Filename: /var/softaculous/cftp/changelog.txt
# ProjectSend r2029

## New Features

- **TOTP Two-Factor Authentication** — Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
- **In-App Changelog Viewer** — After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline — no need to leave the admin panel.

## Security Updates

- **Fix stored XSS via event handler attributes** — `strip_tags()` with an allowlist preserved event handlers (`onfocus`, `onmouseover`, etc.) on allowed tags when rendering file and group descriptions. All attributes are now stripped from allowed tags.
- **Harden session cookies** — Added `HttpOnly`, `Secure` (on HTTPS), and `SameSite=Lax` flags to prevent JavaScript from reading session cookies and reduce hijacking risk.
- **Restrict auto-update downloads to official server** — The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted, preventing installation of malicious archives.
- **Fix CSRF on file upload endpoint** — The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk and the bypass constant has been removed.

## Improvements

- **Redesigned error pages** — Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page instead of 403.
- **PHP version pre-check in auto-updater** — The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
- **Refreshed GitHub presence** — Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates for bug reports and feature requests.
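As an added example, not ProjectSend's own code, the following PHP script illustrates three of the r2029 security updates listed above: the `strip_tags()` allowlist pitfall beside a version that strips all attributes from allowed tags, the session cookie flags, and an updater URL allowlist. The function names, the constructed description, and the exact-host list (`projectsend.org` plus `www.`) are assumptions; the changelog only says HTTPS downloads from projectsend.org.

```php
<?php
// Added example, not ProjectSend's own code. Function names, the sample
// description and the host allowlist are assumptions for illustration.
declare(strict_types=1);

// Constructed attacker-controlled description, as it might sit in the database.
const SAMPLE_DESCRIPTION =
    '<p>Quarterly <b onmouseover="alert(document.cookie)">report</b> '
    . '<img src="x" onerror="alert(1)"><script>alert(2)</script></p>';

const ALLOWED_TAGS = '<p><b><i><a>';

// Before the fix: strip_tags() drops disallowed tags (img, script) but keeps
// every attribute on the tags it allows, so the onmouseover handler survives.
function describeBefore(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

// After the fix: keep the allowed tags, then reduce each opening tag to its
// bare name. Closing tags (</b>) are left alone because "/" is not a tag name.
// A ">" inside a quoted attribute value would end the match early, but what
// remains is plain text, not markup. Losing href on <a> is the trade-off the
// changelog accepts.
function describeAfter(string $html): string
{
    $kept = strip_tags($html, ALLOWED_TAGS);
    return preg_replace('/<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/', '<$1>', $kept) ?? '';
}

// Session cookie flags from the changelog; must run before session_start().
function hardenSessionCookie(bool $isHttps): void
{
    session_set_cookie_params([
        'lifetime' => 0,         // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $isHttps,  // only over TLS when the site is served on HTTPS
        'httponly' => true,      // not readable from document.cookie
        'samesite' => 'Lax',     // not sent on cross-site POST requests
    ]);
}

// Updater allowlist: https only, and an exact host match (assumed host list).
const UPDATE_HOSTS = ['projectsend.org', 'www.projectsend.org'];

function isAllowedUpdateUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return false;  // plain http:// or file:// archives are rejected
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;  // rejects "https://projectsend.org@evil.example/" tricks
    }
    return in_array(strtolower($p['host']), UPDATE_HOSTS, true);
}

// Usage: php example.php
echo describeBefore(SAMPLE_DESCRIPTION), PHP_EOL;
echo describeAfter(SAMPLE_DESCRIPTION), PHP_EOL;
foreach ([
    'https://projectsend.org/updates/r2029.zip',
    'http://projectsend.org/updates/r2029.zip',
    'https://projectsend.org.evil.example/r2029.zip',
    'https://evil.example/projectsend.org/r2029.zip',
    'https://projectsend.org@evil.example/r2029.zip',
] as $url) {
    printf("%-50s %s\n", $url, isAllowedUpdateUrl($url) ? 'allowed' : 'rejected');
}
hardenSessionCookie(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

Only the first URL in the list is accepted: the second fails the scheme check, the third and fourth fail the exact-host check (suffix and path tricks), and the fifth is parsed by `parse_url()` with `evil.example` as the host and `projectsend.org` as user-info, so it fails twice over.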
## Bug Fixes

- Fix 403 on all downloads caused by accidental removal of `$allowed_levels` from `process.php`.

## Maintenance

- PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
- PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

# What's Changed in r2002

## Security

- **Path Traversal Fix in Import Orphans**: Sanitized filenames with `basename()` before constructing file paths in the import and delete actions, preventing directory traversal attacks via crafted POST values (#994)

## Bug Fixes

- **Dashboard Storage Usage Calculation**: Fixed the file size migration that caused PHP memory/time limits on large installations, leaving most size values at 0. Added a "Recalculate Storage" button for admins (#1533)
- **Gulp 5 Corrupting Font Files**: Fixed binary font files being corrupted during build due to Gulp 5's default UTF-8 encoding (#1531)
- **HTML Output of File Descriptions**: Fixed CKEditor file descriptions showing raw HTML tags instead of rendered content across all templates (#1528)
- **PHP 8.2 Deprecation Warnings**: Fixed "Creation of dynamic property" warnings in CustomAsset class
- **Bullets Alignment**: Fixed list bullets alignment in public download descriptions

## Improvements

- **Timezone Select Refactor**: Rewrote timezone selector to use the standard form system with proper optgroup support

## Maintenance

- Translation Strings Updates

# What's New in ProjectSend r1945

## 🔐 Security & Enterprise Features

- **Server-Side File Encryption**: AES-256-GCM authenticated encryption for files at rest with support for cloud storage
- **Advanced Permissions System**: Complete overhaul with granular controls and custom role creation
- **Enhanced LDAP/Active Directory**: Improved enterprise authentication with dynamic role management and smart fallbacks
- **Security Fixes**:
  - XSS vulnerability fixes in file editor and custom download aliases (reported by Raducu Alexandru-ionut)
  - Server software info escaping
  - Secure random string generation (found by hassan al-khafaji)
  - Prevention of unauthorized file previews

## 📁 File Management

- **Download Limits**: Set per-user or total download caps with automatic enforcement and abuse prevention
- **Disk Quota Management**: Per-account storage limits with real-time usage tracking
- **Redesigned File Editor**: Modern tabbed interface with bulk operations and mobile optimization
- **External Storage Integration**: AWS S3 support with flexible upload destinations and file import capabilities
- **Batch File Encryption Tool**: Encrypt multiple files at once
- **Enhanced Folder System**: Improved folder visibility for clients with better permission handling (contributions by Matani-Git)

## 🎨 Customization & UI

- **9 New Themes**: Expanded from 3 to 9 professional themes including Modern, Retro90s, Dark Cards, Business, and Google-like templates
- **Email Templates & Themes**: Visual editor with CKEditor integration, multiple professional designs and dynamic variables
- **Custom Fields System**: Add custom fields for users and clients with drag-and-drop ordering and multiple field types
- **Enhanced User Interface**:
  - Unsaved changes warnings
  - Data preservation on validation failures
  - Light/dark mode toggle for admin pages
  - Improved form validation and required field indicators
  - Cards view for manage files with details sidebar

## ⚙️ System Improvements

- **System Auto Update**: Automatic updates with zero downtime and configurable channels (stable/beta)
- **Regenerate Thumbnails**: Advanced thumbnail regeneration tool with filtering, custom dimensions, and date range support
- **Multiple CAPTCHA Methods**: Choose from reCAPTCHA v2, v3, or Cloudflare Turnstile
- **Remember Me Option**: Persistent login sessions with configurable duration
- **Favicon Customization**: Upload custom favicon files
- **Dashboard Widgets**: New download analytics and storage analytics widgets with drag-drop positioning
- **Roles Manager**: Complete role and permission management interface with custom role creation

## 🐛 Bug Fixes & Improvements

- Fixed session expiring with "Remember me" checked
- Fixed missing "Manage files" link with correct permissions
- Fixed SMTP authentication (by dawnstrider)
- Fixed username validation to allow underscores (by xia-stan)
- Fixed folder display issues for clients (by Matani-Git)
- Fixed 500 error when users upload files (by Matani-Git)
- Fixed actions log sorting (by rainyday4me)
- Fixed custom downloads table missing ID
- Fixed video preview functionality (by Nimon77)
- Fixed double X in close modal button (by rob4226)
- Fixed uploads folder .htaccess (by log4en)
- Fixed bad redirects (found by MGPhil)
- Fixed cronjob example (by ehawman)
- Registration bug fix (by bmartin13)
- Fixed deprecated dynamic property warnings (by raduhazsda)
- Fixed plupload styling for dark mode
- Preserve form data on errors
- Light mode set as default
- Added missing CSRF protections
- Fixed toggle styling

## 🔧 Technical Improvements

- PHPStan implementation with baseline (Co-authored by Claude)
- Updated dependencies: axios, @babel/traverse, follow-redirects
- GitHub Actions for security scanning and build status
- Composer validation fixes
- Support for environment variables in SMTP configuration (by redondi88)
- CodeMirror loaded from local lib (node_modules can be excluded)
- Auto-calculation of version numbers for releases
- Improved chunk size configuration (fixes #1203)
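As an added example, not ProjectSend's own code, the PHP script below shows what the `basename()` fix from the r2002 "Path Traversal Fix in Import Orphans" entry does to crafted POST values, beside the naive concatenation it replaced, and adds the two checks a practitioner would want around it (NUL bytes and the `..`/empty results that `basename()` can return). The upload directory, function names and sample values are assumptions.

```php
<?php
// Added example, not ProjectSend's own code. Directory, function names and
// the crafted values are assumptions for illustration.
declare(strict_types=1);

// Hypothetical upload directory; a real install uses its configured path.
const UPLOADS_DIR = '/var/www/projectsend/upload/files';

// Constructed POST values an attacker might send as the filename parameter.
const CRAFTED = [
    'report.pdf',
    '../../../../etc/passwd',
    'orphans/../../../../etc/shadow',
    "report.pdf\0.txt",
    '..',
];

// Before the fix: raw concatenation, so "../" sequences climb out of the
// directory and the delete action can unlink() arbitrary files.
function pathBefore(string $value): string
{
    return UPLOADS_DIR . '/' . $value;
}

// After the fix: reduce the value to its last path component first. Two extra
// checks: PHP 8 file functions throw ValueError on NUL bytes, so reject them
// early, and basename('..') is '..' while basename('/') is '', neither of
// which names a file.
function pathAfter(string $value): ?string
{
    if (str_contains($value, "\0")) {
        return null;
    }
    $name = basename($value);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return UPLOADS_DIR . '/' . $name;
}

// Usage: php example.php
foreach (CRAFTED as $value) {
    printf(
        "%-36s before: %s\n%-36s after:  %s\n",
        addcslashes($value, "\0"),
        addcslashes(pathBefore($value), "\0"),
        '',
        pathAfter($value) ?? '(rejected)'
    );
}
```

Two caveats worth keeping in mind. `basename()` only stops the value from leaving the directory: `orphans/../../../../etc/shadow` becomes `shadow` inside UPLOADS_DIR, so the import and delete actions still have to confirm that the resulting name is genuinely an orphan they are allowed to touch. And `basename()` is locale-aware, so under a non-UTF-8 locale it can truncate multibyte filenames; set the matching locale with `setlocale()` if uploads carry non-ASCII names.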