SECURITY: fix dirkeys
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-07-06)
⚠️ ATTN: this release fixes a dirkey vulnerability
in volumes with both dirkeys and filekeys enabled (default-disabled), a valid filekey could be converted into a dirkey, granting read-access to the containing folder
recent important news
- v1.20.17 (2026-07-06) fixed a vuln when a volume has both filekeys and dirkeys enabled
- v1.20.17 (2026-07-06) introduced csp nonces, possibly breaking some javascript-based plugins
🧪 new features
- enforce csp nonces on javascript (additional xss defense) d3b9599
- this could possibly break some aftermarket javascript-based plugins (--js-browser / --html-head)
- now probably safe to disable the markdown/logue sandboxes (--no-sb-md /
--no-sb-lg) in most deployments, avoiding #230
- sandbox ffmpeg/ffprobe in bwrap to defend against future FFmpeg vulns efa43f8 85be3b8
- doesn't work in docker / podman, so
initcfgin the images have use-bwrap: n to disable it db68353 - doesn't work in prisonparty either... pain peko
- doesn't work in docker / podman, so
- #1535 cbz-reader: go-to-page (thx @romfir!) 12d877b
- volflags
plainreadmeandplainloguesto show readmes/logues as plaintext 9fa950b - volflags for
no_readmeandno_logues(previously global-only) 379c0aa - u2c: new mode to calculate wark from data on stdin 90639de
- #1504
--ftp-banner8242e69
🩹 bugfixes
- GHSA-x5pq-m9p8-f4vx (dir/filekey confusion) (thx @poolcritter!) e407553
- fix resuming xbu-relocated partial uploads 5beecd6
- fix resuming partial uploads after server restart 22c3a3d
- openbsd: fix signal masking for custom signals a00bc93
- #1119 #1528 fix directory sort-order edgecases (thx @NecRaul!) d33d113
- #1526 fix --rotf-tz; was effectively volflag-only (thx @NecRaul!) e017b1b
🔧 other changes
- ffmpeg: remove lots of obscure codecs and formats for improved security 4c82030
- textfile-editor: some tweaks to the autobackup feature;
- option --md-nhist to limit the number of old versions to keep 34c856e
- browsing old versions is now default-disabled; --show-hist reenables it fa1499a
- #1512 web-ui: if mkdir fails because folder already exists, then just cd into it 5dbff4a
- #1519 sftp: reduce excessive spam from portscanners 8c4e931
- make database corruption more obvious on startup (usually due to broken server filesystem/hardware) be31a74
- docker:
- #1532 add LABELs for version and creationtime 32d074f
- updated the image compatibility matrix c3eb9ec
- the
ivimage is no longer available for arm32 / armv6 6e75faa
- the
🌠 fun facts
- contains patches powered by seventhrun - the ill shit + the rest of basschasers2 on the Oslo-Bergen line, 1110 masl
- to those who celebrate, happy 6/7
💾 what to download?
| download link | is it good? | description |
|---|---|---|
| copyparty-sfx.py | ✅ the best 👍 | runs anywhere! only needs python |
| copyparty-en.py | ✅ also good | same but english-only, no i18n |
| a docker image | it's ok | good if you prefer docker 🐋 |
| copyparty.exe | ⚠️ acceptable | for win8 or later; built-in thumbnailer |
| u2c.exe | ⚠️ acceptable | CLI uploader as a win7+ exe (video) |
| copyparty.pyz | ⚠️ acceptable | similar to the regular sfx, mostly worse |
| copyparty-en.pyz | ⚠️ acceptable | english-only, no smb-server |
| copyparty32.exe | ⛔️ dangerous | for win7 -- never expose to the internet! |
| cpp-winpe64.exe | ⛔️ dangerous | runs on 64bit WinPE, otherwise useless |
| bootable usb | ┐(゚∀゚)┌ | a surprisingly useful joke (x86_64) |
- except for u2c.exe, all of the options above are mostly equivalent
- the zip and tar.gz files below are just source code
- python packages are available at PyPI