Commit graph

3117 commits

Author SHA1 Message Date
Henrique Dias
fe7efb2e6a
chore(release): 2.63.18 2026-07-04 08:25:01 +02:00
transifex-integration[bot]
2651260a1c
chore: update translations 2026-07-04 08:24:37 +02:00
Henrique Dias
4470288ba1
fix: deduplicate PT language 2026-07-04 08:24:17 +02:00
Henrique Dias
58d22578e8
chore: update dependencies 2026-07-04 08:23:16 +02:00
林桉
dfc2e887e1
fix: avoid recursive conflict checks for copy and move (#6009) 2026-07-04 08:13:31 +02:00
Aditya Raj Singh
aac2516637
fix(preview): keep the EPUB table-of-contents button clear of the header (#6010) 2026-07-04 08:09:10 +02:00
Henrique Dias
c05ead7e8e
docs: warning about hook executor 2026-06-27 09:37:29 +02:00
Henrique Dias
d76b7d1610
chore(release): 2.63.17 2026-06-27 09:14:08 +02:00
Henrique Dias
f30fca636c
fix(share): delete exact directory share on trailing-slash delete (GHSA-pp88-jhwj-5qh5)
DeleteWithPathPrefix queried the share index with the raw path, so deleting a
directory through a trailing-slash path (e.g. DELETE /api/resources/a/) only
matched descendants like /a/child and missed the exact /a share, leaving it in
storage. If the same path was later recreated, the stale public share re-exposed
the new content. Normalize the path before the prefix query so the exact share
and its descendants are both removed. Adds a regression test.
2026-06-27 09:08:57 +02:00
Henrique Dias
ec13054671
fix(share): stop exposing password hash and bypass token in share API (GHSA-833g-cqhp-h72j)
The share management endpoints serialized the storage struct directly, returning
the bcrypt password_hash (crackable offline) and the bypass token for every
share an authenticated caller could list, with admins seeing them for all users.
Return a response DTO that exposes only whether a share is password-protected
(hasPassword) and drops both secrets. The storage struct keeps its tags so the
secrets stay persisted and the server-side auth/public flows are unchanged.
Updates the frontend to use hasPassword and adds a regression test.
2026-06-27 09:08:56 +02:00
Henrique Dias
883a36f02f
fix(auth): reject signup when normalized home dir collides (GHSA-7rc3-g7h6-22m7)
cleanUsername is many-to-one, so distinct usernames (e.g. "teamone/x" and
"teamone-x") can normalize to the same home directory. With CreateUserDir
enabled, the second registrant silently reused the first user's directory,
breaking per-user isolation. Add a GetByScope lookup and reject a signup whose
derived scope is already taken. The check is gated on CreateUserDir: when it is
off, signups intentionally share the configured default scope. Adds a regression
test for the colliding-username case.
2026-06-27 09:08:56 +02:00
Henrique Dias
8503ba61ff
fix(raw): neutralize backslashes in archive entry names (GHSA-83xp-526h-j3ww)
The fix for CVE-2026-54093 rewrote backslashes to the path separator "/" in
archive entry names. On POSIX hosts a backslash is a legal filename byte, so
that rewrite manufactured a traversal sequence ("..\..\x" -> "../../x") out
of a single in-scope file, turning a Windows-only zip-slip into a cross-platform
one. Neutralize backslashes to an inert character instead, and reject any entry
whose name is not already a normalized root-relative path. Adds a regression
test that downloads a folder containing a backslash-named file as a zip.
2026-06-27 08:39:14 +02:00
Henrique Dias
1fb05d65de
docs,cmd: warn about broad scope for self-signup users (GHSA-6759-996p-gpj6)
When Signup is enabled with the default scope and createUserDir off, every
self-registered user inherits the served root and can read/modify/delete all
files. Add a startup WARNING for this configuration and document the risk and
the --createUserDir mitigation. No behavior or default change.
2026-06-27 08:18:18 +02:00
Henrique Dias
2472fbcd30
fix: normalize recursive listing paths to forward slashes (#6003) 2026-06-27 08:01:26 +02:00
JinHyuk Sung
43a404ca69
fix: match admin share paths by owner scope (#5992) 2026-06-27 07:43:22 +02:00
Rayan Salhab
d9cf2f0100
fix: preserve SRT subtitle line breaks (#6002) 2026-06-27 07:28:55 +02:00
transifex-integration[bot]
6209f8fddd
chore: update translations (#5990) 2026-06-27 07:19:42 +02:00
Henrique Dias
bd1520fe09
chore(release): 2.63.16 2026-06-23 13:33:10 +02:00
Henrique Dias
8cfa6a175f
chore(docs): update CLI documentation 2026-06-23 13:33:00 +02:00
Henrique Dias
a1063925e1
fix: restore symlink behavior as opt-in followExternalSymlinks 2026-06-23 13:19:51 +02:00
Henrique Dias
64511ce45e
fix: dangling symlink, write, delete scope bugs 2026-06-23 12:35:55 +02:00
Henrique Dias
be23ab3a15
chore(release): 2.63.15 2026-06-13 07:20:45 +02:00
Henrique Dias
ffb486e05f
chore: bump minor Go dependencies 2026-06-13 07:19:01 +02:00
yfzhou
403d2bbd33
fix: restore ScopedFs RealPath (#5986) 2026-06-13 07:17:48 +02:00
Henrique Dias
dfe6e5b333
chore(release): 2.63.14 2026-06-07 18:21:40 +02:00
Henrique Dias
d9816b1531
chore: add symlink tests 2026-06-07 18:21:13 +02:00
Henrique Dias
7c2c0a11b3
refactor: ScopedFs to avoid escaping symlinks 2026-06-07 18:16:46 +02:00
Henrique Dias
3406d3d7f9
fix: recursive check 2026-06-07 17:12:31 +02:00
Henrique Dias
67ed670d92
chore(release): 2.63.13 2026-06-06 08:33:27 +02:00
Henrique Dias
a1a514dcbb
fix: copy/move allow overwrite 2026-06-06 08:28:31 +02:00
Henrique Dias
5f7311d324
refactor: cleanup and simplify upload.ts 2026-06-06 08:15:16 +02:00
Henrique Dias
998bd95bfa
chore(release): 2.63.12 2026-06-04 17:17:38 +02:00
Puneet Dixit
c1abe8f561
fix: await copy move conflict detection (#5978) 2026-06-04 17:16:30 +02:00
Puneet Dixit
0bb2768754
fix: keep mobile file sort controls visible (#5977) 2026-06-04 12:49:30 +02:00
Puneet Dixit
7b7ff8ae8f
fix: skip inaccessible children when listing directories (#5958) 2026-06-04 12:49:07 +02:00
Henrique Dias
1086903c14
chore(release): 2.63.11 2026-06-04 11:03:17 +02:00
Henrique Dias
3471ec2c4b
fix: incomplete fix for symlinked directories let scopes users and public-share recipients read and write files outside of scope 2026-06-04 11:02:18 +02:00
Henrique Dias
69c76d11cc
chore(release): 2.63.10 2026-06-03 15:42:27 +02:00
Henrique Dias
6b04cbf5e9
fix: allow writes when user scope resolves to filesystem root
WithinScope compared targets against root+separator, which produced
"//" when the scope resolved to "/". No path matched, so every write
was rejected with os.ErrPermission (HTTP 403), breaking saves and
uploads for root-scoped installs. Skip the appended separator when root
already ends in one.
2026-06-03 15:40:26 +02:00
Henrique Dias
503fd6b01f
chore(release): 2.63.9 2026-06-03 13:13:03 +02:00
Henrique Dias
35db07d015
fix: set X-Content-Type-Options: nosniff on raw file responses
Prevents browsers from MIME-sniffing uploaded files into a renderable type.
2026-06-03 12:21:23 +02:00
Henrique Dias
19514367ad
fix: use constant-time comparison for share access token
Compare the share token with subtle.ConstantTimeCompare instead of ==.
2026-06-03 12:21:23 +02:00
Henrique Dias
cdd666fc95
fix: prevent symlink scope escape in copy/move/rename
Check WithinScope for src and dst in resourcePatchHandler before
fileutils.Copy/MoveFile, which follow symlinks and bypassed the
stat()/writeFile() guards (GHSA-239w-m3h6-ch8v).
2026-06-03 12:21:23 +02:00
mehmet turac
103acd15fe
fix: force octet-stream for attachment downloads (#5942) 2026-06-03 11:59:17 +02:00
Henrique Dias
f5e0c4e2e1
chore(release): 2.63.8 2026-06-03 11:57:30 +02:00
Henrique Dias
ca019ae7d9
fix: check if share is within scope when creating 2026-06-03 11:57:10 +02:00
Henrique Dias
4488f5b131
chore(release): 2.63.7 2026-06-03 11:44:54 +02:00
Henrique Dias
166583db63
fix: disallow shares for non-existent paths 2026-06-03 11:43:22 +02:00
Henrique Dias
85b7d2762d
chore(release): 2.63.6 2026-06-03 11:31:10 +02:00
Henrique Dias
4edabb9ccc
chore(docs): update CLI documentation 2026-06-03 11:30:59 +02:00