v2.6.3
New features
- EventManager: system commands are disabled by default and an allow list has been added to explicitly define which ones are allowed. CVE-2024-52309. Thanks to @hyperreality for reporting.
- EventManager: add
{{EscapedVirtualPath}}
placeholder. - EventManager: add
{{DateTime}}
placeholder.
Bug Fixes
- WebAdmin: check CSRF header when deleting blocked hosts in the same way we already do for all other state-changing endpoints.
- WebAdmin: correctly display multiple active connections for the same session.
- WebClient: improve readability of upload progress.
- Plugins: fix passing additional environment variables.
Backward incompatible changes
If you rely on EventManager to execute system commands, you should add the commands to the allowed list like this:
SFTPGO_COMMON__EVENT_MANAGER__ENABLED_COMMANDS="/bin/command1,/usr/bin/command2"
The following admin permissions have been removed:
- manage_admins
- manage_apikeys
- manage_system
- retention_checks
- manage_event_rules
- manage_roles
- manage_ip_lists
Now you need to add the *
permission to replace the removed granular permissions because the removed permissions allow actions that should only be allowed to super administrators.
For example, you can define an administrator with the manage_system
permission and not with the manage_admins
or manage_user
permission, but the manage_system
permission allows you to restore a backup and then create users and administrators.
There is no point in having separate, overlapping permissions.