Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access
There was a missing permission-check in the shares feature (the shr global-option).
This vulnerability only applies in the following scenario:
* The shares feature is used for the specific purpose of creating a share of just a single file inside a folder
* Either the FTP or SFTP server is enabled, and also made publically accessible
* If a share is password-protected, then SFTP was not vulnerable unless the sftp-pw global-option was also enabled
Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames.
It was not possible to descend into subdirectories in this manner; only the sibling files were accessible.
This issue did not affect filekeys or dirkeys.
This vulnerability is CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time.