
v2.6.3

@github-actions github-actions released this 15 Nov 17:17
· 189 commits to main since this release
cf3e1d3

New features

  • EventManager: system commands are disabled by default and an allow list has been added to explicitly define which ones are allowed. CVE-2024-52309. Thanks to @hyperreality for reporting.
  • EventManager: add {{EscapedVirtualPath}} placeholder.
  • EventManager: add {{DateTime}} placeholder.

Bug Fixes

  • WebAdmin: check CSRF header when deleting blocked hosts in the same way we already do for all other state-changing endpoints.
  • WebAdmin: correctly display multiple active connections for the same session.
  • WebClient: improve readability of upload progress.
  • Plugins: fix passing additional environment variables.

Backward incompatible changes

If you rely on EventManager to execute system commands, you should add the commands to the allowed list like this:

SFTPGO_COMMON__EVENT_MANAGER__ENABLED_COMMANDS="/bin/command1,/usr/bin/command2"
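The following Go program is an added illustration of the default-deny allow-list behaviour this setting describes; it is not SFTPGo's own implementation. It assumes only what the notes state: the variable holds a comma-separated list of absolute command paths, and anything not on the list is refused. Entries are cleaned and compared by exact absolute path, so a relative name (which would otherwise resolve through PATH) and a path not on the list are both rejected.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Name of the setting shown in the release notes.
const enabledCommandsEnv = "SFTPGO_COMMON__EVENT_MANAGER__ENABLED_COMMANDS"

// ErrCommandNotAllowed is returned for any command outside the allow list.
var ErrCommandNotAllowed = errors.New("command not in allow list")

// ParseEnabledCommands splits the comma-separated value, trims whitespace,
// drops empty entries and rejects relative paths: a relative entry would match
// whatever happens to be first on PATH, which defeats the purpose of an allow list.
func ParseEnabledCommands(value string) ([]string, error) {
	var allowed []string
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		if !filepath.IsAbs(entry) {
			return nil, fmt.Errorf("allow-list entry %q is not an absolute path", entry)
		}
		allowed = append(allowed, filepath.Clean(entry))
	}
	return allowed, nil
}

// IsCommandAllowed is default-deny: an empty list permits nothing, and a command
// is permitted only on an exact match of its cleaned absolute path.
func IsCommandAllowed(allowed []string, cmd string) bool {
	if !filepath.IsAbs(cmd) {
		return false
	}
	cmd = filepath.Clean(cmd)
	for _, a := range allowed {
		if a == cmd {
			return true
		}
	}
	return false
}

// CheckCommand is the guard an event action would call before executing anything.
func CheckCommand(allowed []string, cmd string) error {
	if !IsCommandAllowed(allowed, cmd) {
		return fmt.Errorf("%w: %s", ErrCommandNotAllowed, cmd)
	}
	return nil
}

func main() {
	// Reads the real environment; with the variable unset every command is denied.
	allowed, err := ParseEnabledCommands(os.Getenv(enabledCommandsEnv))
	if err != nil {
		fmt.Println("bad configuration:", err)
		os.Exit(1)
	}
	// Constructed sample requests: two from the notes' example, one not listed, one relative.
	for _, cmd := range []string{"/bin/command1", "/usr/bin/command2", "/bin/sh", "command1"} {
		fmt.Printf("%-18s allowed=%v\n", cmd, IsCommandAllowed(allowed, cmd))
	}
}
```

Run it with the variable set as in the notes to see the two listed commands accepted and the other two refused; run it with the variable unset to see that nothing is accepted, which is the post-2.6.3 default the notes describe.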

The following admin permissions have been removed:

  • manage_admins
  • manage_apikeys
  • manage_system
  • retention_checks
  • manage_event_rules
  • manage_roles
  • manage_ip_lists

To replace the removed granular permissions you now need to grant the * permission, because each of the removed permissions allowed actions that should only be available to super administrators.
For example, you could define an administrator with the manage_system permission but without manage_admins or manage_user; manage_system still allowed restoring a backup, and a restored backup can create users and administrators.
Separate, overlapping permissions therefore served no purpose.