Releases: error311/FileRise

v3.17.0

21 Jun 02:00

Changes 06/20/2026 (v3.17.0)

release(v3.17.0): phpseclib dependency security update

Commit message

release(v3.17.0): phpseclib dependency security update

- deps(composer): upgrade phpseclib/phpseclib to 3.0.55

Changed

  • Dependency security maintenance
    • Updated phpseclib/phpseclib to 3.0.55 in Composer dependencies and the locked dependency set.

v3.17.0

Full Changelog

v3.16.0 → v3.17.0

SHA-256 (zip)

85872bf3fdcade00288567448a444757806a87557eb4818351d9ed29be08d136  FileRise-v3.17.0.zip

v3.16.0

17 Jun 02:31

Changes 06/16/2026 (v3.16.0)

release(v3.16.0): security hardening

Commit message

release(v3.16.0): security hardening

- security(auth): require trusted proxy source validation for proxy-header login
- security(webdav): block password-only WebDAV login for TOTP-enabled accounts
- security(extract): apply blocked upload filename policy before archive extraction
- security(setup): keep first-run setup closed after initial admin creation
- security(auth): resolve remember-me admin status from the current user role
- security(upload): reject encoded path separators before upload writes

Fixed

  • Proxy-header login hardening

    • Proxy-header login now accepts the configured identity header only from sources listed in FR_TRUSTED_PROXIES.
    • If you already use proxy-header login, set FR_TRUSTED_PROXIES to the reverse proxy IP or CIDR before upgrading; otherwise FileRise will ignore the identity header and users will not be auto-authenticated.
  • WebDAV MFA hardening

    • WebDAV no longer accepts password-only Basic authentication for accounts that have TOTP enabled.
    • Users who need WebDAV access should use an account without TOTP until a separate app-password flow is available.
  • Archive extraction hardening

    • Archive extraction now applies the blocked upload filename policy before files are written to disk.
    • Mixed archives can still extract allowed files while blocked file types are skipped and reported as warnings.
  • First-run setup hardening

    • FileRise now writes a setup-complete marker after initial admin creation and also creates it automatically for existing installs with users.
    • If users.txt later becomes empty, first-run setup remains closed and requires out-of-band recovery.
  • Remember-me role hardening

    • Remember-me auto-login now resolves admin status from the current user record instead of trusting role data stored with the token.
    • Rotated and newly issued remember-me tokens no longer store the admin flag.
  • Upload filename hardening

    • Upload handling now rejects encoded path separators before resolving the destination path.
    • Normal filenames and allowed folder upload paths continue to work.

v3.16.0

Full Changelog

v3.15.0 → v3.16.0

SHA-256 (zip)

a042bfafa530c7341adfce108801af0288ada2a84c520d18c2bcb16302cfcccc  FileRise-v3.16.0.zip

v3.15.0

12 Jun 01:44

Changes 06/11/2026 (v3.15.0)

release(v3.15.0): shared-folder boundary hardening

Commit message

release(v3.15.0): shared-folder boundary hardening

- security(shares): keep shared-folder subpaths inside the original shared folder boundary

Fixed

  • Shared-folder boundary hardening
    • Tightened public shared-folder subpath handling so listing, direct file download, upload targets, and ZIP creation remain inside the originally shared folder.
    • Existing normal files, subfolders, and in-bound shared-folder content remain supported.

v3.15.0

Full Changelog

v3.14.0 → v3.15.0

SHA-256 (zip)

3915ba1d5beccfe4cf84b32f26b4a0c53120b33e5bcdf5f0c8ed14d206b1bb2c  FileRise-v3.15.0.zip

v3.14.0

03 Jun 04:27

Changes 06/03/2026 (v3.14.0)

release(v3.14.0): request validation hardening and symfony/yaml dependency update

Commit message

release(v3.14.0): request validation hardening and symfony/yaml dependency update

- security(csrf): enforce request-token checks on additional file and admin POST actions
- deps(composer): upgrade symfony/yaml to 8.0.12

Fixed

  • Request validation hardening
    • Added server-side CSRF enforcement to file creation and file share-link creation.
    • Added CSRF enforcement to admin OIDC discovery and ClamAV self-test POST actions.
    • Existing web UI flows continue to send the required CSRF token for these actions.

Changed

  • Dependency security maintenance
    • Updated symfony/yaml to 8.0.12 in Composer dev dependencies and the locked dependency set.

v3.14.0

Full Changelog

v3.13.0 → v3.14.0

SHA-256 (zip)

bd68703dc9140caa8f7cbc8c1a4be004ef9e665d01316fd527fe38b0a76b99e5  FileRise-v3.14.0.zip

v3.13.0

07 May 07:20

Changes 05/07/2026 (v3.13.0)

release(v3.13.0): DOMPurify and phpseclib dependency updates

Commit message

release(v3.13.0): DOMPurify and phpseclib dependency updates

- deps(frontend): upgrade bundled DOMPurify from 3.3.1 to 3.4.2
- deps(composer): upgrade phpseclib/phpseclib to 3.0.52

Changed

  • Dependency security maintenance
    • Updated bundled DOMPurify from 3.3.1 to 3.4.2 and pointed the app shell at the new vendored path.
    • Updated phpseclib/phpseclib to 3.0.52 in Composer dependencies and the locked dependency set.

v3.13.0

Full Changelog

v3.12.0 → v3.13.0

SHA-256 (zip)

d10522271eeadb3556329ab87b292faf5b143b7035dea78c1a0d63f4e3ad977e  FileRise-v3.13.0.zip

v3.12.0

30 Apr 00:57

Changes 04/29/2026 (v3.12.0)

release(v3.12.0): TOTP setup flow hardening

Commit message

release(v3.12.0): TOTP setup flow hardening

- auth(totp): tighten setup QR access to fully authenticated profile sessions
- auth(totp): avoid reusing existing TOTP enrollment data during setup

Fixed

  • TOTP setup flow hardening
    • Tightened TOTP setup so enrollment QR generation is only available from a fully authenticated profile session.
    • Accounts that already have TOTP configured are no longer offered a setup QR for the existing enrollment.
    • Existing TOTP sign-in, recovery-code, disable, and first-time setup flows remain supported.

Changed

  • Authenticator re-enrollment behavior
    • Users who need to enroll a replacement authenticator should disable TOTP and enable it again to generate a fresh enrollment.

v3.12.0

Full Changelog

v3.11.2 → v3.12.0

SHA-256 (zip)

40e8c5c1c30f6196c0dabe69437377ddb9ca6a7fba4440de4e63e6da152673a2  FileRise-v3.12.0.zip

v3.11.2

17 Apr 01:58

Changes 04/16/2026 (v3.11.2)

release(v3.11.2): phpseclib security dependency update

Commit message

release(v3.11.2): phpseclib security dependency update

- deps(composer): upgrade phpseclib/phpseclib to 3.0.51 to pick up the latest upstream security fix

Changed

  • Dependency security maintenance
    • Updated phpseclib/phpseclib to 3.0.51 in Composer dependencies to pick up the current upstream security fix in the locked dependency set.
    • This release addresses the upstream advisory covering variable-time HMAC comparison in SSH2::get_binary_packet().

v3.11.2

Full Changelog

v3.11.1 → v3.11.2

SHA-256 (zip)

ab30b6a719d042ba638332d136870449a2f94d9355b85b00e939cb55989909ff  FileRise-v3.11.2.zip

v3.11.1

25 Mar 02:37

Changes 03/24/2026 (v3.11.1)

release(v3.11.1): shared-hosting worker fallback and deleted-user session invalidation (closes #110)

Commit message

release(v3.11.1): shared-hosting worker fallback and deleted-user session invalidation (closes #110)

- transfer(shared-hosting): fall back from shell_exec to exec or foreground workers so move/copy/zip jobs stay usable on restrictive hosts (#110)
- compat(shell): degrade ClamAV, archive, and admin diagnostics paths cleanly when PHP command execution is unavailable
- auth(delete-user): invalidate deleted-account sessions and revoke remember-me tokens so removed users cannot regain access on subsequent requests

Fixed

  • Shared-hosting transfer compatibility

    • Fixed a case where move/copy jobs could fail with 500 on hosts that disable proc_open() / shell_exec() and similar process-launch functions, leaving folder operations unusable.
    • FileRise now falls back to safer worker-launch paths and foreground execution where appropriate so transfer and ZIP workflows remain usable on more restrictive shared-hosting environments.
  • Deleted-account session invalidation

    • Fixed a case where a deleted account could continue using an already-established session until the PHP session expired or the web service was restarted.
    • Deleted users can no longer regain access through remember-me restoration, and user deletion now revokes stored remember-me tokens for that account.

Changed

  • Shell-dependent feature degradation
    • Shell-backed features now report clearer host limitations when PHP command execution is unavailable instead of failing with less actionable worker or command errors.
    • ClamAV diagnostics, archive operations, and related admin/runtime checks now degrade more cleanly on locked-down hosts.

v3.11.1

Full Changelog

v3.11.0 → v3.11.1

SHA-256 (zip)

5d3d21169fee0b2c6e6707eeee4cc89b74f7d8392d8a5963eaa71be7fbc81624  FileRise-v3.11.1.zip

v3.11.0

20 Mar 08:03

Changes 03/20/2026 (v3.11.0)

release(v3.11.0): snippet ownership enforcement and phpseclib security update

Commit message

release(v3.11.0): snippet ownership enforcement and phpseclib security update

- file(snippet): enforce per-file read_own ownership checks before returning hover-preview snippet content
- file(snippet): align snippet access with the existing single-file read authorization helper path
- deps(composer): upgrade phpseclib/phpseclib to 3.0.50 to pick up the latest upstream security patch

Fixed

  • Snippet access control for own-only folders
    • The file snippet / hover-preview endpoint now enforces the same per-file ownership check already used by other single-file read paths when access comes only from read_own.
    • Users with own-only visibility can no longer retrieve snippet content from files uploaded by other users in the same folder.

Changed

  • Dependency security maintenance
    • Updated phpseclib/phpseclib to 3.0.50 in Composer dependencies to pick up the current upstream security fix in the locked dependency set.

v3.11.0

Full Changelog

v3.10.0 → v3.11.0

SHA-256 (zip)

a9884226d9bf0f0869de0574da06113bce3f750806e322d5d4ac17234bd475b3  FileRise-v3.11.0.zip

v3.10.0

17 Mar 03:33

Changes 03/16/2026 (v3.10.0)

release(v3.10.0): resumable upload hardening and ONLYOFFICE callback authorization tightening

Commit message

release(v3.10.0): resumable upload hardening and ONLYOFFICE callback authorization tightening

- upload(resumable): stop deriving temporary chunk directories from raw client identifiers and switch to hashed internal temp-folder names
- upload(cleanup): require authenticated upload access for resumable temp-folder removal and keep recursive cleanup bounded to the intended staging root
- upload(compat): preserve normal resumable upload flow while making temp-path resolution consistent across probe, write, and cleanup paths
- onlyoffice(callback): issue save callbacks only for editable sessions, bind callbacks to the authorized actor/file, and stop trusting body-supplied editor identities
- onlyoffice(origin): restrict callback fetch URLs to the configured Document Server origin while keeping callback JWT validation compatible with existing deployments

Changed

  • Resumable temp-folder naming
    • Resumable upload staging now maps client identifiers to hashed internal temp-folder names instead of using raw identifier values directly in filesystem paths.
    • The same temp-folder mapping is now used consistently for chunk probe, chunk staging, and resumable cleanup operations.

Fixed

  • Resumable cleanup guardrails

    • Tightened resumable temp-folder cleanup so recursive deletion stays bounded to the expected staging area.
    • The resumable cleanup endpoint now requires an authenticated session with upload permission for the target folder before removing chunk temp data.
  • ONLYOFFICE save authorization

    • View-only ONLYOFFICE sessions no longer receive save-capable callback URLs.
    • ONLYOFFICE save callbacks are now bound to the authorized actor and file, and no longer trust body-supplied editor identities.
    • Save fetches are restricted to the configured ONLYOFFICE Document Server origin before FileRise downloads updated content and writes it back to disk.

v3.10.0

Full Changelog

v3.9.4 → v3.10.0

SHA-256 (zip)

f29143d5ace47f847ac43a1526ba376f16a572e30c5b4fa3127cf5325eebbd61  FileRise-v3.10.0.zip