Sftpgo Versions Save

Bug fixes:

• Fixes paths validation for some Windows specific edge cases: in previous versions, you can get high CPU usage if you reference a path on a missing drive.
• FTP: check the TYPE parameter in a case-insensitive manner: fixes compatibility with some scanners.
• S3: improve "directories" detection.
• WebUI: respect token validation mode for CSRF header.
• OpenAPI: fix charset and some wrong documented responses.
• EventManager: fix placeholders for filesystem events paths.

New features:

• WebClient: add drag and drop upload UI.
• sftpd: add support for DH Group Exchange KEX.

Bug fixes:

• S3: fix SeaweedFS compatibility.
• AzBlob: fixed support for blobs with Data Lake Storage Gen2 feature enabled.
• AzBlob: fixed recursive directories deletion from the WebClient.

New features

• EventManager: allow to access the backup file.
• EventManager: add a placeholder to get the parent directory.
• WebUI: try harder to prevent browsers from auto-filling in password fields.
• WebClient: make folder deletion recursive.

Bug fixes

• Shared providers: allow to immediately re-add soft-deleted users and event rules.
• Plugins: fix hash check.
• Fix restore of users with MFA configuration.

New features

• EventManager: this is the major new feature in this release, it allows custom workflows based on server events or schedules. Take a look at the docs and some common use cases.
• Allow to set environment variables from files inside the env.d directory relative to config dir. This is the recommended method to configure SFTPGo if you are not using it in Docker/Kubernetes, so that after updating SFTPGo you will avoid merging your custom settings with the updated configuration file. Take a look at the updated getting started guide.
• WebAdmin: allow to simplify the add/update user page.
• WebClient: allow partial downloads from shares.
• Allow to refuse an upload if the post-upload hook/action fails.
• Allow cross virtual folder renaming if the underlying resource is the same.
• SFTP: fix relative symlinks handling.
• Postgres data provider: switch to pgx driver and add multi hosts support.
• Experimental HTTPFs storage backend: you can implement your own storage backend by implementing a REST API.
• Multi-node installations: added support for inter-node communications. The list of active sessions includes clients from all nodes.
• Added support for graceful shutdown.
• More granular log level control.
• WebDAV: allow to set last modification time.
• WebDAV: allow to disable the WWW-Authenticate header if the authentication fails.
• FTP/WebDAV: add support for anonymous users.
• FTP: allow to require TLS on a per-user basis.
• Allow to parametrize the default expiration for shares.
• Allow a client if its IP is both allowed and denied. So you can define a default group deny policy that can be overridden on a per-user basis.
• Allow to disable REST API.
• Command hooks: allow to set custom arguments.
• Build: added support for embedding templates and other static files.
• Add support for checking sha256crypt passwords.
• Azure Blob: port to the latest SDK.
• Other minor fixes and improvements.

Backward incompatible changes:

• Removed the auto-backup feature from the configuration file. You can now schedule backups using the EventManager.
• Removed the log-verbose flag from the serve sub-command. Replaced from the more generic log-level flag.
• Replaced retention report emails with CSV reports.
• Script based hooks don't receive anymore global environment variables for security reasons. You have to explicitly set any environment variable such as PATH etc., in the "command" configuration section, if you need them.

• FTP: fix APPE command issued on non-existent files
• Azure Blob: use UUIDs as block IDs
• WebClient: validate PDF files before rendering

• WebClient/HTTP API: ensure to check home dir, when needed, in multi-node setups
• FTPD: return paths relative to the working directory in NLST responses
• Security: fix XSS vulnerabilities in WebClient

• OIDC: allow to get the role field from a sub-struct.
• Docker: add a variant with official plugins included. For now the only tag published is v2.3.4-plugins. The other usual tags will be added in the next release.
• FTP: fix MLST, the initial space prefix was missing.
• FTP: always generate a defender event if the client does not authenticate.
• Security: fix recovery codes abuse

• AzBlob: fix SAS URL with embedded container name.
• Allow to edit profile for users logged in via OIDC

• Fix data provider reset command.
• Fix sql tables prefix handling. The prefix was missing on some tables.
• Backup: include folders set on groups.
• Config: fix get branding from env vars.
• S3: fix renaming large files and improve rename performance.
• OIDC: allow to configure OAuth2 scopes.
• OIDC: added a debug option to allow you to inspect the received id_token.
• WebAdmin/WebClient: allow to disable OIDC login button and/or login forms per-binding.
• WebAdmin: update moment.js to 2.29.4 to fix a security issue.
• User templates: apply placeholders also for start directory.
• WebClient: add an HTML5 player.
• Add a link to donations/sponsorships options on the setup page: helping the project is very important or it will die in the long run.

Backward incompatible changes:

• if you are using sql_tables_prefix please add the defined prefix where it is missing by renaming the affected tables. Before v2.3.2 the prefix was not applied to some tables. This bug has been fixed, but database consistency must be ensured before upgrading.

• WebAdmin: change date formatting to ensure Safari compatibility.
• Fix IP proxy header parsing if listening on UNIX domain socket.
• Fix compatibility with MySQL 8.x.
• YUM and APT repo are now available.