Sync-in/server v2.4.0 (GitHub release)

7 hours ago

Highlights

  • Euro-Office is now available as an online document editor alongside OnlyOffice and Collabora
  • Cancellable file tasks: uploads, downloads, archive creation, extraction, copies, moves and deletions can now be canceled from the task panel
  • Task queue management: file operations are now queued and limited per user to avoid too many heavy tasks running in parallel
  • Detailed task progress: long-running operations can now show clearer progress instead of only a running state
  • ZIP archive creation: Sync-in can now create ZIP archives, in addition to TAR and TGZ
  • OIDC verified email control: administrators can require verified OIDC email addresses before account linking or profile synchronization
  • Grouped editor configuration: editor settings are now centralized under applications.files.editors, with legacy OnlyOffice and Collabora settings deprecated

🐞 Bug Fixes

  • More reliable URL downloads: compressed server responses are now handled correctly, preventing size errors and incomplete downloads
  • CJK full-text search support: search now supports Chinese, Japanese, Korean and other languages without space-separated words
  • Text and Markdown editor fixes: editors now preserve focus more reliably, detect changes correctly and refresh file size after saving
  • Improved filtered selection: multi-selection remains more consistent when file lists are filtered
  • More reliable server startup: MySQL connection errors are detected earlier, allowing a clean exit and automatic restart
  • Safer configuration loading: quoted sensitive values such as secrets, database URLs and initial credentials are now loaded without keeping quote characters

⚠️ Security

  • Stronger 2FA enforcement for API tokens
    Fixed vulnerability GHSA-92cr-jxw4-5wjg.
    API token creation now correctly requires the second factor when 2FA is enabled.

  • Better protection against repeated TOTP attempts
    Fixed vulnerability GHSA-274f-6w77-8qm9.
    Failed TOTP attempts during desktop sync client registration are now counted correctly, including repeated or concurrent attempts.

  • Safer synchronization filters
    Fixed vulnerability GHSA-jx63-h26r-8cph.
    Sync filters are now validated and limited before use to prevent malicious overload during synchronization.

  • More reliable synchronization uploads
    Uploaded files are checked before replacing the destination file, preserving the existing file in case of size, quota or checksum errors.

  • Sessions aligned with account state
    Browser and WebSocket sessions now better reflect role, permission and active/inactive account changes.

  • OIDC and LDAP hardening
    New OIDC directives allow verified email enforcement and explicit private IP avatar downloads. Insecure OIDC/LDAP password authentication defaults are now disabled.

  • Stricter external login validation
    Logins from external identity providers are now limited to valid names, preventing file-path interpretation.

  • Safer archive extraction
    Archive extraction now blocks unexpected paths more reliably, cleans up interrupted extractions and applies storage quotas during extraction.
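The "Stricter external login validation" and "Safer archive extraction" items above both come down to the same defensive pattern: a user-controlled string (an archive entry name, or a login from an identity provider) must never be allowed to select a location outside the directory it is meant to live in. The block below is an added example written for this page, not Sync-in's own code; it shows a single containment check reused for both cases. The users root `/srv/sync-in/users`, the login character policy and the 255-character limit are assumptions made for the example.

```typescript
// Added example, not Sync-in's own code: one containment check shared by archive
// extraction and by the directory name derived from an external (OIDC/LDAP) login.
import * as path from "path";

/**
 * Resolve `untrusted` against `root` and return the absolute target only if it
 * stays inside `root`; return null for anything that escapes.
 */
export function containedPath(root: string, untrusted: string): string | null {
  const base = path.resolve(root);
  // Archive tools disagree on separators; treat backslashes as separators so a
  // "..\\..\\x" entry cannot slip past the check on a POSIX host.
  const normalized = untrusted.replace(/\\/g, "/");
  // An absolute entry would make path.resolve discard `root` entirely.
  if (path.isAbsolute(normalized) || /^[A-Za-z]:\//.test(normalized)) return null;
  const target = path.resolve(base, normalized);
  // Compare with a trailing separator so "/srv/data" does not match "/srv/data-old".
  if (target !== base && !target.startsWith(base + path.sep)) return null;
  return target;
}

export interface ArchiveEntry { name: string; size: number }
export interface ExtractionPlan { accepted: string[]; rejected: string[] }

/**
 * Decide, before a single byte is written, which entries of an archive may be
 * extracted under `destDir`. Entries that escape the destination, or that name
 * the destination itself, are reported in `rejected` so the caller can log them.
 */
export function planExtraction(destDir: string, entries: ArchiveEntry[]): ExtractionPlan {
  const plan: ExtractionPlan = { accepted: [], rejected: [] };
  for (const entry of entries) {
    const target = containedPath(destDir, entry.name);
    if (target === null || target === path.resolve(destDir)) plan.rejected.push(entry.name);
    else plan.accepted.push(target);
  }
  return plan;
}

// Assumed policy for this example: a login starts with an alphanumeric character
// and may contain letters, digits, '.', '_', '@' and '-', up to 255 characters.
const LOGIN_RE = /^[A-Za-z0-9][A-Za-z0-9._@-]{0,254}$/;
const USERS_ROOT = "/srv/sync-in/users"; // constructed path for the example

/**
 * A login is usable as a per-user directory name only if it passes the character
 * policy AND maps to a direct child of USERS_ROOT (no traversal, no nesting).
 */
export function isValidExternalLogin(login: string): boolean {
  if (!LOGIN_RE.test(login)) return false;
  const target = containedPath(USERS_ROOT, login);
  return target !== null && path.dirname(target) === path.resolve(USERS_ROOT);
}
```

Running the plan before extraction starts, and writing into a per-user temporary directory that is only renamed into place once every entry has been written, is what makes it possible to discard a partial extraction cleanly; the check above only covers the path side of that.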

Contributors: @Stephan-P, @7185, @rchan96, @o2asdv
Special thanks to @SakusenSec for responsibly reporting these security issues.

➡️ Read the release announcement

Features

  • auth: refresh browser user state with token renewal (cad5f12)
  • backend:auth: add OIDC verified email enforcement option (cd71b04)
  • backend:cache: add atomic bounded counter increments (c172825)
  • backend:files: add cancellable copy, move and delete tasks (e23151e)
  • backend:files: add Euro-Office editor support (9fe93bd)
  • backend:files: improve task progress tracking for copy and move operations (7939491)
  • backend:files: queue and limit concurrent tasks per user (395f841)
  • backend:files: track download, compression and extraction progress (caa6a92)
  • config: group editor config under files.editors (bd50a29)
  • files: add ZIP archive creation with optional compression (7c94d6a)
  • files: batch active task polling (e36af62)
  • files: expose task cancellation capability (14e5b9e)
  • files: make downloads and (de)compression abortable (a43025e)
  • frontend:files: add global task cancellation action (8a044bd)
  • frontend:files: cancel uploads from tasks sidebar (b01dc90)
  • frontend:files: limit concurrent uploads (81a95bc)
  • frontend:files: track queued uploads and throttle progress updates (a0ff216)

Bug Fixes

  • backend:auth: disable insecure OIDC requests by default (9e59a09)
  • backend:auth: disable LDAP local password fallback by default (d57c42d)
  • backend:auth: disable OIDC local password fallback by default (315fc75)
  • backend:auth: enforce 2FA and isolate JWT token types (3ec74e2)
  • backend:auth: harden OIDC avatar synchronization (5024afa)
  • backend:auth: increment failed attempts for 2FA-enabled users (b13a4aa)
  • backend:auth: prevent 2FA password attempt counter bypass (5f53f7f)
  • backend:auth: tolerate OIDC avatar downloads using maxSize guard (597afbf)
  • backend:auth: update failed login attempts atomically (285b870)
  • backend:auth: validate current user state for active sessions (1022355)
  • backend:config: make logger optional and quote sensitive YAML values (5390ba9)
  • backend:config: normalize quoted admin credentials (5fea5b4)
  • backend:config: support single-quoted environment values (715e761)
  • backend:files: align HEAD and GET encoding for downloads (67667f6)
  • backend:files: centralize path containment checks (e96c3f1)
  • backend:files: clean orphan task files (0d4b306)
  • backend:files: clean up task watchers on module shutdown (0ccf212)
  • backend:files: enforce storage quota during archive extraction (8fffc17)
  • backend:files: extend scheduler cleanup to stale user tmp files (c115ec2)
  • backend:files: harden archive extraction and clean up partial output (9615ed0)
  • backend:files: improve filtered file selection behavior (3ab86bc)
  • backend:files: stage archive extraction in user temp directory (06f1425)
  • backend:files: stage downloads and archives in user tmp paths before publishing (1363899)
  • backend:files: support multilingual full-text search (9a462c5)
  • backend:sync: add validation for path filter size, length, and repetitions (0fdcda9)
  • backend:sync: limit gzip diff body size (65acac1)
  • backend:sync: update path filter length validation and add pattern length constant (4355471)
  • backend:sync: validate path filter regex before diff (b1dcaa1)
  • backend:sync: validate uploads before promoting temp files (346f8cb)
  • backend:users: prevent path traversal through federated user logins (c2dd22e)
  • backend: improve connection checks and bootstrap resilience (8c140d9)
  • frontend:files: add missing constructor inheritance in files-viewer-text.component.ts (965d0ce)
  • frontend:files: clean ended tasks for deleted trash folders (6bd4604)
  • frontend:files: preserve editor focus and track text changes (86fac72)
  • frontend:files: refresh file size after saving (f11af14)
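The "Safer synchronization filters" item in the Security section and the backend:sync fixes listed above (path filter size, length and repetition validation, regex validation before diff) describe bounding client-supplied filters before the server uses them. The block below is an added example, not Sync-in's own code, showing what such a validator can look like: it caps the number and length of patterns, drops repeated ones, rejects patterns that do not compile, and applies a coarse nested-quantifier heuristic before anything is compiled into a `RegExp`. The limits `MAX_FILTERS` and `MAX_PATTERN_LENGTH` are assumed values, and the heuristic is deliberately conservative rather than a complete ReDoS detector.

```typescript
// Added example, not Sync-in's own code: bound and validate client-supplied path
// filters before they are compiled and run against a file tree during sync.
export const MAX_FILTERS = 100;          // assumed limit for the example
export const MAX_PATTERN_LENGTH = 256;   // assumed limit for the example

// Coarse heuristic: a group containing a quantifier that is itself quantified,
// e.g. "(a+)+" or "(.*)*". Not exhaustive, but it catches the common shapes and
// costs nothing, so it runs before any RegExp is constructed.
const NESTED_QUANTIFIER = /\([^()]*[*+][^()]*\)[*+{]/;

export interface FilterValidation {
  ok: boolean;        // false if anything was rejected
  filters: RegExp[];  // the compiled filters that passed
  errors: string[];   // one message per rejected item, for logging back to the client
}

export function validatePathFilters(raw: unknown): FilterValidation {
  const errors: string[] = [];
  if (!Array.isArray(raw)) {
    return { ok: false, filters: [], errors: ["filters must be an array of strings"] };
  }
  if (raw.length > MAX_FILTERS) {
    errors.push(`too many filters: ${raw.length} > ${MAX_FILTERS}`);
  }
  const seen = new Set<string>();
  const filters: RegExp[] = [];
  // Only the first MAX_FILTERS items are even looked at; the rest are ignored.
  for (const item of raw.slice(0, MAX_FILTERS)) {
    if (typeof item !== "string" || item.length === 0) {
      errors.push("filter must be a non-empty string");
      continue;
    }
    if (item.length > MAX_PATTERN_LENGTH) {
      errors.push(`pattern too long (${item.length} > ${MAX_PATTERN_LENGTH})`);
      continue;
    }
    // A repeated pattern cannot change the result; drop it instead of compiling twice.
    if (seen.has(item)) continue;
    seen.add(item);
    if (NESTED_QUANTIFIER.test(item)) {
      errors.push(`rejected nested quantifier: ${item}`);
      continue;
    }
    try {
      filters.push(new RegExp(item));
    } catch {
      errors.push(`invalid regex: ${item}`);
    }
  }
  return { ok: errors.length === 0, filters, errors };
}

/** Return the paths that are NOT excluded by any filter (the set the diff will consider). */
export function applyFilters(paths: string[], filters: RegExp[]): string[] {
  return paths.filter((p) => !filters.some((f) => f.test(p)));
}
```

A caller would reject the whole request when `ok` is false rather than silently running the diff with a partial filter set, since a partially applied filter list can make the client and server disagree about which files exist.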
