New features
- Symbolic links: the new
symlink_modesetting selects, per backend, whether clients holding thecreate_symlinkspermission may create symbolic links on the local filesystem, the SFTP backend, or both. It is disabled by default. Creating a link requirescreate_symlinkson both the link's directory and the directory it points into, so per-directory permissions are enforced consistently on the path the client requests. - OIDC redirect: the WebClient OIDC login now preserves a
nextredirect target across the IdP round-trip.
Bug fixes
- httpd: return after a CSRF failure in the web client login. The login POST handler rendered the CSRF error page but did not return, so execution fell through into the post-connect hook and the credential verification pipeline. Added the missing
returnto match the admin login, password reset, and setup handlers.
Hardening
- Improve symbolic links handling and add more test cases.
- httpd: clean and unify the WebClient post-login redirect target validation.