Skip to content

Releases: error311/FileRise

v3.21.0

Choose a tag to compare

@github-actions github-actions released this 05 Jul 16:05

Changes 07/05/2026 (v3.21.0)

release(v3.21.0): authentication and public config hardening

Commit message

release(v3.21.0): authentication and public config hardening

- security(auth): enforce disabled login methods server-side
- security(auth): add source-wide failed-login throttling
- security(config): sanitize public footer branding HTML server-side

Fixed

  • Login method policy hardening

    • Form login, Basic Auth login, and OIDC login now enforce the configured disabled-login-method flags on the server.
    • Direct requests to disabled login endpoints now return 403 Forbidden before credential validation or OIDC flow setup.
  • Login throttling hardening

    • Login throttling now keeps the existing per-source-and-username limit and also applies a source-wide failed-attempt limit.
    • Rotating usernames from the same source no longer grants unlimited fresh login-attempt budgets.
  • Public branding config hardening

    • Public site configuration now sanitizes footer branding HTML server-side before returning it to clients.
    • Existing safe footer text, inline formatting, and safe links are preserved.

Upgrade notes

  • Deployments that intentionally disabled a login method in the Admin Panel must now re-enable it before direct API use of that method will work.
  • Deployments behind reverse proxies should verify trusted proxy/IP header settings so login throttling uses the real client IP instead of the proxy address.
  • Footer branding now permits safe text, inline formatting, and safe links; unsupported active or embedded HTML is stripped.

v3.21.0

Full Changelog

v3.20.0 β†’ v3.21.0

SHA-256 (zip)

453fea2c671916366d9517547833a6f39bcd3f3bab7bc1f8a579b63c930d6e92  FileRise-v3.21.0.zip

v3.20.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 04:28

Changes 07/03/2026 (v3.20.0)

release(v3.20.0): file preview hardening

Commit message

release(v3.20.0): file preview hardening

- security(file): require authentication before snippet preview access

Fixed

  • File preview hardening
    • File snippet previews now require an authenticated session before any ACL, path, or file-content handling.
    • Unauthenticated snippet requests now return 401 Unauthorized.

v3.20.0

Full Changelog

v3.19.0 β†’ v3.20.0

SHA-256 (zip)

84930a4ad83346285f0f513fccadce7366beb025f5d3ea68e53ee9e556609909  FileRise-v3.20.0.zip

v3.19.0

Choose a tag to compare

@github-actions github-actions released this 26 Jun 04:03

Changes 06/26/2026 (v3.19.0)

release(v3.19.0): folder creation hardening

Commit message

release(v3.19.0): folder creation hardening

- security(folder): reject traversal segments before directory creation

Fixed

  • Folder creation hardening
    • Folder creation now rejects . and .. path segments before creating directories.
    • Local folder creation now verifies the parent path stays inside the configured upload root before directory creation.
    • Existing valid child-folder and root-relative nested folder creation behavior is preserved.

v3.19.0

Full Changelog

v3.18.0 β†’ v3.19.0

SHA-256 (zip)

1c53769c1e47eb9591bd7f5fb04ea4fca2e0f1cc3cac5adb2dc4be3ee2c2ce74  FileRise-v3.19.0.zip

v3.18.0

Choose a tag to compare

@github-actions github-actions released this 23 Jun 22:29

Changes 06/23/2026 (v3.18.0)

release(v3.18.0): file operation hardening

Commit message

release(v3.18.0): file operation hardening

- security(upload): reject shared-upload filename collisions and require edit authority for replacements
- security(metadata): use collision-resistant folder metadata filenames

Fixed

  • Upload overwrite hardening

    • Public shared-folder and portal uploads are now create-only when the destination filename already exists.
    • Authenticated uploads now require edit authority plus ownership, folder ownership, admin, or bypass ownership before replacing an existing file.
    • Upload collision errors preserve the original file content and return an explicit conflict/permission response.
  • Folder metadata isolation hardening

    • Folder metadata filenames now preserve distinct logical folder paths instead of flattening separators and spaces into the same name.
    • Ownership and read_own checks now resolve metadata from the same isolated path used by uploads, file operations, WebDAV, and background transfer handling.
    • Simple non-colliding folder metadata filenames remain compatible; existing metadata for collision-prone folders is copied into the isolated filename on first access.

v3.18.0

Full Changelog

v3.17.0 β†’ v3.18.0

SHA-256 (zip)

cf024445b2fad4074b63ede97a6282765016a83c3a6d8ca3aeb62441d8b1db5e  FileRise-v3.18.0.zip

v3.17.0

Choose a tag to compare

@github-actions github-actions released this 21 Jun 02:00

Changes 06/20/2026 (v3.17.0)

release(v3.17.0): phpseclib dependency security update

Commit message

release(v3.17.0): phpseclib dependency security update

- deps(composer): upgrade phpseclib/phpseclib to 3.0.55

Changed

  • Dependency security maintenance
    • Updated phpseclib/phpseclib to 3.0.55 in Composer dependencies and the locked dependency set.

v3.17.0

Full Changelog

v3.16.0 β†’ v3.17.0

SHA-256 (zip)

85872bf3fdcade00288567448a444757806a87557eb4818351d9ed29be08d136  FileRise-v3.17.0.zip

v3.16.0

Choose a tag to compare

@github-actions github-actions released this 17 Jun 02:31

Changes 06/16/2026 (v3.16.0)

release(v3.16.0): security hardening

Commit message

release(v3.16.0): security hardening

- security(auth): require trusted proxy source validation for proxy-header login
- security(webdav): block password-only WebDAV login for TOTP-enabled accounts
- security(extract): apply blocked upload filename policy before archive extraction
- security(setup): keep first-run setup closed after initial admin creation
- security(auth): resolve remember-me admin status from the current user role
- security(upload): reject encoded path separators before upload writes

Fixed

  • Proxy-header login hardening

    • Proxy-header login now accepts the configured identity header only from sources listed in FR_TRUSTED_PROXIES.
    • If you already use proxy-header login, set FR_TRUSTED_PROXIES to the reverse proxy IP or CIDR before upgrading; otherwise FileRise will ignore the identity header and users will not be auto-authenticated.
  • WebDAV MFA hardening

    • WebDAV no longer accepts password-only Basic authentication for accounts that have TOTP enabled.
    • Users who need WebDAV access should use an account without TOTP until a separate app-password flow is available.
  • Archive extraction hardening

    • Archive extraction now applies the blocked upload filename policy before files are written to disk.
    • Mixed archives can still extract allowed files while blocked file types are skipped and reported as warnings.
  • First-run setup hardening

    • FileRise now writes a setup-complete marker after initial admin creation and also creates it automatically for existing installs with users.
    • If users.txt later becomes empty, first-run setup remains closed and requires out-of-band recovery.
  • Remember-me role hardening

    • Remember-me auto-login now resolves admin status from the current user record instead of trusting role data stored with the token.
    • Rotated and newly issued remember-me tokens no longer store the admin flag.
  • Upload filename hardening

    • Upload handling now rejects encoded path separators before resolving the destination path.
    • Normal filenames and allowed folder upload paths continue to work.

v3.16.0

Full Changelog

v3.15.0 β†’ v3.16.0

SHA-256 (zip)

a042bfafa530c7341adfce108801af0288ada2a84c520d18c2bcb16302cfcccc  FileRise-v3.16.0.zip

v3.15.0

Choose a tag to compare

@github-actions github-actions released this 12 Jun 01:44

Changes 06/11/2026 (v3.15.0)

release(v3.15.0): shared-folder boundary hardening

Commit message

release(v3.15.0): shared-folder boundary hardening

- security(shares): keep shared-folder subpaths inside the original shared folder boundary

Fixed

  • Shared-folder boundary hardening
    • Tightened public shared-folder subpath handling so listing, direct file download, upload targets, and ZIP creation remain inside the originally shared folder.
    • Existing normal files, subfolders, and in-bound shared-folder content remain supported.

v3.15.0

Full Changelog

v3.14.0 β†’ v3.15.0

SHA-256 (zip)

3915ba1d5beccfe4cf84b32f26b4a0c53120b33e5bcdf5f0c8ed14d206b1bb2c  FileRise-v3.15.0.zip

v3.14.0

Choose a tag to compare

@github-actions github-actions released this 03 Jun 04:27

Changes 06/03/2026 (v3.14.0)

release(v3.14.0): request validation hardening and symfony/yaml dependency update

Commit message

release(v3.14.0): request validation hardening and symfony/yaml dependency update

- security(csrf): enforce request-token checks on additional file and admin POST actions
- deps(composer): upgrade symfony/yaml to 8.0.12

Fixed

  • Request validation hardening
    • Added server-side CSRF enforcement to file creation and file share-link creation.
    • Added CSRF enforcement to admin OIDC discovery and ClamAV self-test POST actions.
    • Existing web UI flows continue to send the required CSRF token for these actions.

Changed

  • Dependency security maintenance
    • Updated symfony/yaml to 8.0.12 in Composer dev dependencies and the locked dependency set.

v3.14.0

Full Changelog

v3.13.0 β†’ v3.14.0

SHA-256 (zip)

bd68703dc9140caa8f7cbc8c1a4be004ef9e665d01316fd527fe38b0a76b99e5  FileRise-v3.14.0.zip

v3.13.0

Choose a tag to compare

@github-actions github-actions released this 07 May 07:20

Changes 05/07/2026 (v3.13.0)

release(v3.13.0): DOMPurify and phpseclib dependency updates

Commit message

release(v3.13.0): DOMPurify and phpseclib dependency updates

- deps(frontend): upgrade bundled DOMPurify from 3.3.1 to 3.4.2
- deps(composer): upgrade phpseclib/phpseclib to 3.0.52

Changed

  • Dependency security maintenance
    • Updated bundled DOMPurify from 3.3.1 to 3.4.2 and pointed the app shell at the new vendored path.
    • Updated phpseclib/phpseclib to 3.0.52 in Composer dependencies and the locked dependency set.

v3.13.0

Full Changelog

v3.12.0 β†’ v3.13.0

SHA-256 (zip)

d10522271eeadb3556329ab87b292faf5b143b7035dea78c1a0d63f4e3ad977e  FileRise-v3.13.0.zip

v3.12.0

Choose a tag to compare

@github-actions github-actions released this 30 Apr 00:57

Changes 04/29/2026 (v3.12.0)

release(v3.12.0): TOTP setup flow hardening

Commit message

release(v3.12.0): TOTP setup flow hardening

- auth(totp): tighten setup QR access to fully authenticated profile sessions
- auth(totp): avoid reusing existing TOTP enrollment data during setup

Fixed

  • TOTP setup flow hardening
    • Tightened TOTP setup so enrollment QR generation is only available from a fully authenticated profile session.
    • Accounts that already have TOTP configured are no longer offered a setup QR for the existing enrollment.
    • Existing TOTP sign-in, recovery-code, disable, and first-time setup flows remain supported.

Changed

  • Authenticator re-enrollment behavior
    • Users who need to enroll a replacement authenticator should disable TOTP and enable it again to generate a fresh enrollment.

v3.12.0

Full Changelog

v3.11.2 β†’ v3.12.0

SHA-256 (zip)

40e8c5c1c30f6196c0dabe69437377ddb9ca6a7fba4440de4e63e6da152673a2  FileRise-v3.12.0.zip