github error311/FileRise v3.21.0

4 hours ago

Changes 07/05/2026 (v3.21.0)

release(v3.21.0): authentication and public config hardening

Commit message

release(v3.21.0): authentication and public config hardening

- security(auth): enforce disabled login methods server-side
- security(auth): add source-wide failed-login throttling
- security(config): sanitize public footer branding HTML server-side

Fixed

  • Login method policy hardening

    • Form login, Basic Auth login, and OIDC login now enforce the configured disabled-login-method flags on the server.
    • Direct requests to disabled login endpoints now return 403 Forbidden before credential validation or OIDC flow setup.
  • Login throttling hardening

    • Login throttling now keeps the existing per-source-and-username limit and also applies a source-wide failed-attempt limit.
    • Rotating usernames from the same source no longer grants unlimited fresh login-attempt budgets.
  • Public branding config hardening

    • Public site configuration now sanitizes footer branding HTML server-side before returning it to clients.
    • Existing safe footer text, inline formatting, and safe links are preserved.

Upgrade notes

  • Deployments that intentionally disabled a login method in the Admin Panel must now re-enable it before direct API use of that method will work.
  • Deployments behind reverse proxies should verify trusted proxy/IP header settings so login throttling uses the real client IP instead of the proxy address.
  • Footer branding now permits safe text, inline formatting, and safe links; unsupported active or embedded HTML is stripped.
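
How a two-budget failed-login throttle of the kind described under "Login throttling hardening" behaves, as an added example in Python. It is not FileRise's code; the window, both limits, the in-memory storage and all names are assumptions.

```python
import time
from collections import defaultdict, deque
# Assumed limits for illustration; the release notes do not state FileRise's values.
WINDOW_SECONDS, PER_PAIR_LIMIT, PER_SOURCE_LIMIT = 600, 5, 20

def _pair_key(source, username):  # case/whitespace variants share one bucket
    return (source, username.strip().lower())

class LoginThrottle:
    """Sliding-window failed-login throttle with two independent budgets."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pair = defaultdict(deque)    # (source, username) -> failure times
        self._source = defaultdict(deque)  # source -> failure times

    def _live(self, table, key, now):
        bucket = table.get(key, ())
        while bucket and now - bucket[0] >= WINDOW_SECONDS:
            bucket.popleft()               # expire failures outside the window
        if not bucket:
            table.pop(key, None)           # keep no empty buckets around
        return len(bucket)

    def blocked_by(self, source, username):
        """Return 'source', 'pair' or None; call before validating credentials."""
        now = self._clock()
        if self._live(self._source, source, now) >= PER_SOURCE_LIMIT:
            return "source"
        if self._live(self._pair, _pair_key(source, username), now) >= PER_PAIR_LIMIT:
            return "pair"
        return None

    def record_failure(self, source, username):
        now = self._clock()
        self._pair[_pair_key(source, username)].append(now)
        self._source[source].append(now)

    def record_success(self, source, username):
        # Clear only the pair budget; the source-wide failure count stays.
        self._pair.pop(_pair_key(source, username), None)

def rotate_usernames(throttle, source, attempts):
    """Constructed scenario: each attempt fails with a fresh username."""
    allowed = 0
    for user in (f"user{i}" for i in range(attempts)):
        if throttle.blocked_by(source, user) is None:
            throttle.record_failure(source, user)
            allowed += 1
    return allowed
```

The `source` key should be the client address resolved through the trusted proxy/IP header settings named in the upgrade notes; keyed on the proxy's own address, the source-wide budget would be shared by every user behind that proxy.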

v3.21.0

Full Changelog

v3.20.0 → v3.21.0

SHA-256 (zip)

453fea2c671916366d9517547833a6f39bcd3f3bab7bc1f8a579b63c930d6e92  FileRise-v3.21.0.zip
