Commit graph

262 commits

Author SHA1 Message Date
JinHyuk Sung
43a404ca69
fix: match admin share paths by owner scope (#5992) 2026-06-27 07:43:22 +02:00
Rayan Salhab
d9cf2f0100
fix: preserve SRT subtitle line breaks (#6002) 2026-06-27 07:28:55 +02:00
Henrique Dias
a1063925e1
fix: restore symlink behavior as opt-in followExternalSymlinks 2026-06-23 13:19:51 +02:00
Henrique Dias
64511ce45e
fix: dangling symlink, write, delete scope bugs 2026-06-23 12:35:55 +02:00
Henrique Dias
d9816b1531
chore: add symlink tests 2026-06-07 18:21:13 +02:00
Henrique Dias
7c2c0a11b3
refactor: ScopedFs to avoid escaping symlinks 2026-06-07 18:16:46 +02:00
Henrique Dias
3406d3d7f9
fix: recursive check 2026-06-07 17:12:31 +02:00
Henrique Dias
3471ec2c4b
fix: incomplete fix for symlinked directories let scopes users and public-share recipients read and write files outside of scope 2026-06-04 11:02:18 +02:00
Henrique Dias
35db07d015
fix: set X-Content-Type-Options: nosniff on raw file responses
Prevents browsers from MIME-sniffing uploaded files into a renderable type.
2026-06-03 12:21:23 +02:00
Henrique Dias
19514367ad
fix: use constant-time comparison for share access token
Compare the share token with subtle.ConstantTimeCompare instead of ==.
2026-06-03 12:21:23 +02:00
Henrique Dias
cdd666fc95
fix: prevent symlink scope escape in copy/move/rename
Check WithinScope for src and dst in resourcePatchHandler before
fileutils.Copy/MoveFile, which follow symlinks and bypassed the
stat()/writeFile() guards (GHSA-239w-m3h6-ch8v).
2026-06-03 12:21:23 +02:00
mehmet turac
103acd15fe
fix: force octet-stream for attachment downloads (#5942) 2026-06-03 11:59:17 +02:00
Henrique Dias
ca019ae7d9
fix: check if share is within scope when creating 2026-06-03 11:57:10 +02:00
Henrique Dias
166583db63
fix: disallow shares for non-existent paths 2026-06-03 11:43:22 +02:00
Henrique Dias
847d08bdd1
fix: address three security disclosures (archive traversal, login DoS, symlink escape)
- http/raw.go: strip Windows backslash separators from archive entry names
  on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored
  backslash filename was emitted verbatim and could escape the extraction
  directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8)

- http/auth.go: cap the login and signup request bodies with
  http.MaxBytesReader (1 MiB). The JSON decoder previously read an
  arbitrarily large password into memory before bcrypt truncated it,
  enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4)

- files/file.go, http/resource.go: add files.WithinScope and refuse to
  follow a symlink whose on-disk target escapes the user's scoped root,
  on both the read path (stat) and the write path (writeFile). Prevents a
  scoped user from reading/overwriting/sharing files outside their scope
  via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 11:21:00 +02:00
Henrique Dias
0231b7ebdf
fix: cross-user unauthorized share-link deletion 2026-06-03 10:31:44 +02:00
Henrique Dias
e07c59df0b
fix: incorrect access control in public directory shares via rule path rebasing 2026-06-03 10:24:05 +02:00
mehmet turac
9cc18a81e3
fix: show item shares from all users to admins (#5941) 2026-05-17 15:01:02 +02:00
Anthony Geourjon
f4e148523e
fix: Fix conflict modal and add a resume transfert option (#5884)
Co-authored-by: Henrique Dias <mail@hacdias.com>
2026-05-05 14:24:06 +02:00
kodareef5
1e03feadb5
fix: check download permission in resource handler (#5891) 2026-04-04 21:58:17 +02:00
kodareef5
7dbf7a3528
fix: check share owner permissions on public share access (#5888) 2026-04-04 21:56:55 +02:00
Ariel Leyva
7a16129bfc
fix(tus): reject negative upload-length to prevent inconsistent cache entry (#5876) 2026-04-04 09:11:50 +02:00
Ariel Leyva
0f39bd055e
fix: check download permission when sharing permission is enabled (#5875) 2026-04-04 09:11:21 +02:00
Henrique Dias
a8fc1657b7
fix: shares listing 2026-03-28 20:02:12 +01:00
Henrique Dias
c406bda0c7
fix: json escaping 2026-03-28 19:54:21 +01:00
Henrique Dias
d9f9460c1e
fix: use html/template 2026-03-28 19:16:12 +01:00
Henrique Dias
b6a4fb1f27
fix: self-registered users don't get execute perms 2026-03-28 19:08:19 +01:00
lif
8f81b77cf2
fix: include filename in Content-Disposition header for inline downloads (#5860) 2026-03-28 19:03:07 +01:00
Arran
4812536555
fix: touch Redis upload cache key on GetLength to prevent TTL expiry (#5850) 2026-03-26 16:27:28 +01:00
Henrique Dias
fc80f4f44c
fix: base url/reverse proxy redirect 2026-03-14 09:30:35 +01:00
Henrique Dias
09a26166b4
fix: make perm.share depend on share.download 2026-03-14 08:31:55 +01:00
Henrique Dias
a63573b67e
fix: signup handler shouldn't create admins 2026-03-14 08:23:10 +01:00
Henrique Dias
4bd7d69c82
fix: clean path in patch handler 2026-03-14 08:13:51 +01:00
Sergio
0542fc0ba4
fix(tus): preserve percent-encoded upload paths in Location header (#5817) 2026-03-11 19:37:07 +01:00
Ariel Leyva
4af3f85e64
fix(csv-viewer): add support for missing text encodings in dropdown list (#5795) 2026-03-06 15:26:13 +01:00
Henrique Dias
7ed1425115
fix: check for correct permission in TUS Delete 2026-03-04 10:04:22 +01:00
Henrique Dias
31194fb57a
fix: correctly clean path 2026-02-28 10:31:09 +01:00
Ariel Leyva
f67bccf8c5
feat: support for multiple encodings in CSV files (#5756) 2026-02-14 07:37:28 +01:00
Nian
6a76dfeba9
fix: respect Accept-Encoding for pre-compressed JS (#5750) 2026-02-14 07:30:10 +01:00
Henrique Dias
489af403a1
fix: remove skip clean 2026-02-08 08:02:03 +01:00
Henrique Dias
ff2f00498c
fix: normalize fields capitalization 2026-02-08 07:50:40 +01:00
Arran
08d7a1504c
feat: Add Redis upload cache for multi-replica deployments (#5724) 2026-02-01 17:08:40 +01:00
Ariel Leyva
d441b28f43
fix: avoid 409 conflict when renaming files differing only by case (#5729) 2026-02-01 11:37:07 +01:00
Ariel Leyva
cfa6c5864e
fix: request current password when deleting users (#5667) 2026-01-18 08:36:25 +01:00
Beckam White
fda8a99292
feat: add "redirect after copy/move" user setting (#5662) 2026-01-10 10:27:54 +01:00
Jagadam Dinesh Reddy
4fd18a382c
feat: force file sync while uploading file (#5668) 2026-01-10 09:30:08 +01:00
Ariel Leyva
b8151a038a
fix: request a password to change sensitive user data (#5629) 2026-01-03 08:44:03 +01:00
Ariel Leyva
a2d80c62c1
feat: add "disable image resolution calculation" flag (#5638) 2025-12-29 08:25:49 +01:00
Dominik
9595f3939c
fix: conversion of backslashes in file paths for archive creation (#5637)
Co-authored-by: FadedAtlas <fadedatlas.shield181@slmail.me>
2025-12-28 22:07:00 +01:00
Ramires Viana
20bfd131c6
feat: support streaming response for search results (#5630)
Co-authored-by: manx98 <1323517022@qq.com>
2025-12-28 21:57:25 +01:00