
r2029-ls265


@LinuxServer-CI LinuxServer-CI released this 13 Apr 22:08
e949673

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls265/index.html

LinuxServer Changes:

Full Changelog: r2029-ls264...r2029-ls265

Remote Changes:

What's Changed in r2029

New Features

  • TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
  • In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

  • Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist removes disallowed tags but leaves the attributes of allowed tags untouched, so event-handler attributes such as onerror= or onmouseover= on an allowed tag survived sanitization. All attributes are now stripped from allowed tags.
  • Harden Session Cookies: Session cookies now carry the HttpOnly, Secure (when served over HTTPS), and SameSite=Lax flags.
  • Restrict Auto-Update Downloads to Official Server: The updater now enforces an origin allowlist; only HTTPS downloads from projectsend.org are accepted.
  • Fix CSRF on File Upload Endpoint: The upload endpoint skipped CSRF validation. The CSRF token is now sent with every upload chunk so each request can be checked.
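The two fixes above that describe a mechanism (the strip_tags() allowlist and the updater download allowlist) are reproduced below in isolation. This is an added example, not ProjectSend's code: the function names, the tag allowlist, and the sample payloads and URLs are constructed for illustration, and the hardened sanitizer is one way of stripping attributes, not necessarily the one the project shipped.

```php
<?php
declare(strict_types=1);

// Added example, not ProjectSend's code. Shows (1) why a strip_tags() allowlist
// left event-handler attributes in place and one way to strip every attribute
// from allowed tags, and (2) a strict HTTPS + exact-host allowlist for updater
// downloads. Function names, ALLOWED_TAGS and all sample inputs are constructed.

const ALLOWED_TAGS = '<a><b><i><img>';

// "Before": strip_tags() removes tags that are not on the allowlist but leaves
// allowed tags, attributes included, exactly as written. onerror= survives.
function sanitize_before(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

// "After": same allowlist, then every opening tag is rewritten without its
// attributes. Closing tags (</b>) carry no attributes and pass through.
// Caveat: an attribute value containing a literal '>' would be cut at that
// character; the remainder becomes text, so it cannot become a new attribute.
function sanitize_after(string $html): string
{
    $stripped = strip_tags($html, ALLOWED_TAGS);
    return preg_replace('/<([A-Za-z][A-Za-z0-9]*)\b[^>]*>/', '<$1>', $stripped);
}

// Updater allowlist: accept only https URLs whose host is exactly projectsend.org
// (the host named in the release note). Exact comparison rather than a suffix or
// substring check, so projectsend.org.attacker.example and
// https://attacker.example/?projectsend.org are rejected. Userinfo and an
// explicit port are refused too, so https://projectsend.org@attacker.example
// style URLs cannot pass a naive "contains projectsend.org" test.
function is_allowed_update_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    if (strtolower($parts['host']) !== 'projectsend.org') {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    return true;
}

// Constructed sample inputs; run with: php this_file.php
$payloads = [
    '<b onmouseover="alert(1)">hello</b>',
    '<img src=x onerror=alert(document.cookie)>',
    '<a href="javascript:alert(1)">link</a>',
    '<script>alert(1)</script>plain',
];
foreach ($payloads as $p) {
    printf("before: %s\n after: %s\n\n", sanitize_before($p), sanitize_after($p));
}

$urls = [
    'https://projectsend.org/releases/r2029.zip',
    'http://projectsend.org/releases/r2029.zip',
    'https://projectsend.org.attacker.example/r2029.zip',
    'https://attacker.example/?projectsend.org',
    'https://projectsend.org@attacker.example/r2029.zip',
    'https://projectsend.org:8443/r2029.zip',
];
foreach ($urls as $u) {
    printf("%-55s %s\n", $u, is_allowed_update_url($u) ? 'allowed' : 'rejected');
}
```

Stripping every attribute also removes href from allowed anchors, which is what the release note describes; a sanitizer that needs to keep links would have to re-add an href only after checking its scheme against http/https, since strip_tags() never inspects attribute values. For the updater, checking scheme and host separately after parse_url() is what makes the allowlist hold; any check based on whether the URL string contains the official host name is bypassable with the userinfo and subdomain inputs shown above.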

Improvements

  • Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
  • PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
  • Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

  • Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

  • PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
  • PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029