Releases: error311/FileRise
Release list
v3.21.0
Changes 07/05/2026 (v3.21.0)
release(v3.21.0): authentication and public config hardening
Commit message
release(v3.21.0): authentication and public config hardening
- security(auth): enforce disabled login methods server-side
- security(auth): add source-wide failed-login throttling
- security(config): sanitize public footer branding HTML server-side
Fixed
-
Login method policy hardening
- Form login, Basic Auth login, and OIDC login now enforce the configured disabled-login-method flags on the server.
- Direct requests to disabled login endpoints now return
403 Forbiddenbefore credential validation or OIDC flow setup.
-
Login throttling hardening
- Login throttling now keeps the existing per-source-and-username limit and also applies a source-wide failed-attempt limit.
- Rotating usernames from the same source no longer grants unlimited fresh login-attempt budgets.
-
Public branding config hardening
- Public site configuration now sanitizes footer branding HTML server-side before returning it to clients.
- Existing safe footer text, inline formatting, and safe links are preserved.
Upgrade notes
- Deployments that intentionally disabled a login method in the Admin Panel must now re-enable it before direct API use of that method will work.
- Deployments behind reverse proxies should verify trusted proxy/IP header settings so login throttling uses the real client IP instead of the proxy address.
- Footer branding now permits safe text, inline formatting, and safe links; unsupported active or embedded HTML is stripped.
v3.21.0
Full Changelog
SHA-256 (zip)
453fea2c671916366d9517547833a6f39bcd3f3bab7bc1f8a579b63c930d6e92 FileRise-v3.21.0.zip
v3.20.0
Changes 07/03/2026 (v3.20.0)
release(v3.20.0): file preview hardening
Commit message
release(v3.20.0): file preview hardening
- security(file): require authentication before snippet preview access
Fixed
- File preview hardening
- File snippet previews now require an authenticated session before any ACL, path, or file-content handling.
- Unauthenticated snippet requests now return
401 Unauthorized.
v3.20.0
Full Changelog
SHA-256 (zip)
84930a4ad83346285f0f513fccadce7366beb025f5d3ea68e53ee9e556609909 FileRise-v3.20.0.zip
v3.19.0
Changes 06/26/2026 (v3.19.0)
release(v3.19.0): folder creation hardening
Commit message
release(v3.19.0): folder creation hardening
- security(folder): reject traversal segments before directory creation
Fixed
- Folder creation hardening
- Folder creation now rejects
.and..path segments before creating directories. - Local folder creation now verifies the parent path stays inside the configured upload root before directory creation.
- Existing valid child-folder and root-relative nested folder creation behavior is preserved.
- Folder creation now rejects
v3.19.0
Full Changelog
SHA-256 (zip)
1c53769c1e47eb9591bd7f5fb04ea4fca2e0f1cc3cac5adb2dc4be3ee2c2ce74 FileRise-v3.19.0.zip
v3.18.0
Changes 06/23/2026 (v3.18.0)
release(v3.18.0): file operation hardening
Commit message
release(v3.18.0): file operation hardening
- security(upload): reject shared-upload filename collisions and require edit authority for replacements
- security(metadata): use collision-resistant folder metadata filenames
Fixed
-
Upload overwrite hardening
- Public shared-folder and portal uploads are now create-only when the destination filename already exists.
- Authenticated uploads now require edit authority plus ownership, folder ownership, admin, or bypass ownership before replacing an existing file.
- Upload collision errors preserve the original file content and return an explicit conflict/permission response.
-
Folder metadata isolation hardening
- Folder metadata filenames now preserve distinct logical folder paths instead of flattening separators and spaces into the same name.
- Ownership and
read_ownchecks now resolve metadata from the same isolated path used by uploads, file operations, WebDAV, and background transfer handling. - Simple non-colliding folder metadata filenames remain compatible; existing metadata for collision-prone folders is copied into the isolated filename on first access.
v3.18.0
Full Changelog
SHA-256 (zip)
cf024445b2fad4074b63ede97a6282765016a83c3a6d8ca3aeb62441d8b1db5e FileRise-v3.18.0.zip
v3.17.0
Changes 06/20/2026 (v3.17.0)
release(v3.17.0): phpseclib dependency security update
Commit message
release(v3.17.0): phpseclib dependency security update
- deps(composer): upgrade phpseclib/phpseclib to 3.0.55
Changed
- Dependency security maintenance
- Updated
phpseclib/phpseclibto3.0.55in Composer dependencies and the locked dependency set.
- Updated
v3.17.0
Full Changelog
SHA-256 (zip)
85872bf3fdcade00288567448a444757806a87557eb4818351d9ed29be08d136 FileRise-v3.17.0.zip
v3.16.0
Changes 06/16/2026 (v3.16.0)
release(v3.16.0): security hardening
Commit message
release(v3.16.0): security hardening
- security(auth): require trusted proxy source validation for proxy-header login
- security(webdav): block password-only WebDAV login for TOTP-enabled accounts
- security(extract): apply blocked upload filename policy before archive extraction
- security(setup): keep first-run setup closed after initial admin creation
- security(auth): resolve remember-me admin status from the current user role
- security(upload): reject encoded path separators before upload writes
Fixed
-
Proxy-header login hardening
- Proxy-header login now accepts the configured identity header only from sources listed in
FR_TRUSTED_PROXIES. - If you already use proxy-header login, set
FR_TRUSTED_PROXIESto the reverse proxy IP or CIDR before upgrading; otherwise FileRise will ignore the identity header and users will not be auto-authenticated.
- Proxy-header login now accepts the configured identity header only from sources listed in
-
WebDAV MFA hardening
- WebDAV no longer accepts password-only Basic authentication for accounts that have TOTP enabled.
- Users who need WebDAV access should use an account without TOTP until a separate app-password flow is available.
-
Archive extraction hardening
- Archive extraction now applies the blocked upload filename policy before files are written to disk.
- Mixed archives can still extract allowed files while blocked file types are skipped and reported as warnings.
-
First-run setup hardening
- FileRise now writes a setup-complete marker after initial admin creation and also creates it automatically for existing installs with users.
- If
users.txtlater becomes empty, first-run setup remains closed and requires out-of-band recovery.
-
Remember-me role hardening
- Remember-me auto-login now resolves admin status from the current user record instead of trusting role data stored with the token.
- Rotated and newly issued remember-me tokens no longer store the admin flag.
-
Upload filename hardening
- Upload handling now rejects encoded path separators before resolving the destination path.
- Normal filenames and allowed folder upload paths continue to work.
v3.16.0
Full Changelog
SHA-256 (zip)
a042bfafa530c7341adfce108801af0288ada2a84c520d18c2bcb16302cfcccc FileRise-v3.16.0.zip
v3.15.0
Changes 06/11/2026 (v3.15.0)
release(v3.15.0): shared-folder boundary hardening
Commit message
release(v3.15.0): shared-folder boundary hardening
- security(shares): keep shared-folder subpaths inside the original shared folder boundary
Fixed
- Shared-folder boundary hardening
- Tightened public shared-folder subpath handling so listing, direct file download, upload targets, and ZIP creation remain inside the originally shared folder.
- Existing normal files, subfolders, and in-bound shared-folder content remain supported.
v3.15.0
Full Changelog
SHA-256 (zip)
3915ba1d5beccfe4cf84b32f26b4a0c53120b33e5bcdf5f0c8ed14d206b1bb2c FileRise-v3.15.0.zip
v3.14.0
Changes 06/03/2026 (v3.14.0)
release(v3.14.0): request validation hardening and symfony/yaml dependency update
Commit message
release(v3.14.0): request validation hardening and symfony/yaml dependency update
- security(csrf): enforce request-token checks on additional file and admin POST actions
- deps(composer): upgrade symfony/yaml to 8.0.12
Fixed
- Request validation hardening
- Added server-side CSRF enforcement to file creation and file share-link creation.
- Added CSRF enforcement to admin OIDC discovery and ClamAV self-test POST actions.
- Existing web UI flows continue to send the required CSRF token for these actions.
Changed
- Dependency security maintenance
- Updated
symfony/yamlto8.0.12in Composer dev dependencies and the locked dependency set.
- Updated
v3.14.0
Full Changelog
SHA-256 (zip)
bd68703dc9140caa8f7cbc8c1a4be004ef9e665d01316fd527fe38b0a76b99e5 FileRise-v3.14.0.zip
v3.13.0
Changes 05/07/2026 (v3.13.0)
release(v3.13.0): DOMPurify and phpseclib dependency updates
Commit message
release(v3.13.0): DOMPurify and phpseclib dependency updates
- deps(frontend): upgrade bundled DOMPurify from 3.3.1 to 3.4.2
- deps(composer): upgrade phpseclib/phpseclib to 3.0.52
Changed
- Dependency security maintenance
- Updated bundled DOMPurify from
3.3.1to3.4.2and pointed the app shell at the new vendored path. - Updated
phpseclib/phpseclibto3.0.52in Composer dependencies and the locked dependency set.
- Updated bundled DOMPurify from
v3.13.0
Full Changelog
SHA-256 (zip)
d10522271eeadb3556329ab87b292faf5b143b7035dea78c1a0d63f4e3ad977e FileRise-v3.13.0.zip
v3.12.0
Changes 04/29/2026 (v3.12.0)
release(v3.12.0): TOTP setup flow hardening
Commit message
release(v3.12.0): TOTP setup flow hardening
- auth(totp): tighten setup QR access to fully authenticated profile sessions
- auth(totp): avoid reusing existing TOTP enrollment data during setup
Fixed
- TOTP setup flow hardening
- Tightened TOTP setup so enrollment QR generation is only available from a fully authenticated profile session.
- Accounts that already have TOTP configured are no longer offered a setup QR for the existing enrollment.
- Existing TOTP sign-in, recovery-code, disable, and first-time setup flows remain supported.
Changed
- Authenticator re-enrollment behavior
- Users who need to enroll a replacement authenticator should disable TOTP and enable it again to generate a fresh enrollment.
v3.12.0
Full Changelog
SHA-256 (zip)
40e8c5c1c30f6196c0dabe69437377ddb9ca6a7fba4440de4e63e6da152673a2 FileRise-v3.12.0.zip