From 1fb05d65de98f8dc341409f40d382297ca75bcf0 Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Sat, 27 Jun 2026 08:08:02 +0200 Subject: [PATCH] docs,cmd: warn about broad scope for self-signup users (GHSA-6759-996p-gpj6) When Signup is enabled with the default scope and createUserDir off, every self-registered user inherits the served root and can read/modify/delete all files. Add a startup WARNING for this configuration and document the risk and the --createUserDir mitigation. No behavior or default change. --- cmd/root.go | 13 +++++++++++++ www/docs/deployment.md | 12 ++++++++++++ 2 files changed, 25 insertions(+) diff --git a/cmd/root.go b/cmd/root.go index d7f7ea50..1d34f866 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -13,6 +13,7 @@ import ( "os" "os/signal" "path/filepath" + "strings" "syscall" "time" @@ -381,6 +382,18 @@ func getServerSettings(v *viper.Viper, st *storage.Storage) (*settings.Server, e log.Println("WARNING: you fully understand and trust the contents of every user scope.") } + if set, err := st.Settings.Get(); err == nil && set.Signup { + scope := strings.TrimSpace(set.Defaults.Scope) + scopeIsRoot := scope == "" || scope == "." || scope == "/" + + if !set.CreateUserDir && scopeIsRoot { + log.Println("WARNING: Signup is enabled without createUserDir and the default scope is") + log.Println("WARNING: the server root, so every self-registered user can read, modify and") + log.Println("WARNING: delete all files File Browser serves, including other users' files.") + log.Println("WARNING: Enable createUserDir, or set a default scope other than the root.") + } + } + return server, nil } diff --git a/www/docs/deployment.md b/www/docs/deployment.md index aa2968fc..57676004 100644 --- a/www/docs/deployment.md +++ b/www/docs/deployment.md @@ -1,3 +1,15 @@ +## Self-Registration (Signup) + +File Browser allows you to enable user self-registration (signup). This can be enabled via **Settings → Global Settings**, or with `filebrowser config set --signup`. Self-registered users inherit the configured **user defaults**, including the scope. + +> [!WARNING] +> +> By default, the user scope is the server's root, so a self-registered user could read, +> modify, and delete every file File Browser serves. To prevent this, either: +> +> a. Enable `createUserDir` so each user gets their own directory; or +> b. If users are meant to share files, set the default scope to something other than the root. + ## Fail2ban File Browser does not natively support protection against brute force attacks. Therefore, we suggest using something like [fail2ban](https://github.com/fail2ban/fail2ban), which takes care of that by tracking the logs of your File Browser instance. For more information on how fail2ban works, please refer to their [wiki](https://github.com/fail2ban/fail2ban/wiki).