✨ New Features
- Added an OAuth resource server for integrating external identity authentication; see the OAuth parameter description in the configuration file for details.
- Added the `cors-allowed-origins` configuration item, supporting a custom allowlist of cross-origin Origins.
- Added the `trusted-proxies` configuration item, restricting which reverse-proxy IPs / network ranges are trusted for `X-Forwarded-*` headers.
- Added custom HTTP response header configuration applied to all requests, together with connection keepalive verification for Cloudflare Tunnel.
- Added a security switch that binds WebGUI logins to the client IP, and a setting for a custom login token validity period.
- Added WebGUI enhanced settings, allowing FNSS parameters to be adjusted directly from the WebGUI.
🛠 Fixes
- Fixed a CORS security issue where any Origin was reflected without restriction.
- Fixed share passwords being stored as plain MD5 hashes; existing records are silently re-hashed to bcrypt once the old hash verifies successfully.
- Fixed the file download endpoint not blocking soft-deleted files, which allowed unauthorized retrieval.
- Fixed a potential XSS injection risk caused by API links being concatenated into static pages without safe encoding.
- Fixed Git repository URLs not being validated for protocol; `file://` local paths and SSRF access to private IP ranges are now blocked.
- Fixed the Git password being echoed in plaintext to the front end when fetching the sync configuration.
- Fixed the `user_static` static resource directory being created with overly broad permissions (0777); it is now restricted to 0755.
- Fixed the Cloudflare Tunnel program failing to download.
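The Git remote check described in the fix above, as an added Go example rather than FNSS code: it refuses non-network schemes such as `file://` and hosts that resolve to loopback, private or link-local addresses. `ValidateGitRemote`, `allowedSchemes` and the injected `lookup` are assumed names; in production `lookup` would wrap `net.LookupIP`, and scp-style `git@host:path` remotes (which are not URLs) are rejected here as having no scheme.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Assumed allowlist: only network transports may be used as a sync remote; file:// is refused.
var allowedSchemes = map[string]bool{"https": true, "http": true, "ssh": true, "git": true}

// isInternal reports whether an address must never be fetched server-side: loopback,
// RFC 1918 / ULA, link-local (which includes 169.254.169.254), unspecified, multicast.
func isInternal(a netip.Addr) bool {
	a = a.Unmap() // an IPv4-mapped ::ffff:10.0.0.1 is really 10.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified()
}

// ValidateGitRemote rejects a remote whose scheme is not allowed or whose host resolves
// to an internal address. lookup is injected so the check can run offline in tests.
func ValidateGitRemote(raw string, lookup func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("malformed URL: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return errors.New("URL has no host")
	}
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a} // IP literal: no DNS needed
	} else if addrs, err = lookup(host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("resolving %s: %v", host, err)
	}
	for _, a := range addrs {
		if isInternal(a) {
			return fmt.Errorf("host %s points at internal address %s", host, a)
		}
	}
	return nil
}
```

Because a second DNS lookup can return a different answer, the address that passed this check should also be the one the Git client actually connects to, for example by pinning it in the dialer.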
⚡️ Optimizations and Improvements
- Share tokens are now signed with a longer HMAC-SHA256 signature; when parsing fails, the old AES-ECB format is accepted automatically for backward compatibility.
- Random number generation has been upgraded: random tokens and similar cases now use the cryptographically secure `crypto/rand`.
- Access logs now automatically mask sensitive URL query keys such as `token`, `password` and `share-token` before output.
- Custom response headers are filtered against a blocklist, preventing the configuration from maliciously or accidentally overriding core system security headers such as CSP.
- The system update check now has a configurable timeout and uses the temporary directory specified in the system configuration.
- Removed MySQL support, which had many problems.
- Removed Ngrok relay gateway support (more relay gateways will be added later).