filebrowser/http
Henrique Dias 847d08bdd1
fix: address three security disclosures (archive traversal, login DoS, symlink escape)
- http/raw.go: strip Windows backslash separators from archive entry names
  on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored
  backslash filename was emitted verbatim and could escape the extraction
  directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8)

- http/auth.go: cap the login and signup request bodies with
  http.MaxBytesReader (1 MiB). The JSON decoder previously read an
  arbitrarily large password into memory before bcrypt truncated it,
  enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4)

- files/file.go, http/resource.go: add files.WithinScope and refuse to
  follow a symlink whose on-disk target escapes the user's scoped root,
  on both the read path (stat) and the write path (writeFile). Prevents a
  scoped user from reading/overwriting/sharing files outside their scope
  via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 11:21:00 +02:00
..
auth.go fix: address three security disclosures (archive traversal, login DoS, symlink escape) 2026-06-03 11:21:00 +02:00
commands.go refactor: cleanup package names (#5605) 2025-12-06 10:52:11 +01:00
data.go fix: incorrect access control in public directory shares via rule path rebasing 2026-06-03 10:24:05 +02:00
headers.go refactor: cleanup package names (#5605) 2025-12-06 10:52:11 +01:00
http.go fix: Fix conflict modal and add a resume transfert option (#5884) 2026-05-05 14:24:06 +02:00
preview.go refactor: cleanup package names (#5605) 2025-12-06 10:52:11 +01:00
preview_enum.go refactor: cleanup package names (#5605) 2025-12-06 10:52:11 +01:00
public.go fix: incorrect access control in public directory shares via rule path rebasing 2026-06-03 10:24:05 +02:00
public_test.go fix: incorrect access control in public directory shares via rule path rebasing 2026-06-03 10:24:05 +02:00
raw.go fix: address three security disclosures (archive traversal, login DoS, symlink escape) 2026-06-03 11:21:00 +02:00
raw_test.go fix: include filename in Content-Disposition header for inline downloads (#5860) 2026-03-28 19:03:07 +01:00
resource.go fix: address three security disclosures (archive traversal, login DoS, symlink escape) 2026-06-03 11:21:00 +02:00
search.go feat: support streaming response for search results (#5630) 2025-12-28 21:57:25 +01:00
settings.go fix: request a password to change sensitive user data (#5629) 2026-01-03 08:44:03 +01:00
share.go fix: show item shares from all users to admins (#5941) 2026-05-17 15:01:02 +02:00
static.go fix: json escaping 2026-03-28 19:54:21 +01:00
subtitle.go refactor: cleanup package names (#5605) 2025-12-06 10:52:11 +01:00
tus_handlers.go fix(tus): reject negative upload-length to prevent inconsistent cache entry (#5876) 2026-04-04 09:11:50 +02:00
upload_cache_memory.go feat: Add Redis upload cache for multi-replica deployments (#5724) 2026-02-01 17:08:40 +01:00
upload_cache_redis.go fix: touch Redis upload cache key on GetLength to prevent TTL expiry (#5850) 2026-03-26 16:27:28 +01:00
users.go fix: check download permission when sharing permission is enabled (#5875) 2026-04-04 09:11:21 +02:00
utils.go fix: base url/reverse proxy redirect 2026-03-14 09:30:35 +01:00