
@monkeyiq monkeyiq released this May 26, 2020

Release Version 2.18

Release date: 27 May 2020.

Distribution

Source snapshots are attached to this announcement and the git tag master-filesender-2.18 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.17

Execution of scripts/upgrade/database.php is required. Some new views have been created and a column type modified. There are changes in the templates directory.

Guest creation and reminders can now be rate limited on how frequently they can occur. Note that while there is already a limit on the number of guests a user can create, a user might attempt to be nasty by creating a bunch of guests and then deleting them all so they can remake more. This update introduces a new 'rate' of creation limit allowing a cap on per day guest creation activity with new configuration settings.

This rate limiting feature relies on the auditlog to keep track of how many times the user reminds a guest or tries to create a guest.

To complement the new rate limiting there is a new section in the admin / users page allowing a site administrator to see who hit the guest creation total limit, who hit the rate limit, who has deleted the most guests that did not send even a single file, and who has deleted the most guests in all. While a typo would mean deleting a guest that didn't send a file, it is unlikely that a user will delete a whole bunch of unused guests that didn't do anything themselves as that sort of goes against the reason to make the guest in the first place. #787

The my transfers page now allows sorting transfers by clicking on the table headers. The number of transfers to display was increased and the closed transfers have been moved on to their own subpage. #796

The admin / transfers page can now be sorted by clicking on the table headers. #794

The admin / transfers page now allows searching by transaction id range #800 #802

A new configuration option (admin_can_view_user_transfers_page) which, when enabled, allows an admin to view a "my transfers" page as a specific user. When this option is enabled an admin can find a user in admin / users and then click to see the "my transfers" page that that user would see instead of their own. The menu item colour, menu item text, and top banner are changed when in this mode to hint to the sys admin that they are not dealing with their own transfers but with user data and so should be very careful. #799

A new validation script, scripts/upgrade/checkconfig.php, was added to allow more complex config.php verification than would be desirable on normal user access. #795

Some transfer options can now be removed in the my transfers page. At the moment this is limited to removing the daily statistics option from an existing transfer. #801

An update to the localuserdb user creation web code #797

The PostgreSQL CI upgrade test dataset was reduced in size due to an out of disk on Travis with one of the new indexes. #788

As a number of issues have been reported relating to cron job execution a new CI task was added to populate a custom database and update the expires time before running the cron job and verifying that jobs are closed as expected. These jobs include both single file and directory tree uploads and one of each is retired during cron execution and one of each is left active. Hopefully this should help catch issues with cron execution by executing a wider range of code and also hitting more database code. #798

Update to RestServer to be quietly resilient to non array response data #786

Fixed an issue with REMOTE_ADDR and cron execution by allowing that to resolve to 127.0.0.1 if being set from a cron job #792

Translatableemails.variables is now a mediumtext to allow cron job execution in some cases where that field was too small. No changes were needed on PostgreSQL as the field was not limited in size in the same manner. #791

Two of the Collection subtypes have been split out to avoid an issue in cron job execution #790

A new window.filesender.log() function is to be used in preference to console.log() so that the logging will be collected on browsers that disable logs when the developer console is not open. #793

Internationalization new terms imported to poeditor #789 #805 #804

From a development perspective:

The new rate limiting functionality #787 uses a new Logger::logActivityRateLimited() method as a single point of call to either return normally or throw an exception if the rate is too high when taken against a configuration setting. This new method acts like Logger::logActivity() but will also log a "rate limit hit" if called too frequently and then throw an exception. This effectively rolls a whole control block to verify rate limiting into a single function call.
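The following sketch is an added example, not FileSender's PHP code: it models audit-log-based rate limiting as described above and shows why counting creation events catches a create-and-delete loop that the total guest cap misses. The audit log layout, the function signatures and `max_guests_per_user` are assumptions; only the `guest_create_limit_per_day` key comes from these notes.

```javascript
// Added example, not FileSender code. guest_create_limit_per_day is from the
// release notes; the audit log layout and function signatures are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;

const config = {
  guest_create_limit_per_day: 3, // 0 would disable the rate limit
  max_guests_per_user: 2,        // hypothetical name for the existing total cap
};

class RateLimitError extends Error {}

// Log the event, unless the same user already logged `limitPerDay` of them in
// the last 24 hours; in that case log a "rate limit hit" entry and throw.
function logActivityRateLimited(auditLog, event, user, limitPerDay, now) {
  if (limitPerDay > 0) {
    const recent = auditLog.filter(
      (e) => e.event === event && e.user === user && now - e.created < DAY_MS
    ).length;
    if (recent >= limitPerDay) {
      auditLog.push({ event: 'rate_limit_hit', target: event, user, created: now });
      throw new RateLimitError(`${event}: limit of ${limitPerDay} per day reached for ${user}`);
    }
  }
  auditLog.push({ event, user, created: now });
}

function createGuest(state, user, email, now) {
  const live = state.guests.filter((g) => g.owner === user).length;
  if (live >= config.max_guests_per_user) throw new Error('guest total limit reached');
  // Single call: returns normally or throws before the guest is created.
  logActivityRateLimited(state.auditLog, 'guest_created', user,
    config.guest_create_limit_per_day, now);
  state.guests.push({ owner: user, email });
}

function deleteGuest(state, user, email) {
  // Deleting frees a slot under the total cap but leaves the audit log intact.
  state.guests = state.guests.filter((g) => !(g.owner === user && g.email === email));
}

// Admin-side view: users who hit the rate limit, with hit counts.
function rateLimitHits(auditLog) {
  const hits = {};
  for (const e of auditLog) {
    if (e.event === 'rate_limit_hit') hits[e.user] = (hits[e.user] || 0) + 1;
  }
  return hits;
}

// Constructed scenario: one user creates and deletes guests in a loop.
function churn(state, user, rounds, now) {
  let created = 0;
  for (let i = 0; i < rounds; i++) {
    try {
      createGuest(state, user, `guest${i}@example.org`, now + i * 1000);
      deleteGuest(state, user, `guest${i}@example.org`);
      created += 1;
    } catch (err) {
      if (!(err instanceof RateLimitError)) throw err;
    }
  }
  return created;
}
```

Because the count is taken over logged events, the live guest list stays empty throughout the loop while the daily limit still trips.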

DBObject now has a count() method to complement the all() method if you only want a count of results from a query. #787

Configuration changes

  • guest_reminder_limit_per_day
    Limit the number of guest reminders a user can send to each guest per day (default to 0 which means disabled)
  • guest_create_limit_per_day
    Limit the number of guests a user can create per day (default to 0 which means disabled)
  • admin_can_view_user_transfers_page
    when set to true allows the admin to view the my transfers page the way a user would see their page (default to false)

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Apr 29, 2020 · 3 commits to master since this release

Release Version 2.17

Release date: 29 April 2020.

Distribution

Source snapshots are attached to this announcement and the git tag master-filesender-2.17 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.16

If upgrading from 2.16:

  • Execution of scripts/upgrade/database.php is NOT required.
  • There are NO changes in the templates directory.

This release fixes an issue with recent email address lookup on the upload page when not using local saml databases #784

Configuration changes

None.

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Apr 26, 2020 · 4 commits to master since this release

Release Version 2.16

Release date: 26 April 2020.

Distribution

Source snapshots are attached to this announcement and the git tag master-filesender-2.16 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.15

Execution of scripts/upgrade/database.php is required. There are changes in the templates directory. Changed templates are admin_users_section.php, download_page.php, statistics_page.php and user_page.php. The database migration script will need to run to create some new columns and a new index.

Many bug fixes, some security related updates, and the new feature that FileSender can now authenticate using a custom SimpleSAMLphp module against users stored in the local filesender database.

A new random roundtriptoken can be created and verified to ensure that the same Web browser is used to create an upload and complete it. #764

Frequently used email addresses are only sent over HTTP POST to avoid the potential for bad interactions with proxies and other potential data leaks. #765

Improved jquery in the transfers table to only show options that are permissible to users #775

Permission checks for transfers are now performed by a central havePermission() method #777

Attempts by guests to modify part of a transfer are now blocked #778

The filesender.py script has improved handling of SSL warnings #774

The password entered on the download page is now hidden by default with an option to reveal it. This is more in line with the upload page functionality and should be more secure in environments where the screen is not absolutely secure from inspection at download time. #772

The transfer::getUsage now performs the size calculation in the database server instead of transferring numbers back to PHP to sum. #776

Frequent email address lookups are now performed case insensitive #770

A new DBObject::countEstimate() method was added to allow finding the estimated number of tuples in a database table. This should be quicker than select count(*) as it can use the database statistics to give an approximate answer. This is used to display the number of users in the global_statistics section of the statistics page #771

Improved error message when you attempt to download a transfer that is expired or deleted #769

Improvements to how client ip lookup is configured and performed #751 #752

A new SimpleSAMLphp module to allow the user setup and passwords to be handled by FileSender itself. This allows very small scale 1-30 people servers to easily be set up. #761 #763

Web interface for SimpleSAMLphp local filesender authentication mode. #762

lang.js variable replacement has an improved outcome when it encounters a request for variable replacement on null and undefined values #750

On upload page, sending is blocked if the password is too short #755 #756

A new database index was added on AuditLogs.created #749

User language preference is restricted to only when there is an active user #759

IPv6 addresses have ::ffff: removed when displaying IPv4 addresses d479607

A fix for some web environments for the python client download script relating to the generation of filesender.py.ini #746

Cleanup of known installations in documentation #760

Fix for typo in config-templates/apache/filesender.conf #758

Documentation fix for reports_show_ip_addr default value to properly reflect the real default value 1e39ece

Translations from poeditor were imported into github #753 #779

New terms exported to github #768

This relates to and includes the development branch up to and including 865a499

Configuration changes

chunk_upload_roundtriptoken_check_enabled
chunk_upload_roundtriptoken_accept_empty_before
using_local_saml_dbauth

Turning on chunk_upload_roundtriptoken_check_enabled will enable a check that a new random token is returned with each file chunk that is uploaded for a transfer. That new token is only returned to a client when a transfer is created. The chunk_upload_roundtriptoken_accept_empty_before setting can be used to allow transfers that started before the new roundtriptoken was introduced to continue. It allows an admin to set a grace time so that people can return, reload and resume an upload even after chunk_upload_roundtriptoken_check_enabled is enabled.
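A server-side sketch of the check described above, as an added example rather than FileSender's own PHP code. Only the two configuration keys come from these notes; the record layout, the function names, the epoch-millisecond format of the grace setting and all sample values are assumptions.

```javascript
// Added example, not FileSender code. Config key names are from the release
// notes; everything else (record fields, value formats) is assumed.
const crypto = require('node:crypto');

const config = {
  chunk_upload_roundtriptoken_check_enabled: true,
  // Assumed format: epoch milliseconds. Constructed value.
  chunk_upload_roundtriptoken_accept_empty_before: Date.parse('2020-05-03T00:00:00Z'),
};

// Transfer creation is the only point where the token is handed to the client.
function createTransfer(id, now) {
  const roundtriptoken = crypto.randomBytes(32).toString('hex');
  const record = { id, created: now, roundtriptoken };  // kept by the server
  return { record, response: { id, roundtriptoken } };  // sent to the browser
}

// Constant-time comparison so the check does not leak how many characters matched.
function tokensMatch(presented, expected) {
  const a = Buffer.from(String(presented));
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether one uploaded chunk may be written to the transfer.
function checkChunk(cfg, record, presentedToken) {
  if (!cfg.chunk_upload_roundtriptoken_check_enabled) return 'accept: check disabled';
  if (!record.roundtriptoken) {
    // The transfer was started before tokens were issued: an empty token is
    // tolerated only for transfers created before the configured grace time.
    const inGrace = !presentedToken &&
      record.created < cfg.chunk_upload_roundtriptoken_accept_empty_before;
    return inGrace ? 'accept: legacy transfer in grace window' : 'reject: token required';
  }
  if (!presentedToken) return 'reject: token missing';
  return tokensMatch(presentedToken, record.roundtriptoken)
    ? 'accept: token matches'
    : 'reject: token mismatch';
}
```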

The using_local_saml_dbauth config allows authenticating users using the local filesender database. See the README for details on this feature and how to set it up. https://github.com/filesender/filesender/blob/development/scripts/simplesamlphp/passwordverify/README.md

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Feb 4, 2020 · 5 commits to master since this release

Release Version 2.15

Release date: 4 Feb 2020.

Distribution

Source snapshots are attached to this announcement and the git tag master-filesender-2.15 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.14

Execution of scripts/upgrade/database.php is required.
There are changes in the templates directory.

This release includes a number of maintenance related updates and also an update to the Filesender REST API code to allow a specific AuP to be shown and user confirmed before generating a REST secret.

Update filesender.py to use a configuration file for storing user name, api secret, and base_url. This PR also includes an update for sites where get_a_link is true by default, and explicit citation of python3 as the interpreter required. #717

Ability to delete and create the api secret. This also allows the creation to be behind a REST API specific AUP if a site wishes. #718 #730

Make the filesender.py script accept the aup as it can not have an api secret unless the user has already accepted the site REST API AUP. #719

Allow the site admin to delete the API secret for specific users or all users. The latter is useful for introducing an AUP. #720

New buttons to send and clear the client logs on the 'my profile' page. These were added to help debug a report that client logs were not being sent. With the buttons an admin can test the sending and inspection for their site. #725

Some updates to clientlogs handling #732 #731

There was an issue in the transfer logs where the file name was shown as undefined. This has been updated client side and a new server side update allows the full path to be seen or just the file name depending on if the upload was part of a directory upload or simply a file respectively. #723

Update for admin/users/client logs table border #726

If you select to see the transfer log for a single file on 'my transfers' page then only show the dialog for the file rather than the dialogs for the file and transfer (two modal dialogs at once is bad form). When you select to see an email log of a file transfer history, send information for just that file rather than for the whole transfer. #727

On my transfers page, for get_a_link=false transfers show the subject and message as well. The information is now also formatted into a table for cleaner presentation. #728

refresh the documentation to remove references to Flash that are no longer useful https://github.com/filesender/filesender/pull/722/files

update for cast_as_number #721

update list of active terms and import the english translations into poeditor. #729

translations update #738

merge to master for release #741 #743

Configuration changes

A new api_secret_aup_enabled was added (false by default) which allows an AuP for use of the REST API to be shown before user agreement is obtained prior to generating a REST secret. See https://github.com/filesender/filesender/blob/development/docs/v2.0/admin/configuration/index.md#api_secret_aup_enabled

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Dec 28, 2019 · 6 commits to master since this release

Release Version 2.14

Release date: 28 Dec 2019.

Distribution

Source snapshots are attached to this announcement and the git tag filesender-2.14 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.13

Execution of scripts/upgrade/database.php is not required.
There are no changes in the templates directory.

This release will use a web assembly implementation of PBKDF2 on Edge and IE11 which lack the capability in their WebCrypto implementation. This is only active in those two browsers in key_version=1. Files uploaded using Edge and IE11 in key_version=1 will be downloadable in other browsers and vice versa. This update should be of particular interest to those who have been using key_version=0 in order to support these specific browsers. This has been tested in IE11 and Edge on Windows 10. Some updates have been merged for IE11 compatibility.

An auditlogs query was split into two queries in order to work across mariadb and postgresql and versions of each.

Configuration changes

Added crypto_pbkdf2_dialog_custom_webasm_delay which allows dialogs to still appear before the webasm code is run which might make things unresponsive on some browsers. This is only effective when using webasm pbkdf2 which is itself only done on IE11 and Edge when key_version=1.

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Dec 2, 2019 · 7 commits to master since this release

Release Version 2.13

Release date: 2 Dec 2019.

Distribution

Source snapshots are attached to this announcement and the git tag filesender-2.13 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.12

Execution of scripts/upgrade/database.php is not required.
There are no changes in the templates directory.

This update fixes some javascript issues with IE11 (#705) and makes the auditlog cron query work cross database (#704).

Configuration changes

None.

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Nov 28, 2019 · 8 commits to master since this release

Release Version 2.12

Release date: 28 Nov 2019.

Distribution

Source snapshots are attached to this announcement and the git tag filesender-2.12 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.11

After this release new contributions should be made against the development branch in git. When the next official release is made, the collective changes between development and master will be committed to master and a new tag generated in master. This has the outcome that master will always be the last officially released code and development will be updates made to that master code that are not yet part of an official release.

Execution of scripts/upgrade/database.php is required. After database.php is executed the script in scripts/upgrade/explicit/upgrade-2.11-to-2.12-after-database-guestsexpire.php should be executed to more explicitly enable guests which do not expire.

There are changes in the templates directory, specifically the guests_page.php and admin/testing.

The PBKDF2 algorithm is commonly used to generate a cryptographic key from a user supplied password. This algorithm has a configurable number of iterations that are performed as part of the process to make the key. The larger the number of iterations the longer it takes to generate a key from a password. This also implies that it takes longer to guess a password because each guess requires computational effort. Instead of configuring the number of iterations directly, a new parameter crypto_pbkdf2_expected_secure_to_year was added which can be between 2020 and 2030 and will override your setting for encryption_password_hash_iterations_new_files, which is the number of PBKDF2 iterations to perform. This parameter is saved for each transfer so you can alter it and existing files can still be downloaded and decrypted.

A default value for crypto_pbkdf2_expected_secure_to_year of 2027 was chosen to obtain as much security as possible with a reasonably low delay. A site admin can visit admin/testing to see how long the PBKDF2 delay is for various year settings in their browser.

Due to the PBKDF2 delay taking from a few seconds to 30 seconds depending on the browser and the specification of the PC, a new dialog was added. It is shown by default (crypto_pbkdf2_dialog_enabled) and is displayed to the user while PBKDF2 is occurring so that the user does not conclude that the lack of activity means that the system has stalled.

Many translation updates. Estonian is now imported into et_EE. Polish is imported into pl. An update to the single quoting regex in scripts/language/common.php thanks to @Phaze-III #680.
New scripts to compare two php lang files, convert from poeditor json lang format to php format, and download and import lang files directly from poeditor have been added #687. This poeditor import script gives pull requests like #691. All languages have been reimported from poeditor along the way and again just before the release.

Better handling of guests who do not expire. Such guests now have an expires time of null in the database and many issues where transfers from guests who should not expire but had an expires time in the past have been resolved. See #683

A nicer dialog is now shown when users already have the most guests the system allows them to have #684

The python REST client now takes the default number of days valid for a transfer from the server at the time it is downloaded. Thanks to @peter- for the original pull request that was updated slightly and merged in with #682

Configuration changes

Default values for these should be fine. See https://docs.filesender.org/v2.0/admin/configuration/ for details.

crypto_pbkdf2_expected_secure_to_year
crypto_pbkdf2_dialog_enabled
crypto_pbkdf2_delay_to_show_dialog

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Nov 4, 2019 · 29 commits to master since this release

Release Version 2.11

Release date: 4 Nov 2019.

Distribution

Source snapshots are attached to this announcement and the git tag filesender-2.11 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.10

Execution of scripts/upgrade/database.php is not needed.
No files in the templates directory were updated.

Cryptographic keys are now cached and reused for all FileSender chunks in an upload and download. This will have a larger performance improvement for more secure user supplied password handling where the security is partially based on the time required to convert a password into a key, for example, using very high PBKDF2 hash iteration values. See #671 for details on the caching.
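The sketch below is an added example, not FileSender code: it ties the key caching described here to the per-transfer PBKDF2 iteration count described in the 2.12 notes above, deriving the key once for all chunks and decrypting with the count stored on the transfer. Node's crypto module stands in for browser WebCrypto, and the year-to-iteration table, the SHA-256 choice, the record layout and all function names are assumptions.

```javascript
// Added example, not FileSender code: Node's crypto module stands in for the
// browser WebCrypto API, and every name and number below is constructed.
const crypto = require('node:crypto');

// Hypothetical year -> PBKDF2 iteration table (made-up values, kept small so
// the demo is quick); the real mapping is internal to FileSender.
const ITERATIONS_FOR_YEAR = { 2020: 20000, 2027: 80000, 2030: 160000 };

const keyCache = new Map(); // in-memory only, lives for one upload or download
let pbkdf2Runs = 0;         // how many times the expensive step really ran

function deriveKey(password, salt, iterations) {
  // The cache id is a hash so the password itself is not kept as a map key.
  const id = crypto.createHash('sha256')
    .update(`${iterations}:${salt.toString('hex')}:${password}`).digest('hex');
  if (!keyCache.has(id)) {
    pbkdf2Runs += 1;
    keyCache.set(id, crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256'));
  }
  return keyCache.get(id);
}

// Encrypt every chunk with AES-256-GCM. The iteration count in force at upload
// time is stored with the transfer; the password and the key are not.
function createTransfer(password, secureToYear, chunks) {
  const salt = crypto.randomBytes(16);
  const iterations = ITERATIONS_FOR_YEAR[secureToYear];
  if (!iterations) throw new Error(`no iteration count for year ${secureToYear}`);
  const encrypted = chunks.map((plain) => {
    const key = deriveKey(password, salt, iterations); // cache hit after chunk 0
    const iv = crypto.randomBytes(12);                 // fresh IV per chunk
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    const data = Buffer.concat([cipher.update(Buffer.from(plain)), cipher.final()]);
    return { iv, data, tag: cipher.getAuthTag() };
  });
  return { salt, iterations, chunks: encrypted };
}

// Decrypt with the iteration count recorded on the transfer, not the site's
// current setting, so older transfers survive a configuration change.
function downloadTransfer(transfer, password) {
  const parts = transfer.chunks.map(({ iv, data, tag }) => {
    const key = deriveKey(password, transfer.salt, transfer.iterations);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    // final() throws if the key is wrong or the chunk was modified
    return Buffer.concat([decipher.update(data), decipher.final()]);
  });
  return Buffer.concat(parts).toString('utf8');
}

// Time one derivation for a given year setting on this machine.
function pbkdf2DelayMs(secureToYear) {
  const start = process.hrtime.bigint();
  crypto.pbkdf2Sync('timing-probe', crypto.randomBytes(16),
    ITERATIONS_FOR_YEAR[secureToYear], 32, 'sha256');
  return Number(process.hrtime.bigint() - start) / 1e6;
}
```

Without the cache, the derivation would run once per chunk, so the cost of a higher iteration count would scale with file size rather than being paid once per transfer.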

Improved handling of listings that include both GCM and CBC files on the same page, for example the my transfers page.

If an encrypted file has disappeared from the back end storage and a user tries to download the file, a message that the file is not found is shown instead of 'bad password', which may have led a user to frustration trying passwords many times for such files.

Configuration changes

None.

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.


@monkeyiq monkeyiq released this Oct 30, 2019 · 32 commits to master since this release

Release Version 2.10

Release date: 31 Oct 2019.

Distribution

Source snapshots are attached to this announcement and the git tag filesender-2.10 contains the base that these snapshots were created from.

Installation

Documentation is available at http://docs.filesender.org/v2.0/install/

Upgrade Notes

Version 2.x breaks compatibility with version 1.x. We recommend a fresh installation to version 2.x of FileSender.

Major changes since 2.9

Execution of scripts/upgrade/database.php is not needed.
No files in the templates directory were updated.

On the database side: a raw reference to the 'recipients' table has been converted to use the getDBTable() to cover table name case and prefixing. A query in AuditLog::cleanup() was updated to work on more versions of MariaDB.
Update to tests to see if a foreign key exists used by upgrade/database.php.

Scoping of filesender object is always done from top level in crypto_app. DBConstantPasswordEncoding is now actively testing CGI variables for rubbish values. DatabaseUpsert and EpochType produce less logging clutter. Small update to JSON log file generation.

Configuration changes

The variable terasender_advanced has been added to ConfigDefaults.php to cover cases where it is not set explicitly in config.php.

Support and Feedback

Please lodge new github issues for things that might improve the next release!
See Support and Mailinglists and Feature requests.
