Merge https://github.com/filebrowser/filebrowser:master (dfe6e5b) into oadp-dev#18
Open
oadp-rebasebot-app[bot] wants to merge 51 commits into
Open
Merge https://github.com/filebrowser/filebrowser:master (dfe6e5b) into oadp-dev#18oadp-rebasebot-app[bot] wants to merge 51 commits into
oadp-rebasebot-app[bot] wants to merge 51 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: oadp-rebasebot-app[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @oadp-rebasebot-app[bot]. Thanks for your PR. I'm waiting for a migtools member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
oadp-rebasebot-app
Bot
changed the title
oadp-rebasebot-cloner
Bot
force-pushed
the
rebase-bot-oadp-dev
branch
from
16a88fb to
44b416d
Compare
…, symlink escape) - http/raw.go: strip Windows backslash separators from archive entry names on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored backslash filename was emitted verbatim and could escape the extraction directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8) - http/auth.go: cap the login and signup request bodies with http.MaxBytesReader (1 MiB). The JSON decoder previously read an arbitrarily large password into memory before bcrypt truncated it, enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4) - files/file.go, http/resource.go: add files.WithinScope and refuse to follow a symlink whose on-disk target escapes the user's scoped root, on both the read path (stat) and the write path (writeFile). Prevents a scoped user from reading/overwriting/sharing files outside their scope via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Check WithinScope for src and dst in resourcePatchHandler before fileutils.Copy/MoveFile, which follow symlinks and bypassed the stat()/writeFile() guards (GHSA-239w-m3h6-ch8v).
Compare the share token with subtle.ConstantTimeCompare instead of ==.
Prevents browsers from MIME-sniffing uploaded files into a renderable type.
WithinScope compared targets against root+separator, which produced "//" when the scope resolved to "/". No path matched, so every write was rejected with os.ErrPermission (HTTP 403), breaking saves and uploads for root-scoped installs. Skip the appended separator when root already ends in one.
…blic-share recipients read and write files outside of scope
New config option: --branding.disableUserProfile This option allows to disable User Profile together with User settings. Signed-off-by: Michal Pryc <mpryc@redhat.com>
New config option: --branding.defaultLoginUser "username" This option allows to provide default Username, which will result in hiding username field from the welcome page. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Removes Help options "Delete" and "Rename" if the following permissions are revoked from a particular user: --perm.delete=false --perm.rename=false Signed-off-by: Michal Pryc <mpryc@redhat.com>
Add multi-stage Containerfile for UBI-based builds. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Adds OWNERS file. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Fix downstream changes to match upstream refactored functions. Signed-off-by: Michal Pryc <mpryc@redhat.com>
Disable Validate Title check (semantic commit PR titles are not used downstream). Fix Go version to 1.25 and add oadp-* branches to CI triggers.
oadp-rebasebot-app
Bot
changed the title
oadp-rebasebot-cloner
Bot
force-pushed
the
rebase-bot-oadp-dev
branch
from
44b416d to
a7a33ec
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.