Log in
SECURITY: fix single-file shares
20 September 2025 om 01:19
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image β± similar software β± client testbed
there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-09-07)
β οΈ ATTN: this release fixes CVE-2025-58753, an issue with shares
- when a share is created for just one or more files inside a folder, it was possible to access the other files inside that folder by guessing the filenames
- it was not possible to descend into subdirectories in this manner; only the sibling files were accessible
- NOTE: this does NOT affect filekeys; this is specifically regarding the
shrglobal-option
recent important news
- v1.19.8 (2025-09-07) fixed CVE-2025-58753 (a missing permission-check inside single-file shares)
- v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
- v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details
π§ͺ new features
- #761 IdP: option to replace the login/logout links and buttons with redirects into an IdP UI 09f2299
- #726 disk-usage and server-version can be selectively hidden according to user permissions 19a4c45
- option
--shr-who/ volflagshr_whodecides who is able to create a share of that volume edafa15 - #751 nixos: add globalExtraConfig to specify repeatable config parameters (thx @xvrqt!) 09e3018
- some very small speedups (mainly u2c and ancient python versions) 74821a3
- #759 #393 total folder size now decreases when files inside are deleted 96b109b
- would previously require a reindex to get back on track
π©Ή bugfixes
- fix GHSA-pxvw-4w88-6x95 by fencing fileshares to just the shared files e0a92ba
- #397 prevent hinting at valid passwords, even if they cannot be used to authenticate with 7a4ee4d
- #747 disable some features if
/tmpmust be used for runtime config e6755aa- the config-folder will now also be created with chmod 700 (accessible by owner only)
- #733 #298 fix hotkeys on non-qwerty keyboard layouts (dvorak etc.) e798a9a
- #539 ftp-server: support clients which never does a CWD b049631
- ignore the plaintext session-cookie on https; fixes some confusing behavior when switching from https to http c71128f
og-uawould prevent clients matching the pattern from accessing fullsize filesog-uawas only possible to set globally; theog_uavolflag was ignored 422f8f6- uds / unix-domain-sockets got wrong permissions when
rm-sckwas used e270fe6 - #727 macos: support running from config-files 230a146
- #539 avoid issues if someone uploads a file with a last-modified timestamp from year -9999999999999 eeb7738
- using the spacebar to pause a video was jank on chrome bfcb6ea
- block the next-song hotkey while a folder is loading f7e08ed
- #748 fix rare js-panic when an action is aborted aaeec11
- #738 bubbleparty: use /bin/bash (thx @ckastner!) 0469b5a
π§ other changes
- partyfuse: nice speedup by caching
readdirtoo 06d2654 - partyfuse: explain usage with usernames 1cdb388
- connect-page: better examples when usernames enabled 3bdef75
- docker: fix image annotations ab56238
π fun facts
β οΈ not the latest version!
