Release 2.7

Release Version 2.7

Release date: 28 May 2019.

Distribution

Source snapshots are attached to this announcement and the git tag filesender-2.7 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.6

This release targets appsec and also includes some information that might be useful for how FileSender is used with SimpleSAMLphp. Many of these updates are in response to an audit commissioned by SURFnet; where relevant, references are given to sections in that audit.

The X-Frame-Options header is now set to your configured header_x_frame_options setting. The default is samesite; this was brought in initially with #538 and improved in #539 (audit ref 4.1.1).

The default SimpleSAMLphp installation offers features such as an administration interface and other extra functionality which people may wish to disable. The installation documentation of FileSender has been updated to include information on disabling some SimpleSAMLphp modules and removing some php files to delete functionality which might not be needed in an installation. Users with an existing installation may like to refer to the changes to see if these things make sense for their installation. (audit ref 4.1.2).

With the default configuration SimpleSAMLphp displays detailed error messages in the browser. Turning this off is recommended; see #546 (audit ref 4.1.3).

The default Apache configuration has been updated to deny directory listings, as they are not required for normal system functionality and may provide an attacker with information: https://github.com/filesender/filesender/pull/546/files (audit ref 4.1.4).

Third-party JavaScript libraries have been updated in #549. This includes scripts to show the current and latest versions of these libraries and to allow updates to be performed in the future, making it simpler to remain current: https://github.com/filesender/filesender/blob/master/scripts/dev/www-lib-update/README.txt (audit ref 4.1.5).

Information about setting the secure flag on cookies, including the SimpleSAMLphp ones, is included in #546 (audit ref 4.1.6). In addition, information about setting the samesite cookie parameter is in #561. Unfortunately a clean API for that has only become available in PHP 7.3, leading to the current solution of forcing the cookie parameter with an Apache configuration.
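As an added example (not FileSender's own code) covering the X-Frame-Options and cookie-flag changes above, this Python check parses a deployment's HTTP response headers and reports a missing X-Frame-Options header and any cookie lacking the Secure or SameSite attribute. The sample headers are constructed, and the URL given to audit_url is assumed to be your own instance.

```python
import urllib.request

# Constructed sample response headers (not captured from a real server) so the
# check runs offline: one cookie lacks the flags, one carries both.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly"),
    ("Set-Cookie", "SimpleSAMLSessionID=def456; path=/; Secure; HttpOnly; SameSite=Lax"),
]

def parse_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val or True  # flag attributes such as Secure have no value
    return name, attrs

def check_headers(headers):
    """Return a list of findings for a list of (name, value) response headers.
    An empty list means X-Frame-Options is present with a standard value and
    every cookie carries both the Secure flag and a SameSite attribute."""
    findings = []
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options header missing")
    elif xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        # DENY and SAMEORIGIN are the values browsers honour for this header.
        findings.append(f"X-Frame-Options has non-standard value {xfo[0]!r}")
    for n, v in headers:
        if n.lower() == "set-cookie":
            name, attrs = parse_cookie(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name}: Secure flag missing")
            if "samesite" not in attrs:
                findings.append(f"cookie {name}: SameSite attribute missing")
    return findings

def audit_url(url):
    """Fetch url (assumed to be your own FileSender instance) and check its headers."""
    with urllib.request.urlopen(url) as resp:
        return check_headers(resp.getheaders())

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS):
        print(finding)
```

Run audit_url against both the FileSender pages and the SimpleSAMLphp login flow, since the SimpleSAMLphp session cookie is set by a different code path than FileSender's own.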

A new option, and the code to use the OWASP CSRFProtector in addition to the internal tokens to protect against CSRF attacks, has been added in #556. This can be enabled using the owasp_csrf_protector_enabled configuration directive and installing the included csrf-protector-config.php from the config directory into your FileSender config directory. The csrf-protector-config.php file itself should not need modification (audit ref 4.1.7). The possibility, or lack thereof, of a CSRF attack at login has also been clarified on the SimpleSAMLphp dev list.

A new securityIssue() method was added to the FileSender Logger class to capture the intent that a log message relates to something "security", such as a failed CSRF token validation (#559).

Other change highlights include:

Support was added for granting admin entitlement from metadata supplied by your SAML server: https://github.com/filesender/filesender/pull/545/files.

Updates to the upload page stop the file and directory dialogs from both appearing (#555, #551), and an update to the download page removes the option to download encrypted files as a zip (#554). A fix for empty collections forming bad SQL in some cases (#553).

Configuration changes

The header_x_frame_options config key is used to set a default X-Frame-Options HTTP header.

The new OWASP CSRFProtector protection can be turned on by setting owasp_csrf_protector_enabled to true.

The config keys auth_sp_additional_attributes, auth_sp_saml_admin_entitlement and auth_sp_saml_entitlement_attribute are used to allow admin privileges from SAML.

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.
