v0.10.22

.vscode/launch.py

@@ -12,7 +12,7 @@ sys.path.insert(0, os.getcwd())
 import jstyleson
 from copyparty.__main__ import main as copyparty
 
-with open(".vscode/launch.json", "r") as f:
+with open(".vscode/launch.json", "r", encoding="utf-8") as f:
     tj = f.read()
 
 oj = jstyleson.loads(tj)

README.md

@@ -9,9 +9,12 @@
 turn your phone or raspi into a portable file server with resumable uploads/downloads using IE6 or any other browser
 
 * server runs on anything with `py2.7` or `py3.3+`
-* *resumable* uploads need `firefox 12+` / `chrome 6+` / `safari 6+` / `IE 10+`
+* browse/upload with IE4 / netscape4.0 on win3.11 (heh)
+* *resumable* uploads need `firefox 34+` / `chrome 41+` / `safari 7+` for full speed
 * code standard: `black`
 
+📷 screenshots: [browser](#the-browser) // [upload](#uploading) // [md-viewer](#markdown-viewer) // [search](#searching) // [fsearch](#file-search) // [zip-DL](#zip-downloads) // [ie4](#browser-support)
+
 
 ## readme toc
 
@@ -20,8 +23,17 @@ turn your phone or raspi into a portable file server with resumable uploads/down
     * [notes](#notes)
     * [status](#status)
 * [bugs](#bugs)
-* [usage](#usage)
+    * [general bugs](#general-bugs)
+    * [not my bugs](#not-my-bugs)
+* [the browser](#the-browser)
+    * [tabs](#tabs)
+    * [hotkeys](#hotkeys)
+    * [tree-mode](#tree-mode)
     * [zip downloads](#zip-downloads)
+    * [uploading](#uploading)
+        * [file-search](#file-search)
+    * [markdown viewer](#markdown-viewer)
+    * [other tricks](#other-tricks)
 * [searching](#searching)
     * [search configuration](#search-configuration)
     * [metadata from audio files](#metadata-from-audio-files)
@@ -29,6 +41,7 @@ turn your phone or raspi into a portable file server with resumable uploads/down
     * [complete examples](#complete-examples)
 * [browser support](#browser-support)
 * [client examples](#client-examples)
+* [up2k](#up2k)
 * [dependencies](#dependencies)
     * [optional gpl stuff](#optional-gpl-stuff)
 * [sfx](#sfx)
@@ -43,19 +56,19 @@ turn your phone or raspi into a portable file server with resumable uploads/down
 
 download [copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.py) and you're all set!
 
-running the sfx without arguments (for example doubleclicking it on Windows) will let anyone access the current folder; see `-h` for help if you want accounts and volumes etc
+running the sfx without arguments (for example doubleclicking it on Windows) will give everyone full access to the current folder; see `-h` for help if you want accounts and volumes etc
 
 you may also want these, especially on servers:
 * [contrib/systemd/copyparty.service](contrib/systemd/copyparty.service) to run copyparty as a systemd service
-* [contrib/nginx/copyparty.conf](contrib/nginx/copyparty.conf) to reverse-proxy behind nginx (for legit https)
+* [contrib/nginx/copyparty.conf](contrib/nginx/copyparty.conf) to reverse-proxy behind nginx (for better https)
 
 
 ## notes
 
 * iPhone/iPad: use Firefox to download files
-* Android-Chrome: set max "parallel uploads" for 200% upload speed (android bug)
-* Android-Firefox: takes a while to select files (in order to avoid the above android-chrome issue)
-* Desktop-Firefox: may use gigabytes of RAM if your connection is great and your files are massive
+* Android-Chrome: increase "parallel uploads" for higher speed (android bug)
+* Android-Firefox: takes a while to select files (their fix for ☝️)
+* Desktop-Firefox: ~~may use gigabytes of RAM if your files are massive~~ *seems to be OK now*
 * paper-printing is affected by dark/light-mode! use lightmode for color, darkmode for grayscale
   * because no browsers currently implement the media-query to do this properly orz
 
@@ -80,8 +93,8 @@ you may also want these, especially on servers:
   * ☑ tree-view
   * ☑ media player
   * ✖ thumbnails
-  * ✖ SPA (browse while uploading)
-    * currently safe using the file-tree on the left only, not folders in the file list
+  * ☑ SPA (browse while uploading)
+    * if you use the file-tree on the left only, not folders in the file list
 * server indexing
   * ☑ locate files by contents
   * ☑ search by name/path/date/size
@@ -98,20 +111,52 @@ summary: it works! you can use it! (but technically not even close to beta)
 * Windows: python 3.7 and older cannot read tags with ffprobe, so use mutagen or upgrade
 * Windows: python 2.7 cannot index non-ascii filenames with `-e2d`
 * Windows: python 2.7 cannot handle filenames with mojibake
+
+## general bugs
+
+* all volumes must exist / be available on startup; up2k (mtp especially) gets funky otherwise
+* cannot mount something at `/d1/d2/d3` unless `d2` exists inside `d1`
 * hiding the contents at url `/d1/d2/d3` using `-v :d1/d2/d3:cd2d` has the side-effect of creating databases (for files/tags) inside folders d1 and d2, and those databases take precedence over the main db at the top of the vfs - this means all files in d2 and below will be reindexed unless you already had a vfs entry at or below d2
 * probably more, pls let me know
 
+## not my bugs
 
-# usage
+* Windows: msys2-python 3.8.6 occasionally throws "RuntimeError: release unlocked lock" when leaving a scoped mutex in up2k
+  * this is an msys2 bug, the regular windows edition of python is fine
+
+
+# the browser
+
+![copyparty-browser-fs8](https://user-images.githubusercontent.com/241032/115978054-65106380-a57d-11eb-98f8-59e3dee73557.png)
+
+
+## tabs
+
+* `[🔎]` search by size, date, path/name, mp3-tags ... see [searching](#searching)
+* `[🚀]` and `[🎈]` are the uploaders, see [uploading](#uploading)
+* `[📂]` mkdir, create directories
+* `[📝]` new-md, create a new markdown document
+* `[📟]` send-msg, either to server-log or into textfiles if `--urlform save`
+* `[⚙️]` client configuration options
+
+
+## hotkeys
 
 the browser has the following hotkeys
-* `0..9` jump to 10%..90%
-* `U/O` skip 10sec back/forward
-* `J/L` prev/next song
 * `I/K` prev/next folder
 * `P` parent folder
+* when playing audio:
+  * `0..9` jump to 10%..90%
+  * `U/O` skip 10sec back/forward
+  * `J/L` prev/next song
+    * `J` also starts playing the folder
 
-you can link a particular timestamp in an audio file by adding it to the URL, such as `&20` / `&20s` / `&1m20` / `&1:20` after the `.../#af-c8960dab`
+
+## tree-mode
+
+by default there's a breadcrumbs path; you can replace this with a tree-browser sidebar thing by clicking the 🌲
+
+click `[-]` and `[+]` to adjust the size, and the `[a]` toggles if the tree should widen dynamically as you go deeper or stay fixed-size
 
 
 ## zip downloads
@@ -130,12 +175,80 @@ the `zip` link next to folders can produce various types of zip/tar files using
 * `zip_crc` will take longer to download since the server has to read each file twice
   * please let me know if you find a program old enough to actually need this
 
+you can also zip a selection of files or folders by clicking them in the browser, that brings up a selection editor and zip button in the bottom right
+
+![copyparty-zipsel-fs8](https://user-images.githubusercontent.com/241032/116008321-372a2e00-a614-11eb-9a4a-4a1fd9074224.png)
+
+## uploading
+
+two upload methods are available in the html client:
+* `🎈 bup`, the basic uploader, supports almost every browser since netscape 4.0
+* `🚀 up2k`, the fancy one
+
+up2k has several advantages:
+* you can drop folders into the browser (files are added recursively)
+* files are processed in chunks, and each chunk is checksummed
+  * uploads resume if they are interrupted (for example by a reboot)
+  * server detects any corruption; the client reuploads affected chunks
+  * the client doesn't upload anything that already exists on the server
+* the last-modified timestamp of the file is preserved
+
+see [up2k](#up2k) for details on how it works
+
+![copyparty-upload-fs8](https://user-images.githubusercontent.com/241032/115978061-680b5400-a57d-11eb-9ef6-cbb5f60aeccc.png)
+
+**protip:** you can avoid scaring away users with [docs/minimal-up2k.html](docs/minimal-up2k.html) which makes it look [much simpler](https://user-images.githubusercontent.com/241032/118311195-dd6ca380-b4ef-11eb-86f3-75a3ff2e1332.png)
+
+the up2k UI is the epitome of polished inutitive experiences:
+* "parallel uploads" specifies how many chunks to upload at the same time
+* `[🏃]` analysis of other files should continue while one is uploading
+* `[💭]` ask for confirmation before files are added to the list
+* `[💤]` sync uploading between other copyparty tabs so only one is active
+* `[🔎]` switch between upload and file-search mode
+
+and then theres the tabs below it,
+* `[ok]` is uploads which completed successfully
+* `[ng]` is the uploads which failed / got rejected (already exists, ...)
+* `[done]` shows a combined list of `[ok]` and `[ng]`, chronological order
+* `[busy]` files which are currently hashing, pending-upload, or uploading
+  * plus up to 3 entries each from `[done]` and `[que]` for context
+* `[que]` is all the files that are still queued
+
+### file-search
+
+![copyparty-fsearch-fs8](https://user-images.githubusercontent.com/241032/116008320-36919780-a614-11eb-803f-04162326a700.png)
+
+in the `[🚀 up2k]` tab, after toggling the `[🔎]` switch green, any files/folders you drop onto the dropzone will be hashed on the client-side. Each hash is sent to the server which checks if that file exists somewhere already
+
+files go into `[ok]` if they exist (and you get a link to where it is), otherwise they land in `[ng]`
+* the main reason filesearch is combined with the uploader is cause the code was too spaghetti to separate it out somewhere else, this is no longer the case but now i've warmed up to the idea too much
+
+adding the same file multiple times is blocked, so if you first search for a file and then decide to upload it, you have to click the `[cleanup]` button to discard `[done]` files
+
+note that since up2k has to read the file twice, `[🎈 bup]` can be up to 2x faster in extreme cases (if your internet connection is faster than the read-speed of your HDD)
+
+up2k has saved a few uploads from becoming corrupted in-transfer already; caught an android phone on wifi redhanded in wireshark with a bitflip, however bup with https would *probably* have noticed as well thanks to tls also functioning as an integrity check
+
+
+## markdown viewer
+
+![copyparty-md-read-fs8](https://user-images.githubusercontent.com/241032/115978057-66419080-a57d-11eb-8539-d2be843991aa.png)
+
+* the document preview has a max-width which is the same as an A4 paper when printed
+
+
+## other tricks
+
+* you can link a particular timestamp in an audio file by adding it to the URL, such as `&20` / `&20s` / `&1m20` / `&t=1:20` after the `.../#af-c8960dab`
+
 
 # searching
 
+![copyparty-search-fs8](https://user-images.githubusercontent.com/241032/115978060-6772bd80-a57d-11eb-81d3-174e869b72c3.png)
+
 when started with `-e2dsa` copyparty will scan/index all your files. This avoids duplicates on upload, and also makes the volumes searchable through the web-ui:
 * make search queries by `size`/`date`/`directory-path`/`filename`, or...
-* drag/drop a local file to see if the same contents exist somewhere on the server (you get the URL if it does)
+* drag/drop a local file to see if the same contents exist somewhere on the server, see [file-search](#file-search)
 
 path/name queries are space-separated, AND'ed together, and words are negated with a `-` prefix, so for example:
 * path: `shibayan -bossa` finds all files where one of the folders contain `shibayan` but filters out any results where `bossa` exists somewhere in the path
@@ -192,6 +305,10 @@ copyparty can invoke external programs to collect additional metadata for files
 * `-mtp key=f,t5,~/bin/audio-key.py` uses `~/bin/audio-key.py` to get the `key` tag, replacing any existing metadata tag (`f,`), aborting if it takes longer than 5sec (`t5,`)
 * `-v ~/music::r:cmtp=.bpm=~/bin/audio-bpm.py:cmtp=key=f,t5,~/bin/audio-key.py` both as a per-volume config wow this is getting ugly
 
+*but wait, there's more!* `-mtp` can be used for non-audio files as well using the `a` flag: `ay` only do audio files, `an` only do non-audio files, or `ad` do all files (d as in dontcare) 
+
+* `-mtp ext=an,~/bin/file-ext.py` runs `~/bin/file-ext.py` to get the `ext` tag only if file is not audio (`an`)
+
 
 ## complete examples
 
@@ -201,6 +318,8 @@ copyparty can invoke external programs to collect additional metadata for files
 
 # browser support
 
+![copyparty-ie4-fs8](https://user-images.githubusercontent.com/241032/118192791-fb31fe00-b446-11eb-9647-898ea8efc1f7.png)
+
 `ie` = internet-explorer, `ff` = firefox, `c` = chrome, `iOS` = iPhone/iPad, `Andr` = Android
 
 | feature         | ie6 | ie9 | ie10 | ie11 | ff 52 | c 49 | iOS | Andr |
@@ -225,14 +344,18 @@ copyparty can invoke external programs to collect additional metadata for files
 * `*2` using a wasm decoder which can sometimes get stuck and consumes a bit more power
 
 quick summary of more eccentric web-browsers trying to view a directory index:
-* safari (14.0.3/macos) is chrome with janky wasm, so playing opus can deadlock the javascript engine
-* safari (14.0.1/iOS) same as macos, except it recovers from the deadlocks if you poke it a bit
-* links (2.21/macports) can browse, login, upload/mkdir/msg
-* lynx (2.8.9/macports) can browse, login, upload/mkdir/msg
-* w3m (0.5.3/macports) can browse, login, upload at 100kB/s, mkdir/msg
-* netsurf (3.10/arch) is basically ie6 with much better css (javascript has almost no effect)
-* netscape 4.0 and 4.5 can browse (text is yellow on white), upload with `?b=u`
-* SerenityOS (22d13d8) hits a page fault, works with `?b=u`, file input not-impl, url params are multiplying
+
+| browser | will it blend |
+| ------- | ------------- |
+| **safari** (14.0.3/macos) | is chrome with janky wasm, so playing opus can deadlock the javascript engine |
+| **safari** (14.0.1/iOS)   | same as macos, except it recovers from the deadlocks if you poke it a bit |
+| **links** (2.21/macports) | can browse, login, upload/mkdir/msg |
+| **lynx** (2.8.9/macports) | can browse, login, upload/mkdir/msg |
+| **w3m** (0.5.3/macports)  | can browse, login, upload at 100kB/s, mkdir/msg |
+| **netsurf** (3.10/arch)   | is basically ie6 with much better css (javascript has almost no effect) | 
+| **ie4** and **netscape** 4.0  | can browse (text is yellow on white), upload with `?b=u` |
+| **SerenityOS** (22d13d8)  | hits a page fault, works with `?b=u`, file input not-impl, url params are multiplying |
+
 
 # client examples
 
@@ -258,6 +381,22 @@ copyparty returns a truncated sha512sum of your PUT/POST as base64; you can gene
     b512 <movie.mkv
 
 
+# up2k
+
+quick outline of the up2k protocol, see [uploading](#uploading) for the web-client
+* the up2k client splits a file into an "optimal" number of chunks
+  * 1 MiB each, unless that becomes more than 256 chunks
+  * tries 1.5M, 2M, 3, 4, 6, ... until <= 256 chunks or size >= 32M
+* client posts the list of hashes, filename, size, last-modified
+* server creates the `wark`, an identifier for this upload
+  * `sha512( salt + filesize + chunk_hashes )`
+  * and a sparse file is created for the chunks to drop into
+* client uploads each chunk
+  * header entries for the chunk-hash and wark
+  * server writes chunks into place based on the hash
+* client does another handshake with the hashlist; server replies with OK or a list of chunks to reupload
+
+
 # dependencies
 
 * `jinja2` (is built into the SFX)
@@ -274,14 +413,14 @@ copyparty returns a truncated sha512sum of your PUT/POST as base64; you can gene
 
 some bundled tools have copyleft dependencies, see [./bin/#mtag](bin/#mtag)
 
-these are standalone and will never be imported / evaluated by copyparty
+these are standalone programs and will never be imported / evaluated by copyparty
 
 
 # sfx
 
-currently there are two self-contained binaries:
-* [copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.py) -- pure python, works everywhere
-* [copyparty-sfx.sh](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.sh) -- smaller, but only for linux and macos
+currently there are two self-contained "binaries":
+* [copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.py) -- pure python, works everywhere, **recommended**
+* [copyparty-sfx.sh](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.sh) -- smaller, but only for linux and macos, kinda deprecated
 
 launch either of them (**use sfx.py on systemd**) and it'll unpack and run copyparty, assuming you have python installed of course
 
@@ -349,6 +488,7 @@ roughly sorted by priority
   * terminate client on bad data
 * `os.copy_file_range` for up2k cloning
 * support pillow-simd
+* single sha512 across all up2k chunks? maybe
 * figure out the deal with pixel3a not being connectable as hotspot
   * pixel3a having unpredictable 3sec latency in general :||||
 

bin/mtag/file-ext.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+
+import sys
+
+"""
+example that just prints the file extension
+"""
+
+print(sys.argv[1].split(".")[-1])

copyparty/__init__.py

@@ -16,12 +16,17 @@ if platform.system() == "Windows":
 VT100 = not WINDOWS or WINDOWS >= [10, 0, 14393]
 # introduced in anniversary update
 
+ANYWIN = WINDOWS or sys.platform in ["msys"]
+
 MACOS = platform.system() == "Darwin"
 
 
 class EnvParams(object):
     def __init__(self):
         self.mod = os.path.dirname(os.path.realpath(__file__))
+        if self.mod.endswith("__init__"):
+            self.mod = os.path.dirname(self.mod)
+
         if sys.platform == "win32":
             self.cfg = os.path.normpath(os.environ["APPDATA"] + "/copyparty")
         elif sys.platform == "darwin":

copyparty/__main__.py

@@ -237,16 +237,15 @@ def run_argparse(argv, formatter):
     ap.add_argument("-a", metavar="ACCT", type=str, action="append", help="add account")
     ap.add_argument("-v", metavar="VOL", type=str, action="append", help="add volume")
     ap.add_argument("-q", action="store_true", help="quiet")
-    ap.add_argument("--log-conn", action="store_true", help="print tcp-server msgs")
     ap.add_argument("-ed", action="store_true", help="enable ?dots")
     ap.add_argument("-emp", action="store_true", help="enable markdown plugins")
     ap.add_argument("-mcr", metavar="SEC", type=int, default=60, help="md-editor mod-chk rate")
     ap.add_argument("-nw", action="store_true", help="disable writes (benchmark)")
     ap.add_argument("-nih", action="store_true", help="no info hostname")
     ap.add_argument("-nid", action="store_true", help="no info disk-usage")
+    ap.add_argument("--dotpart", action="store_true", help="dotfile incomplete uploads")
     ap.add_argument("--no-zip", action="store_true", help="disable download as zip/tar")
-    ap.add_argument("--no-sendfile", action="store_true", help="disable sendfile (for debugging)")
-    ap.add_argument("--no-scandir", action="store_true", help="disable scandir (for debugging)")
+    ap.add_argument("--sparse", metavar="MiB", type=int, default=4, help="up2k min.size threshold (mswin-only)")
     ap.add_argument("--urlform", metavar="MODE", type=str, default="print,get", help="how to handle url-forms")
     ap.add_argument("--salt", type=str, default="hunter2", help="up2k file-hash salt")
 
@@ -273,6 +272,13 @@ def run_argparse(argv, formatter):
     ap2.add_argument("--ssl-dbg", action="store_true", help="dump some tls info")
     ap2.add_argument("--ssl-log", metavar="PATH", help="log master secrets")
 
+    ap2 = ap.add_argument_group('debug options')
+    ap2.add_argument("--log-conn", action="store_true", help="print tcp-server msgs")
+    ap2.add_argument("--no-sendfile", action="store_true", help="disable sendfile")
+    ap2.add_argument("--no-scandir", action="store_true", help="disable scandir")
+    ap2.add_argument("--ihead", metavar="HEADER", action='append', help="dump incoming header")
+    ap2.add_argument("--lf-url", metavar="RE", type=str, default=r"^/\.cpr/", help="dont log URLs matching")
+    
     return ap.parse_args(args=argv[1:])
     # fmt: on
 

copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (0, 10, 10)
+VERSION = (0, 10, 22)
 CODENAME = "zip it"
-BUILD_DT = (2021, 4, 19)
+BUILD_DT = (2021, 5, 18)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

copyparty/authsrv.py

@@ -141,7 +141,12 @@ class VFS(object):
         real.sort()
         if not rem:
             for name, vn2 in sorted(self.nodes.items()):
-                if uname in vn2.uread or "*" in vn2.uread:
+                if (
+                    uname in vn2.uread
+                    or "*" in vn2.uread
+                    or uname in vn2.uwrite
+                    or "*" in vn2.uwrite
+                ):
                     virt_vis[name] = vn2
 
             # no vfs nodes in the list of real inodes
@@ -241,6 +246,7 @@ class AuthSrv(object):
         self.args = args
         self.log_func = log_func
         self.warn_anonwrite = warn_anonwrite
+        self.line_ctr = 0
 
         if WINDOWS:
             self.re_vol = re.compile(r"^([a-zA-Z]:[\\/][^:]*|[^:]*):([^:]*):(.*)$")
@@ -266,7 +272,9 @@ class AuthSrv(object):
     def _parse_config_file(self, fd, user, mread, mwrite, mflags, mount):
         vol_src = None
         vol_dst = None
+        self.line_ctr = 0
         for ln in [x.decode("utf-8").strip() for x in fd]:
+            self.line_ctr += 1
             if not ln and vol_src is not None:
                 vol_src = None
                 vol_dst = None
@@ -296,7 +304,12 @@ class AuthSrv(object):
                 mflags[vol_dst] = {}
                 continue
 
+            if len(ln) > 1:
                 lvl, uname = ln.split(" ")
+            else:
+                lvl = ln
+                uname = "*"
+
             self._read_vol_str(
                 lvl, uname, mread[vol_dst], mwrite[vol_dst], mflags[vol_dst]
             )
@@ -374,7 +387,12 @@ class AuthSrv(object):
         if self.args.c:
             for cfg_fn in self.args.c:
                 with open(cfg_fn, "rb") as f:
+                    try:
                         self._parse_config_file(f, user, mread, mwrite, mflags, mount)
+                    except:
+                        m = "\n\033[1;31m\nerror in config file {} on line {}:\n\033[0m"
+                        print(m.format(cfg_fn, self.line_ctr))
+                        raise
 
         if not mount:
             # -h says our defaults are CWD at root and read/write for everyone

copyparty/httpcli.py

@@ -13,7 +13,7 @@ import ctypes
 from datetime import datetime
 import calendar
 
-from .__init__ import E, PY2, WINDOWS
+from .__init__ import E, PY2, WINDOWS, ANYWIN
 from .util import *  # noqa  # pylint: disable=unused-wildcard-import
 from .szip import StreamZip
 from .star import StreamTar
@@ -100,6 +100,16 @@ class HttpCli(object):
             self.ip = v.split(",")[0]
             self.log_src = self.conn.set_rproxy(self.ip)
 
+        if self.args.ihead:
+            keys = self.args.ihead
+            if "*" in keys:
+                keys = list(sorted(self.headers.keys()))
+
+            for k in keys:
+                v = self.headers.get(k)
+                if v is not None:
+                    self.log("[H] {}: \033[33m[{}]".format(k, v), 6)
+
         # split req into vpath + uparam
         uparam = {}
         if "?" not in self.req:
@@ -120,29 +130,35 @@ class HttpCli(object):
                 else:
                     uparam[k.lower()] = False
 
+        self.ouparam = {k: v for k, v in uparam.items()}
+
+        cookies = self.headers.get("cookie") or {}
+        if cookies:
+            cookies = [x.split("=", 1) for x in cookies.split(";") if "=" in x]
+            cookies = {k.strip(): unescape_cookie(v) for k, v in cookies}
+            for kc, ku in [["cppwd", "pw"], ["b", "b"]]:
+                if kc in cookies and ku not in uparam:
+                    uparam[ku] = cookies[kc]
+
         self.uparam = uparam
+        self.cookies = cookies
         self.vpath = unquotep(vpath)
 
-        pwd = None
-        if "cookie" in self.headers:
-            cookies = self.headers["cookie"].split(";")
-            for k, v in [x.split("=", 1) for x in cookies]:
-                if k.strip() != "cppwd":
-                    continue
-
-                pwd = unescape_cookie(v)
-                break
-
-        pwd = uparam.get("pw", pwd)
+        pwd = uparam.get("pw")
         self.uname = self.auth.iuser.get(pwd, "*")
         if self.uname:
             self.rvol = self.auth.vfs.user_tree(self.uname, readable=True)
             self.wvol = self.auth.vfs.user_tree(self.uname, writable=True)
 
         ua = self.headers.get("user-agent", "")
-        if ua.startswith("rclone/"):
+        self.is_rclone = ua.startswith("rclone/")
+        if self.is_rclone:
             uparam["raw"] = False
             uparam["dots"] = False
+            uparam["b"] = False
+            cookies["b"] = False
+
+        self.do_log = not self.conn.lf_url or not self.conn.lf_url.match(self.req)
 
         try:
             if self.mode in ["GET", "HEAD"]:
@@ -182,10 +198,8 @@ class HttpCli(object):
         self.out_headers.update(headers)
 
         # default to utf8 html if no content-type is set
-        try:
-            mime = mime or self.out_headers["Content-Type"]
-        except KeyError:
-            mime = "text/html; charset=UTF-8"
+        if not mime:
+            mime = self.out_headers.get("Content-Type", "text/html; charset=UTF-8")
 
         self.out_headers["Content-Type"] = mime
 
@@ -220,7 +234,14 @@ class HttpCli(object):
         removing anything in rm, adding pairs in add
         """
 
-        kv = {k: v for k, v in self.uparam.items() if k not in rm}
+        if self.is_rclone:
+            return ""
+
+        kv = {
+            k: v
+            for k, v in self.uparam.items()
+            if k not in rm and self.cookies.get(k) != v
+        }
         kv.update(add)
         if not kv:
             return ""
@@ -228,7 +249,26 @@ class HttpCli(object):
         r = ["{}={}".format(k, quotep(v)) if v else k for k, v in kv.items()]
         return "?" + "&".join(r)
 
+    def redirect(
+        self, vpath, suf="", msg="aight", flavor="go to", click=True, use302=False
+    ):
+        html = self.j2(
+            "msg",
+            h2='<a href="/{}">{} /{}</a>'.format(
+                quotep(vpath) + suf, flavor, html_escape(vpath, crlf=True) + suf
+            ),
+            pre=msg,
+            click=click,
+        ).encode("utf-8", "replace")
+
+        if use302:
+            h = {"Location": "/" + vpath, "Cache-Control": "no-cache"}
+            self.reply(html, status=302, headers=h)
+        else:
+            self.reply(html)
+
     def handle_get(self):
+        if self.do_log:
             logmsg = "{:4} {}".format(self.mode, self.req)
 
             if "range" in self.headers:
@@ -250,23 +290,27 @@ class HttpCli(object):
             return self.tx_tree()
 
         # conditional redirect to single volumes
-        if self.vpath == "" and not self.uparam:
+        if self.vpath == "" and not self.ouparam:
             nread = len(self.rvol)
             nwrite = len(self.wvol)
             if nread + nwrite == 1 or (self.rvol == self.wvol and nread == 1):
                 if nread == 1:
-                    self.vpath = self.rvol[0]
+                    vpath = self.rvol[0]
                 else:
-                    self.vpath = self.wvol[0]
+                    vpath = self.wvol[0]
 
-                self.absolute_urls = True
+                if self.vpath != vpath:
+                    self.redirect(vpath, flavor="redirecting to", use302=True)
+                    return True
 
-        # go home if verboten
         self.readable, self.writable = self.conn.auth.vfs.can_access(
             self.vpath, self.uname
         )
         if not self.readable and not self.writable:
+            if self.vpath:
                 self.log("inaccessible: [{}]".format(self.vpath))
+                raise Pebkac(404)
+
             self.uparam = {"h": False}
 
         if "h" in self.uparam:
@@ -276,7 +320,9 @@ class HttpCli(object):
         return self.tx_browser()
 
     def handle_options(self):
+        if self.do_log:
             self.log("OPTIONS " + self.req)
+
         self.send_headers(
             None,
             204,
@@ -534,7 +580,7 @@ class HttpCli(object):
             self.log("qj: " + repr(vbody))
             hits = idx.fsearch(vols, body)
             msg = repr(hits)
-            taglist = []
+            taglist = {}
         else:
             # search by query params
             self.log("qj: " + repr(body))
@@ -626,7 +672,7 @@ class HttpCli(object):
             self.loud_reply(x, status=500)
             return False
 
-        if not WINDOWS and num_left == 0:
+        if not ANYWIN and num_left == 0:
             times = (int(time.time()), int(lastmod))
             self.log("no more chunks, setting times {}".format(times))
             try:
@@ -645,13 +691,16 @@ class HttpCli(object):
 
         if pwd in self.auth.iuser:
             msg = "login ok"
+            dt = datetime.utcfromtimestamp(time.time() + 60 * 60 * 24 * 365)
+            exp = dt.strftime("%a, %d %b %Y %H:%M:%S GMT")
         else:
             msg = "naw dude"
             pwd = "x"  # nosec
+            exp = "Fri, 15 Aug 1997 01:00:00 GMT"
 
-        h = {"Set-Cookie": "cppwd={}; Path=/; SameSite=Lax".format(pwd)}
+        ck = "cppwd={}; Path=/; Expires={}; SameSite=Lax".format(pwd, exp)
         html = self.j2("msg", h1=msg, h2='<a href="/">ack</a>', redir="/")
-        self.reply(html.encode("utf-8"), headers=h)
+        self.reply(html.encode("utf-8"), headers={"Set-Cookie": ck})
         return True
 
     def handle_mkdir(self):
@@ -680,14 +729,7 @@ class HttpCli(object):
                 raise Pebkac(500, "mkdir failed, check the logs")
 
         vpath = "{}/{}".format(self.vpath, sanitized).lstrip("/")
-        esc_paths = [quotep(vpath), html_escape(vpath)]
-        html = self.j2(
-            "msg",
-            h2='<a href="/{}">go to /{}</a>'.format(*esc_paths),
-            pre="aight",
-            click=True,
-        )
-        self.reply(html.encode("utf-8", "replace"))
+        self.redirect(vpath)
         return True
 
     def handle_new_md(self):
@@ -714,15 +756,7 @@ class HttpCli(object):
                 f.write(b"`GRUNNUR`\n")
 
         vpath = "{}/{}".format(self.vpath, sanitized).lstrip("/")
-        html = self.j2(
-            "msg",
-            h2='<a href="/{}?edit">go to /{}?edit</a>'.format(
-                quotep(vpath), html_escape(vpath)
-            ),
-            pre="aight",
-            click=True,
-        )
-        self.reply(html.encode("utf-8", "replace"))
+        self.redirect(vpath, "?edit")
         return True
 
     def handle_plain_upload(self):
@@ -741,7 +775,9 @@ class HttpCli(object):
 
                 if p_file and not nullwrite:
                     fdir = os.path.join(vfs.realpath, rem)
-                    fname = sanitize_fn(p_file)
+                    fname = sanitize_fn(
+                        p_file, bad=[".prologue.html", ".epilogue.html"]
+                    )
 
                     if not os.path.isdir(fsenc(fdir)):
                         raise Pebkac(404, "that folder does not exist")
@@ -761,7 +797,7 @@ class HttpCli(object):
                         if sz == 0:
                             raise Pebkac(400, "empty files in post")
 
-                        files.append([sz, sha512_hex])
+                        files.append([sz, sha512_hex, p_file, fname])
                         self.conn.hsrv.broker.put(
                             False, "up2k.hash_file", vfs.realpath, vfs.flags, rem, fname
                         )
@@ -770,12 +806,16 @@ class HttpCli(object):
                 except Pebkac:
                     if fname != os.devnull:
                         fp = os.path.join(fdir, fname)
+                        fp2 = fp
+                        if self.args.dotpart:
+                            fp2 = os.path.join(fdir, "." + fname)
+
                         suffix = ".PARTIAL"
                         try:
-                            os.rename(fsenc(fp), fsenc(fp + suffix))
+                            os.rename(fsenc(fp), fsenc(fp2 + suffix))
                         except:
-                            fp = fp[: -len(suffix)]
-                            os.rename(fsenc(fp), fsenc(fp + suffix))
+                            fp2 = fp2[: -len(suffix) - 1]
+                            os.rename(fsenc(fp), fsenc(fp2 + suffix))
 
                     raise
 
@@ -792,10 +832,13 @@ class HttpCli(object):
             errmsg = "ERROR: " + errmsg
             status = "ERROR"
 
-        msg = "{0} // {1} bytes // {2:.3f} MiB/s\n".format(status, sz_total, spd)
+        msg = "{} // {} bytes // {:.3f} MiB/s\n".format(status, sz_total, spd)
 
-        for sz, sha512 in files:
-            msg += "sha512: {0} // {1} bytes\n".format(sha512[:56], sz)
+        for sz, sha512, ofn, lfn in files:
+            vpath = self.vpath + "/" + lfn
+            msg += 'sha512: {} // {} bytes // <a href="/{}">{}</a>\n'.format(
+                sha512[:56], sz, quotep(vpath), html_escape(ofn, crlf=True)
+            )
             # truncated SHA-512 prevents length extension attacks;
             # using SHA-512/224, optionally SHA-512/256 = :64
 
@@ -803,32 +846,13 @@ class HttpCli(object):
         self.log("{} {}".format(vspd, msg))
 
         if not nullwrite:
-            # TODO this is bad
             log_fn = "up.{:.6f}.txt".format(t0)
             with open(log_fn, "wb") as f:
-                f.write(
-                    (
-                        "\n".join(
-                            unicode(x)
-                            for x in [
-                                ":".join(unicode(x) for x in [self.ip, self.addr[1]]),
-                                msg.rstrip(),
-                            ]
-                        )
-                        + "\n"
-                        + errmsg
-                        + "\n"
-                    ).encode("utf-8")
-                )
+                ft = "{}:{}".format(self.ip, self.addr[1])
+                ft = "{}\n{}\n{}\n".format(ft, msg.rstrip(), errmsg)
+                f.write(ft.encode("utf-8"))
 
-        html = self.j2(
-            "msg",
-            h2='<a href="/{}">return to /{}</a>'.format(
-                quotep(self.vpath), html_escape(self.vpath)
-            ),
-            pre=msg,
-        )
-        self.reply(html.encode("utf-8", "replace"))
+        self.redirect(self.vpath, msg=msg, flavor="return to", click=False)
         self.parser.drop()
         return True
 
@@ -928,13 +952,14 @@ class HttpCli(object):
         return True
 
     def _chk_lastmod(self, file_ts):
+        date_fmt = "%a, %d %b %Y %H:%M:%S GMT"
         file_dt = datetime.utcfromtimestamp(file_ts)
-        file_lastmod = file_dt.strftime("%a, %d %b %Y %H:%M:%S GMT")
+        file_lastmod = file_dt.strftime(date_fmt)
 
         cli_lastmod = self.headers.get("if-modified-since")
         if cli_lastmod:
             try:
-                cli_dt = time.strptime(cli_lastmod, "%a, %d %b %Y %H:%M:%S GMT")
+                cli_dt = time.strptime(cli_lastmod, date_fmt)
                 cli_ts = calendar.timegm(cli_dt)
                 return file_lastmod, int(file_ts) > int(cli_ts)
             except Exception as ex:
@@ -1093,7 +1118,9 @@ class HttpCli(object):
         logmsg += unicode(status) + logtail
 
         if self.mode == "HEAD" or not do_send:
+            if self.do_log:
                 self.log(logmsg)
+
             return True
 
         ret = True
@@ -1107,7 +1134,9 @@ class HttpCli(object):
             logmsg += " \033[31m" + unicode(upper - remains) + "\033[0m"
 
         spd = self._spd((upper - lower) - remains)
+        if self.do_log:
             self.log("{},  {}".format(logmsg, spd))
+
         return ret
 
     def tx_zip(self, fmt, uarg, vn, rem, items, dots):
@@ -1181,17 +1210,16 @@ class HttpCli(object):
         template = self.j2(tpl)
 
         st = os.stat(fsenc(fs_path))
-        # sz_md = st.st_size
         ts_md = st.st_mtime
 
         st = os.stat(fsenc(html_path))
         ts_html = st.st_mtime
 
-        # TODO dont load into memory ;_;
-        #   (trivial fix, count the &'s)
-        with open(fsenc(fs_path), "rb") as f:
-            md = f.read().replace(b"&", b"&amp;")
-            sz_md = len(md)
+        sz_md = 0
+        for buf in yieldfile(fs_path):
+            sz_md += len(buf)
+            for c, v in [[b"&", 4], [b"<", 3], [b">", 3]]:
+                sz_md += (len(buf) - len(buf.replace(c, b""))) * v
 
         file_ts = max(ts_md, ts_html)
         file_lastmod, do_send = self._chk_lastmod(file_ts)
@@ -1199,32 +1227,43 @@ class HttpCli(object):
         self.out_headers["Cache-Control"] = "no-cache"
         status = 200 if do_send else 304
 
+        boundary = "\roll\tide"
         targs = {
             "edit": "edit" in self.uparam,
-            "title": html_escape(self.vpath),
+            "title": html_escape(self.vpath, crlf=True),
             "lastmod": int(ts_md * 1000),
             "md_plug": "true" if self.args.emp else "false",
             "md_chk_rate": self.args.mcr,
-            "md": "",
+            "md": boundary,
         }
-        sz_html = len(template.render(**targs).encode("utf-8"))
-        self.send_headers(sz_html + sz_md, status)
+        html = template.render(**targs).encode("utf-8")
+        html = html.split(boundary.encode("utf-8"))
+        if len(html) != 2:
+            raise Exception("boundary appears in " + html_path)
+
+        self.send_headers(sz_md + len(html[0]) + len(html[1]), status)
 
         logmsg += unicode(status)
         if self.mode == "HEAD" or not do_send:
+            if self.do_log:
                 self.log(logmsg)
+
             return True
 
-        # TODO jinja2 can stream this right?
-        targs["md"] = md.decode("utf-8", "replace")
-        html = template.render(**targs).encode("utf-8")
         try:
-            self.s.sendall(html)
+            self.s.sendall(html[0])
+            for buf in yieldfile(fs_path):
+                self.s.sendall(html_bescape(buf))
+
+            self.s.sendall(html[1])
+
         except:
             self.log(logmsg + " \033[31md/c\033[0m")
             return False
 
+        if self.do_log:
             self.log(logmsg + " " + unicode(len(html)))
+
         return True
 
     def tx_mounts(self):
@@ -1300,7 +1339,7 @@ class HttpCli(object):
                 else:
                     vpath += "/" + node
 
-                vpnodes.append([quotep(vpath) + "/", html_escape(node)])
+                vpnodes.append([quotep(vpath) + "/", html_escape(node, crlf=True)])
 
         vn, rem = self.auth.vfs.get(
             self.vpath, self.uname, self.readable, self.writable
@@ -1311,6 +1350,94 @@ class HttpCli(object):
             # print(abspath)
             raise Pebkac(404)
 
+        srv_info = []
+
+        try:
+            if not self.args.nih:
+                srv_info.append(unicode(socket.gethostname()).split(".")[0])
+        except:
+            self.log("#wow #whoa")
+
+        try:
+            # some fuses misbehave
+            if not self.args.nid:
+                if WINDOWS:
+                    bfree = ctypes.c_ulonglong(0)
+                    ctypes.windll.kernel32.GetDiskFreeSpaceExW(
+                        ctypes.c_wchar_p(abspath), None, None, ctypes.pointer(bfree)
+                    )
+                    srv_info.append(humansize(bfree.value) + " free")
+                else:
+                    sv = os.statvfs(abspath)
+                    free = humansize(sv.f_frsize * sv.f_bfree, True)
+                    total = humansize(sv.f_frsize * sv.f_blocks, True)
+
+                    srv_info.append(free + " free")
+                    srv_info.append(total)
+        except:
+            pass
+
+        srv_info = "</span> /// <span>".join(srv_info)
+
+        perms = []
+        if self.readable:
+            perms.append("read")
+        if self.writable:
+            perms.append("write")
+
+        url_suf = self.urlq()
+        is_ls = "ls" in self.uparam
+        ts = ""  # "?{}".format(time.time())
+
+        tpl = "browser"
+        if "b" in self.uparam:
+            tpl = "browser2"
+
+        logues = ["", ""]
+        for n, fn in enumerate([".prologue.html", ".epilogue.html"]):
+            fn = os.path.join(abspath, fn)
+            if os.path.exists(fsenc(fn)):
+                with open(fsenc(fn), "rb") as f:
+                    logues[n] = f.read().decode("utf-8")
+
+        ls_ret = {
+            "dirs": [],
+            "files": [],
+            "taglist": [],
+            "srvinf": srv_info,
+            "perms": perms,
+            "logues": logues,
+        }
+        j2a = {
+            "vdir": quotep(self.vpath),
+            "vpnodes": vpnodes,
+            "files": [],
+            "ts": ts,
+            "perms": json.dumps(perms),
+            "taglist": [],
+            "tag_order": [],
+            "have_up2k_idx": ("e2d" in vn.flags),
+            "have_tags_idx": ("e2t" in vn.flags),
+            "have_zip": (not self.args.no_zip),
+            "have_b_u": (self.writable and self.uparam.get("b") == "u"),
+            "url_suf": url_suf,
+            "logues": logues,
+            "title": html_escape(self.vpath, crlf=True),
+            "srv_info": srv_info,
+        }
+        if not self.readable:
+            if is_ls:
+                ret = json.dumps(ls_ret)
+                self.reply(ret.encode("utf-8", "replace"), mime="application/json")
+                return True
+
+            if not os.path.isdir(fsenc(abspath)):
+                raise Pebkac(404)
+
+            html = self.j2(tpl, **j2a)
+            self.reply(html.encode("utf-8", "replace"))
+            return True
+
         if not os.path.isdir(fsenc(abspath)):
             if abspath.endswith(".md") and "raw" not in self.uparam:
                 return self.tx_md(abspath)
@@ -1354,15 +1481,11 @@ class HttpCli(object):
         if rem == ".hist":
             hidden = ["up2k."]
 
-        is_ls = "ls" in self.uparam
-
         icur = None
         if "e2t" in vn.flags:
             idx = self.conn.get_u2idx()
             icur = idx.get_cur(vn.realpath)
 
-        url_suf = self.urlq()
-
         dirs = []
         files = []
         for fn in vfs_ls:
@@ -1394,7 +1517,7 @@ class HttpCli(object):
                     margin = '<a href="{}?zip">zip</a>'.format(quotep(href))
             elif fn in hist:
                 margin = '<a href="{}.hist/{}">#{}</a>'.format(
-                    base, html_escape(hist[fn][2], quote=True), hist[fn][0]
+                    base, html_escape(hist[fn][2], quote=True, crlf=True), hist[fn][0]
                 )
             else:
                 margin = "-"
@@ -1453,91 +1576,21 @@ class HttpCli(object):
             for f in dirs:
                 f["tags"] = {}
 
-        srv_info = []
-
-        try:
-            if not self.args.nih:
-                srv_info.append(unicode(socket.gethostname()).split(".")[0])
-        except:
-            self.log("#wow #whoa")
-            pass
-
-        try:
-            # some fuses misbehave
-            if not self.args.nid:
-                if WINDOWS:
-                    bfree = ctypes.c_ulonglong(0)
-                    ctypes.windll.kernel32.GetDiskFreeSpaceExW(
-                        ctypes.c_wchar_p(abspath), None, None, ctypes.pointer(bfree)
-                    )
-                    srv_info.append(humansize(bfree.value) + " free")
-                else:
-                    sv = os.statvfs(abspath)
-                    free = humansize(sv.f_frsize * sv.f_bfree, True)
-                    total = humansize(sv.f_frsize * sv.f_blocks, True)
-
-                    srv_info.append(free + " free")
-                    srv_info.append(total)
-        except:
-            pass
-
-        srv_info = "</span> /// <span>".join(srv_info)
-
-        perms = []
-        if self.readable:
-            perms.append("read")
-        if self.writable:
-            perms.append("write")
-
-        logues = ["", ""]
-        for n, fn in enumerate([".prologue.html", ".epilogue.html"]):
-            fn = os.path.join(abspath, fn)
-            if os.path.exists(fsenc(fn)):
-                with open(fsenc(fn), "rb") as f:
-                    logues[n] = f.read().decode("utf-8")
-
         if is_ls:
             [x.pop(k) for k in ["name", "dt"] for y in [dirs, files] for x in y]
-            ret = {
-                "dirs": dirs,
-                "files": files,
-                "srvinf": srv_info,
-                "perms": perms,
-                "logues": logues,
-                "taglist": taglist,
-            }
-            ret = json.dumps(ret)
+            ls_ret["dirs"] = dirs
+            ls_ret["files"] = files
+            ls_ret["taglist"] = taglist
+            ret = json.dumps(ls_ret)
             self.reply(ret.encode("utf-8", "replace"), mime="application/json")
             return True
 
-        ts = ""
-        # ts = "?{}".format(time.time())
+        j2a["files"] = dirs + files
+        j2a["logues"] = logues
+        j2a["taglist"] = taglist
+        if "mte" in vn.flags:
+            j2a["tag_order"] = json.dumps(vn.flags["mte"].split(","))
 
-        dirs.extend(files)
-
-        tpl = "browser"
-        if "b" in self.uparam:
-            tpl = "browser2"
-
-        html = self.j2(
-            tpl,
-            vdir=quotep(self.vpath),
-            vpnodes=vpnodes,
-            files=dirs,
-            ts=ts,
-            perms=json.dumps(perms),
-            taglist=taglist,
-            tag_order=json.dumps(
-                vn.flags["mte"].split(",") if "mte" in vn.flags else []
-            ),
-            have_up2k_idx=("e2d" in vn.flags),
-            have_tags_idx=("e2t" in vn.flags),
-            have_zip=(not self.args.no_zip),
-            have_b_u=(self.writable and self.uparam.get("b") == "u"),
-            url_suf=url_suf,
-            logues=logues,
-            title=html_escape(self.vpath),
-            srv_info=srv_info,
-        )
+        html = self.j2(tpl, **j2a)
         self.reply(html.encode("utf-8", "replace"))
         return True

copyparty/httpconn.py

@@ -1,6 +1,7 @@
 # coding: utf-8
 from __future__ import print_function, unicode_literals
 
+import re
 import os
 import sys
 import time
@@ -38,6 +39,7 @@ class HttpConn(object):
         self.workload = 0
         self.u2idx = None
         self.log_func = hsrv.log
+        self.lf_url = re.compile(self.args.lf_url) if self.args.lf_url else None
         self.set_rproxy()
 
     def set_rproxy(self, ip=None):

copyparty/szip.py

@@ -87,7 +87,7 @@ def gen_hdr(h_pos, fn, sz, lastmod, utf8, crc32, pre_crc):
     ret += struct.pack("<LL", vsz, vsz)
 
     # windows support (the "?" replace below too)
-    fn = sanitize_fn(fn, "/")
+    fn = sanitize_fn(fn, ok="/")
     bfn = fn.encode("utf-8" if utf8 else "cp437", "replace").replace(b"?", b"_")
 
     z64_len = len(z64v) * 8 + 4 if z64v else 0

copyparty/up2k.py

@@ -16,7 +16,7 @@ import traceback
 import subprocess as sp
 from copy import deepcopy
 
-from .__init__ import WINDOWS
+from .__init__ import WINDOWS, ANYWIN
 from .util import (
     Pebkac,
     Queue,
@@ -79,7 +79,7 @@ class Up2k(object):
             if self.sqlite_ver < (3, 9):
                 self.no_expr_idx = True
 
-        if WINDOWS:
+        if ANYWIN:
             # usually fails to set lastmod too quickly
             self.lastmod_q = Queue()
             thr = threading.Thread(target=self._lastmodder)
@@ -511,6 +511,7 @@ class Up2k(object):
 
     def _run_all_mtp(self):
         t0 = time.time()
+        self.mtp_audio = {}
         self.mtp_force = {}
         self.mtp_parsers = {}
         for ptop, flags in self.flags.items():
@@ -527,8 +528,9 @@ class Up2k(object):
 
         entags = self.entags[ptop]
 
-        force = {}
-        timeout = {}
+        audio = {}  # [r]equire [n]ot [d]ontcare
+        force = {}  # bool
+        timeout = {}  # int
         parsers = {}
         for parser in self.flags[ptop]["mtp"]:
             orig = parser
@@ -536,6 +538,8 @@ class Up2k(object):
             if tag not in entags:
                 continue
 
+            audio[tag] = "y"
+
             while True:
                 try:
                     bp = os.path.expanduser(parser)
@@ -549,6 +553,10 @@ class Up2k(object):
                     arg, parser = parser.split(",", 1)
                     arg = arg.lower()
 
+                    if arg.startswith("a"):
+                        audio[tag] = arg[1:]
+                        continue
+
                     if arg == "f":
                         force[tag] = True
                         continue
@@ -563,6 +571,8 @@ class Up2k(object):
                     self.log("invalid argument: " + orig, 1)
                     return
 
+        # todo audio/force => parser attributes
+        self.mtp_audio[ptop] = audio
         self.mtp_force[ptop] = force
         self.mtp_parsers[ptop] = parsers
 
@@ -596,8 +606,8 @@ class Up2k(object):
                     have = cur.execute(q, (w,)).fetchall()
                     have = [x[0] for x in have]
 
-                    if ".dur" not in have and ".dur" in entags:
-                        # skip non-audio
+                    parsers = self._get_parsers(ptop, have)
+                    if not parsers:
                         to_delete[w] = True
                         n_left -= 1
                         continue
@@ -605,10 +615,7 @@ class Up2k(object):
                     if w in in_progress:
                         continue
 
-                    task_parsers = {
-                        k: v for k, v in parsers.items() if k in force or k not in have
-                    }
-                    jobs.append([task_parsers, None, w, abspath])
+                    jobs.append([parsers, None, w, abspath])
                     in_progress[w] = True
 
             done = self._flush_mpool(wcur)
@@ -667,13 +674,32 @@ class Up2k(object):
             wcur.close()
             cur.close()
 
-    def _start_mpool(self):
-        if WINDOWS and False:
-            nah = open(os.devnull, "wb")
-            wmic = "processid={}".format(os.getpid())
-            wmic = ["wmic", "process", "where", wmic, "call", "setpriority"]
-            sp.call(wmic + ["below normal"], stdout=nah, stderr=nah)
+    def _get_parsers(self, ptop, have):
+        try:
+            all_parsers = self.mtp_parsers[ptop]
+        except:
+            return {}
 
+        audio = self.mtp_audio[ptop]
+        force = self.mtp_force[ptop]
+        entags = self.entags[ptop]
+        parsers = {}
+        for k, v in all_parsers.items():
+            if ".dur" in entags:
+                if ".dur" in have:
+                    # is audio, require non-audio?
+                    if audio[k] == "n":
+                        continue
+                # is not audio, require audio?
+                elif audio[k] == "y":
+                    continue
+
+            parsers[k] = v
+
+        parsers = {k: v for k, v in parsers.items() if k in force or k not in have}
+        return parsers
+
+    def _start_mpool(self):
         # mp.pool.ThreadPool and concurrent.futures.ThreadPoolExecutor
         # both do crazy runahead so lets reinvent another wheel
         nw = os.cpu_count() if hasattr(os, "cpu_count") else 4
@@ -698,12 +724,6 @@ class Up2k(object):
 
         mpool.join()
         done = self._flush_mpool(wcur)
-        if WINDOWS and False:
-            nah = open(os.devnull, "wb")
-            wmic = "processid={}".format(os.getpid())
-            wmic = ["wmic", "process", "where", wmic, "call", "setpriority"]
-            sp.call(wmic + ["below normal"], stdout=nah, stderr=nah)
-
         return done
 
     def _tag_thr(self, q):
@@ -903,7 +923,7 @@ class Up2k(object):
             if cj["ptop"] not in self.registry:
                 raise Pebkac(410, "location unavailable")
 
-        cj["name"] = sanitize_fn(cj["name"])
+        cj["name"] = sanitize_fn(cj["name"], bad=[".prologue.html", ".epilogue.html"])
         cj["poke"] = time.time()
         wark = self._get_wark(cj)
         now = time.time()
@@ -1110,8 +1130,9 @@ class Up2k(object):
 
             atomic_move(src, dst)
 
-            if WINDOWS:
-                self.lastmod_q.put([dst, (int(time.time()), int(job["lmod"]))])
+            if ANYWIN:
+                a = [dst, job["size"], (int(time.time()), int(job["lmod"]))]
+                self.lastmod_q.put(a)
 
             # legit api sware 2 me mum
             if self.idx_wark(
@@ -1209,9 +1230,23 @@ class Up2k(object):
         #    raise Exception("aaa")
 
         tnam = job["name"] + ".PARTIAL"
+        if self.args.dotpart:
+            tnam = "." + tnam
+
         suffix = ".{:.6f}-{}".format(job["t0"], job["addr"])
         with ren_open(tnam, "wb", fdir=pdir, suffix=suffix) as f:
             f, job["tnam"] = f["orz"]
+            if (
+                ANYWIN
+                and self.args.sparse
+                and self.args.sparse * 1024 * 1024 <= job["size"]
+            ):
+                fp = os.path.join(pdir, job["tnam"])
+                try:
+                    sp.check_call(["fsutil", "sparse", "setflag", fp])
+                except:
+                    self.log("could not sparse [{}]".format(fp), 3)
+
             f.seek(job["size"] - 1)
             f.write(b"e")
 
@@ -1223,13 +1258,19 @@ class Up2k(object):
 
             # self.log("lmod: got {}".format(len(ready)))
             time.sleep(5)
-            for path, times in ready:
+            for path, sz, times in ready:
                 self.log("lmod: setting times {} on {}".format(times, path))
                 try:
                     os.utime(fsenc(path), times)
                 except:
                     self.log("lmod: failed to utime ({}, {})".format(path, times))
 
+                if self.args.sparse and self.args.sparse * 1024 * 1024 <= sz:
+                    try:
+                        sp.check_call(["fsutil", "sparse", "setflag", path, "0"])
+                    except:
+                        self.log("could not unsparse [{}]".format(path), 3)
+
     def _snapshot(self):
         persist_interval = 30  # persist unfinished uploads index every 30 sec
         discard_interval = 21600  # drop unfinished uploads after 6 hours inactivity
@@ -1299,13 +1340,9 @@ class Up2k(object):
             abspath = os.path.join(ptop, rd, fn)
             tags = self.mtag.get(abspath)
             ntags1 = len(tags)
-            if self.mtp_parsers.get(ptop, {}):
-                parser = {
-                    k: v
-                    for k, v in self.mtp_parsers[ptop].items()
-                    if k in self.mtp_force[ptop] or k not in tags
-                }
-                tags.update(self.mtag.get_bin(parser, abspath))
+            parsers = self._get_parsers(ptop, tags)
+            if parsers:
+                tags.update(self.mtag.get_bin(parsers, abspath))
 
             with self.mutex:
                 cur = self.cur[ptop]

copyparty/util.py

@@ -16,7 +16,7 @@ import mimetypes
 import contextlib
 import subprocess as sp  # nosec
 
-from .__init__ import PY2, WINDOWS
+from .__init__ import PY2, WINDOWS, ANYWIN
 from .stolen import surrogateescape
 
 FAKE_MP = False
@@ -49,6 +49,7 @@ HTTPCODE = {
     200: "OK",
     204: "No Content",
     206: "Partial Content",
+    302: "Found",
     304: "Not Modified",
     400: "Bad Request",
     403: "Forbidden",
@@ -576,12 +577,12 @@ def undot(path):
     return "/".join(ret)
 
 
-def sanitize_fn(fn, ok=""):
+def sanitize_fn(fn, ok="", bad=[]):
     if "/" not in ok:
         fn = fn.replace("\\", "/").split("/")[-1]
 
-    if WINDOWS:
-        for bad, good in [x for x in [
+    if ANYWIN:
+        remap = [
             ["<", "＜"],
             [">", "＞"],
             [":", "："],
@@ -591,10 +592,11 @@ def sanitize_fn(fn, ok=""):
             ["|", "｜"],
             ["?", "？"],
             ["*", "＊"],
-        ] if x[0] not in ok]:
-            fn = fn.replace(bad, good)
+        ]
+        for a, b in [x for x in remap if x[0] not in ok]:
+            fn = fn.replace(a, b)
 
-        bad = ["con", "prn", "aux", "nul"]
+        bad.extend(["con", "prn", "aux", "nul"])
         for n in range(1, 10):
             bad += "com{0} lpt{0}".format(n).split(" ")
 
@@ -615,17 +617,24 @@ def exclude_dotfiles(filepaths):
     return [x for x in filepaths if not x.split("/")[-1].startswith(".")]
 
 
-def html_escape(s, quote=False):
+def html_escape(s, quote=False, crlf=False):
     """html.escape but also newlines"""
-    s = (
-        s.replace("&", "&amp;")
-        .replace("<", "&lt;")
-        .replace(">", "&gt;")
-        .replace("\r", "&#13;")
-        .replace("\n", "&#10;")
-    )
+    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
     if quote:
         s = s.replace('"', "&quot;").replace("'", "&#x27;")
+    if crlf:
+        s = s.replace("\r", "&#13;").replace("\n", "&#10;")
+
+    return s
+
+
+def html_bescape(s, quote=False, crlf=False):
+    """html.escape but bytestrings"""
+    s = s.replace(b"&", b"&amp;").replace(b"<", b"&lt;").replace(b">", b"&gt;")
+    if quote:
+        s = s.replace(b'"', b"&quot;").replace(b"'", b"&#x27;")
+    if crlf:
+        s = s.replace(b"\r", b"&#13;").replace(b"\n", b"&#10;")
 
     return s
 

copyparty/web/browser.css

@@ -6,7 +6,7 @@ html,body,tr,th,td,#files,a {
 	background: none;
 	font-weight: inherit;
 	font-size: inherit;
-	padding: none;
+	padding: 0;
 	border: none;
 }
 html {
@@ -68,7 +68,7 @@ a, #files tbody div a:last-child {
 	color: #999;
 	font-weight: normal;
 }
-#files tr+tr:hover {
+#files tr:hover {
 	background: #1c1c1c;
 }
 #files thead th {
@@ -90,8 +90,6 @@ a, #files tbody div a:last-child {
 #files td {
 	margin: 0;
 	padding: 0 .5em;
-}
-#files td {
 	border-bottom: 1px solid #111;
 }
 #files td+td+td {
@@ -187,6 +185,16 @@ a, #files tbody div a:last-child {
 	background: #925;
 	border-color: #c37;
 }
+#files tr.sel a {
+	color: #fff;
+}
+#files tr.sel a.play {
+	color: #fc5;
+}
+#files tr.sel a.play.act {
+	color: #fff;
+	text-shadow: 0 0 1px #fff;
+}
 #blocked {
 	position: fixed;
 	top: 0;
@@ -273,29 +281,48 @@ a, #files tbody div a:last-child {
 	padding: .2em 0 0 .07em;
 	color: #fff;
 }
-#wzip {
+#wzip, #wnp {
 	display: none;
 	margin-right: .3em;
 	padding-right: .3em;
 	border-right: .1em solid #555;
 }
+#wnp a {
+	position: relative;
+	font-size: .47em;
+	margin: 0 .1em;
+	top: -.4em;
+}
+#wnp a+a {
+	margin-left: .33em;
+}
 #wtoggle,
 #wtoggle * {
 	line-height: 1em;
 }
+#wtoggle.np {
+	width: 5.5em;
+}
 #wtoggle.sel {
 	width: 6.4em;
 }
-#wtoggle.sel #wzip {
+#wtoggle.sel #wzip,
+#wtoggle.np #wnp {
 	display: inline-block;
 }
-#wtoggle.sel #wzip a {
+#wtoggle.sel.np #wnp {
+	display: none;
+}
+#wzip a {
 	font-size: .4em;
 	padding: 0 .3em;
 	margin: -.3em .2em;
 	position: relative;
 	display: inline-block;
 }
+#wzip a+a {
+	margin-left: .8em;
+}
 #wtoggle.sel #wzip #selzip {
 	top: -.6em;
 	padding: .4em .3em;
@@ -343,10 +370,10 @@ a, #files tbody div a:last-child {
 	width: calc(100% - 10.5em);
 	background: rgba(0,0,0,0.2);
 }
-@media (min-width: 90em) {
+@media (min-width: 80em) {
 	#barpos,
 	#barbuf {
-		width: calc(100% - 24em);
+		width: calc(100% - 21em);
 		left: 9.8em;
 		top: .7em;
 		height: 1.6em;
@@ -356,6 +383,9 @@ a, #files tbody div a:last-child {
 		bottom: -3.2em;
 		height: 3.2em;
 	}
+	#pvol {
+		max-width: 9em;
+	}
 }
 
 
@@ -407,6 +437,7 @@ a, #files tbody div a:last-child {
 	padding: .3em .6em;
 	border-radius: .3em;
 	border-width: .15em 0;
+	white-space: nowrap;
 }
 .opbox {
 	background: #2d2d2d;
@@ -487,9 +518,6 @@ input[type="checkbox"]:checked+label {
 	border-collapse: collapse;
 	width: 100%;
 }
-#files td div a:last-child {
-	width: 100%;
-}
 #wrap {
 	margin-top: 2em;
 }
@@ -499,7 +527,6 @@ input[type="checkbox"]:checked+label {
 	left: 0;
 	bottom: 0;
 	top: 7em;
-	padding-top: .2em;
 	overflow-y: auto;
 	-ms-scroll-chaining: none;
 	overscroll-behavior-y: none;
@@ -508,9 +535,7 @@ input[type="checkbox"]:checked+label {
 #thx_ff {
 	padding: 5em 0;
 }
-#tree::-webkit-scrollbar-track {
-	background: #333;
-}
+#tree::-webkit-scrollbar-track,
 #tree::-webkit-scrollbar {
 	background: #333;
 }
@@ -549,6 +574,7 @@ input[type="checkbox"]:checked+label {
 #detree {
 	padding: .3em .5em;
 	font-size: 1.5em;
+	line-height: 1.5em;
 }
 #tree ul,
 #tree li {
@@ -685,6 +711,15 @@ input[type="checkbox"]:checked+label {
 	font-family: monospace, monospace;
 	line-height: 2em;
 }
+#pvol,
+#barbuf,
+#barpos,
+#u2conf label {
+	-webkit-user-select: none;
+	-moz-user-select: none;
+	-ms-user-select: none;
+	user-select: none;
+}
 
 
 
@@ -704,7 +739,7 @@ html.light #srch_form {
 }
 html.light #ops a.act {
 	box-shadow: 0 .2em .2em #ccc;
-	background: #f7f7f7;
+	background: #fff;
 	border-color: #07a;
 	padding-top: .4em;
 }
@@ -761,7 +796,7 @@ html.light #files {
 html.light #files thead th {
 	background: #eee;
 }
-html.light #files tr+tr td {
+html.light #files tr td {
 	border-top: 1px solid #ddd;
 }
 html.light #files td {
@@ -785,8 +820,12 @@ html.light tr.play td {
 html.light tr.play a {
 	color: #406;
 }
+html.light #files th:hover .cfg,
+html.light #files th.min .cfg {
+	background: #ccc;
+}
 html.light #files > thead > tr > th.min span {
-	background: linear-gradient(90deg, rgba(68,68,68,0), rgba(68,68,68,0.2) 70%, rgba(68,68,68,0.5));
+	background: linear-gradient(90deg, rgba(204,204,204,0), rgba(204,204,204,0.5) 70%, #ccc);
 }
 html.light #blocked {
 	background: #eee;
@@ -808,6 +847,9 @@ html.light #files tr.sel td {
 html.light #files tr.sel a {
 	color: #fff;
 }
+html.light #files tr.sel a.play.act {
+	color: #fb0;
+}
 html.light input[type="checkbox"] + label {
 	color: #333;
 }
@@ -855,3 +897,13 @@ html.light #files tr.sel a:hover {
 	color: #000;
 	background: #fff;
 }
+html.light #tree {
+	scrollbar-color: #a70 #ddd;
+}
+html.light #tree::-webkit-scrollbar-track,
+html.light #tree::-webkit-scrollbar {
+	background: #ddd;
+}
+#tree::-webkit-scrollbar-thumb {
+	background: #da0;
+}

copyparty/web/browser.html

@@ -21,7 +21,7 @@
         {%- endif %}
         <a href="#" data-perm="write" data-dest="bup" data-desc="bup: basic uploader, even supports netscape 4.0">🎈</a>
         <a href="#" data-perm="write" data-dest="mkdir" data-desc="mkdir: create a new directory">📂</a>
-        <a href="#" data-perm="write" data-dest="new_md" data-desc="new-md: create a new markdown document">📝</a>
+        <a href="#" data-perm="read write" data-dest="new_md" data-desc="new-md: create a new markdown document">📝</a>
         <a href="#" data-perm="write" data-dest="msg" data-desc="msg: send a message to the server log">📟</a>
         <a href="#" data-dest="cfg" data-desc="configuration options">⚙️</a>
         <div id="opdesc"></div>
@@ -114,22 +114,7 @@
     <div id="srv_info"><span>{{ srv_info }}</span></div>
     {%- endif %}
 
-    <div id="widget">
-        <div id="wtoggle">
-            <span id="wzip">
-                <a href="#" id="selall">sel.<br />all</a>
-                <a href="#" id="selinv">sel.<br />inv.</a>
-                <a href="#" id="selzip">zip</a>
-            </span><a
-                href="#" id="wtico">♫</a>
-        </div>
-        <div id="widgeti">
-            <div id="pctl"><a href="#" id="bprev">⏮</a><a href="#" id="bplay">▶</a><a href="#" id="bnext">⏭</a></div>
-            <canvas id="pvol" width="288" height="38"></canvas>
-            <canvas id="barpos"></canvas>
-            <canvas id="barbuf"></canvas>
-        </div>
-    </div>
+    <div id="widget"></div>
 
     <script>
         var tag_order_cfg = {{ tag_order }};

copyparty/web/browser.js

@@ -7,9 +7,31 @@ function dbg(msg) {
 }
 
 
+// add widget buttons
+ebi('widget').innerHTML = (
+	'<div id="wtoggle">' +
+	'<span id="wzip"><a' +
+	' href="#" id="selall">sel.<br />all</a><a' +
+	' href="#" id="selinv">sel.<br />inv.</a><a' +
+	' href="#" id="selzip">zip</a>' +
+	'</span><span id="wnp"><a' +
+	' href="#" id="npirc">📋irc</a><a' +
+	' href="#" id="nptxt">📋txt</a>' +
+	'</span><a' +
+	'	href="#" id="wtico">♫</a>' +
+	'</div>' +
+	'<div id="widgeti">' +
+	'	<div id="pctl"><a href="#" id="bprev">⏮</a><a href="#" id="bplay">▶</a><a href="#" id="bnext">⏭</a></div>' +
+	'	<canvas id="pvol" width="288" height="38"></canvas>' +
+	'	<canvas id="barpos"></canvas>' +
+	'	<canvas id="barbuf"></canvas>' +
+	'</div>'
+);
+
+
 // extract songs + add play column
 function MPlayer() {
-	this.id = new Date().getTime();
+	this.id = Date.now();
 	this.au = null;
 	this.au_native = null;
 	this.au_ogvjs = null;
@@ -17,15 +39,17 @@ function MPlayer() {
 	this.tracks = {};
 	this.order = [];
 
-	var re_audio = /\.(opus|ogg|m4a|aac|mp3|wav|flac)$/i;
-	var trs = document.querySelectorAll('#files tbody tr');
-	for (var a = 0, aa = trs.length; a < aa; a++) {
-		var tds = trs[a].getElementsByTagName('td');
-		var link = tds[1].getElementsByTagName('a');
-		link = link[link.length - 1];
-		var url = link.getAttribute('href');
+	var re_audio = /\.(opus|ogg|m4a|aac|mp3|wav|flac)$/i,
+		trs = QSA('#files tbody tr');
+
+	for (var a = 0, aa = trs.length; a < aa; a++) {
+		var tds = trs[a].getElementsByTagName('td'),
+			link = tds[1].getElementsByTagName('a');
+
+		link = link[link.length - 1];
+		var url = link.getAttribute('href'),
+			m = re_audio.exec(url);
 
-		var m = re_audio.exec(url);
 		if (m) {
 			var tid = link.getAttribute('id');
 			this.order.push(tid);
@@ -54,8 +78,9 @@ function MPlayer() {
 	};
 
 	this.read_order = function () {
-		var order = [];
-		var links = document.querySelectorAll('#files>tbody>tr>td:nth-child(1)>a');
+		var order = [],
+			links = QSA('#files>tbody>tr>td:nth-child(1)>a');
+
 		for (var a = 0, aa = links.length; a < aa; a++) {
 			var tid = links[a].getAttribute('id');
 			if (!tid || tid.indexOf('af-') !== 0)
@@ -73,12 +98,14 @@ makeSortable(ebi('files'), mp.read_order.bind(mp));
 
 // toggle player widget
 var widget = (function () {
-	var ret = {};
-	var widget = ebi('widget');
-	var wtico = ebi('wtico');
-	var touchmode = false;
-	var side_open = false;
-	var was_paused = true;
+	var ret = {},
+		widget = ebi('widget'),
+		wtico = ebi('wtico'),
+		nptxt = ebi('nptxt'),
+		npirc = ebi('npirc'),
+		touchmode = false,
+		side_open = false,
+		was_paused = true;
 
 	ret.open = function () {
 		if (side_open)
@@ -107,159 +134,199 @@ var widget = (function () {
 			ebi('bplay').innerHTML = paused ? '▶' : '⏸';
 		}
 	};
-	var click_handler = function (e) {
+	wtico.onclick = function (e) {
 		if (!touchmode)
 			ret.toggle(e);
 
 		return false;
 	};
-	wtico.onclick = click_handler;
+	npirc.onclick = nptxt.onclick = function (e) {
+		ev(e);
+		var th = ebi('files').tHead.rows[0].cells,
+			tr = QS('#files tr.play').cells,
+			irc = this.getAttribute('id') == 'npirc',
+			ck = irc ? '06' : '',
+			cv = irc ? '07' : '',
+			m = ck + 'np: ';
+
+		for (var a = 1, aa = th.length; a < aa; a++) {
+			var tk = a == 1 ? '' : th[a].getAttribute('name').split('/').slice(-1)[0];
+			var tv = tr[a].getAttribute('html') || tr[a].textContent;
+			m += tk + '(' + cv + tv + ck + ') // ';
+		}
+
+		m += '[' + cv + s2ms(mp.au.currentTime) + ck + '/' + cv + s2ms(mp.au.duration) + ck + ']';
+
+		var o = document.createElement('input');
+		o.style.cssText = 'position:fixed;top:45%;left:48%;padding:1em;z-index:9';
+		o.value = m;
+		document.body.appendChild(o);
+		o.focus();
+		o.select();
+		document.execCommand("copy");
+		o.value = 'copied to clipboard ';
+		setTimeout(function () {
+			document.body.removeChild(o);
+		}, 500);
+	};
 	return ret;
 })();
 
 
+function canvas_cfg(can) {
+	var r = {},
+		b = can.getBoundingClientRect(),
+		mul = window.devicePixelRatio || 1;
+
+	r.w = b.width;
+	r.h = b.height;
+	can.width = r.w * mul;
+	can.height = r.h * mul;
+
+	r.can = can;
+	r.ctx = can.getContext('2d');
+	r.ctx.scale(mul, mul);
+	return r;
+}
+
+
+function glossy_grad(can, hsl) {
+	var g = can.ctx.createLinearGradient(0, 0, 0, can.h),
+		s = [0, 0.49, 0.50, 1];
+
+	for (var a = 0; a < hsl.length; a++)
+		g.addColorStop(s[a], 'hsl(' + hsl[a] + ')');
+
+	return g;
+}
+
+
 // buffer/position bar
 var pbar = (function () {
-	var r = {};
-	r.bcan = ebi('barbuf');
-	r.pcan = ebi('barpos');
-	r.bctx = r.bcan.getContext('2d');
-	r.pctx = r.pcan.getContext('2d');
+	var r = {},
+		gradh = -1,
+		grad;
 
-	var bctx = r.bctx;
-	var pctx = r.pctx;
-	var scale = (window.devicePixelRatio || 1) / (
-		bctx.webkitBackingStorePixelRatio ||
-		bctx.mozBackingStorePixelRatio ||
-		bctx.msBackingStorePixelRatio ||
-		bctx.oBackingStorePixelRatio ||
-		bctx.BackingStorePixelRatio || 1);
-
-	var gradh = 0;
-	var grad = null;
+	function onresize() {
+		r.buf = canvas_cfg(ebi('barbuf'));
+		r.pos = canvas_cfg(ebi('barpos'));
+		r.drawbuf();
+		r.drawpos();
+	}
 
 	r.drawbuf = function () {
 		if (!mp.au)
 			return;
 
-		var cs = getComputedStyle(r.bcan);
-		var sw = parseInt(cs['width']);
-		var sh = parseInt(cs['height']);
-		var sm = sw * 1.0 / mp.au.duration;
+		var bc = r.buf,
+			bctx = bc.ctx,
+			sm = bc.w * 1.0 / mp.au.duration;
 
-		r.bcan.width = (sw * scale);
-		r.bcan.height = (sh * scale);
-		bctx.setTransform(scale, 0, 0, scale, 0, 0);
-
-		if (!grad || gradh != sh) {
-			grad = bctx.createLinearGradient(0, 0, 0, sh);
-			grad.addColorStop(0, 'hsl(85,35%,42%)');
-			grad.addColorStop(0.49, 'hsl(85,40%,49%)');
-			grad.addColorStop(0.50, 'hsl(85,37%,47%)');
-			grad.addColorStop(1, 'hsl(85,35%,42%)');
-			gradh = sh;
+		if (gradh != bc.h) {
+			gradh = bc.h;
+			grad = glossy_grad(bc, [
+				'85,35%,42%',
+				'85,40%,49%',
+				'85,37%,47%',
+				'85,35%,42%'
+			]);
 		}
 		bctx.fillStyle = grad;
-		bctx.clearRect(0, 0, sw, sh);
+		bctx.clearRect(0, 0, bc.w, bc.h);
 		for (var a = 0; a < mp.au.buffered.length; a++) {
-			var x1 = sm * mp.au.buffered.start(a);
-			var x2 = sm * mp.au.buffered.end(a);
-			bctx.fillRect(x1, 0, x2 - x1, sh);
+			var x1 = sm * mp.au.buffered.start(a),
+				x2 = sm * mp.au.buffered.end(a);
+
+			bctx.fillRect(x1, 0, x2 - x1, bc.h);
 		}
 	};
+
 	r.drawpos = function () {
-		if (!mp.au)
-			return;
+		if (!mp.au || isNaN(mp.au.duration) || isNaN(mp.au.currentTime))
+			return;  // not-init || unsupp-codec
 
-		var cs = getComputedStyle(r.bcan);
-		var sw = parseInt(cs['width']);
-		var sh = parseInt(cs['height']);
-		var sm = sw * 1.0 / mp.au.duration;
-
-		r.pcan.width = (sw * scale);
-		r.pcan.height = (sh * scale);
-		pctx.setTransform(scale, 0, 0, scale, 0, 0);
-		pctx.clearRect(0, 0, sw, sh);
+		var bc = r.buf,
+			pc = r.pos,
+			pctx = pc.ctx,
+			sm = bc.w * 1.0 / mp.au.duration;
 
+		pctx.clearRect(0, 0, pc.w, pc.h);
 		pctx.fillStyle = 'rgba(204,255,128,0.15)';
 		for (var p = 1, mins = mp.au.duration / 10; p <= mins; p++)
-			pctx.fillRect(Math.floor(sm * p * 10), 0, 2, sh);
+			pctx.fillRect(Math.floor(sm * p * 10), 0, 2, pc.h);
 
 		pctx.fillStyle = '#9b7';
 		pctx.fillStyle = 'rgba(192,255,96,0.5)';
 		for (var p = 1, mins = mp.au.duration / 60; p <= mins; p++)
-			pctx.fillRect(Math.floor(sm * p * 60), 0, 2, sh);
+			pctx.fillRect(Math.floor(sm * p * 60), 0, 2, pc.h);
 
-		var w = 8;
-		var x = sm * mp.au.currentTime;
-		pctx.fillStyle = '#573'; pctx.fillRect((x - w / 2) - 1, 0, w + 2, sh);
-		pctx.fillStyle = '#dfc'; pctx.fillRect((x - w / 2), 0, 8, sh);
+		var w = 8,
+			x = sm * mp.au.currentTime;
+
+		pctx.fillStyle = '#573'; pctx.fillRect((x - w / 2) - 1, 0, w + 2, pc.h);
+		pctx.fillStyle = '#dfc'; pctx.fillRect((x - w / 2), 0, 8, pc.h);
 
 		pctx.fillStyle = '#fff';
 		pctx.font = '1em sans-serif';
-		var txt = s2ms(mp.au.duration);
-		var tw = pctx.measureText(txt).width;
-		pctx.fillText(txt, sw - (tw + 8), sh / 3 * 2);
+		var txt = s2ms(mp.au.duration),
+			tw = pctx.measureText(txt).width;
+
+		pctx.fillText(txt, pc.w - (tw + 8), pc.h / 3 * 2);
 
 		txt = s2ms(mp.au.currentTime);
 		tw = pctx.measureText(txt).width;
-		var gw = pctx.measureText("88:88::").width;
-		var xt = x < sw / 2 ? (x + 8) : (Math.min(sw - gw, x - 8) - tw);
-		pctx.fillText(txt, xt, sh / 3 * 2);
+		var gw = pctx.measureText("88:88::").width,
+			xt = x < pc.w / 2 ? (x + 8) : (Math.min(pc.w - gw, x - 8) - tw);
+
+		pctx.fillText(txt, xt, pc.h / 3 * 2);
 	};
+
+	window.addEventListener('resize', onresize);
+	onresize();
 	return r;
 })();
 
 
 // volume bar
 var vbar = (function () {
-	var r = {};
-	r.can = ebi('pvol');
-	r.ctx = r.can.getContext('2d');
+	var r = {},
+		gradh = -1,
+		can, ctx, w, h, grad1, grad2;
 
-	var bctx = r.ctx;
-	var scale = (window.devicePixelRatio || 1) / (
-		bctx.webkitBackingStorePixelRatio ||
-		bctx.mozBackingStorePixelRatio ||
-		bctx.msBackingStorePixelRatio ||
-		bctx.oBackingStorePixelRatio ||
-		bctx.BackingStorePixelRatio || 1);
-
-	var gradh = 0;
-	var grad1 = null;
-	var grad2 = null;
+	function onresize() {
+		r.can = canvas_cfg(ebi('pvol'));
+		can = r.can.can;
+		ctx = r.can.ctx;
+		w = r.can.w;
+		h = r.can.h;
+		r.draw();
+	}
 
 	r.draw = function () {
-		var cs = getComputedStyle(r.can);
-		var sw = parseInt(cs['width']);
-		var sh = parseInt(cs['height']);
-
-		r.can.width = (sw * scale);
-		r.can.height = (sh * scale);
-		bctx.setTransform(scale, 0, 0, scale, 0, 0);
-
-		if (!grad1 || gradh != sh) {
-			gradh = sh;
-
-			grad1 = bctx.createLinearGradient(0, 0, 0, sh);
-			grad1.addColorStop(0, 'hsl(50,45%,42%)');
-			grad1.addColorStop(0.49, 'hsl(50,50%,49%)');
-			grad1.addColorStop(0.50, 'hsl(50,47%,47%)');
-			grad1.addColorStop(1, 'hsl(50,45%,42%)');
-
-			grad2 = bctx.createLinearGradient(0, 0, 0, sh);
-			grad2.addColorStop(0, 'hsl(205,10%,16%)');
-			grad2.addColorStop(0.49, 'hsl(205,15%,20%)');
-			grad2.addColorStop(0.50, 'hsl(205,13%,18%)');
-			grad2.addColorStop(1, 'hsl(205,10%,16%)');
+		if (gradh != h) {
+			gradh = h;
+			grad1 = glossy_grad(r.can, [
+				'50,45%,42%',
+				'50,50%,49%',
+				'50,47%,47%',
+				'50,45%,42%'
+			]);
+			grad2 = glossy_grad(r.can, [
+				'205,10%,16%',
+				'205,15%,20%',
+				'205,13%,18%',
+				'205,10%,16%'
+			]);
 		}
-		bctx.fillStyle = grad2; bctx.fillRect(0, 0, sw, sh);
-		bctx.fillStyle = grad1; bctx.fillRect(0, 0, sw * mp.vol, sh);
+		ctx.fillStyle = grad2; ctx.fillRect(0, 0, w, h);
+		ctx.fillStyle = grad1; ctx.fillRect(0, 0, w * mp.vol, h);
 	};
+	window.addEventListener('resize', onresize);
+	onresize();
 
 	var rect;
 	function mousedown(e) {
-		rect = r.can.getBoundingClientRect();
+		rect = can.getBoundingClientRect();
 		mousemove(e);
 	}
 	function mousemove(e) {
@@ -267,34 +334,34 @@ var vbar = (function () {
 			e = e.changedTouches[0];
 		}
 		else if (e.buttons === 0) {
-			r.can.onmousemove = null;
+			can.onmousemove = null;
 			return;
 		}
 
-		var x = e.clientX - rect.left;
-		var mul = x * 1.0 / rect.width;
+		var x = e.clientX - rect.left,
+			mul = x * 1.0 / rect.width;
+
 		if (mul > 0.98)
 			mul = 1;
 
 		mp.setvol(mul);
 		r.draw();
 	}
-	r.can.onmousedown = function (e) {
+	can.onmousedown = function (e) {
 		if (e.button !== 0)
 			return;
 
-		r.can.onmousemove = mousemove;
+		can.onmousemove = mousemove;
 		mousedown(e);
 	};
-	r.can.onmouseup = function (e) {
+	can.onmouseup = function (e) {
 		if (e.button === 0)
-			r.can.onmousemove = null;
+			can.onmousemove = null;
 	};
 	if (window.Touch) {
-		r.can.ontouchstart = mousedown;
-		r.can.ontouchmove = mousemove;
+		can.ontouchstart = mousedown;
+		can.ontouchmove = mousemove;
 	}
-	r.draw();
 	return r;
 })();
 
@@ -358,8 +425,9 @@ function song_skip(n) {
 			return play(0);
 		}
 
-		var rect = pbar.pcan.getBoundingClientRect();
-		var x = e.clientX - rect.left;
+		var rect = pbar.buf.can.getBoundingClientRect(),
+			x = e.clientX - rect.left;
+
 		seek_au_mul(x * 1.0 / rect.width);
 	};
 })();
@@ -367,8 +435,9 @@ function song_skip(n) {
 
 // periodic tasks
 (function () {
-	var nth = 0;
-	var last_skip_url = '';
+	var nth = 0,
+		last_skip_url = '';
+
 	var progress_updater = function () {
 		if (!mp.au) {
 			widget.paused(true);
@@ -389,8 +458,9 @@ function song_skip(n) {
 
 			// switch to next track if approaching the end
 			if (last_skip_url != mp.au.src) {
-				var pos = mp.au.currentTime;
-				var len = mp.au.duration;
+				var pos = mp.au.currentTime,
+					len = mp.au.duration;
+
 				if (pos > 0 && pos > len - 0.1) {
 					last_skip_url = mp.au.src;
 					song_skip(1);
@@ -496,6 +566,7 @@ function play(tid, seek, call_depth) {
 		clmod(trs[a], 'play');
 	}
 	ebi(oid).parentElement.parentElement.className += ' play';
+	clmod(ebi('wtoggle'), 'np', 1);
 
 	try {
 		if (attempt_play)
@@ -532,8 +603,8 @@ function play(tid, seek, call_depth) {
 
 // event from the audio object if something breaks
 function evau_error(e) {
-	var err = '';
-	var eplaya = (e && e.target) || (window.event && window.event.srcElement);
+	var err = '',
+		eplaya = (e && e.target) || (window.event && window.event.srcElement);
 
 	switch (eplaya.error.code) {
 		case eplaya.error.MEDIA_ERR_ABORTED:
@@ -563,8 +634,9 @@ function evau_error(e) {
 
 // show a fullscreen message
 function show_modal(html) {
-	var body = document.body || document.getElementsByTagName('body')[0];
-	var div = document.createElement('div');
+	var body = document.body || document.getElementsByTagName('body')[0],
+		div = mknod('div');
+
 	div.setAttribute('id', 'blocked');
 	div.innerHTML = html;
 	unblocked();
@@ -586,10 +658,10 @@ function autoplay_blocked(seek) {
 		'<div id="blk_play"><a href="#" id="blk_go"></a></div>' +
 		'<div id="blk_abrt"><a href="#" id="blk_na">Cancel<br />(show file list)</a></div>');
 
-	var go = ebi('blk_go');
-	var na = ebi('blk_na');
+	var go = ebi('blk_go'),
+		na = ebi('blk_na'),
+		fn = mp.tracks[mp.au.tid].split(/\//).pop();
 
-	var fn = mp.tracks[mp.au.tid].split(/\//).pop();
 	fn = uricom_dec(fn.replace(/\+/g, ' '))[0];
 
 	go.textContent = 'Play "' + fn + '"';
@@ -625,7 +697,7 @@ function autoplay_blocked(seek) {
 
 
 function tree_neigh(n) {
-	var links = document.querySelectorAll('#treeul li>a+a');
+	var links = QSA('#treeul li>a+a');
 	if (!links.length) {
 		alert('switch to the tree for that');
 		return;
@@ -651,7 +723,7 @@ function tree_neigh(n) {
 
 
 function tree_up() {
-	var act = document.querySelector('#treeul a.hl');
+	var act = QS('#treeul a.hl');
 	if (!act) {
 		alert('switch to the tree for that');
 		return;
@@ -714,7 +786,7 @@ document.onkeydown = function (e) {
 	];
 	var oldcfg = [];
 
-	if (document.querySelector('#srch_form.tags')) {
+	if (QS('#srch_form.tags')) {
 		sconf.push(["tags",
 			["tags", "tags", "tags contains &nbsp; (^=start, end=$)", "46"]
 		]);
@@ -723,13 +795,15 @@ document.onkeydown = function (e) {
 		]);
 	}
 
-	var trs = [];
-	var orig_html = null;
+	var trs = [],
+		orig_html = null;
+
 	for (var a = 0; a < sconf.length; a++) {
 		var html = ['<tr><td><br />' + sconf[a][0] + '</td>'];
 		for (var b = 1; b < 3; b++) {
-			var hn = "srch_" + sconf[a][b][0];
-			var csp = (sconf[a].length == 2) ? 2 : 1;
+			var hn = "srch_" + sconf[a][b][0],
+				csp = (sconf[a].length == 2) ? 2 : 1;
+
 			html.push(
 				'<td colspan="' + csp + '"><input id="' + hn + 'c" type="checkbox">\n' +
 				'<label for="' + hn + 'c">' + sconf[a][b][2] + '</label>\n' +
@@ -747,7 +821,7 @@ document.onkeydown = function (e) {
 	}
 	ebi('srch_form').innerHTML = html.join('\n');
 
-	var o = document.querySelectorAll('#op_search input');
+	var o = QSA('#op_search input');
 	for (var a = 0; a < o.length; a++) {
 		o[a].oninput = ev_search_input;
 	}
@@ -758,28 +832,30 @@ document.onkeydown = function (e) {
 		o.style.color = err ? '#f09' : '#c90';
 	}
 
-	var search_timeout;
-	var search_in_progress = 0;
+	var search_timeout,
+		search_in_progress = 0;
 
 	function ev_search_input() {
-		var v = this.value;
-		var id = this.getAttribute('id');
+		var v = this.value,
+			id = this.getAttribute('id');
+
 		if (id.slice(-1) == 'v') {
 			var chk = ebi(id.slice(0, -1) + 'c');
 			chk.checked = ((v + '').length > 0);
 		}
 		clearTimeout(search_timeout);
-		var now = new Date().getTime();
-		if (now - search_in_progress > 30 * 1000)
+		if (Date.now() - search_in_progress > 30 * 1000)
 			search_timeout = setTimeout(do_search, 200);
 	}
 
 	function do_search() {
-		search_in_progress = new Date().getTime();
+		search_in_progress = Date.now();
 		srch_msg(false, "searching...");
 		clearTimeout(search_timeout);
-		var params = {};
-		var o = document.querySelectorAll('#op_search input[type="text"]');
+
+		var params = {},
+			o = QSA('#op_search input[type="text"]');
+
 		for (var a = 0; a < o.length; a++) {
 			var chk = ebi(o[a].getAttribute('id').slice(0, -1) + 'c');
 			if (!chk.checked)
@@ -792,7 +868,7 @@ document.onkeydown = function (e) {
 		xhr.open('POST', '/?srch', true);
 		xhr.setRequestHeader('Content-Type', 'text/plain');
 		xhr.onreadystatechange = xhr_search_results;
-		xhr.ts = new Date().getTime();
+		xhr.ts = Date.now();
 		xhr.send(JSON.stringify(params));
 	}
 
@@ -906,7 +982,6 @@ var treectl = (function () {
 		treesz = icfg_get('treesz', 16);
 
 	treesz = Math.min(Math.max(treesz, 4), 50);
-	console.log('treesz [' + treesz + ']');
 
 	function entree(e) {
 		ev(e);
@@ -965,7 +1040,7 @@ var treectl = (function () {
 		}
 		else {
 			var top = Math.max(0, parseInt(wrap.offsetTop)),
-				treeh = (winh - atop) - 4;
+				treeh = winh - atop;
 
 			tree.style.top = top + 'px';
 			tree.style.height = treeh < 10 ? '' : treeh + 'px';
@@ -982,12 +1057,13 @@ var treectl = (function () {
 		if (!entreed || treectl.hidden)
 			return;
 
-		var q = '#tree';
-		var nq = 0;
+		var q = '#tree',
+			nq = 0;
+
 		while (dyn) {
 			nq++;
 			q += '>ul>li';
-			if (!document.querySelector(q))
+			if (!QS(q))
 				break;
 		}
 		var w = treesz + nq;
@@ -1001,7 +1077,7 @@ var treectl = (function () {
 		xhr.top = top;
 		xhr.dst = dst;
 		xhr.rst = rst;
-		xhr.ts = new Date().getTime();
+		xhr.ts = Date.now();
 		xhr.open('GET', dst + '?tree=' + top, true);
 		xhr.onreadystatechange = recvtree;
 		xhr.send();
@@ -1026,10 +1102,11 @@ var treectl = (function () {
 
 		var top = this.top == '.' ? this.dst : this.top,
 			name = uricom_dec(top.split('/').slice(-2)[0])[0],
-			rtop = top.replace(/^\/+/, "");
+			rtop = top.replace(/^\/+/, ""),
+			res;
 
 		try {
-			var res = JSON.parse(this.responseText);
+			res = JSON.parse(this.responseText);
 		}
 		catch (ex) {
 			return;
@@ -1045,7 +1122,7 @@ var treectl = (function () {
 				esc(top) + '">' + esc(name) +
 				"</a>\n<ul>\n" + html + "</ul>";
 
-			var links = document.querySelectorAll('#treeul a+a');
+			var links = QSA('#treeul a+a');
 			for (var a = 0, aa = links.length; a < aa; a++) {
 				if (links[a].getAttribute('href') == top) {
 					var o = links[a].parentNode;
@@ -1054,21 +1131,22 @@ var treectl = (function () {
 				}
 			}
 		}
-		document.querySelector('#treeul>li>a+a').textContent = '[root]';
+		QS('#treeul>li>a+a').textContent = '[root]';
 		despin('#tree');
 		reload_tree();
 		onresize();
 	}
 
 	function reload_tree() {
-		var cdir = get_evpath();
-		var links = document.querySelectorAll('#treeul a+a');
+		var cdir = get_evpath(),
+			links = QSA('#treeul a+a');
+
 		for (var a = 0, aa = links.length; a < aa; a++) {
 			var href = links[a].getAttribute('href');
 			links[a].setAttribute('class', href == cdir ? 'hl' : '');
 			links[a].onclick = treego;
 		}
-		links = document.querySelectorAll('#treeul li>a:first-child');
+		links = QSA('#treeul li>a:first-child');
 		for (var a = 0, aa = links.length; a < aa; a++) {
 			links[a].setAttribute('dst', links[a].nextSibling.getAttribute('href'));
 			links[a].onclick = treegrow;
@@ -1089,7 +1167,7 @@ var treectl = (function () {
 		var xhr = new XMLHttpRequest();
 		xhr.top = url;
 		xhr.hpush = hpush;
-		xhr.ts = new Date().getTime();
+		xhr.ts = Date.now();
 		xhr.open('GET', xhr.top + '?ls', true);
 		xhr.onreadystatechange = recvls;
 		xhr.send();
@@ -1139,12 +1217,13 @@ var treectl = (function () {
 		}
 
 		ebi('srv_info').innerHTML = '<span>' + res.srvinf + '</span>';
-		var nodes = res.dirs.concat(res.files);
-		nodes = sortfiles(nodes);
 
-		var top = this.top;
-		var html = mk_files_header(res.taglist);
+		var top = this.top,
+			nodes = res.dirs.concat(res.files),
+			html = mk_files_header(res.taglist);
+
 		html.push('<tbody>');
+		nodes = sortfiles(nodes);
 		for (var a = 0; a < nodes.length; a++) {
 			var r = nodes[a],
 				ln = ['<tr><td>' + r.lead + '</td><td><a href="' +
@@ -1262,16 +1341,16 @@ var treectl = (function () {
 
 function enspin(sel) {
 	despin(sel);
-	var d = document.createElement('div');
+	var d = mknod('div');
 	d.setAttribute('class', 'dumb_loader_thing');
 	d.innerHTML = '🌲';
-	var tgt = document.querySelector(sel);
+	var tgt = QS(sel);
 	tgt.insertBefore(d, tgt.childNodes[0]);
 }
 
 
 function despin(sel) {
-	var o = document.querySelectorAll(sel + '>.dumb_loader_thing');
+	var o = QSA(sel + '>.dumb_loader_thing');
 	for (var a = o.length - 1; a >= 0; a--)
 		o[a].parentNode.removeChild(o[a]);
 }
@@ -1280,27 +1359,28 @@ function despin(sel) {
 function apply_perms(perms) {
 	perms = perms || [];
 
-	var o = document.querySelectorAll('#ops>a[data-perm]');
-	for (var a = 0; a < o.length; a++)
-		o[a].style.display = 'none';
-
-	for (var a = 0; a < perms.length; a++) {
-		o = document.querySelectorAll('#ops>a[data-perm="' + perms[a] + '"]');
-		for (var b = 0; b < o.length; b++)
-			o[b].style.display = 'inline';
+	var o = QSA('#ops>a[data-perm], #u2footfoot');
+	for (var a = 0; a < o.length; a++) {
+		var display = 'inline';
+		var needed = o[a].getAttribute('data-perm').split(' ');
+		for (var b = 0; b < needed.length; b++) {
+			if (!has(perms, needed[b])) {
+				display = 'none';
+			}
+		}
+		o[a].style.display = display;
 	}
 
-	var act = document.querySelector('#ops>a.act');
-	if (act) {
-		var areq = act.getAttribute('data-perm');
-		if (areq && !has(perms, areq))
+	var act = QS('#ops>a.act');
+	if (act && act.style.display === 'none')
 		goto();
-	}
 
 	document.body.setAttribute('perms', perms.join(' '));
 
-	var have_write = has(perms, "write");
-	var tds = document.querySelectorAll('#u2conf td');
+	var have_write = has(perms, "write"),
+		have_read = has(perms, "read"),
+		tds = QSA('#u2conf td');
+
 	for (var a = 0; a < tds.length; a++) {
 		tds[a].style.display =
 			(have_write || tds[a].getAttribute('data-perm') == 'read') ?
@@ -1309,13 +1389,19 @@ function apply_perms(perms) {
 
 	if (window['up2k'])
 		up2k.set_fsearch();
+
+	ebi('widget').style.display = have_read ? '' : 'none';
+	ebi('files').style.display = have_read ? '' : 'none';
+	if (!have_read)
+		goto('up2k');
 }
 
 
 function find_file_col(txt) {
-	var tds = ebi('files').tHead.getElementsByTagName('th');
-	var i = -1;
-	var min = false;
+	var i = -1,
+		min = false,
+		tds = ebi('files').tHead.getElementsByTagName('th');
+
 	for (var a = 0; a < tds.length; a++) {
 		var spans = tds[a].getElementsByTagName('span');
 		if (spans.length && spans[0].textContent == txt) {
@@ -1340,8 +1426,9 @@ function mk_files_header(taglist) {
 		'<th name="sz" sort="int"><span>Size</span></th>'
 	];
 	for (var a = 0; a < taglist.length; a++) {
-		var tag = taglist[a];
-		var c1 = tag.slice(0, 1).toUpperCase();
+		var tag = taglist[a],
+			c1 = tag.slice(0, 1).toUpperCase();
+
 		tag = c1 + tag.slice(1);
 		if (c1 == '.')
 			tag = '<th name="tags/' + tag + '" sort="int"><span>' + tag.slice(1);
@@ -1363,10 +1450,11 @@ var filecols = (function () {
 	var hidden = jread('filecols', []);
 
 	var add_btns = function () {
-		var ths = document.querySelectorAll('#files th>span');
+		var ths = QSA('#files th>span');
 		for (var a = 0, aa = ths.length; a < aa; a++) {
-			var th = ths[a].parentElement;
-			var is_hidden = has(hidden, ths[a].textContent);
+			var th = ths[a].parentElement,
+				is_hidden = has(hidden, ths[a].textContent);
+
 			th.innerHTML = '<div class="cfg"><a href="#">' +
 				(is_hidden ? '+' : '-') + '</a></div>' + ths[a].outerHTML;
 
@@ -1378,7 +1466,7 @@ var filecols = (function () {
 		add_btns();
 
 		var ohidden = [],
-			ths = document.querySelectorAll('#files th'),
+			ths = QSA('#files th'),
 			ncols = ths.length;
 
 		for (var a = 0; a < ncols; a++) {
@@ -1396,8 +1484,9 @@ var filecols = (function () {
 			clmod(ths[a], 'min', cls)
 		}
 		for (var a = 0; a < ncols; a++) {
-			var cls = has(ohidden, a) ? 'min' : '';
-			var tds = document.querySelectorAll('#files>tbody>tr>td:nth-child(' + (a + 1) + ')');
+			var cls = has(ohidden, a) ? 'min' : '',
+				tds = QSA('#files>tbody>tr>td:nth-child(' + (a + 1) + ')');
+
 			for (var b = 0, bb = tds.length; b < bb; b++) {
 				tds[b].setAttribute('class', cls);
 				if (a < 2)
@@ -1475,9 +1564,9 @@ var mukey = (function () {
 			"6m ", "7m ", "8m ", "9m ", "10m", "11m", "12m", "1m ", "2m ", "3m ", "4m ", "5m "
 		]
 	};
-	var map = {};
+	var map = {},
+		html = [];
 
-	var html = [];
 	for (var k in maps) {
 		if (!maps.hasOwnProperty(k))
 			continue;
@@ -1551,7 +1640,7 @@ var mukey = (function () {
 	ebi('key_' + notation).checked = true;
 	load_notation(notation);
 
-	var o = document.querySelectorAll('#key_notation input');
+	var o = QSA('#key_notation input');
 	for (var a = 0; a < o.length; a++) {
 		o[a].onchange = set_key_notation;
 	}
@@ -1563,7 +1652,7 @@ var mukey = (function () {
 
 
 function addcrc() {
-	var links = document.querySelectorAll(
+	var links = QSA(
 		'#files>tbody>tr>td:first-child+td>' + (
 			ebi('unsearch') ? 'div>a:last-child' : 'a'));
 
@@ -1586,7 +1675,7 @@ function addcrc() {
 		o.setAttribute('class', tt ? '' : 'off');
 	}
 
-	var btns = document.querySelectorAll('#ops, #ops>a');
+	var btns = QSA('#ops, #ops>a');
 	for (var a = 0; a < btns.length; a++) {
 		btns[a].onmouseenter = set_tooltip;
 	}
@@ -1638,7 +1727,7 @@ var arcfmt = (function () {
 
 	function render() {
 		var arg = arcv[arcfmts.indexOf(fmt)],
-			tds = document.querySelectorAll('#files tbody td:first-child a');
+			tds = QSA('#files tbody td:first-child a');
 
 		for (var a = 0, aa = tds.length; a < aa; a++) {
 			var o = tds[a], txt = o.textContent, href = o.getAttribute('href');
@@ -1672,7 +1761,7 @@ var arcfmt = (function () {
 		try_render();
 	}
 
-	var o = document.querySelectorAll('#arc_fmt input');
+	var o = QSA('#arc_fmt input');
 	for (var a = 0; a < o.length; a++) {
 		o[a].onchange = change_fmt;
 	}
@@ -1685,8 +1774,9 @@ var arcfmt = (function () {
 
 var msel = (function () {
 	function getsel() {
-		var names = [];
-		var links = document.querySelectorAll('#files tbody tr.sel td:nth-child(2) a');
+		var names = [],
+			links = QSA('#files tbody tr.sel td:nth-child(2) a');
+
 		for (var a = 0, aa = links.length; a < aa; a++)
 			names.push(links[a].getAttribute('href').replace(/\/$/, "").split('/').slice(-1));
 
@@ -1703,7 +1793,7 @@ var msel = (function () {
 	}
 	function evsel(e, fun) {
 		ev(e);
-		var trs = document.querySelectorAll('#files tbody tr');
+		var trs = QSA('#files tbody tr');
 		for (var a = 0, aa = trs.length; a < aa; a++)
 			clmod(trs[a], 'sel', fun);
 		selui();
@@ -1716,10 +1806,11 @@ var msel = (function () {
 	};
 	ebi('selzip').onclick = function (e) {
 		ev(e);
-		var names = getsel();
-		var arg = ebi('selzip').getAttribute('fmt');
-		var txt = names.join('\n');
-		var frm = document.createElement('form');
+		var names = getsel(),
+			arg = ebi('selzip').getAttribute('fmt'),
+			txt = names.join('\n'),
+			frm = mknod('form');
+
 		frm.setAttribute('action', '?' + arg);
 		frm.setAttribute('method', 'post');
 		frm.setAttribute('target', '_blank');
@@ -1728,7 +1819,7 @@ var msel = (function () {
 			'<textarea name="files" id="ziptxt"></textarea>';
 		frm.style.display = 'none';
 
-		var oldform = document.querySelector('#widgeti>form');
+		var oldform = QS('#widgeti>form');
 		if (oldform)
 			oldform.parentNode.removeChild(oldform);
 
@@ -1739,7 +1830,7 @@ var msel = (function () {
 		frm.submit();
 	};
 	function render() {
-		var tds = document.querySelectorAll('#files tbody td+td+td');
+		var tds = QSA('#files tbody td+td+td');
 		for (var a = 0, aa = tds.length; a < aa; a++) {
 			tds[a].onclick = seltgl;
 		}
@@ -1770,21 +1861,22 @@ function reload_mp() {
 function reload_browser(not_mp) {
 	filecols.set_style();
 
-	var parts = get_evpath().split('/');
-	var rm = document.querySelectorAll('#path>a+a+a');
+	var parts = get_evpath().split('/'),
+		rm = QSA('#path>a+a+a');
+
 	for (a = rm.length - 1; a >= 0; a--)
 		rm[a].parentNode.removeChild(rm[a]);
 
 	var link = '/';
 	for (var a = 1; a < parts.length - 1; a++) {
 		link += parts[a] + '/';
-		var o = document.createElement('a');
+		var o = mknod('a');
 		o.setAttribute('href', link);
 		o.textContent = uricom_dec(parts[a])[0];
 		ebi('path').appendChild(o);
 	}
 
-	var oo = document.querySelectorAll('#files>tbody>tr>td:nth-child(3)');
+	var oo = QSA('#files>tbody>tr>td:nth-child(3)');
 	for (var a = 0, aa = oo.length; a < aa; a++) {
 		var sz = oo[a].textContent.replace(/ /g, ""),
 			hsz = sz.replace(/\B(?=(\d{3})+(?!\d))/g, " ");

copyparty/web/browser2.html

@@ -6,6 +6,11 @@
     <title>{{ title }}</title>
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=0.8">
+    <style>
+        html{font-family:sans-serif}
+        td{border:1px solid #999;border-width:1px 1px 0 0;padding:0 5px}
+        a{display:block}
+    </style>
 </head>
 
 <body>
@@ -49,7 +54,7 @@
     <div>{{ logues[1] }}</div><br />
     {%- endif %}
     
-    <h2><a href="{{ url_suf }}&amp;h">control-panel</a></h2>
+    <h2><a href="{{ url_suf }}{{ url_suf and '&amp;' or '?' }}h">control-panel</a></h2>
 
 </body>
 </html>

copyparty/web/md.css

@@ -50,6 +50,9 @@ pre code:last-child {
 pre code::before {
 	content: counter(precode);
 	-webkit-user-select: none;
+	-moz-user-select: none;
+	-ms-user-select: none;
+	user-select: none;
 	display: inline-block;
 	text-align: right;
 	font-size: .75em;
@@ -591,12 +594,3 @@ blink {
 		color: #940;
 	}
 }
-
-/*
-*[data-ln]:before {
-	content: attr(data-ln);
-	font-size: .8em;
-	margin: 0 .4em;
-	color: #f0c;
-}
-*/

copyparty/web/md.js

@@ -46,7 +46,7 @@ function statify(obj) {
     var ua = navigator.userAgent;
     if (ua.indexOf(') Gecko/') !== -1 && /Linux| Mac /.exec(ua)) {
         // necessary on ff-68.7 at least
-        var s = document.createElement('style');
+        var s = mknod('style');
         s.innerHTML = '@page { margin: .5in .6in .8in .6in; }';
         console.log(s.innerHTML);
         document.head.appendChild(s);
@@ -175,12 +175,12 @@ function md_plug_err(ex, js) {
         msg = "Line " + ln + ", " + msg;
         var lns = js.split('\n');
         if (ln < lns.length) {
-            o = document.createElement('span');
+            o = mknod('span');
             o.style.cssText = 'color:#ac2;font-size:.9em;font-family:scp;display:block';
             o.textContent = lns[ln - 1];
         }
     }
-    errbox = document.createElement('div');
+    errbox = mknod('div');
     errbox.setAttribute('id', 'md_errbox');
     errbox.style.cssText = 'position:absolute;top:0;left:0;padding:1em .5em;background:#2b2b2b;color:#fc5'
     errbox.textContent = msg;

copyparty/web/md2.css

@@ -119,7 +119,6 @@ html.dark #toast {
 	text-align: center;
 	padding: .6em 0;
 	position: fixed;
-    z-index: 9001;
 	top: 30%;
 	transition: opacity 0.2s ease-in-out;
 	opacity: 1;

copyparty/web/md2.js

@@ -16,7 +16,7 @@ var dom_sbs = ebi('sbs');
 var dom_nsbs = ebi('nsbs');
 var dom_tbox = ebi('toolsbox');
 var dom_ref = (function () {
-    var d = document.createElement('div');
+    var d = mknod('div');
     d.setAttribute('id', 'mtr');
     dom_swrap.appendChild(d);
     d = ebi('mtr');
@@ -71,7 +71,7 @@ var map_src = [];
 var map_pre = [];
 function genmap(dom, oldmap) {
     var find = nlines;
-    while (oldmap && find --> 0) {
+    while (oldmap && find-- > 0) {
         var tmap = genmapq(dom, '*[data-ln="' + find + '"]');
         if (!tmap || !tmap.length)
             continue;
@@ -94,7 +94,7 @@ var nlines = 0;
 var draw_md = (function () {
     var delay = 1;
     function draw_md() {
-        var t0 = new Date().getTime();
+        var t0 = Date.now();
         var src = dom_src.value;
         convert_markdown(src, dom_pre);
 
@@ -110,7 +110,7 @@ var draw_md = (function () {
 
         cls(ebi('save'), 'disabled', src == server_md);
 
-        var t1 = new Date().getTime();
+        var t1 = Date.now();
         delay = t1 - t0 > 100 ? 25 : 1;
     }
 
@@ -252,7 +252,7 @@ function Modpoll() {
         }
 
         console.log('modpoll...');
-        var url = (document.location + '').split('?')[0] + '?raw&_=' + new Date().getTime();
+        var url = (document.location + '').split('?')[0] + '?raw&_=' + Date.now();
         var xhr = new XMLHttpRequest();
         xhr.modpoll = this;
         xhr.open('GET', url, true);
@@ -399,7 +399,7 @@ function save_cb() {
 
 function run_savechk(lastmod, txt, btn, ntry) {
     // download the saved doc from the server and compare
-    var url = (document.location + '').split('?')[0] + '?raw&_=' + new Date().getTime();
+    var url = (document.location + '').split('?')[0] + '?raw&_=' + Date.now();
     var xhr = new XMLHttpRequest();
     xhr.open('GET', url, true);
     xhr.responseType = 'text';
@@ -455,7 +455,7 @@ function toast(autoclose, style, width, msg) {
         ok.parentNode.removeChild(ok);
 
     style = "width:" + width + "em;left:calc(50% - " + (width / 2) + "em);" + style;
-    ok = document.createElement('div');
+    ok = mknod('div');
     ok.setAttribute('id', 'toast');
     ok.setAttribute('style', style);
     ok.innerHTML = msg;
@@ -1049,7 +1049,7 @@ action_stack = (function () {
         var p1 = from.length,
             p2 = to.length;
 
-        while (p1 --> 0 && p2 --> 0)
+        while (p1-- > 0 && p2-- > 0)
             if (from[p1] != to[p2])
                 break;
 
@@ -1142,14 +1142,3 @@ action_stack = (function () {
         _ref: ref
     }
 })();
-
-/*
-ebi('help').onclick = function () {
-    var c1 = getComputedStyle(dom_src).cssText.split(';');
-    var c2 = getComputedStyle(dom_ref).cssText.split(';');
-    var max = Math.min(c1.length, c2.length);
-    for (var a = 0; a < max; a++)
-        if (c1[a] !== c2[a])
-            console.log(c1[a] + '\n' + c2[a]);
-}
-*/

copyparty/web/mde.css

@@ -60,16 +60,6 @@ html .editor-toolbar>button.save.force-save {
 	background: #f97;
 }
 
-/*
-*[data-ln]:before {
-	content: attr(data-ln);
-	font-size: .8em;
-	margin: 0 .4em;
-	color: #f0c;
-}
-.cm-header { font-size: .4em !important }
-*/
-
 
 
 

copyparty/web/mde.js

@@ -71,7 +71,7 @@ var mde = (function () {
 })();
 
 function set_jumpto() {
-    document.querySelector('.editor-preview-side').onclick = jumpto;
+    QS('.editor-preview-side').onclick = jumpto;
 }
 
 function jumpto(ev) {
@@ -94,7 +94,7 @@ function md_changed(mde, on_srv) {
         window.md_saved = mde.value();
 
     var md_now = mde.value();
-    var save_btn = document.querySelector('.editor-toolbar button.save');
+    var save_btn = QS('.editor-toolbar button.save');
 
     if (md_now == window.md_saved)
         save_btn.classList.add('disabled');
@@ -105,7 +105,7 @@ function md_changed(mde, on_srv) {
 }
 
 function save(mde) {
-    var save_btn = document.querySelector('.editor-toolbar button.save');
+    var save_btn = QS('.editor-toolbar button.save');
     if (save_btn.classList.contains('disabled')) {
         alert('there is nothing to save');
         return;
@@ -212,7 +212,7 @@ function save_chk() {
     last_modified = this.lastmod;
     md_changed(this.mde, true);
 
-    var ok = document.createElement('div');
+    var ok = mknod('div');
     ok.setAttribute('style', 'font-size:6em;font-family:serif;font-weight:bold;color:#cf6;background:#444;border-radius:.3em;padding:.6em 0;position:fixed;top:30%;left:calc(50% - 2em);width:4em;text-align:center;z-index:9001;transition:opacity 0.2s ease-in-out;opacity:1');
     ok.innerHTML = 'OK✔️';
     var parent = ebi('m');

copyparty/web/msg.css

@@ -3,7 +3,7 @@ html,body,tr,th,td,#files,a {
 	background: none;
 	font-weight: inherit;
 	font-size: inherit;
-	padding: none;
+	padding: 0;
 	border: none;
 }
 html {

copyparty/web/splash.html

@@ -13,19 +13,23 @@
     <div id="wrap">
         <p>hello {{ this.uname }}</p>
 
+        {%- if rvol %}
         <h1>you can browse these:</h1>
         <ul>
             {% for mp in rvol %}
             <li><a href="/{{ mp }}{{ url_suf }}">/{{ mp }}</a></li>
             {% endfor %}
         </ul>
+        {%- endif %}
 
+        {%- if wvol %}
         <h1>you can upload to:</h1>
         <ul>
             {% for mp in wvol %}
             <li><a href="/{{ mp }}{{ url_suf }}">/{{ mp }}</a></li>
             {% endfor %}
         </ul>
+        {%- endif %}
 
         <h1>login for more:</h1>
         <ul>

copyparty/web/up2k.js

@@ -18,14 +18,14 @@ function goto_up2k() {
 // usually it's undefined but some chromes throw on invoke
 var up2k = null;
 try {
-    crypto.subtle.digest(
-        'SHA-512', new Uint8Array(1)
-    ).then(
-        function (x) { up2k = up2k_init(true) },
-        function (x) { up2k = up2k_init(false) }
+    var cf = crypto.subtle || crypto.webkitSubtle;
+    cf.digest('SHA-512', new Uint8Array(1)).then(
+        function (x) { console.log('sha-ok'); up2k = up2k_init(cf); },
+        function (x) { console.log('sha-ng:', x); up2k = up2k_init(false); }
     );
 }
 catch (ex) {
+    console.log('sha-na:', ex);
     try {
         up2k = up2k_init(false);
     }
@@ -55,7 +55,7 @@ function up2k_flagbus() {
             dbg(who, 'hi me (??)');
             return;
         }
-        flag.act = new Date().getTime();
+        flag.act = Date.now();
         if (what == "want") {
             // lowest id wins, don't care if that's us
             if (who < flag.id) {
@@ -209,7 +209,7 @@ function U2pvis(act, btns) {
     };
 
     this.perc = function (bd, bd0, sz, t0) {
-        var td = new Date().getTime() - t0,
+        var td = Date.now() - t0,
             p = bd * 100.0 / sz,
             nb = bd - bd0,
             spd = nb / (td / 1000),
@@ -219,25 +219,28 @@ function U2pvis(act, btns) {
     };
 
     this.hashed = function (fobj) {
-        var fo = this.tab[fobj.n];
-        var nb = fo.bt * (++fo.nh / fo.cb.length);
-        var p = this.perc(nb, 0, fobj.size, fobj.t1);
+        var fo = this.tab[fobj.n],
+            nb = fo.bt * (++fo.nh / fo.cb.length),
+            p = this.perc(nb, 0, fobj.size, fobj.t1);
+
         fo.hp = '{0}%, {1}, {2} MB/s'.format(
             p[0].toFixed(2), p[1], p[2].toFixed(2)
         );
         if (!this.is_act(fo.in))
             return;
 
-        var obj = ebi('f{0}p'.format(fobj.n));
+        var obj = ebi('f{0}p'.format(fobj.n)),
+            o1 = p[0] - 2, o2 = p[0] - 0.1, o3 = p[0];
+
         obj.innerHTML = fo.hp;
         obj.style.color = '#fff';
-        var o1 = p[0] - 2, o2 = p[0] - 0.1, o3 = p[0];
         obj.style.background = 'linear-gradient(90deg, #025, #06a ' + o1 + '%, #09d ' + o2 + '%, #333 ' + o3 + '%, #333 99%, #777)';
     };
 
     this.prog = function (fobj, nchunk, cbd) {
-        var fo = this.tab[fobj.n];
-        var delta = cbd - fo.cb[nchunk];
+        var fo = this.tab[fobj.n],
+            delta = cbd - fo.cb[nchunk];
+
         fo.cb[nchunk] = cbd;
         fo.bd += delta;
 
@@ -249,10 +252,11 @@ function U2pvis(act, btns) {
         if (!this.is_act(fo.in))
             return;
 
-        var obj = ebi('f{0}p'.format(fobj.n));
+        var obj = ebi('f{0}p'.format(fobj.n)),
+            o1 = p[0] - 2, o2 = p[0] - 0.1, o3 = p[0];
+
         obj.innerHTML = fo.hp;
         obj.style.color = '#fff';
-        var o1 = p[0] - 2, o2 = p[0] - 0.1, o3 = p[0];
         obj.style.background = 'linear-gradient(90deg, #050, #270 ' + o1 + '%, #4b0 ' + o2 + '%, #333 ' + o3 + '%, #333 99%, #777)';
     };
 
@@ -287,24 +291,14 @@ function U2pvis(act, btns) {
         }
     };
 
-    this.bzw_log = function (first, last) {
-        console.log("first %d   head %d   tail %d   last %d", first, this.head, this.tail, last);
-        var trs = document.querySelectorAll('#u2tab>tbody>tr'), msg = [];
-        for (var a = 0; a < trs.length; a++)
-            msg.push(trs[a].getAttribute('id'));
-
-        console.log(msg.join(' '));
-    }
-
     this.bzw = function () {
-        var first = document.querySelector('#u2tab>tbody>tr:first-child');
+        var first = QS('#u2tab>tbody>tr:first-child');
         if (!first)
             return;
 
-        var last = document.querySelector('#u2tab>tbody>tr:last-child');
+        var last = QS('#u2tab>tbody>tr:last-child');
         first = parseInt(first.getAttribute('id').slice(1));
         last = parseInt(last.getAttribute('id').slice(1));
-        //this.bzw_log(first, last);
 
         while (this.head - first > this.wsz) {
             var obj = ebi('f' + (first++));
@@ -315,12 +309,10 @@ function U2pvis(act, btns) {
             if (!obj)
                 this.addrow(last);
         }
-        //this.bzw_log(first, last);
-        //console.log('--');
     };
 
     this.drawcard = function (cat) {
-        var cards = document.querySelectorAll('#u2cards>a>span');
+        var cards = QSA('#u2cards>a>span');
 
         if (cat == "q") {
             cards[4].innerHTML = this.ctr[cat];
@@ -343,9 +335,9 @@ function U2pvis(act, btns) {
 
     this.changecard = function (card) {
         this.act = card;
-        var html = [];
         this.head = -1;
         this.tail = -1;
+        var html = [];
         for (var a = 0; a < this.tab.length; a++) {
             var rt = this.tab[a].in;
             if (this.is_act(rt)) {
@@ -382,7 +374,7 @@ function U2pvis(act, btns) {
         if (as_html)
             return '<tr id="f' + nfile + '">' + ret + '</tr>';
 
-        var obj = document.createElement('tr');
+        var obj = mknod('tr');
         obj.setAttribute('id', 'f' + nfile);
         obj.innerHTML = ret;
         return obj;
@@ -394,7 +386,7 @@ function U2pvis(act, btns) {
     };
 
     var that = this;
-    btns = document.querySelectorAll(btns + '>a[act]');
+    btns = QSA(btns + '>a[act]');
     for (var a = 0; a < btns.length; a++) {
         btns[a].onclick = function (e) {
             ev(e);
@@ -409,10 +401,7 @@ function U2pvis(act, btns) {
 }
 
 
-function up2k_init(have_crypto) {
-    //have_crypto = false;
-    var need_filereader_cache = undefined;
-
+function up2k_init(subtle) {
     // show modal message
     function showmodal(msg) {
         ebi('u2notbtn').innerHTML = msg;
@@ -429,15 +418,18 @@ function up2k_init(have_crypto) {
         ebi('u2notbtn').innerHTML = '';
     }
 
-    var shame = 'your browser <a href="https://www.chromium.org/blink/webcrypto">disables sha512</a> unless you <a href="' + (window.location + '').replace(':', 's:') + '">use https</a>'
-    var is_https = (window.location + '').indexOf('https:') === 0;
+    var suggest_up2k = 'this is the basic uploader; <a href="#" id="u2yea">up2k</a> is better';
+
+    var shame = 'your browser <a href="https://www.chromium.org/blink/webcrypto">disables sha512</a> unless you <a href="' + (window.location + '').replace(':', 's:') + '">use https</a>',
+        is_https = (window.location + '').indexOf('https:') === 0;
+
     if (is_https)
-        // chrome<37 firefox<34 edge<12 ie<11 opera<24 safari<10.1
+        // chrome<37 firefox<34 edge<12 opera<24 safari<7
         shame = 'your browser is impressively ancient';
 
     // upload ui hidden by default, clicking the header shows it
     function init_deps() {
-        if (!have_crypto && !window.asmCrypto) {
+        if (!subtle && !window.asmCrypto) {
             showmodal('<h1>loading sha512.js</h1><h2>since ' + shame + '</h2><h4>thanks chrome</h4>');
             import_js('/.cpr/deps/sha512.js', unmodal);
 
@@ -449,34 +441,43 @@ function up2k_init(have_crypto) {
     }
 
     // show uploader if the user only has write-access
-    if (!ebi('files'))
+    var perms = document.body.getAttribute('perms');
+    if (perms && !has(perms.split(' '), 'read'))
         goto('up2k');
 
-    // shows or clears an error message in the basic uploader ui
-    function setmsg(msg) {
+    // shows or clears a message in the basic uploader ui
+    function setmsg(msg, type) {
         if (msg !== undefined) {
-            ebi('u2err').setAttribute('class', 'err');
+            ebi('u2err').setAttribute('class', type);
             ebi('u2err').innerHTML = msg;
         }
         else {
             ebi('u2err').setAttribute('class', '');
             ebi('u2err').innerHTML = '';
         }
+        if (msg == suggest_up2k) {
+            ebi('u2yea').onclick = function (e) {
+                ev(e);
+                goto('up2k');
+            };
+        }
     }
 
     // switches to the basic uploader with msg as error message
     function un2k(msg) {
-        setmsg(msg);
+        setmsg(msg, 'err');
         return false;
     }
 
     // handle user intent to use the basic uploader instead
     ebi('u2nope').onclick = function (e) {
         ev(e);
-        setmsg();
+        setmsg(suggest_up2k, 'msg');
         goto('bup');
     };
 
+    setmsg(suggest_up2k, 'msg');
+
     if (!String.prototype.format) {
         String.prototype.format = function () {
             var args = arguments;
@@ -487,13 +488,14 @@ function up2k_init(have_crypto) {
         };
     }
 
-    var parallel_uploads = icfg_get('nthread');
-    var multitask = bcfg_get('multitask', true);
-    var ask_up = bcfg_get('ask_up', true);
-    var flag_en = bcfg_get('flag_en', false);
-    var fsearch = bcfg_get('fsearch', false);
+    var parallel_uploads = icfg_get('nthread'),
+        multitask = bcfg_get('multitask', true),
+        ask_up = bcfg_get('ask_up', true),
+        flag_en = bcfg_get('flag_en', false),
+        fsearch = bcfg_get('fsearch', false),
+        fdom_ctr = 0,
+        min_filebuf = 0;
 
-    var fdom_ctr = 0;
     var st = {
         "files": [],
         "todo": {
@@ -543,8 +545,9 @@ function up2k_init(have_crypto) {
         e.stopPropagation();
         e.preventDefault();
 
-        var files;
-        var is_itemlist = false;
+        var files,
+            is_itemlist = false;
+
         if (e.dataTransfer) {
             if (e.dataTransfer.items) {
                 files = e.dataTransfer.items; // DataTransferItemList
@@ -558,9 +561,10 @@ function up2k_init(have_crypto) {
             return alert('no files selected??');
 
         more_one_file();
-        var bad_files = [];
-        var good_files = [];
-        var dirs = [];
+        var bad_files = [],
+            good_files = [],
+            dirs = [];
+
         for (var a = 0; a < files.length; a++) {
             var fobj = files[a];
             if (is_itemlist) {
@@ -645,12 +649,13 @@ function up2k_init(have_crypto) {
 
     function gotallfiles(good_files, bad_files) {
         if (bad_files.length > 0) {
-            var ntot = bad_files.length + good_files.length;
-            var msg = 'These {0} files (of {1} total) were skipped because they are empty:\n'.format(bad_files.length, ntot);
+            var ntot = bad_files.length + good_files.length,
+                msg = 'These {0} files (of {1} total) were skipped because they are empty:\n'.format(bad_files.length, ntot);
+
             for (var a = 0, aa = Math.min(20, bad_files.length); a < aa; a++)
                 msg += '-- ' + bad_files[a] + '\n';
 
-            if (good_files.length - bad_files.length <= 1 && /(android)/i.test(navigator.userAgent))
+            if (good_files.length - bad_files.length <= 1 && ANDROID)
                 msg += '\nFirefox-Android has a bug which prevents selecting multiple files. Try selecting one file at a time. For more info, see firefox bug 1456557';
 
             alert(msg);
@@ -664,9 +669,10 @@ function up2k_init(have_crypto) {
             return;
 
         for (var a = 0; a < good_files.length; a++) {
-            var fobj = good_files[a][0];
-            var now = new Date().getTime();
-            var lmod = fobj.lastModified || now;
+            var fobj = good_files[a][0],
+                now = Date.now(),
+                lmod = fobj.lastModified || now;
+
             var entry = {
                 "n": parseInt(st.files.length.toString()),
                 "t0": now,
@@ -702,7 +708,7 @@ function up2k_init(have_crypto) {
 
     function more_one_file() {
         fdom_ctr++;
-        var elm = document.createElement('div')
+        var elm = mknod('div');
         elm.innerHTML = '<input id="file{0}" type="file" name="file{0}[]" multiple="multiple" />'.format(fdom_ctr);
         ebi('u2form').appendChild(elm);
         ebi('file' + fdom_ctr).addEventListener('change', gotfile, false);
@@ -740,7 +746,7 @@ function up2k_init(have_crypto) {
     function hashing_permitted() {
         if (multitask) {
             var ahead = st.bytes.hashed - st.bytes.uploaded;
-            return ahead < 1024 * 1024 * 128 &&
+            return ahead < 1024 * 1024 * 1024 * 4 &&
                 st.todo.handshake.length + st.busy.handshake.length < 16;
         }
         return handshakes_permitted() && 0 ==
@@ -749,26 +755,23 @@ function up2k_init(have_crypto) {
     }
 
     var tasker = (function () {
-        var mutex = false;
-        var was_busy = false;
+        var tto = null,
+            running = false,
+            was_busy = false;
 
-        function taskerd() {
-            if (mutex)
-                return;
-
-            mutex = true;
-            while (true) {
-                if (false) {
-                    ebi('srv_info').innerHTML =
-                        new Date().getTime() + ", " +
-                        st.todo.hash.length + ", " +
-                        st.todo.handshake.length + ", " +
-                        st.todo.upload.length + ", " +
-                        st.busy.hash.length + ", " +
-                        st.busy.handshake.length + ", " +
-                        st.busy.upload.length;
+        function defer() {
+            running = false;
+            clearTimeout(tto);
+            tto = setTimeout(taskerd, 100);
         }
 
+        function taskerd() {
+            if (running)
+                return;
+
+            clearTimeout(tto);
+            running = true;
+            while (true) {
                 var is_busy = 0 !=
                     st.todo.hash.length +
                     st.todo.handshake.length +
@@ -780,21 +783,16 @@ function up2k_init(have_crypto) {
                 if (was_busy != is_busy) {
                     was_busy = is_busy;
 
-                    if (is_busy)
-                        window.addEventListener("beforeunload", warn_uploader_busy);
-                    else
-                        window.removeEventListener("beforeunload", warn_uploader_busy);
+                    window[(is_busy ? "add" : "remove") +
+                        "EventListener"]("beforeunload", warn_uploader_busy);
                 }
 
                 if (flag) {
                     if (is_busy) {
-                        var now = new Date().getTime();
+                        var now = Date.now();
                         flag.take(now);
-                        if (!flag.ours) {
-                            setTimeout(taskerd, 100);
-                            mutex = false;
-                            return;
-                        }
+                        if (!flag.ours)
+                            return defer();
                     }
                     else if (flag.ours) {
                         flag.give();
@@ -836,11 +834,8 @@ function up2k_init(have_crypto) {
                     mou_ikkai = true;
                 }
 
-                if (!mou_ikkai) {
-                    setTimeout(taskerd, 100);
-                    mutex = false;
-                    return;
-                }
+                if (!mou_ikkai)
+                    return defer();
             }
         }
         taskerd();
@@ -854,47 +849,47 @@ function up2k_init(have_crypto) {
 
     // https://gist.github.com/jonleighton/958841
     function buf2b64(arrayBuffer) {
-        var base64 = '';
-        var encodings = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
-        var bytes = new Uint8Array(arrayBuffer);
-        var byteLength = bytes.byteLength;
-        var byteRemainder = byteLength % 3;
-        var mainLength = byteLength - byteRemainder;
-        var a, b, c, d;
-        var chunk;
+        var base64 = '',
+            cset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_',
+            src = new Uint8Array(arrayBuffer),
+            nbytes = src.byteLength,
+            byteRem = nbytes % 3,
+            mainLen = nbytes - byteRem,
+            a, b, c, d, chunk;
 
-        for (var i = 0; i < mainLength; i = i + 3) {
-            chunk = (bytes[i] << 16) | (bytes[i + 1] << 8) | bytes[i + 2];
+        for (var i = 0; i < mainLen; i = i + 3) {
+            chunk = (src[i] << 16) | (src[i + 1] << 8) | src[i + 2];
             // create 8*3=24bit segment then split into 6bit segments
-            a = (chunk & 16515072) >> 18; // 16515072 = (2^6 - 1) << 18
-            b = (chunk & 258048) >> 12; // 258048   = (2^6 - 1) << 12
-            c = (chunk & 4032) >> 6; // 4032     = (2^6 - 1) << 6
-            d = chunk & 63;               // 63       = 2^6 - 1
+            a = (chunk & 16515072) >> 18; // (2^6 - 1) << 18
+            b = (chunk & 258048) >> 12; // (2^6 - 1) << 12
+            c = (chunk & 4032) >> 6; // (2^6 - 1) << 6
+            d = chunk & 63; // 2^6 - 1
 
             // Convert the raw binary segments to the appropriate ASCII encoding
-            base64 += encodings[a] + encodings[b] + encodings[c] + encodings[d];
+            base64 += cset[a] + cset[b] + cset[c] + cset[d];
         }
 
-        if (byteRemainder == 1) {
-            chunk = bytes[mainLength];
-            a = (chunk & 252) >> 2; // 252 = (2^6 - 1) << 2
-            b = (chunk & 3) << 4; // 3   = 2^2 - 1  (zero 4 LSB)
-            base64 += encodings[a] + encodings[b];//+ '==';
+        if (byteRem == 1) {
+            chunk = src[mainLen];
+            a = (chunk & 252) >> 2; // (2^6 - 1) << 2
+            b = (chunk & 3) << 4; // 2^2 - 1  (zero 4 LSB)
+            base64 += cset[a] + cset[b];//+ '==';
         }
-        else if (byteRemainder == 2) {
-            chunk = (bytes[mainLength] << 8) | bytes[mainLength + 1];
-            a = (chunk & 64512) >> 10; // 64512 = (2^6 - 1) << 10
-            b = (chunk & 1008) >> 4; // 1008  = (2^6 - 1) << 4
-            c = (chunk & 15) << 2; // 15    = 2^4 - 1  (zero 2 LSB)
-            base64 += encodings[a] + encodings[b] + encodings[c];//+ '=';
+        else if (byteRem == 2) {
+            chunk = (src[mainLen] << 8) | src[mainLen + 1];
+            a = (chunk & 64512) >> 10; // (2^6 - 1) << 10
+            b = (chunk & 1008) >> 4; // (2^6 - 1) << 4
+            c = (chunk & 15) << 2; // 2^4 - 1  (zero 2 LSB)
+            base64 += cset[a] + cset[b] + cset[c];//+ '=';
         }
 
         return base64;
     }
 
     function get_chunksize(filesize) {
-        var chunksize = 1024 * 1024;
-        var stepsize = 512 * 1024;
+        var chunksize = 1024 * 1024,
+            stepsize = 512 * 1024;
+
         while (true) {
             for (var mul = 1; mul <= 2; mul++) {
                 var nchunks = Math.ceil(filesize / chunksize);
@@ -907,141 +902,77 @@ function up2k_init(have_crypto) {
         }
     }
 
-    function test_filereader_speed(segm_err) {
-        var f = st.todo.hash[0].fobj,
-            sz = Math.min(2, f.size),
-            reader = new FileReader(),
-            t0, ctr = 0;
-
-        var segm_next = function () {
-            var t = new Date().getTime(),
-                td = t - t0;
-
-            if (++ctr > 2) {
-                need_filereader_cache = td > 50;
-                st.busy.hash.pop();
-                return;
-            }
-            t0 = t;
-            reader.onload = segm_next;
-            reader.onerror = segm_err;
-            reader.readAsArrayBuffer(
-                bobslice.call(f, 0, sz));
-        };
-
-        segm_next();
-    }
-
-    function ensure_rendered(func) {
-        var hidden = false;
-        var keys = ['hidden', 'msHidden', 'webkitHidden'];
-        for (var a = 0; a < keys.length; a++)
-            if (typeof document[keys[a]] !== "undefined")
-                hidden = document[keys[a]];
-
-        if (hidden)
-            return func();
-
-        window.requestAnimationFrame(func);
-    }
-
     function exec_hash() {
-        if (need_filereader_cache === undefined) {
-            st.busy.hash.push(1);
-            return test_filereader_speed(segm_err);
-        }
-
         var t = st.todo.hash.shift();
         st.busy.hash.push(t);
         st.bytes.hashed += t.size;
         t.bytes_uploaded = 0;
-        t.t1 = new Date().getTime();
 
-        var nchunk = 0;
-        var chunksize = get_chunksize(t.size);
-        var nchunks = Math.ceil(t.size / chunksize);
-
-        // android-chrome has 180ms latency on FileReader calls,
-        // detect this and do 32MB at a time
-        var cache_buf = undefined,
-            cache_ofs = 0,
-            subchunks = 2;
-
-        while (subchunks * chunksize <= 32 * 1024 * 1024)
-            subchunks++;
-
-        subchunks--;
-        if (!need_filereader_cache)
-            subchunks = 1;
+        var bpend = 0,
+            nchunk = 0,
+            chunksize = get_chunksize(t.size),
+            nchunks = Math.ceil(t.size / chunksize),
+            hashtab = {};
 
         pvis.setab(t.n, nchunks);
         pvis.move(t.n, 'bz');
 
-        var reader = new FileReader();
-
         var segm_next = function () {
-            if (cache_buf) {
-                return hash_calc();
-            }
-            reader.onload = segm_load;
-            reader.onerror = segm_err;
+            if (nchunk >= nchunks || (bpend > chunksize && bpend >= min_filebuf))
+                return false;
+
+            var reader = new FileReader(),
+                nch = nchunk++,
+                car = nch * chunksize,
+                cdr = car + chunksize,
+                t0 = Date.now();
 
-            var car = nchunk * chunksize;
-            var cdr = car + chunksize * subchunks;
             if (cdr >= t.size)
                 cdr = t.size;
 
+            bpend += cdr - car;
+
+            reader.onload = function (e) {
+                if (!min_filebuf && nch == 1) {
+                    min_filebuf = 1;
+                    var td = Date.now() - t0;
+                    if (td > 50) {
+                        ebi('u2foot').innerHTML += "<p>excessive filereader latency (" + td + " ms), increasing readahead</p>";
+                        min_filebuf = 32 * 1024 * 1024;
+                    }
+                }
+                hash_calc(nch, e.target.result);
+            };
+            reader.onerror = function () {
+                alert('y o u   b r o k e    i t\nerror: ' + reader.error);
+            };
             reader.readAsArrayBuffer(
                 bobslice.call(t.fobj, car, cdr));
+
+            return true;
         };
 
-        var segm_load = function (e) {
-            cache_buf = e.target.result;
-            cache_ofs = 0;
-            hash_calc();
-        };
-
-        var hash_calc = function () {
-            var buf = cache_buf;
-            if (chunksize >= buf.byteLength)
-                cache_buf = undefined;
-            else {
-                var ofs = cache_ofs;
-                var ofs2 = ofs + Math.min(chunksize, cache_buf.byteLength - cache_ofs);
-                cache_ofs = ofs2;
-                buf = new Uint8Array(cache_buf).subarray(ofs, ofs2);
-                if (ofs2 >= cache_buf.byteLength)
-                    cache_buf = undefined;
-            }
-
-            var func = function () {
-                if (have_crypto)
-                    crypto.subtle.digest('SHA-512', buf).then(hash_done);
-                else {
-                    var hasher = new asmCrypto.Sha512();
-                    hasher.process(new Uint8Array(buf));
-                    hasher.finish();
-                    hash_done(hasher.result);
-                }
-            };
-
-            if (cache_buf)
-                ensure_rendered(func);
-            else
-                func();
-        };
+        var hash_calc = function (nch, buf) {
+            while (segm_next());
 
             var hash_done = function (hashbuf) {
-            var hslice = new Uint8Array(hashbuf).subarray(0, 32);
-            var b64str = buf2b64(hslice).replace(/=$/, '');
-            t.hash.push(b64str);
+                var hslice = new Uint8Array(hashbuf).subarray(0, 32),
+                    b64str = buf2b64(hslice).replace(/=$/, '');
 
+                hashtab[nch] = b64str;
+                t.hash.push(nch);
                 pvis.hashed(t);
-            if (++nchunk < nchunks) {
+
+                bpend -= buf.byteLength;
+                if (t.hash.length < nchunks) {
                     return segm_next();
                 }
+                t.hash = [];
+                for (var a = 0; a < nchunks; a++) {
+                    t.hash.push(hashtab[a]);
+                }
 
-            t.t2 = new Date().getTime();
+                t.t2 = Date.now();
                 if (t.n == 0 && window.location.hash == '#dbg') {
                     var spd = (t.size / ((t.t2 - t.t1) / 1000.)) / (1024 * 1024.);
                     alert('{0} ms, {1} MB/s\n'.format(t.t2 - t.t1, spd.toFixed(3)) + t.hash.join('\n'));
@@ -1053,10 +984,17 @@ function up2k_init(have_crypto) {
                 st.todo.handshake.push(t);
             };
 
-        var segm_err = function () {
-            alert('y o u   b r o k e    i t\nerror: ' + reader.error);
+            if (subtle)
+                subtle.digest('SHA-512', buf).then(hash_done);
+            else setTimeout(function () {
+                var hasher = new asmCrypto.Sha512();
+                hasher.process(new Uint8Array(buf));
+                hasher.finish();
+                hash_done(hasher.result);
+            }, 1);
         };
 
+        t.t1 = Date.now();
         segm_next();
     }
 
@@ -1075,8 +1013,9 @@ function up2k_init(have_crypto) {
                 var response = JSON.parse(xhr.responseText);
 
                 if (!response.name) {
-                    var msg = '';
-                    var smsg = '';
+                    var msg = '',
+                        smsg = '';
+
                     if (!response || !response.hits || !response.hits.length) {
                         msg = 'not found on server';
                         smsg = '404';
@@ -1109,10 +1048,11 @@ function up2k_init(have_crypto) {
                     pvis.seth(t.n, 0, linksplit(esc(t.purl + t.name)).join(' '));
                 }
 
-                var chunksize = get_chunksize(t.size);
-                var cdr_idx = Math.ceil(t.size / chunksize) - 1;
-                var cdr_sz = (t.size % chunksize) || chunksize;
-                var cbd = [];
+                var chunksize = get_chunksize(t.size),
+                    cdr_idx = Math.ceil(t.size / chunksize) - 1,
+                    cdr_sz = (t.size % chunksize) || chunksize,
+                    cbd = [];
+
                 for (var a = 0; a <= cdr_idx; a++) {
                     cbd.push(a == cdr_idx ? cdr_sz : chunksize);
                 }
@@ -1133,8 +1073,9 @@ function up2k_init(have_crypto) {
                 pvis.setat(t.n, cbd);
                 pvis.prog(t, 0, cbd[0]);
 
-                var done = true;
-                var msg = '&#x1f3b7;&#x1f41b;';
+                var done = true,
+                    msg = '&#x1f3b7;&#x1f41b;';
+
                 if (t.postlist.length > 0) {
                     for (var a = 0; a < t.postlist.length; a++)
                         st.todo.upload.push({
@@ -1151,10 +1092,12 @@ function up2k_init(have_crypto) {
                 if (done) {
                     t.done = true;
                     st.bytes.uploaded += t.size - t.bytes_uploaded;
-                    var spd1 = (t.size / ((t.t2 - t.t1) / 1000.)) / (1024 * 1024.);
-                    var spd2 = (t.size / ((t.t4 - t.t3) / 1000.)) / (1024 * 1024.);
+                    var spd1 = (t.size / ((t.t2 - t.t1) / 1000.)) / (1024 * 1024.),
+                        spd2 = (t.size / ((t.t4 - t.t3) / 1000.)) / (1024 * 1024.);
+
                     pvis.seth(t.n, 2, 'hash {0}, up {1} MB/s'.format(
                         spd1.toFixed(2), spd2.toFixed(2)));
+
                     pvis.move(t.n, 'ok');
                 }
                 else t.t4 = undefined;
@@ -1221,24 +1164,21 @@ function up2k_init(have_crypto) {
         var upt = st.todo.upload.shift();
         st.busy.upload.push(upt);
 
-        var npart = upt.npart;
-        var t = st.files[upt.nfile];
+        var npart = upt.npart,
+            t = st.files[upt.nfile];
+
+        if (!t.t3)
+            t.t3 = Date.now();
 
         pvis.seth(t.n, 1, "🚀 send");
 
-        var chunksize = get_chunksize(t.size);
-        var car = npart * chunksize;
-        var cdr = car + chunksize;
+        var chunksize = get_chunksize(t.size),
+            car = npart * chunksize,
+            cdr = car + chunksize;
+
         if (cdr >= t.size)
             cdr = t.size;
 
-        var reader = new FileReader();
-
-        reader.onerror = function () {
-            alert('y o u   b r o k e    i t\nerror: ' + reader.error);
-        };
-
-        reader.onload = function (e) {
         var xhr = new XMLHttpRequest();
         xhr.upload.onprogress = function (xev) {
             pvis.prog(t, npart, xev.loaded);
@@ -1251,7 +1191,7 @@ function up2k_init(have_crypto) {
                 st.busy.upload.splice(st.busy.upload.indexOf(upt), 1);
                 t.postlist.splice(t.postlist.indexOf(npart), 1);
                 if (t.postlist.length == 0) {
-                        t.t4 = new Date().getTime();
+                    t.t4 = Date.now();
                     pvis.seth(t.n, 1, 'verifying');
                     st.todo.handshake.unshift(t);
                 }
@@ -1265,7 +1205,6 @@ function up2k_init(have_crypto) {
                         "no further information"));
         };
         xhr.open('POST', t.purl + 'chunkpit.php', true);
-            //xhr.setRequestHeader("X-Up2k-Hash", t.hash[npart].substr(1) + "x");
         xhr.setRequestHeader("X-Up2k-Hash", t.hash[npart]);
         xhr.setRequestHeader("X-Up2k-Wark", t.wark);
         xhr.setRequestHeader('Content-Type', 'application/octet-stream');
@@ -1273,13 +1212,7 @@ function up2k_init(have_crypto) {
             xhr.overrideMimeType('Content-Type', 'application/octet-stream');
 
         xhr.responseType = 'text';
-            xhr.send(e.target.result);
-
-            if (!t.t3)
-                t.t3 = new Date().getTime();
-        };
-
-        reader.readAsArrayBuffer(bobslice.call(t.fobj, car, cdr));
+        xhr.send(bobslice.call(t.fobj, car, cdr));
     }
 
     /////
@@ -1307,20 +1240,24 @@ function up2k_init(have_crypto) {
     onresize();
 
     function desc_show(e) {
-        var msg = this.getAttribute('alt');
-        msg = msg.replace(/\$N/g, "<br />");
-        var cdesc = ebi('u2cdesc');
-        cdesc.innerHTML = msg;
+        var cfg = sread('tooltips');
+        if (cfg !== null && cfg != '1')
+            return;
+
+        var msg = this.getAttribute('alt'),
+            cdesc = ebi('u2cdesc');
+
+        cdesc.innerHTML = msg.replace(/\$N/g, "<br />");
         cdesc.setAttribute('class', 'show');
     }
     function desc_hide(e) {
         ebi('u2cdesc').setAttribute('class', '');
     }
-    var o = document.querySelectorAll('#u2conf *[alt]');
+    var o = QSA('#u2conf *[alt]');
     for (var a = o.length - 1; a >= 0; a--) {
         o[a].parentNode.getElementsByTagName('input')[0].setAttribute('alt', o[a].getAttribute('alt'));
     }
-    var o = document.querySelectorAll('#u2conf *[alt]');
+    var o = QSA('#u2conf *[alt]');
     for (var a = 0; a < o.length; a++) {
         o[a].onfocus = desc_show;
         o[a].onblur = desc_hide;
@@ -1374,15 +1311,22 @@ function up2k_init(have_crypto) {
     }
 
     function set_fsearch(new_state) {
-        var perms = document.body.getAttribute('perms');
-        var read_only = false;
+        var perms = document.body.getAttribute('perms'),
+            fixed = false;
 
         if (!ebi('fsearch')) {
             new_state = false;
         }
-        else if (perms && perms.indexOf('write') === -1) {
+        else if (perms) {
+            perms = perms.split(' ');
+            if (!has(perms, 'write')) {
                 new_state = true;
-            read_only = true;
+                fixed = true;
+            }
+            if (!has(perms, 'read')) {
+                new_state = false;
+                fixed = true;
+            }
         }
 
         if (new_state !== undefined) {
@@ -1391,16 +1335,16 @@ function up2k_init(have_crypto) {
         }
 
         try {
-            document.querySelector('label[for="fsearch"]').style.opacity = read_only ? '0' : '1';
+            QS('label[for="fsearch"]').style.display = QS('#fsearch').style.display = fixed ? 'none' : '';
         }
         catch (ex) { }
 
         try {
-            var fun = fsearch ? 'add' : 'remove';
-            ebi('op_up2k').classList[fun]('srch');
+            var fun = fsearch ? 'add' : 'remove',
+                ico = fsearch ? '🔎' : '🚀',
+                desc = fsearch ? 'Search' : 'Upload';
 
-            var ico = fsearch ? '🔎' : '🚀';
-            var desc = fsearch ? 'Search' : 'Upload';
+            ebi('op_up2k').classList[fun]('srch');
             ebi('u2bm').innerHTML = ico + ' <sup>' + desc + '</sup>';
         }
         catch (ex) { }
@@ -1467,5 +1411,5 @@ function warn_uploader_busy(e) {
 }
 
 
-if (document.querySelector('#op_up2k.act'))
+if (QS('#op_up2k.act'))
     goto_up2k();

copyparty/web/upload.css

@@ -19,6 +19,11 @@
 	color: #f87;
 	padding: .5em;
 }
+#u2err.msg {
+	color: #999;
+	padding: .5em;
+	font-size: .9em;
+}
 #u2btn {
 	color: #eee;
 	background: #555;
@@ -86,12 +91,15 @@
 	font-family: sans-serif;
 	width: auto;
 }
-#u2tab tr+tr:hover td {
+#u2tab tbody tr:hover td {
 	background: #222;
 }
 #u2cards {
-	margin: 2.5em auto -2.5em auto;
+	padding: 1em 0 .3em 1em;
+	margin: 1.5em auto -2.5em auto;
+	white-space: nowrap;
 	text-align: center;
+	overflow: hidden;
 }
 #u2cards.w {
 	width: 45em;
@@ -110,10 +118,15 @@
 	border-radius: 0 .4em 0 0;
 }
 #u2cards a.act {
-	border-width: 1px 1px 0 1px;
+	padding-bottom: .5em;
+	border-width: 1px 1px .1em 1px;
 	border-radius: .3em .3em 0 0;
 	margin-left: -1px;
-	background: transparent;
+	background: linear-gradient(to bottom, #464, #333 80%);
+	box-shadow: 0 -.17em .67em #280;
+	border-color: #7c5 #583 #333 #583;
+	position: relative;
+	color: #fd7;
 }
 #u2cards span {
 	color: #fff;
@@ -134,12 +147,13 @@
 	outline: none;
 }
 #u2conf .txtbox {
-	width: 4em;
+	width: 3em;
 	color: #fff;
 	background: #444;
 	border: 1px solid #777;
 	font-size: 1.2em;
 	padding: .15em 0;
+	height: 1.05em;
 }
 #u2conf .txtbox.err {
 	background: #922;
@@ -151,13 +165,12 @@
 	border-radius: .1em;
 	font-size: 1.5em;
 	padding: .1em 0;
-	margin: 0 -.25em;
+	margin: 0 -1px;
 	width: 1.5em;
 	height: 1em;
 	display: inline-block;
 	position: relative;
-	line-height: 1em;
-	bottom: -.08em;
+	bottom: -0.08em;
 }
 #u2conf input+a {
 	background: #d80;
@@ -168,7 +181,6 @@
 	height: 1em;
 	padding: .4em 0;
 	display: block;
-	user-select: none;
 	border-radius: .25em;
 }
 #u2conf input[type="checkbox"] {
@@ -208,12 +220,13 @@
 	text-align: center;
 	overflow: hidden;
 	margin: 0 -2em;
-	height: 0;
 	padding: 0 1em;
+	height: 0;
 	opacity: .1;
 	transition: all 0.14s ease-in-out;
-	border-radius: .4em;
 	box-shadow: 0 .2em .5em #222;
+	border-radius: .4em;
+	z-index: 1;
 }
 #u2cdesc.show {
 	padding: 1em;
@@ -256,7 +269,10 @@ html.light #u2cards a {
 	background: linear-gradient(to bottom, #eee, #fff);
 }
 html.light #u2cards a.act {
+	color: #037;
 	background: inherit;
+	box-shadow: 0 -.17em .67em #0ad;
+	border-color: #09c #05a #eee #05a;
 }
 html.light #u2conf .txtbox {
 	background: #fff;
@@ -273,3 +289,9 @@ html.light #u2cdesc {
 html.light #op_up2k.srch #u2btn {
 	border-color: #a80;
 }
+html.light #u2foot {
+	color: #000;
+}
+html.light #u2tab tbody tr:hover td {
+	background: #fff;
+}

copyparty/web/upload.html

@@ -36,7 +36,7 @@
 
             <table id="u2conf">
                 <tr>
-                    <td>parallel uploads</td>
+                    <td><br />parallel uploads:</td>
                     <td rowspan="2">
                         <input type="checkbox" id="multitask" />
                         <label for="multitask" alt="continue hashing other files while uploading">🏃</label>
@@ -59,9 +59,9 @@
                 </tr>
                 <tr>
                     <td>
-                        <a href="#" id="nthread_sub">&ndash;</a>
-                        <input class="txtbox" id="nthread" value="2" />
-                        <a href="#" id="nthread_add">+</a>
+                        <a href="#" id="nthread_sub">&ndash;</a><input
+                            class="txtbox" id="nthread" value="2"/><a
+                            href="#" id="nthread_add">+</a><br />&nbsp;
                     </td>
                 </tr>
             </table>
@@ -99,5 +99,5 @@
             </table>
 
             <p id="u2foot"></p>
-            <p id="u2footfoot">( if you don't need lastmod timestamps, resumable uploads or progress bars just use the <a href="#" id="u2nope">basic uploader</a>)</p>
+            <p id="u2footfoot" data-perm="write">( you can use the <a href="#" id="u2nope">basic uploader</a> if you don't need lastmod timestamps, resumable uploads, or progress bars )</p>
     </div>

copyparty/web/util.js

@@ -6,7 +6,8 @@ if (!window['console'])
     };
 
 
-var clickev = window.Touch ? 'touchstart' : 'click';
+var clickev = window.Touch ? 'touchstart' : 'click',
+    ANDROID = /(android)/i.test(navigator.userAgent);
 
 
 // error handler for mobile devices
@@ -49,9 +50,11 @@ function vis_exh(msg, url, lineNo, columnNo, error) {
 }
 
 
-function ebi(id) {
-    return document.getElementById(id);
-}
+var ebi = document.getElementById.bind(document),
+    QS = document.querySelector.bind(document),
+    QSA = document.querySelectorAll.bind(document),
+    mknod = document.createElement.bind(document);
+
 
 function ev(e) {
     e = e || window.event;
@@ -89,7 +92,7 @@ if (!String.startsWith) {
 // https://stackoverflow.com/a/950146
 function import_js(url, cb) {
     var head = document.head || document.getElementsByTagName('head')[0];
-    var script = document.createElement('script');
+    var script = mknod('script');
     script.type = 'text/javascript';
     script.src = url;
 
@@ -274,7 +277,7 @@ function makeSortable(table, cb) {
 
 
 (function () {
-    var ops = document.querySelectorAll('#ops>a');
+    var ops = QSA('#ops>a');
     for (var a = 0; a < ops.length; a++) {
         ops[a].onclick = opclick;
     }
@@ -289,25 +292,25 @@ function opclick(e) {
 
     swrite('opmode', dest || null);
 
-    var input = document.querySelector('.opview.act input:not([type="hidden"])')
+    var input = QS('.opview.act input:not([type="hidden"])')
     if (input)
         input.focus();
 }
 
 
 function goto(dest) {
-    var obj = document.querySelectorAll('.opview.act');
+    var obj = QSA('.opview.act');
     for (var a = obj.length - 1; a >= 0; a--)
         clmod(obj[a], 'act');
 
-    obj = document.querySelectorAll('#ops>a');
+    obj = QSA('#ops>a');
     for (var a = obj.length - 1; a >= 0; a--)
         clmod(obj[a], 'act');
 
     if (dest) {
         var ui = ebi('op_' + dest);
         clmod(ui, 'act', true);
-        document.querySelector('#ops>a[data-dest=' + dest + ']').className += " act";
+        QS('#ops>a[data-dest=' + dest + ']').className += " act";
 
         var fn = window['goto_' + dest];
         if (fn)

docs/example.conf

@@ -32,9 +32,13 @@ r
 
 # and a folder where anyone can upload
 # but nobody can see the contents
+# and set the e2d flag to enable the uploads database
+# and set the nodupe flag to reject duplicate uploads
 /home/ed/inc
 /dump
 w
+c e2d
+c nodupe
 
 # this entire config file can be replaced with these arguments:
 # -u ed:123 -u k:k -v .::r:aed -v priv:priv:rk:aed -v /home/ed/Music:music:r -v /home/ed/inc:dump:w

docs/minimal-up2k.html

@@ -0,0 +1,32 @@
+<!--
+  save this as .epilogue.html inside a write-only folder to declutter the UI,  makes it look like
+  https://user-images.githubusercontent.com/241032/118311195-dd6ca380-b4ef-11eb-86f3-75a3ff2e1332.png
+-->
+
+<style>
+
+    /* make the up2k ui REALLY minimal by hiding a bunch of stuff: */
+
+    #ops, #tree, #path, #wrap>h2:last-child,  /* main tabs and navigators (tree/breadcrumbs) */
+
+    #u2cleanup, #u2conf tr:first-child>td[rowspan]:not(#u2btn_cw),  /* most of the config options */
+
+    #u2cards  /* and the upload progress tabs */
+
+    {display: none !important}  /* do it! */
+
+
+
+    /* add some margins because now it's weird */
+    .opview {margin-top: 2.5em}
+    #op_up2k {margin-top: 3em}
+
+    /* and embiggen the upload button */
+    #u2conf #u2btn, #u2btn {padding:1.5em 0}
+
+    /* adjust the button area a bit */
+    #u2conf.has_btn {width: 35em !important; margin: 5em auto}
+
+</style>
+
+<a href="#" onclick="this.parentNode.innerHTML='';">show advanced options</a>

docs/notes.sh

@@ -171,7 +171,7 @@ Range: bytes=26-         Content-Range: bytes */26
 
 var tsh = [];
 function convert_markdown(md_text, dest_dom) {
-    tsh.push(new Date().getTime());
+    tsh.push(Date.now());
     while (tsh.length > 10)
         tsh.shift();
     if (tsh.length > 1) {

scripts/make-sfx.sh

@@ -117,7 +117,7 @@ cd sfx
 ver=
 git describe --tags >/dev/null 2>/dev/null && {
 	git_ver="$(git describe --tags)";  # v0.5.5-2-gb164aa0
-	ver="$(printf '%s\n' "$git_ver" | sed -r 's/^v//; s/-g?/./g')";
+	ver="$(printf '%s\n' "$git_ver" | sed -r 's/^v//')";
 	t_ver=
 
 	printf '%s\n' "$git_ver" | grep -qE '^v[0-9\.]+$' && {
@@ -163,7 +163,7 @@ find .. -type f \( -name .DS_Store -or -name ._.DS_Store \) -delete
 find .. -type f -name ._\* | while IFS= read -r f; do cmp <(printf '\x00\x05\x16') <(head -c 3 -- "$f") && rm -f -- "$f"; done
 
 echo use smol web deps
-rm -f copyparty/web/deps/*.full.* copyparty/web/{Makefile,splash.js}
+rm -f copyparty/web/deps/*.full.* copyparty/web/Makefile
 
 # it's fine dw
 grep -lE '\.full\.(js|css)' copyparty/web/* |
@@ -199,12 +199,19 @@ find | grep -E '\.(js|css|html)$' | while IFS= read -r f; do
 	tmv "$f"
 done
 
+echo gen tarlist
+for d in copyparty dep-j2; do find $d -type f; done |
+sed -r 's/(.*)\.(.*)/\2 \1/' | LC_ALL=C sort |
+sed -r 's/([^ ]*) (.*)/\2.\1/' | grep -vE '/list1?$' > list1
+
+(grep -vE 'gz$' list1; grep -E 'gz$' list1) >list
+
 echo creating tar
 args=(--owner=1000 --group=1000)
 [ "$OSTYPE" = msys ] &&
 	args=()
 
-tar -cf tar "${args[@]}" --numeric-owner copyparty dep-j2
+tar -cf tar "${args[@]}" --numeric-owner -T list
 
 pc=bzip2
 pe=bz2

scripts/sfx.py

@@ -2,7 +2,8 @@
 # coding: latin-1
 from __future__ import print_function, unicode_literals
 
-import os, sys, time, shutil, threading, tarfile, hashlib, platform, tempfile, traceback
+import re, os, sys, time, shutil, signal, threading, tarfile, hashlib, platform, tempfile, traceback
+import subprocess as sp
 
 """
 run me with any version of python, i will unpack and run copyparty
@@ -26,22 +27,21 @@ CKSUM = None
 STAMP = None
 
 PY2 = sys.version_info[0] == 2
-WINDOWS = sys.platform == "win32"
+WINDOWS = sys.platform in ["win32", "msys"]
 sys.dont_write_bytecode = True
 me = os.path.abspath(os.path.realpath(__file__))
-cpp = None
 
 
-def eprint(*args, **kwargs):
-    kwargs["file"] = sys.stderr
-    print(*args, **kwargs)
+def eprint(*a, **ka):
+    ka["file"] = sys.stderr
+    print(*a, **ka)
 
 
-def msg(*args, **kwargs):
-    if args:
-        args = ["[SFX]", args[0]] + list(args[1:])
+def msg(*a, **ka):
+    if a:
+        a = ["[SFX]", a[0]] + list(a[1:])
 
-    eprint(*args, **kwargs)
+    eprint(*a, **ka)
 
 
 # skip 1
@@ -156,6 +156,9 @@ def encode(data, size, cksum, ver, ts):
                 skip = True
                 continue
 
+            if ln.strip().startswith("# fmt: "):
+                continue
+
             unpk += ln + "\n"
 
         for k, v in [
@@ -209,11 +212,11 @@ def yieldfile(fn):
 
 
 def hashfile(fn):
-    hasher = hashlib.md5()
+    h = hashlib.md5()
     for block in yieldfile(fn):
-        hasher.update(block)
+        h.update(block)
 
-    return hasher.hexdigest()
+    return h.hexdigest()
 
 
 def unpack():
@@ -222,9 +225,10 @@ def unpack():
     tag = "v" + str(STAMP)
     withpid = "{}.{}".format(name, os.getpid())
     top = tempfile.gettempdir()
-    final = os.path.join(top, name)
-    mine = os.path.join(top, withpid)
-    tar = os.path.join(mine, "tar")
+    opj = os.path.join
+    final = opj(top, name)
+    mine = opj(top, withpid)
+    tar = opj(mine, "tar")
 
     try:
         if tag in os.listdir(final):
@@ -233,28 +237,24 @@ def unpack():
     except:
         pass
 
-    nwrite = 0
+    sz = 0
     os.mkdir(mine)
     with open(tar, "wb") as f:
         for buf in get_payload():
-            nwrite += len(buf)
+            sz += len(buf)
             f.write(buf)
 
-    if nwrite != SIZE:
-        t = "\n\n  bad file:\n    expected {} bytes, got {}\n".format(SIZE, nwrite)
-        raise Exception(t)
-
-    cksum = hashfile(tar)
-    if cksum != CKSUM:
-        t = "\n\n  bad file:\n    {} expected,\n    {} obtained\n".format(CKSUM, cksum)
-        raise Exception(t)
+    ck = hashfile(tar)
+    if ck != CKSUM:
+        t = "\n\nexpected {} ({} byte)\nobtained {} ({} byte)\nsfx corrupt"
+        raise Exception(t.format(CKSUM, SIZE, ck, sz))
 
     with tarfile.open(tar, "r:bz2") as tf:
         tf.extractall(mine)
 
     os.remove(tar)
 
-    with open(os.path.join(mine, tag), "wb") as f:
+    with open(opj(mine, tag), "wb") as f:
         f.write(b"h\n")
 
     try:
@@ -272,26 +272,26 @@ def unpack():
     except:
         pass
 
+    for fn in u8(os.listdir(top)):
+        if fn.startswith(name) and fn != withpid:
+            try:
+                old = opj(top, fn)
+                if time.time() - os.path.getmtime(old) > 86400:
+                    shutil.rmtree(old)
+            except:
+                pass
+
     try:
         os.symlink(mine, final)
     except:
         try:
             os.rename(mine, final)
+            return final
         except:
             msg("reloc fail,", mine)
+
     return mine
 
-    for fn in u8(os.listdir(top)):
-        if fn.startswith(name) and fn not in [name, withpid]:
-            try:
-                old = os.path.join(top, fn)
-                if time.time() - os.path.getmtime(old) > 10:
-                    shutil.rmtree(old)
-            except:
-                pass
-
-    return final
-
 
 def get_payload():
     """yields the binary data attached to script"""
@@ -307,37 +307,33 @@ def get_payload():
         if ofs < 0:
             raise Exception("could not find archive marker")
 
-        # start reading from the final b"\n"
+        # start at final b"\n"
         fpos = ofs + len(ptn) - 3
-        # msg("tar found at", fpos)
         f.seek(fpos)
         dpos = 0
-        leftovers = b""
+        rem = b""
         while True:
             rbuf = f.read(1024 * 32)
             if rbuf:
-                buf = leftovers + rbuf
+                buf = rem + rbuf
                 ofs = buf.rfind(b"\n")
                 if len(buf) <= 4:
-                    leftovers = buf
+                    rem = buf
                     continue
 
                 if ofs >= len(buf) - 4:
-                    leftovers = buf[ofs:]
+                    rem = buf[ofs:]
                     buf = buf[:ofs]
                 else:
-                    leftovers = b"\n# "
+                    rem = b"\n# "
             else:
-                buf = leftovers
+                buf = rem
 
             fpos += len(buf) + 1
-            buf = (
-                buf.replace(b"\n# ", b"")
-                .replace(b"\n#r", b"\r")
-                .replace(b"\n#n", b"\n")
-            )
-            dpos += len(buf) - 1
+            for a, b in [[b"\n# ", b""], [b"\n#r", b"\r"], [b"\n#n", b"\n"]]:
+                buf = buf.replace(a, b)
 
+            dpos += len(buf) - 1
             yield buf
 
             if not rbuf:
@@ -361,7 +357,7 @@ def utime(top):
 
 def confirm(rv):
     msg()
-    msg(traceback.format_exc())
+    msg("retcode", rv if rv else traceback.format_exc())
     msg("*** hit enter to exit ***")
     try:
         raw_input() if PY2 else input()
@@ -371,10 +367,8 @@ def confirm(rv):
     sys.exit(rv)
 
 
-def run(tmp, j2ver):
-    global cpp
-
-    msg("jinja2:", j2ver or "bundled")
+def run(tmp, j2):
+    msg("jinja2:", j2 or "bundled")
     msg("sfxdir:", tmp)
     msg()
 
@@ -384,7 +378,6 @@ def run(tmp, j2ver):
 
         fd = os.open(tmp, os.O_RDONLY)
         fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
-        tmp = os.readlink(tmp)  # can't flock a symlink, even with O_NOFOLLOW
     except Exception as ex:
         if not WINDOWS:
             msg("\033[31mflock:", repr(ex))
@@ -394,22 +387,39 @@ def run(tmp, j2ver):
     t.start()
 
     ld = [tmp, os.path.join(tmp, "dep-j2")]
-    if j2ver:
+    if j2:
         del ld[-1]
 
+    if any([re.match(r"^-.*j[0-9]", x) for x in sys.argv]):
+        run_s(ld)
+    else:
+        run_i(ld)
+
+
+def run_i(ld):
     for x in ld:
         sys.path.insert(0, x)
 
-    try:
-        from copyparty.__main__ import main as copyparty
+    from copyparty.__main__ import main as p
 
-        copyparty()
+    p()
 
-    except SystemExit as ex:
-        if ex.code:
-            confirm(ex.code)
-    except:
-        confirm(1)
+
+def run_s(ld):
+    # fmt: off
+    c = "import sys,runpy;" + "".join(['sys.path.insert(0,r"' + x + '");' for x in ld]) + 'runpy.run_module("copyparty",run_name="__main__")'
+    c = [str(x) for x in [sys.executable, "-c", c] + list(sys.argv[1:])]
+    # fmt: on
+    msg("\n", c, "\n")
+    p = sp.Popen(c)
+
+    def bye(*a):
+        p.send_signal(signal.SIGINT)
+
+    signal.signal(signal.SIGTERM, bye)
+    p.wait()
+
+    raise SystemExit(p.returncode)
 
 
 def main():
@@ -443,14 +453,23 @@ def main():
 
     # skip 0
 
-    tmp = unpack()
+    tmp = os.path.realpath(unpack())
 
     try:
-        from jinja2 import __version__ as j2ver
+        from jinja2 import __version__ as j2
     except:
-        j2ver = None
+        j2 = None
 
-    run(tmp, j2ver)
+    try:
+        run(tmp, j2)
+    except SystemExit as ex:
+        c = ex.code
+        if c not in [0, -15]:
+            confirm(ex.code)
+    except KeyboardInterrupt:
+        pass
+    except:
+        confirm(0)
 
 
 if __name__ == "__main__":

scripts/speedtest-fs.py

@@ -17,14 +17,15 @@ __license__ = "MIT"
 __url__ = "https://github.com/9001/copyparty/"
 
 
-def get_spd(nbyte, nsec):
+def get_spd(nbyte, nfiles, nsec):
     if not nsec:
-        return "0.000 MB   0.000 sec   0.000 MB/s"
+        return "0.000 MB   0 files   0.000 sec   0.000 MB/s   0.000 f/s"
 
     mb = nbyte / (1024 * 1024.0)
     spd = mb / nsec
+    nspd = nfiles / nsec
 
-    return f"{mb:.3f} MB   {nsec:.3f} sec   {spd:.3f} MB/s"
+    return f"{mb:.3f} MB   {nfiles} files   {nsec:.3f} sec   {spd:.3f} MB/s   {nspd:.3f} f/s"
 
 
 class Inf(object):
@@ -36,6 +37,7 @@ class Inf(object):
         self.mtx_reports = threading.Lock()
 
         self.n_byte = 0
+        self.n_file = 0
         self.n_sec = 0
         self.n_done = 0
         self.t0 = t0
@@ -63,7 +65,8 @@ class Inf(object):
                 continue
 
             msgs = msgs[-64:]
-            msgs = [f"{get_spd(self.n_byte, self.n_sec)}   {x}" for x in msgs]
+            spd = get_spd(self.n_byte, len(self.reports), self.n_sec)
+            msgs = [f"{spd}   {x}" for x in msgs]
             print("\n".join(msgs))
 
     def report(self, fn, n_byte, n_sec):
@@ -131,8 +134,9 @@ def main():
 
     num_threads = 8
     read_sz = 32 * 1024
+    targs = (q, inf, read_sz)
     for _ in range(num_threads):
-        thr = threading.Thread(target=worker, args=(q, inf, read_sz,))
+        thr = threading.Thread(target=worker, args=targs)
         thr.daemon = True
         thr.start()
 
@@ -151,14 +155,14 @@ def main():
     log = inf.reports
     log.sort()
     for nbyte, nsec, fn in log[-64:]:
-        print(f"{get_spd(nbyte, nsec)}   {fn}")
+        spd = get_spd(nbyte, len(log), nsec)
+        print(f"{spd}   {fn}")
 
     print()
     print("\n".join(inf.errors))
 
-    print(get_spd(inf.n_byte, t2 - t0))
+    print(get_spd(inf.n_byte, len(log), t2 - t0))
 
 
 if __name__ == "__main__":
     main()
-

tests/run.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+
+import sys
+import runpy
+
+host = sys.argv[1]
+sys.argv = sys.argv[:1] + sys.argv[2:]
+sys.path.insert(0, ".")
+
+
+def rp():
+    runpy.run_module("unittest", run_name="__main__")
+
+
+if host == "vmprof":
+    rp()
+
+elif host == "cprofile":
+    import cProfile
+    import pstats
+
+    log_fn = "cprofile.log"
+    cProfile.run("rp()", log_fn)
+    p = pstats.Stats(log_fn)
+    p.sort_stats(pstats.SortKey.CUMULATIVE).print_stats(64)
+
+
+"""
+python3.9 tests/run.py cprofile -v tests/test_httpcli.py
+
+python3.9 -m pip install --user vmprof
+python3.9 -m vmprof --lines -o vmprof.log tests/run.py vmprof -v tests/test_httpcli.py
+"""

tests/test_httpcli.py

@@ -0,0 +1,202 @@
+#!/usr/bin/env python
+# coding: utf-8
+from __future__ import print_function, unicode_literals
+
+import io
+import os
+import time
+import shutil
+import pprint
+import tarfile
+import unittest
+
+from argparse import Namespace
+from copyparty.authsrv import AuthSrv
+from copyparty.httpcli import HttpCli
+
+from tests import util as tu
+
+
+def hdr(query):
+    h = "GET /{} HTTP/1.1\r\nCookie: cppwd=o\r\nConnection: close\r\n\r\n"
+    return h.format(query).encode("utf-8")
+
+
+class Cfg(Namespace):
+    def __init__(self, a=[], v=[], c=None):
+        super(Cfg, self).__init__(
+            a=a,
+            v=v,
+            c=c,
+            ed=False,
+            no_zip=False,
+            no_scandir=False,
+            no_sendfile=True,
+            nih=True,
+            mtp=[],
+            mte="a",
+            **{k: False for k in "e2d e2ds e2dsa e2t e2ts e2tsr".split()}
+        )
+
+
+class TestHttpCli(unittest.TestCase):
+    def test(self):
+        td = os.path.join(tu.get_ramdisk(), "vfs")
+        try:
+            shutil.rmtree(td)
+        except OSError:
+            pass
+
+        os.mkdir(td)
+        os.chdir(td)
+
+        self.dtypes = ["ra", "ro", "rx", "wa", "wo", "wx", "aa", "ao", "ax"]
+        self.can_read = ["ra", "ro", "aa", "ao"]
+        self.can_write = ["wa", "wo", "aa", "ao"]
+        self.fn = "g{:x}g".format(int(time.time() * 3))
+
+        allfiles = []
+        allvols = []
+        for top in self.dtypes:
+            allvols.append(top)
+            allfiles.append("/".join([top, self.fn]))
+            for s1 in self.dtypes:
+                p = "/".join([top, s1])
+                allvols.append(p)
+                allfiles.append(p + "/" + self.fn)
+                allfiles.append(p + "/n/" + self.fn)
+                for s2 in self.dtypes:
+                    p = "/".join([top, s1, "n", s2])
+                    os.makedirs(p)
+                    allvols.append(p)
+                    allfiles.append(p + "/" + self.fn)
+
+        for fp in allfiles:
+            with open(fp, "w") as f:
+                f.write("ok {}\n".format(fp))
+
+        for top in self.dtypes:
+            vcfg = []
+            for vol in allvols:
+                if not vol.startswith(top):
+                    continue
+
+                mode = vol[-2]
+                usr = vol[-1]
+                if usr == "a":
+                    usr = ""
+
+                if "/" not in vol:
+                    vol += "/"
+
+                top, sub = vol.split("/", 1)
+                vcfg.append("{0}/{1}:{1}:{2}{3}".format(top, sub, mode, usr))
+
+            pprint.pprint(vcfg)
+
+            self.args = Cfg(v=vcfg, a=["o:o", "x:x"])
+            self.auth = AuthSrv(self.args, self.log)
+            vfiles = [x for x in allfiles if x.startswith(top)]
+            for fp in vfiles:
+                rok, wok = self.can_rw(fp)
+                furl = fp.split("/", 1)[1]
+                durl = furl.rsplit("/", 1)[0] if "/" in furl else ""
+
+                # file download
+                h, ret = self.curl(furl)
+                res = "ok " + fp in ret
+                print("[{}] {} {} = {}".format(fp, rok, wok, res))
+                if rok != res:
+                    print("\033[33m{}\n# {}\033[0m".format(ret, furl))
+                    self.fail()
+
+                # file browser: html
+                h, ret = self.curl(durl)
+                res = "'{}'".format(self.fn) in ret
+                print(res)
+                if rok != res:
+                    print("\033[33m{}\n# {}\033[0m".format(ret, durl))
+                    self.fail()
+
+                # file browser: json
+                url = durl + "?ls"
+                h, ret = self.curl(url)
+                res = '"{}"'.format(self.fn) in ret
+                print(res)
+                if rok != res:
+                    print("\033[33m{}\n# {}\033[0m".format(ret, url))
+                    self.fail()
+
+                # tar
+                url = durl + "?tar"
+                h, b = self.curl(url, True)
+                # with open(os.path.join(td, "tar"), "wb") as f:
+                #    f.write(b)
+                try:
+                    tar = tarfile.open(fileobj=io.BytesIO(b)).getnames()
+                except:
+                    tar = []
+                tar = ["/".join([y for y in [top, durl, x] if y]) for x in tar]
+                tar = [[x] + self.can_rw(x) for x in tar]
+                tar_ok = [x[0] for x in tar if x[1]]
+                tar_ng = [x[0] for x in tar if not x[1]]
+                self.assertEqual([], tar_ng)
+
+                if durl.split("/")[-1] in self.can_read:
+                    ref = [x for x in vfiles if self.in_dive(top + "/" + durl, x)]
+                    for f in ref:
+                        print("{}: {}".format("ok" if f in tar_ok else "NG", f))
+                    ref.sort()
+                    tar_ok.sort()
+                    self.assertEqual(ref, tar_ok)
+
+                # stash
+                h, ret = self.put(url)
+                res = h.startswith("HTTP/1.1 200 ")
+                self.assertEqual(res, wok)
+
+    def can_rw(self, fp):
+        # lowest non-neutral folder declares permissions
+        expect = fp.split("/")[:-1]
+        for x in reversed(expect):
+            if x != "n":
+                expect = x
+                break
+
+        return [expect in self.can_read, expect in self.can_write]
+
+    def in_dive(self, top, fp):
+        # archiver bails at first inaccessible subvolume
+        top = top.strip("/").split("/")
+        fp = fp.split("/")
+        for f1, f2 in zip(top, fp):
+            if f1 != f2:
+                return False
+
+        for f in fp[len(top) :]:
+            if f == self.fn:
+                return True
+            if f not in self.can_read and f != "n":
+                return False
+
+        return True
+
+    def put(self, url):
+        buf = "PUT /{0} HTTP/1.1\r\nCookie: cppwd=o\r\nConnection: close\r\nContent-Length: {1}\r\n\r\nok {0}\n"
+        buf = buf.format(url, len(url) + 4).encode("utf-8")
+        conn = tu.VHttpConn(self.args, self.auth, self.log, buf)
+        HttpCli(conn).run()
+        return conn.s._reply.decode("utf-8").split("\r\n\r\n", 1)
+
+    def curl(self, url, binary=False):
+        conn = tu.VHttpConn(self.args, self.auth, self.log, hdr(url))
+        HttpCli(conn).run()
+        if binary:
+            h, b = conn.s._reply.split(b"\r\n\r\n", 1)
+            return [h.decode("utf-8"), b]
+
+        return conn.s._reply.decode("utf-8").split("\r\n\r\n", 1)
+
+    def log(self, src, msg, c=0):
+        # print(repr(msg))
+        pass

tests/test_vfs.py

@@ -3,18 +3,18 @@
 from __future__ import print_function, unicode_literals
 
 import os
-import time
 import json
 import shutil
 import tempfile
 import unittest
-import subprocess as sp  # nosec
 
 from textwrap import dedent
 from argparse import Namespace
 from copyparty.authsrv import AuthSrv
 from copyparty import util
 
+from tests import util as tu
+
 
 class Cfg(Namespace):
     def __init__(self, a=[], v=[], c=None):
@@ -51,52 +51,11 @@ class TestVFS(unittest.TestCase):
         real = [x[0] for x in real]
         return fsdir, real, virt
 
-    def runcmd(self, *argv):
-        p = sp.Popen(argv, stdout=sp.PIPE, stderr=sp.PIPE)
-        stdout, stderr = p.communicate()
-        stdout = stdout.decode("utf-8")
-        stderr = stderr.decode("utf-8")
-        return [p.returncode, stdout, stderr]
-
-    def chkcmd(self, *argv):
-        ok, sout, serr = self.runcmd(*argv)
-        if ok != 0:
-            raise Exception(serr)
-
-        return sout, serr
-
-    def get_ramdisk(self):
-        for vol in ["/dev/shm", "/Volumes/cptd"]:  # nosec (singleton test)
-            if os.path.exists(vol):
-                return vol
-
-        if os.path.exists("/Volumes"):
-            devname, _ = self.chkcmd("hdiutil", "attach", "-nomount", "ram://8192")
-            devname = devname.strip()
-            print("devname: [{}]".format(devname))
-            for _ in range(10):
-                try:
-                    _, _ = self.chkcmd(
-                        "diskutil", "eraseVolume", "HFS+", "cptd", devname
-                    )
-                    return "/Volumes/cptd"
-                except Exception as ex:
-                    print(repr(ex))
-                    time.sleep(0.25)
-
-            raise Exception("ramdisk creation failed")
-
-        ret = os.path.join(tempfile.gettempdir(), "copyparty-test")
-        try:
-            os.mkdir(ret)
-        finally:
-            return ret
-
     def log(self, src, msg, c=0):
         pass
 
     def test(self):
-        td = os.path.join(self.get_ramdisk(), "vfs")
+        td = os.path.join(tu.get_ramdisk(), "vfs")
         try:
             shutil.rmtree(td)
         except OSError:
@@ -268,7 +227,7 @@ class TestVFS(unittest.TestCase):
         self.assertEqual(list(v1), list(v2))
 
         # config file parser
-        cfg_path = os.path.join(self.get_ramdisk(), "test.cfg")
+        cfg_path = os.path.join(tu.get_ramdisk(), "test.cfg")
         with open(cfg_path, "wb") as f:
             f.write(
                 dedent(

tests/util.py

@@ -0,0 +1,97 @@
+import os
+import time
+import jinja2
+import tempfile
+import subprocess as sp
+
+from copyparty.util import Unrecv
+
+
+J2_ENV = jinja2.Environment(loader=jinja2.BaseLoader)
+J2_FILES = J2_ENV.from_string("{{ files|join('\n') }}")
+
+
+def runcmd(*argv):
+    p = sp.Popen(argv, stdout=sp.PIPE, stderr=sp.PIPE)
+    stdout, stderr = p.communicate()
+    stdout = stdout.decode("utf-8")
+    stderr = stderr.decode("utf-8")
+    return [p.returncode, stdout, stderr]
+
+
+def chkcmd(*argv):
+    ok, sout, serr = runcmd(*argv)
+    if ok != 0:
+        raise Exception(serr)
+
+    return sout, serr
+
+
+def get_ramdisk():
+    for vol in ["/dev/shm", "/Volumes/cptd"]:  # nosec (singleton test)
+        if os.path.exists(vol):
+            return vol
+
+    if os.path.exists("/Volumes"):
+        devname, _ = chkcmd("hdiutil", "attach", "-nomount", "ram://32768")
+        devname = devname.strip()
+        print("devname: [{}]".format(devname))
+        for _ in range(10):
+            try:
+                _, _ = chkcmd("diskutil", "eraseVolume", "HFS+", "cptd", devname)
+                return "/Volumes/cptd"
+            except Exception as ex:
+                print(repr(ex))
+                time.sleep(0.25)
+
+        raise Exception("ramdisk creation failed")
+
+    ret = os.path.join(tempfile.gettempdir(), "copyparty-test")
+    try:
+        os.mkdir(ret)
+    finally:
+        return ret
+
+
+class NullBroker(object):
+    def put(*args):
+        pass
+
+
+class VSock(object):
+    def __init__(self, buf):
+        self._query = buf
+        self._reply = b""
+        self.sendall = self.send
+
+    def recv(self, sz):
+        ret = self._query[:sz]
+        self._query = self._query[sz:]
+        return ret
+
+    def send(self, buf):
+        self._reply += buf
+        return len(buf)
+
+
+class VHttpSrv(object):
+    def __init__(self):
+        self.broker = NullBroker()
+
+        aliases = ["splash", "browser", "browser2", "msg", "md", "mde"]
+        self.j2 = {x: J2_FILES for x in aliases}
+
+
+class VHttpConn(object):
+    def __init__(self, args, auth, log, buf):
+        self.s = VSock(buf)
+        self.sr = Unrecv(self.s)
+        self.addr = ("127.0.0.1", "42069")
+        self.args = args
+        self.auth = auth
+        self.log_func = log
+        self.log_src = "a"
+        self.hsrv = VHttpSrv()
+        self.nbyte = 0
+        self.workload = 0
+        self.t0 = time.time()