Merge https://github.com/filebrowser/filebrowser:master (fe7efb2) into oadp-dev#18
Merge https://github.com/filebrowser/filebrowser:master (fe7efb2) into oadp-dev#18oadp-rebasebot-app[bot] wants to merge 75 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: oadp-rebasebot-app[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @oadp-rebasebot-app[bot]. Thanks for your PR. I'm waiting for a migtools member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
16a88fb to
44b416d
Compare
…, symlink escape) - http/raw.go: strip Windows backslash separators from archive entry names on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored backslash filename was emitted verbatim and could escape the extraction directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8) - http/auth.go: cap the login and signup request bodies with http.MaxBytesReader (1 MiB). The JSON decoder previously read an arbitrarily large password into memory before bcrypt truncated it, enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4) - files/file.go, http/resource.go: add files.WithinScope and refuse to follow a symlink whose on-disk target escapes the user's scoped root, on both the read path (stat) and the write path (writeFile). Prevents a scoped user from reading/overwriting/sharing files outside their scope via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…p-gpj6) When Signup is enabled with the default scope and createUserDir off, every self-registered user inherits the served root and can read/modify/delete all files. Add a startup WARNING for this configuration and document the risk and the --createUserDir mitigation. No behavior or default change.
…6h-j3ww) The fix for CVE-2026-54093 rewrote backslashes to the path separator "/" in archive entry names. On POSIX hosts a backslash is a legal filename byte, so that rewrite manufactured a traversal sequence ("..\..\x" -> "../../x") out of a single in-scope file, turning a Windows-only zip-slip into a cross-platform one. Neutralize backslashes to an inert character instead, and reject any entry whose name is not already a normalized root-relative path. Adds a regression test that downloads a folder containing a backslash-named file as a zip.
…-g7h6-22m7) cleanUsername is many-to-one, so distinct usernames (e.g. "teamone/x" and "teamone-x") can normalize to the same home directory. With CreateUserDir enabled, the second registrant silently reused the first user's directory, breaking per-user isolation. Add a GetByScope lookup and reject a signup whose derived scope is already taken. The check is gated on CreateUserDir: when it is off, signups intentionally share the configured default scope. Adds a regression test for the colliding-username case.
…GHSA-833g-cqhp-h72j) The share management endpoints serialized the storage struct directly, returning the bcrypt password_hash (crackable offline) and the bypass token for every share an authenticated caller could list, with admins seeing them for all users. Return a response DTO that exposes only whether a share is password-protected (hasPassword) and drops both secrets. The storage struct keeps its tags so the secrets stay persisted and the server-side auth/public flows are unchanged. Updates the frontend to use hasPassword and adds a regression test.
…SA-pp88-jhwj-5qh5) DeleteWithPathPrefix queried the share index with the raw path, so deleting a directory through a trailing-slash path (e.g. DELETE /api/resources/a/) only matched descendants like /a/child and missed the exact /a share, leaving it in storage. If the same path was later recreated, the stale public share re-exposed the new content. Normalize the path before the prefix query so the exact share and its descendants are both removed. Adds a regression test.
8d7b847 to
81bb486
Compare
New config option: --branding.disableUserProfile This option allows to disable User Profile together with User settings. Signed-off-by: Michal Pryc <mpryc@redhat.com>
New config option: --branding.defaultLoginUser "username" This option allows to provide default Username, which will result in hiding username field from the welcome page. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Removes Help options "Delete" and "Rename" if the following permissions are revoked from a particular user: --perm.delete=false --perm.rename=false Signed-off-by: Michal Pryc <mpryc@redhat.com>
Add multi-stage Containerfile for UBI-based builds. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Adds OWNERS file. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Fix downstream changes to match upstream refactored functions. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Disable Validate Title check (semantic commit PR titles are not used downstream). Fix Go version to 1.25 and add oadp-* branches to CI triggers.
81bb486 to
7882e03
Compare
No description provided.