# ProjectSend r2029

## New Features

- **TOTP Two-Factor Authentication** — Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
- **In-App Changelog Viewer** — After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline — no need to leave the admin panel.

## Security Updates

- **Fix stored XSS via event handler attributes** — `strip_tags()` with an allowlist preserved event handlers (`onfocus`, `onmouseover`, etc.) on allowed tags when rendering file and group descriptions. All attributes are now stripped from allowed tags.
- **Harden session cookies** — Added `HttpOnly`, `Secure` (on HTTPS), and `SameSite=Lax` flags to prevent JavaScript from reading session cookies and reduce hijacking risk.
- **Restrict auto-update downloads to official server** — The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted, preventing installation of malicious archives.
- **Fix CSRF on file upload endpoint** — The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk and the bypass constant has been removed.
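To make two of the fixes above concrete, here is an added illustration (not ProjectSend's own code) of why `strip_tags()` with an allowlist is not enough on its own, and of an HTTPS-plus-host allowlist check for the updater; the tag allowlist and the exact host `projectsend.org` are assumptions chosen for the example.

```php
<?php
// Added example, not ProjectSend's code. Allowed tags and host are assumptions.
const DESCRIPTION_ALLOWED_TAGS = '<p><br><strong><em><ul><ol><li><a>';
const UPDATE_HOST = 'projectsend.org';

// Before: strip_tags() removes disallowed tags but keeps every attribute on
// the allowed ones, so an inline event handler survives into the rendered page.
function sanitize_description_before(string $html): string
{
    return strip_tags($html, DESCRIPTION_ALLOWED_TAGS);
}

// After: keep the allowed tag names only and drop all of their attributes.
// A regex is enough for this illustration; a DOM-based sanitizer is the
// robust choice for untrusted markup with odd quoting or nesting.
function sanitize_description_after(string $html): string
{
    $stripped = strip_tags($html, DESCRIPTION_ALLOWED_TAGS);
    // Rewrite every opening tag "<name ...attrs...>" as the bare "<name>".
    return preg_replace('/<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/', '<$1>', $stripped);
}

// Updater allowlist: HTTPS only, exact match on the official host,
// and no userinfo or explicit port that could disguise another origin.
function is_allowed_update_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'https'
        && strtolower($parts['host']) === UPDATE_HOST
        && !isset($parts['user'])
        && !isset($parts['pass'])
        && !isset($parts['port']);
}

// Constructed sample inputs: a description carrying an event handler on an
// allowed tag, and three candidate update URLs.
$description = '<p onmouseover="alert(1)">Hello</p><script>x</script>';
echo sanitize_description_before($description), "\n";
echo sanitize_description_after($description), "\n";
var_dump(is_allowed_update_url('https://projectsend.org/releases/update.zip'));
var_dump(is_allowed_update_url('http://projectsend.org/releases/update.zip'));
var_dump(is_allowed_update_url('https://updates.example.net/update.zip'));
```

The first `echo` still contains the `onmouseover` attribute, the second prints a bare `<p>Hello</p>x`; only the first URL passes the allowlist.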

## Improvements

- **Redesigned error pages** — Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page instead of 403.
- **PHP version pre-check in auto-updater** — The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
- **Refreshed GitHub presence** — Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates for bug reports and feature requests.

## Bug Fixes

- Fix 403 on all downloads caused by accidental removal of `$allowed_levels` from `process.php`.

## Maintenance

- PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
- PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

# ProjectSend r2002

## Security

- **Path Traversal Fix in Import Orphans:** Sanitized filenames with `basename()` before constructing file paths in the import and delete actions, preventing directory traversal attacks via crafted POST values (#994)

## Bug Fixes

- **Dashboard Storage Usage Calculation:** Fixed the file size migration that hit PHP memory/time limits on large installations, leaving most size values at 0. Added a "Recalculate Storage" button for admins (#1533)
- **Gulp 5 Corrupting Font Files:** Fixed binary font files being corrupted during build due to Gulp 5's default UTF-8 encoding (#1531)
- **HTML Output of File Descriptions:** Fixed CKEditor file descriptions showing raw HTML tags instead of rendered content across all templates (#1528)
- **PHP 8.2 Deprecation Warnings:** Fixed "Creation of dynamic property" warnings in the CustomAsset class
- **Bullets Alignment:** Fixed list bullet alignment in public download descriptions

## Improvements

- **Timezone Select Refactor:** Rewrote the timezone selector to use the standard form system with proper optgroup support

## Maintenance

- Translation strings updates

# ProjectSend r1945

## 🔐 Security & Enterprise Features

- **Server-Side File Encryption:** AES-256-GCM authenticated encryption for files at rest, with support for cloud storage
- **Advanced Permissions System:** Complete overhaul with granular controls and custom role creation
- **Enhanced LDAP/Active Directory:** Improved enterprise authentication with dynamic role management and smart fallbacks
- **Security Fixes:**
  - XSS vulnerability fixes in the file editor and custom download aliases (reported by Raducu Alexandru-ionut)
  - Server software info escaping
  - Secure random string generation (found by hassan al-khafaji)
  - Prevention of unauthorized file previews

## 📁 File Management

- **Download Limits:** Set per-user or total download caps with automatic enforcement and abuse prevention
- **Disk Quota Management:** Per-account storage limits with real-time usage tracking
- **Redesigned File Editor:** Modern tabbed interface with bulk operations and mobile optimization
- **External Storage Integration:** AWS S3 support with flexible upload destinations and file import capabilities
- **Batch File Encryption Tool:** Encrypt multiple files at once
- **Enhanced Folder System:** Improved folder visibility for clients with better permission handling

(contributions by Matani-Git)

## 🎨 Customization & UI

- **9 New Themes:** Expanded from 3 to 9 professional themes, including Modern, Retro90s, Dark Cards, Business, and Google-like templates
- **Email Templates & Themes:** Visual editor with CKEditor integration, multiple professional designs, and dynamic variables
- **Custom Fields System:** Add custom fields for users and clients with drag-and-drop ordering and multiple field types
- **Enhanced User Interface:**
  - Unsaved changes warnings
  - Data preservation on validation failures
  - Light/dark mode toggle for admin pages
  - Improved form validation and required field indicators
  - Cards view for manage files with details sidebar

## ⚙️ System Improvements

- **System Auto Update:** Automatic updates with zero downtime and configurable channels (stable/beta)
- **Regenerate Thumbnails:** Advanced thumbnail regeneration tool with filtering, custom dimensions, and date range support
- **Multiple CAPTCHA Methods:** Choose from reCAPTCHA v2, v3, or Cloudflare Turnstile
- **Remember Me Option:** Persistent login sessions with configurable duration
- **Favicon Customization:** Upload custom favicon files
- **Dashboard Widgets:** New download analytics and storage analytics widgets with drag-and-drop positioning
- **Roles Manager:** Complete role and permission management interface with custom role creation

## 🐛 Bug Fixes & Improvements

- Fixed session expiring with "Remember me" checked
- Fixed missing "Manage files" link with correct permissions
- Fixed SMTP authentication (by dawnstrider)
- Fixed username validation to allow underscores (by xia-stan)
- Fixed folder display issues for clients (by Matani-Git)
- Fixed 500 error when users upload files (by Matani-Git)
- Fixed actions log sorting (by rainyday4me)
- Fixed custom downloads table missing ID
- Fixed video preview functionality (by Nimon77)
- Fixed double X in close modal button (by rob4226)
- Fixed uploads folder .htaccess (by log4en)
- Fixed bad redirects (found by MGPhil)
- Fixed cronjob example (by ehawman)
- Registration bug fix (by bmartin13)
- Fixed deprecated dynamic property warnings (by raduhazsda)
- Fixed plupload styling for dark mode
- Preserve form data on errors
- Light mode set as default
- Added missing CSRF protections
- Fixed toggle styling

## 🔧 Technical Improvements

- PHPStan implementation with baseline (co-authored by Claude)
- Updated dependencies: axios, @babel/traverse, follow-redirects
- GitHub Actions for security scanning and build status
- Composer validation fixes
- Support for environment variables in SMTP configuration (by redondi88)
- CodeMirror loaded from local lib (node_modules can be excluded)
- Auto-calculation of version numbers for releases
- Improved chunk size configuration (fixes #1203)