favico,
             "have_emp": int(self.args.emp),
             "md_no_br": int(vn.flags.get("md_no_br") or 0),
@@ -5383,13 +5451,20 @@ class HttpCli(object):
         return self.redirect("", "?h", x.get(), "return to", False)
 
     def tx_stack(self)  :
-        if not self.avol and not [x for x in self.wvol if x in self.rvol]:
+        zs = self.args.stack_who
+        if zs == "all" or (
+            (zs == "a" and self.avol)
+            or (zs == "rw" and [x for x in self.wvol if x in self.rvol])
+        ):
+            pass
+        else:
             raise Pebkac(403, "'stack' not allowed for user " + self.uname)
 
-        if self.args.no_stack:
-            raise Pebkac(403, "the stackdump feature is disabled in server config")
-
-        ret = "<pre>{}\n{}".format(time.time(), html_escape(alltrace()))
+        ret = html_escape(alltrace(self.args.stack_v))
+        if self.args.stack_v:
+            ret = "<pre>%s\n%s" % (time.time(), ret)
+        else:
+            ret = "<pre>%s" % (ret,)
         self.reply(ret.encode("utf-8"))
         return True
 
@@ -6456,14 +6531,23 @@ class HttpCli(object):
             ):
                 return self.tx_md(vn, abspath)
 
+            if "zls" in self.uparam:
+                return self.tx_zls(abspath)
+            if "zget" in self.uparam:
+                return self.tx_zget(abspath)
+
             if not add_og or not og_fn:
-                return self.tx_file(
-                    abspath, None if st.st_size or "nopipe" in vn.flags else vn.realpath
-                )
+                if st.st_size or "nopipe" in vn.flags:
+                    return self.tx_file(abspath, None)
+                else:
+                    return self.tx_file(abspath, vn.get_dbv("")[0].realpath)
 
         elif is_dir and not self.can_read:
             if use_dirkey:
                 is_dk = True
+            elif self.can_get and "doc" in self.uparam:
+                zs = vjoin(self.vpath, self.uparam["doc"]) + "?v"
+                return self.redirect(zs, flavor="redirecting to", use302=True)
             elif not self.can_write:
                 return self.tx_404(True)
 
@@ -6545,6 +6629,7 @@ class HttpCli(object):
             "acct": self.uname,
             "perms": perms,
         }
+        # also see `js_htm` in authsrv.py
         j2a = {
             "cgv1": vn.js_htm,
             "cgv": cgv,

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/smbd.py

@@ -259,7 +259,7 @@ class SMB(object):
                     0,
                     "1.7.6.2",
                     time.time(),
-                    "",
+                    None,
                 )
                 t = hr.get("rejectmsg") or ""
                 if t or not hr:

{copyparty-1.19.16 → copyparty-1.19.17}/copyparty/svchub.py

@@ -285,6 +285,9 @@ class SvcHub(object):
         ch = "abcdefghijklmnopqrstuvwx"[int(args.theme / 2)]
         args.theme = "{0}{1} {0} {1}".format(ch, bri)
 
+        if args.no_stack:
+            args.stack_who = "no"
+
         if args.nid:
             args.du_who = "no"
         args.du_iwho = n_du_who(args.du_who)