Skip to content

Releases: Sync-in/server

v2.4.2

Choose a tag to compare

@github-actions github-actions released this 26 Jun 13:51
b8688a4

Bug Fixes

  • backend:files: bound search result limit (4df1b8d)
  • backend:files: escape search terms for Unicode regex (6b5a0c5)
  • backend:files: make highlight context Unicode-aware (6e574c3)
  • frontend: pin pdf.js viewer assets to v5.7.284 (e342d01)

v2.4.1

Choose a tag to compare

@github-actions github-actions released this 24 Jun 09:27
6797d21

Security

Thanks to @456789TZ for reporting this. The mitigation against username enumeration via timing attacks has been completed.

Bug Fixes

  • auth: require step-up for app password mutations (db19b3e)
  • backend:auth: invalidate WebDAV cache on app password deletion (6dae284)
  • backend:sync: await usersManager.updateAccesses in 2FA recovery code validation (8f55344)
  • docker: add editors section in environment.yaml (1de3e09)
  • docker: add Euro-Office config to nginx volumes (a864684)
  • frontend:files: add support for dynamic editor naming in OnlyOffice components and error handling (98031da)

v2.4.0

Choose a tag to compare

@github-actions github-actions released this 22 Jun 22:50
814d4e1

Highlights

  • Euro-Office is now available as an online document editor alongside OnlyOffice and Collabora
  • Cancellable file tasks: uploads, downloads, archive creation, extraction, copies, moves and deletions can now be canceled from the task panel
  • Task queue management: file operations are now queued and limited per user to avoid too many heavy tasks running in parallel
  • Detailed task progress: long-running operations can now show clearer progress instead of only a running state
  • ZIP archive creation: Sync-in can now create ZIP archives, in addition to TAR and TGZ
  • OIDC verified email control: administrators can require verified OIDC email addresses before account linking or profile synchronization
  • Grouped editor configuration: editor settings are now centralized under applications.files.editors, with legacy OnlyOffice and Collabora settings deprecated

🐞 Bug Fixes

  • More reliable URL downloads: compressed server responses are now handled correctly, preventing size errors and incomplete downloads
  • CJK full-text search support: search now supports Chinese, Japanese, Korean and other languages without space-separated words
  • Text and Markdown editor fixes: editors now preserve focus more reliably, detect changes correctly and refresh file size after saving
  • Improved filtered selection: multi-selection remains more consistent when file lists are filtered
  • More reliable server startup: MySQL connection errors are detected earlier, allowing a clean exit and automatic restart
  • Safer configuration loading: quoted sensitive values such as secrets, database URLs and initial credentials are now loaded without keeping quote characters

⚠️ Security

  • Stronger 2FA enforcement for API tokens
    Fixed vulnerability GHSA-92cr-jxw4-5wjg.
    API token creation now correctly requires the second factor when 2FA is enabled.

  • Better protection against repeated TOTP attempts
    Fixed vulnerability GHSA-274f-6w77-8qm9.
    Failed TOTP attempts during desktop sync client registration are now counted correctly, including repeated or concurrent attempts.

  • Safer synchronization filters
    Fixed vulnerability GHSA-jx63-h26r-8cph.
    Sync filters are now validated and limited before use to prevent malicious overload during synchronization.

  • More reliable synchronization uploads
    Uploaded files are checked before replacing the destination file, preserving the existing file in case of size, quota or checksum errors.

  • Sessions aligned with account state
    Browser and WebSocket sessions now better reflect role, permission and active/inactive account changes.

  • OIDC and LDAP hardening
    New OIDC directives allow verified email enforcement and explicit private IP avatar downloads. Insecure OIDC/LDAP password authentication defaults are now disabled.

  • Stricter external login validation
    Logins from external identity providers are now limited to valid names, preventing file-path interpretation.

  • Safer archive extraction
    Archive extraction now blocks unexpected paths more reliably, cleans up interrupted extractions and applies storage quotas during extraction.

Contributors: @Stephan-P, @7185, @rchan96, @o2asdv,
Special thanks to @SakusenSec for responsibly reporting these security issues.

➡️ Read the release announcement

Features

  • auth: refresh browser user state with token renewal (cad5f12)
  • backend:auth: add OIDC verified email enforcement option (cd71b04)
  • backend:cache: add atomic bounded counter increments (c172825)
  • backend:files: add cancellable copy, move and delete tasks (e23151e)
  • backend:files: add Euro-Office editor support (9fe93bd)
  • backend:files: improve task progress tracking for copy and move operations (7939491)
  • backend:files: queue and limit concurrent tasks per user (395f841)
  • backend:files: track download, compression and extraction progress (caa6a92)
  • config: group editor config under files.editors (bd50a29)
  • files: add ZIP archive creation with optional compression (7c94d6a)
  • files: batch active task polling (e36af62)
  • files: expose task cancellation capability (14e5b9e)
  • files: make downloads and (de)compression abortable (a43025e)
  • frontend:files: add global task cancellation action (8a044bd)
  • frontend:files: cancel uploads from tasks sidebar (b01dc90)
  • frontend:files: limit concurrent uploads (81a95bc)
  • frontend:files: track queued uploads and throttle progress updates (a0ff216)

Bug Fixes

  • backend:auth: disable insecure OIDC requests by default (9e59a09)
  • backend:auth: disable LDAP local password fallback by default (d57c42d)
  • backend:auth: disable OIDC local password fallback by default (315fc75)
  • backend:auth: enforce 2FA and isolate JWT token types (3ec74e2)
  • backend:auth: harden OIDC avatar synchronization (5024afa)
  • backend:auth: increment failed attempts for 2FA-enabled users (b13a4aa)
  • backend:auth: prevent 2FA password attempt counter bypass (5f53f7f)
  • backend:auth: tolerate OIDC avatar downloads using maxSize guard (597afbf)
  • backend:auth: update failed login attempts atomically (285b870)
  • backend:auth: validate current user state for active sessions (1022355)
  • backend:config: make logger optional and quote sensitive YAML values (5390ba9)
  • backend:config: normalize quoted admin credentials (5fea5b4)
  • backend:config: support single-quoted environment values (715e761)
  • backend:files: align HEAD and GET encoding for downloads (67667f6)
  • backend:files: centralize path containment checks (e96c3f1)
  • backend:files: clean orphan task files (0d4b306)
  • backend:files: clean up task watchers on module shutdown (0ccf212)
  • backend:files: enforce storage quota during archive extraction (8fffc17)
  • backend:files: extend scheduler cleanup to stale user tmp files (c115ec2)
  • backend:files: harden archive extraction and clean up partial output (9615ed0)
  • backend:files: improve filtered file selection behavior (3ab86bc)
  • backend:files: stage archive extraction in user temp directory (06f1425)
  • backend:files: stage downloads and archives in user tmp paths bef...
Read more

v2.3.0

Choose a tag to compare

@github-actions github-actions released this 22 May 10:24
e902f7c

Highlights

  • Integrated Markdown editor: visual/source Markdown editing with tables, task lists, images, code blocks, file locking and unsaved-change protection
  • Unified editor search: shared search UI for text and Markdown editors, with result count and previous/next navigation
  • Configurable document creation: administrators can show or hide OpenDocument and Microsoft Office templates
  • Optional trash retention: automatic cleanup can now be configured separately for user spaces and collaborative spaces
  • Improved content indexing: more memory-efficient full-text indexing, batched metadata processing and safer cleanup
  • OIDC/LDAP synchronization extended: OIDC avatar synchronization and storage quota synchronization through LDAP attributes or OIDC claims
  • User visibility controls: users without a group can now be hidden from global visibility with showUngroupedUsers: false
  • Text and Markdown editing improvements: better text file detection and increased edit size limit from 10 MB to 25 MB

🐞 Bug Fixes

  • Guest link temporary paths: temporary paths for accounts associated with guest links are now created correctly
  • File storage consistency: stronger uniqueness checks prevent rare duplicate file storage cases (@zjean)
  • More reliable file unlocking: editable file locks are now released more reliably when editors or the browser are closed
  • MIME type updates: MIME types are now recalculated after file rename, move or replacement
  • Disabled space trash handling: trash for disabled spaces is now shown as disabled and can no longer be browsed
  • Improved file selection: range selection works more reliably with filtering enabled
  • Safer renaming: renaming now selects only the file name, without the extension
  • Web interface polish: sidebar submenu visibility, table row height, dialog spacing and viewer tooltips were refined

⚠️ Security

  • Trash immutability for spaces
    Files in the trash are now treated as read-only items. Modifying files in the trash and creating new files there are now blocked.

  • More reliable uploads
    Failed uploads are no longer kept in the destination space. File replacements now use temporary files before replacing the destination.

  • Better guest link isolation
    Accounts created from guest links now have restricted visibility over users and groups, limited to their managers and personal groups.

  • Fixed a security vulnerability: CVE-2026-47684
    SSRF protection for URL downloads has been strengthened, notably against IPv4-mapped IPv6 bypasses, DNS rebinding, unsafe redirects, proxy bypasses and oversized data streams.
    Reported by @x0root

Contributors: @Stephan-P, @7185, @q16marvin, @zjean, @fyr77, @TheLouD1, @markussbk, @Maxmystere, @romainsady

➡️ Read the release announcement

Features

  • backend:auth: allow trusted private IPs for OIDC avatar downloads (9c9b682)
  • backend:auth: harden OIDC avatar sync and add avatar metadata tracking (22ac4f0)
  • backend:auth: map configurable OIDC/LDAP storage quota to user profile (76b4b8c)
  • backend:files: enable HTML-to-text conversion for all base elements (6352393)
  • backend:files: optimize content indexing memory usage with batched metadata, run_id cleanup, and pending scheduler state (3d819cd)
  • backend:files: prevent file mutations in trash repository (738402c)
  • backend:files: split trash retention by repository type (1c490ee)
  • backend:files: support trusted private IP downloads (44261ea)
  • backend:files: trash retention support with indexing and cleanup (c990335)
  • backend:users: add avatar synchronization for OIDC users (8790c19)
  • backend:users: add showUngroupedUsers toggle for ungrouped account visibility (2fad377)
  • backend:users: convert uploaded avatars to PNG during update (47af28b)
  • backend:users: hide all users and groups for guest-link accounts (c5e1988)
  • files: add a disabled indexing state and update scheduler/admin indexing workflows (f7fc4f1)
  • files: add optional document types for frontend (7e8f64f)
  • frontend:files: add binary probe for unknown text files (fea9e17)
  • frontend:files: implement common file viewer search (ae3866e)
  • frontend:files: improve markdown detection and viewer handling (3d2d871)
  • frontend:files: refine file actions for trash and selection menus (666d661)
  • frontend:files: refresh MIME metadata after move (bb85795)
  • frontend:files: select filename without extension when renaming files (163b5c9)
  • frontend:files: start implementing markdown viewer editor (f36a2bc)
  • frontend:files: WIP markdown viewer editor (c2bf44f)

Bug Fixes

  • backend:files: harden multipart upload replacement (c63f83c)
  • backend:files: harden remote downloads against SSRF, redirects, proxy bypasses and oversized streams (22e773e)
  • backend:files: make space file lookup resilient to stale kind (5f64673)
  • backend:links: ensure tmp path is created after authentication for guest links (d782aaa)
  • backend:spaces: invalidate spaces cache when space state changes (0c95836)
  • backend:users: restrict usersWhitelist so guests only see shared-group or managed users (17fd9ba)
  • backend:users: unify avatar rendering to 512px and tune dynamic font scaling (6ecd91d)
  • files,comments: prevent duplicate file rows and handle undefined fileId (c04adef)
  • frontend:admin: adjust group dialog spacing (c30b72d)
  • frontend:admin: allow admins to see all users when selecting members in spaces and child shares (cba4eeb)
  • frontend:auth: handle impersonation logout without token refresh retry and force fallback logout on error (ead2508)
  • frontend:files: unlock extensionless text files on viewer close (9595153)
  • frontend:files: fix range file selection when filtering is enabled (43125d5)
  • frontend:files: hide PDF viewer toggle label on mobile (9d1154e)
  • frontend:files: initialize file selection after dialog view init (9d0fe08)
  • frontend:files: prevent stale save tooltip in viewers (70b3b98)
  • frontend:files: release editable viewer lock on destroy (5fdc7b2)
  • frontend:files: unlock text editors on page unload ([4f9025e](4f9025e...
Read more

v2.2.1

Choose a tag to compare

@github-actions github-actions released this 19 Apr 22:40
083444d

Security

Features

  • admin: add indexing box to admin tools (8686147)
  • backend:files: treat "_" as a term boundary in regex search (bcd3577)

Bug Fixes

  • backend:files: add support for page rotation during OCR extraction (6837cc4)
  • backend:files: handle axios content-length header as number-safe value (3599ccb)

v2.2.0

Choose a tag to compare

@github-actions github-actions released this 14 Apr 09:32
effab16

Highlights

  • Full-text search upgrade: PDF OCR indexing and Markdown content indexing
  • Admin improvements: spaces can now be created/managed from the administration UI, with direct quota management
  • New file event system: automatic storage usage recalculation and full-text reindexing
  • Guest management enhancement: managers can now administer guests’ personal groups from profile settings
  • LDAP support extended with tlsOptions (including ca, rejectUnauthorized, etc.)
  • Better PDF experience: pdf.js is now the default viewer, with edit-mode fallback to OnlyOffice. Thanks @zjean
  • Reliability : indexing scheduler concurrency fix, cache/WebDAV/URL fixes.

⚠️ Security

  • Basic Auth security hardening
    The cache key is now based on a hash, eliminating case-related collisions and preventing the storage of decodable identifiers.
    Thanks @zalo-alex and @naif-alfardan

  • Fixed a security vulnerability: CVE-2026-41161 GHSA-43fj-qp3h-hrh5
    A flaw allowed user account enumeration via the login endpoint through response time analysis, particularly in brute-force scenarios.
    Reported by @ppfeister, fixed by @7185

➡️ Read the release announcement

Features

  • admin: allow managing spaces from the admin section (9822209)
  • backend:auth: add tlsOptions support for ldap provider (2042ade)
  • backend:files: add indexing support for markdown files (abf59e7)
  • backend:files: add pdf ocr indexing (d37c531)
  • backend:files: add support for configurable OCR language paths (48443aa)
  • backend:files: align emitted FileEvent actions with real file mutations (e0c7175)
  • backend:files: emit file event on document modification (e7ed38c)
  • backend:files: extend indexing key generation for anchored roots (824bff8)
  • backend:files: implement file event manager (c9951d7)
  • backend:files: implement incremental indexing triggers for full-text search (468c1c3)
  • backend:infrastructure: allow null or undefined args in cache key slug generation (9d661ea)
  • backend:users: allow searching groups by description (434bd30)
  • frontend:admin: show cumulative storage usage for users and spaces (5af4996)
  • frontend: extend group parent model with description and adjust anchor file dialog layout (01bc72b)
  • users: allow to manage personal groups from the guest profile dialog (c5d3c70)

Bug Fixes

  • backend:auth: derive basic auth cache key from hashed credentials instead of Authorization header (be98def)
  • backend:auth: prevent user enumeration via timing attacks (80eebf3)
  • backend:files: ensure content indexing scheduling has no parallel executions (0bef5a6)
  • backend:files: ensure storage quota is updated in cache (030b87e)
  • backend:files: handle locks without scope in checkConflicts (f9bcbde)
  • backend:files: handle optional chaining in indexing key generation (2b2c238)
  • backend:users: ensure whitelist cache entries with parameters are properly cleared (5e21b8d)
  • backend:users: handle guest login rename without space location rename (2627d2d)
  • backend:users: sanitize group and app password names for safe route params (d1b21a8)
  • backend:webdav: restore access to shares repository via WebDAV (bec04e1)
  • files: encode special characters not handled by AuthInterceptor (d9e81f0)
  • files: handle document-open error messages for HEAD requests (328d823)
  • frontend:users: add button behavior inside groups (d13132a)
  • users: ensure guests cannot be elected as group managers (24e0d57)

v2.1.0

Choose a tag to compare

@github-actions github-actions released this 13 Mar 16:06
7868bb2

⭐ Highlights

  • 🎨 Major frontend UI refresh for a cleaner, more modern experience
  • 🔐 New OIDC provider toggle: security.supportPKCE for PKCE flow control
  • 🐳 Docker enhancement: new FORCE_PERMISSIONS env var to enforce data file permissions (@7185)
  • 🌍 Internationalization update: Dutch (nl) locale added (@Stephan-P)
  • 🕒 Database reliability: MySQL connections now consistently use UTC timezone
  • 📂 File handling hardening: better PDF cleanup and safer directory scanning (skips unreadable paths)
  • ➕ Additional quality and stability improvements across backend and frontend

➡️ Read the release announcement

Features

  • frontend refresh UI (#127)
  • backend:auth: add toggle for security.supportPKCE in OIDC provider (d90cbf7)
  • docker: add FORCE_PERMISSIONS variable to set permissions on data files (1eb57d6)
  • frontend:i18n: add nl (4c3a0cb)

Bug Fixes

  • backend:database: ensure MySQL connection uses UTC timezone (e7d2ed9)
  • backend:files: avoid buffer copy and ensure PDF document cleanup (f28c71b)
  • backend:files: skip unreadable directories when walking for size and entry counts (6b0a6a7)
  • frontend:recents: move user avatar tooltip container to body to fix overlap with card (5029911)

v2.0.0

Choose a tag to compare

@github-actions github-actions released this 09 Feb 23:27
e2abf48

⭐ Highlights

  • 🆔 OpenID Connect (OIDC) authentication support
  • ⚠️ Breaking change: authentication configuration renamed and refactored
  • 🔐 New authentication architecture enabling Desktop & CLI registration via OIDC
  • 🏢 Advanced LDAP support (service bind, admin break-glass, DN/CN, auto user & permissions)
  • 🔑 Support for OTP recovery codes and application-based client registration
  • 🧩 Improved configuration validation and error diagnostics
  • ✨ User experience improvements (recent items redesign, file rename behavior)
  • 📊 JSON logging output for improved observability
  • ➕ And many other improvements and refinements

➡️ Read the release announcement

⚠ BREAKING CHANGES

  • auth: rename method to provider in AuthConfig and replace authMethod with authProvider for naming consistency (9d187e0)
  • backend:auth:ldap: move adminGroup to options (96d52c9)

Features

  • auth:oidc: enhance OIDC configuration (8bcf35d)
  • auth:oidc: revise authentication flow logic (abb9979)
  • auth:sync: introduce registerWithAuth to enable desktop client registration from external process (OIDC) (b6525ec)
  • auth: implement OIDC authentication support and refactor auth providers (28bbf1d)
  • auth: refactor authentication services and add desktop client registration support (08c6e0f)
  • auth: support desktop app OIDC authentication flow (0d6963f)
  • backend:auth:ldap: add service bind support, adminGroup DN/CN handling, optimized search flow, tests, and updated docs (f7b9d0f)
  • backend:auth:ldap: add autoCreateUser and autoCreatePermissions (96d52c9)
  • backend:auth: add LDAP/OIDC local password fallback and admin break-glass access (23a93b5)
  • backend:config: improve error messages for environment config validation (a5df529)
  • backend:sync: add support for TOTP recovery codes during client registration (3cb3ea4)
  • backend:sync: improve sync path error handling and enforce subdirectory selection (549ada3)
  • backend: add jsonOutput option to logger (02cbe04)
  • frontend:spaces: improve server connection error handling and UI feedback (097b230)
  • frontend/backend: add client auth scope for password-based apps to register servers across desktop apps and CLI (5f131bf)
  • frontend: allow filename rename validation on blur (da930b8)
  • frontend: restyle recents widget (9845502)
  • frontend: update widget badge styles and color scheme (10feb97)

Bug Fixes

  • backend:webdav: ensure lock paths in headers are decoded correctly (ceb2f38)
  • backend:webdav: set correct http status line (a651fc3)
  • frontend:routes: remove redundant canActivateChild guard from app routes (3b5a80a)
  • frontend:spaces: remove tap directive keyboard handler blocking spaces in edit input and preserve whitespace in displayed file name (e0b328b)

v1.11.0

Choose a tag to compare

@github-actions github-actions released this 21 Jan 00:06
9870662

Security

Features

  • frontend: add delayed auto-collapse functionality for right sidebar (315bad2)

v1.10.1

Choose a tag to compare

@github-actions github-actions released this 12 Jan 00:55
e8c0dcc

Bug Fixes

  • auth:webdav basic auth fails with ":" in password (#104) (9671b71)
  • backend:comments: refine file path query for better handling of space roots (5b0c8ff)
  • backend:webdav: treat PUT requests as binary streams to avoid body parsing (edc291c)