• 1 Post
  • 26 Comments
Joined 2 years ago
cake
Cake day: June 20th, 2023

help-circle
  • so uhh, sorry for the late response to this – was going to reply much earlier, but then suddenly it became more timely than ever…

    the good news is, I’m fairly confident in how it handles the filesystem and permissions, preventing unauthorized access to files.

    but the part I’m a bit less sure about is sanitizing user data; the kind of vulnerabilities where someone uploads a malicious file and bad stuff happens if you then open that file in a certain way, or someone sends you a malicious link and trick you into clicking it – in other words, the kind of vulnerabilities which require the attacker to have a certain level of access already, or that requires tricking you into doing something.

    …and with version 1.18.5 released just now, we got a prime example of exactly one of those. Really unfortunate timing, but it’s a blessing to have so many new and curious eyes on it to spot these sooner rather than later. It is what it is.


  • the intention with that statement was that seafile, by default, places all the files inside its own proprietary file container thing, where the files are not easily accessible from the server’s actual filesystem, using regular linux utilities. My knowledge of seafile is really minimal, so this could be wrong – in which case I’ll fix that right away! or, at the very least, try to clarify what I meant to avoid this confusion.

    in case you happen to know – are you aware if it’s possible to use Seafile while having it just place all the files and folders on the disk like any other program would?





  • No worries, good question :>

    The problem with bidirectional filesync is that it’s an absolutely massive can of worms, very easy to mess up, and the consequences of messing up are usually the worst kind (loss of data). There’s an insane amount of edgecases to keep in mind, and you need to get every edgecase right every single time, otherwise you might wipe someone’s vacation photos, or suddenly downgrade someone’s keepass database to an older version… And stuff like syncing multiple devices to the same server makes it balloon further.

    I’ve started becoming more confident in copyparty’s filesystem-index database, but it’s still just a hint/guideline, with the filesystem being the only source of truth – it’s still not something I’d trust with tracking sync-state against one or more clients.

    The bigger guys who offer bidirectional sync (nextcloud, syncthing, etc.) have spent years perfecting their logic, so I’d like to leave this in their capable hands.




  • sooo this is one of the things that started with someone saying “wouldn’t it be funny if…”

    if you open copyparty-sfx.py in a text editor, you’ll see how – but please make sure to use an editor which is able to handle about 600 KiB of comments which contain invalid utf8 / binary garbage 😁

    I ended up rolling my own packer since I wanted optimal encoding efficiency, and everything I could find would do stuff like base85 or ucs2 tricks, but it turns out python is perfectly happy with binary garbage in comments if you declare that the file is latin-1 so it realizes all hope is lost :D

    the only drawback of the sfx.py is that it needs to extract to $TEMP before running, so that’s the slight advantage of the zipapp (the .pyz alternative), but that suffers from some performance reduction in return, and is more hermetic (doesn’t let you swap out the bundled dependencies with fresh versions as easily if necessary)


  • I have a hunch that the true answer, to be honest, is “no” – at least with the current UI as it is. I’ve come to terms with not being the best at making intuitive user interfaces, so I went all-in on making it poweruser-friendly and efficiency instead.

    Yeah, there’s the android app for sending files to the server, and it’ll always send files to the same folder, so that part should be pretty solid. But actually grabbing files from the server, perhaps not so much. Not sure I’d risk it, but I’ll leave the decision to you hehe

    I’m not aware of any user-friendly android/iOS apps for connecting to a webdav / ftps / sftp server, but if those exist, then that would probably have been a good option!



  • Yep! Depending on what your home connection looks like, you have a few options:

    if you are lucky enough to have your own private IP-address and are able to open ports, then you’re almost done already – you can put copyparty on some port (or keep the default 3923), and then anyone could connect to it by going to https://your.ip.address:3923/

    (with this approach, you will want to create your own HTTPS certificate so the traffic is properly encrypted – the best option here is to get a domain and get a certificate for the domain)

    however, if you are behind CGNAT, meaning your internet provider has given you a shared IP-address, then people cannot connect directly to your home-PC. One way around that issue is by setting up a machine somewhere on the internet which bridges the gap back home to your PC. Cloudflare offers this as service, and this is explained in the copyparty readme – see the “at home” section for one way to do that.

    if you are against using Cloudflare for idealistic reasons (they are becoming quite powerful since they run a whole lot of the internet), then you can set up a cheap VPS which serves the same purpose. That’s my setup, and how you are accessing the copyparty demo server right now – I have the cheapest VPS you can get from Hetzner. The VPS is running nginx, and it forwards the traffic to my homeserver through an SSH tunnel. I haven’t documented this approach in the copyparty readme, but I have a feeling a lot of other people have :>





  • BTRFS and ZFS support real deduplication via copy on write, and would eliminate all current disadvantages of symlink and hardlink deduplication. It just works.

    yeah that’s a good point, I’ll add an option to take advantage of this if you know you’re running on a filesystem where that works as intended.

    Why have it be one huge python source file?

    oh don’t worry, it’s all separate files during development – there’s a build-stage which bundles everything up into a single file for distribution. But thanks for the concern :D





  • If all you need is basic remote file storage such as a samba server, and especially if you need samba in particular, then your current solution is probably a better fit for you.

    Copyparty’s main selling points is the large number of features in one package, and being pretty good at receiving file uploads (usually faster than other alternatives), but it does not have good samba support. Instead of samba, copyparty has WebDAV support, so you can still connect to it from your file manager – but the performance will be different; depending on your access pattern and the type of files, it could be faster or slower than samba.