SECURITY: fix dirkeys
6 Juli 2026 om 22:21
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image β± similar software β± client testbed
there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-07-06)
β οΈ ATTN: this release fixes a dirkey vulnerability
in volumes with both dirkeys and filekeys enabled (default-disabled), a valid filekey could be converted into a dirkey, granting read-access to the containing folder
recent important news
- v1.20.17 (2026-07-06) fixed a vuln when a volume has both filekeys and dirkeys enabled
- v1.20.17 (2026-07-06) introduced csp nonces, possibly breaking some javascript-based plugins
π§ͺ new features
- enforce csp nonces on javascript (additional xss defense) d3b9599
- this could possibly break some aftermarket javascript-based plugins (--js-browser / --html-head)
- now probably safe to disable the markdown/logue sandboxes (--no-sb-md /
--no-sb-lg) in most deployments, avoiding #230
- sandbox ffmpeg/ffprobe in bwrap to defend against future FFmpeg vulns efa43f8 85be3b8
- doesn't work in docker / podman, so
initcfgin the images have use-bwrap: n to disable it db68353 - doesn't work in prisonparty either... pain peko
- doesn't work in docker / podman, so
- #1535 cbz-reader: go-to-page (thx @romfir!) 12d877b
- volflags
plainreadmeandplainloguesto show readmes/logues as plaintext 9fa950b - volflags for
no_readmeandno_logues(previously global-only) 379c0aa - u2c: new mode to calculate wark from data on stdin 90639de
- #1504
--ftp-banner8242e69
π©Ή bugfixes
- GHSA-x5pq-m9p8-f4vx (dir/filekey confusion) (thx @poolcritter!) e407553
- fix resuming xbu-relocated partial uploads 5beecd6
- fix resuming partial uploads after server restart 22c3a3d
- openbsd: fix signal masking for custom signals a00bc93
- #1119 #1528 fix directory sort-order edgecases (thx @NecRaul!) d33d113
- #1526 fix --rotf-tz; was effectively volflag-only (thx @NecRaul!) e017b1b
π§ other changes
- ffmpeg: remove lots of obscure codecs and formats for improved security 4c82030
- textfile-editor: some tweaks to the autobackup feature;
- option --md-nhist to limit the number of old versions to keep 34c856e
- browsing old versions is now default-disabled; --show-hist reenables it fa1499a
- #1512 web-ui: if mkdir fails because folder already exists, then just cd into it 5dbff4a
- #1519 sftp: reduce excessive spam from portscanners 8c4e931
- make database corruption more obvious on startup (usually due to broken server filesystem/hardware) be31a74
- docker:
- #1532 add LABELs for version and creationtime 32d074f
- updated the image compatibility matrix c3eb9ec
- the
ivimage is no longer available for arm32 / armv6 6e75faa
- the
π fun facts
- contains patches powered by seventhrun - the ill shit + the rest of basschasers2 on the Oslo-Bergen line, 1110 masl
- to those who celebrate, happy 6/7
πΎ what to download?
| download link | is it good? | description |
|---|---|---|
| copyparty-sfx.py | β the best π | runs anywhere! only needs python |
| copyparty-en.py | β also good | same but english-only, no i18n |
| a docker image | it's ok | good if you prefer docker π |
| copyparty.exe | β οΈ acceptable | for win8 or later; built-in thumbnailer |
| u2c.exe | β οΈ acceptable | CLI uploader as a win7+ exe (video) |
| copyparty.pyz | β οΈ acceptable | similar to the regular sfx, mostly worse |
| copyparty-en.pyz | β οΈ acceptable | english-only, no smb-server |
| copyparty32.exe | βοΈ dangerous | for win7 -- never expose to the internet! |
| cpp-winpe64.exe | βοΈ dangerous | runs on 64bit WinPE, otherwise useless |
| bootable usb | β(οΎβοΎ)β | a surprisingly useful joke (x86_64) |
- except for u2c.exe, all of the options above are mostly equivalent
- the zip and tar.gz files below are just source code
- python packages are available at PyPI