release(v3.16.0): security hardening

- security(auth): require trusted proxy source validation for proxy-header login
- security(webdav): block password-only WebDAV login for TOTP-enabled accounts
- security(extract): apply blocked upload filename policy before archive extraction
- security(setup): keep first-run setup closed after initial admin creation
- security(auth): resolve remember-me admin status from the current user role
- security(upload): reject encoded path separators before upload writes

Author: error311

CHANGELOG.md

@@ -1,5 +1,50 @@
 # Changelog
 
+## Changes 06/16/2026 (v3.16.0)
+
+`release(v3.16.0): security hardening`
+
+**Commit message**
+
+```text
+release(v3.16.0): security hardening
+
+- security(auth): require trusted proxy source validation for proxy-header login
+- security(webdav): block password-only WebDAV login for TOTP-enabled accounts
+- security(extract): apply blocked upload filename policy before archive extraction
+- security(setup): keep first-run setup closed after initial admin creation
+- security(auth): resolve remember-me admin status from the current user role
+- security(upload): reject encoded path separators before upload writes
+```
+
+**Fixed**
+
+- **Proxy-header login hardening**
+  - Proxy-header login now accepts the configured identity header only from sources listed in `FR_TRUSTED_PROXIES`.
+  - If you already use proxy-header login, set `FR_TRUSTED_PROXIES` to the reverse proxy IP or CIDR before upgrading; otherwise FileRise will ignore the identity header and users will not be auto-authenticated.
+
+- **WebDAV MFA hardening**
+  - WebDAV no longer accepts password-only Basic authentication for accounts that have TOTP enabled.
+  - Users who need WebDAV access should use an account without TOTP until a separate app-password flow is available.
+
+- **Archive extraction hardening**
+  - Archive extraction now applies the blocked upload filename policy before files are written to disk.
+  - Mixed archives can still extract allowed files while blocked file types are skipped and reported as warnings.
+
+- **First-run setup hardening**
+  - FileRise now writes a setup-complete marker after initial admin creation and also creates it automatically for existing installs with users.
+  - If `users.txt` later becomes empty, first-run setup remains closed and requires out-of-band recovery.
+
+- **Remember-me role hardening**
+  - Remember-me auto-login now resolves admin status from the current user record instead of trusting role data stored with the token.
+  - Rotated and newly issued remember-me tokens no longer store the admin flag.
+
+- **Upload filename hardening**
+  - Upload handling now rejects encoded path separators before resolving the destination path.
+  - Normal filenames and allowed folder upload paths continue to work.
+
+---
+
 ## Changes 06/11/2026 (v3.15.0)
 
 `release(v3.15.0): shared-folder boundary hardening`

README.md

@@ -260,7 +260,7 @@ export PERSISTENT_TOKENS_KEY="$(openssl rand -hex 32)"
 | `PGID`                  | Optional | `100`                            | If running as root, remap `www-data` group to this GID (e.g. Unraid’s 100).                           |
 | `FR_PUBLISHED_URL`      | Optional | `https://example.com/files`      | Public URL when behind proxies/subpaths (share links, portals, redirects). |
 | `FR_BASE_PATH`          | Optional | `/files`                         | Force a subpath when the proxy strips the prefix (overrides auto-detect). |
-| `FR_TRUSTED_PROXIES`    | Optional | `127.0.0.1,10.0.0.0/8`            | Comma-separated IPs/CIDRs for trusted proxies; only these can supply the client IP header. |
+| `FR_TRUSTED_PROXIES`    | Optional | `127.0.0.1,10.0.0.0/8`            | Comma-separated IPs/CIDRs for trusted proxies; only these can supply the client IP header or proxy-auth identity header. |
 | `FR_IP_HEADER`          | Optional | `X-Forwarded-For`                | Header to trust for the real client IP when the proxy is trusted. |
 
 > Full list of common env variables: [Common Environment variables](https://github.com/error311/FileRise/wiki/Common-Env-Variables)
@@ -354,7 +354,7 @@ Notes:
 - Persist `/var/www/metadata` so the generated persistent tokens key survives container recreation.
 - Either set your own strong `PERSISTENT_TOKENS_KEY` or let a pristine install generate one and then back up `metadata/persistent_tokens.key`.
 - Use HTTPS and set `SECURE="true"` when behind TLS/reverse proxy.
-- If behind a proxy, set `FR_TRUSTED_PROXIES` and `FR_IP_HEADER`.
+- If behind a proxy, set `FR_TRUSTED_PROXIES` and `FR_IP_HEADER`; proxy-header login also requires `FR_TRUSTED_PROXIES`.
 - Set `FR_PUBLISHED_URL` (and `FR_BASE_PATH` if needed) so share links are correct.
 - Block direct HTTP access to `/uploads` (serve only `public/` and deny access to `/uploads`, `/users`, `/metadata`).
 

config/config.php

@@ -457,7 +457,7 @@ function fr_forget_authenticated_user(bool $clearRememberCookie = false): void
         $_SESSION["folderOnly"]    = $perms['folderOnly']    ?? false;
         $_SESSION["readOnly"]      = $perms['readOnly']      ?? false;
         $_SESSION["disableUpload"] = $perms['disableUpload'] ?? false;
-        $_SESSION["isAdmin"]       = !empty($payload["isAdmin"]);
+        $_SESSION["isAdmin"]       = (\FileRise\Domain\AuthModel::getUserRole($payload["username"]) === '1');
 
         if (!empty($payload['token']) && !empty($payload['expiry'])) {
             setcookie('remember_me_token', $payload['token'], (int)$payload['expiry'], '/', '', $secure, true);
@@ -501,24 +501,32 @@ function fr_forget_authenticated_user(bool $clearRememberCookie = false): void
 if (AUTH_BYPASS) {
     $hdrKey = AUTH_HEADER;   // e.g. "HTTP_X_REMOTE_USER"
     if (!empty($_SERVER[$hdrKey])) {
-        // regenerate once per session
-        if (empty($_SESSION['authenticated'])) {
-            session_regenerate_id(true);
-        }
+        if (!\FileRise\Domain\AuthModel::isRequestFromTrustedProxy()) {
+            $remote = preg_replace('/[^A-Fa-f0-9:\.]/', '', (string)($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
+            if ($remote === '') {
+                $remote = 'unknown';
+            }
+            error_log("FileRise: ignored proxy-auth header from untrusted source {$remote}; set FR_TRUSTED_PROXIES for proxy-header login.");
+        } else {
+            // regenerate once per session
+            if (empty($_SESSION['authenticated'])) {
+                session_regenerate_id(true);
+            }
 
-        $username = $_SERVER[$hdrKey];
-        $_SESSION['authenticated'] = true;
-        $_SESSION['username']      = $username;
+            $username = $_SERVER[$hdrKey];
+            $_SESSION['authenticated'] = true;
+            $_SESSION['username']      = $username;
 
-        // ◾ lookup actual role instead of forcing admin
-        $role = \FileRise\Domain\AuthModel::getUserRole($username);
-        $_SESSION['isAdmin'] = ($role === '1');
+            // ◾ lookup actual role instead of forcing admin
+            $role = \FileRise\Domain\AuthModel::getUserRole($username);
+            $_SESSION['isAdmin'] = ($role === '1');
 
-        // carry over any folder/read/upload perms
-        $perms = loadUserPermissions($username) ?: [];
-        $_SESSION['folderOnly']    = $perms['folderOnly']    ?? false;
-        $_SESSION['readOnly']      = $perms['readOnly']      ?? false;
-        $_SESSION['disableUpload'] = $perms['disableUpload'] ?? false;
+            // carry over any folder/read/upload perms
+            $perms = loadUserPermissions($username) ?: [];
+            $_SESSION['folderOnly']    = $perms['folderOnly']    ?? false;
+            $_SESSION['readOnly']      = $perms['readOnly']      ?? false;
+            $_SESSION['disableUpload'] = $perms['disableUpload'] ?? false;
+        }
     }
 }
 

docs/wiki/oidc sso.md

@@ -80,3 +80,4 @@ Example:
 ## Proxy auth headers (advanced)
 
 If your reverse proxy authenticates users, you can disable form login and trust a header (default `X-Remote-User`) via **Admin → Login options**.
+Set `FR_TRUSTED_PROXIES` to the reverse proxy IP or CIDR before enabling this mode; FileRise only accepts the proxy-auth identity header from trusted proxy sources.

docs/wiki/webdav.md

@@ -48,6 +48,7 @@ curl -u username:password -X PROPFIND -H "Depth: 1" "https://your-server/webdav.
 
 - URL encode spaces with `%20`.
 - Use HTTPS in production.
+- Accounts with TOTP enabled cannot use password-only WebDAV Basic authentication.
 - WebDAV uploads can be capped via `FR_WEBDAV_MAX_UPLOAD_BYTES`.
 
 ---

docs/wiki/webdav2.md

@@ -52,7 +52,8 @@ Set `BasicAuthLevel` to `2`, then restart the `WebClient` service.
 
 - If FileRise is hosted under a subpath (e.g. `/files`), use:
   - `https://your-server/files/webdav.php/`
-- Folder-only users are scoped to their folder in WebDAV.
+- WebDAV uses the same folder ACLs as the web UI.
+- Accounts with TOTP enabled cannot use password-only WebDAV Basic authentication.
 - WebDAV uploads can be capped with `FR_WEBDAV_MAX_UPLOAD_BYTES`.
 
 ---

public/js/adminPanel.js

@@ -7753,7 +7753,7 @@ export function openAdminPanel() {
     <small class="text-muted d-block mt-1">
       ${tf(
           "proxy_only_login_help",
-          "When enabled, FileRise trusts the reverse proxy header and disables the login form, HTTP Basic and OIDC."
+          "When enabled, FileRise trusts the reverse proxy header from FR_TRUSTED_PROXIES and disables the login form, HTTP Basic and OIDC."
         )}
     </small>
   </div>

public/webdav.php

@@ -41,7 +41,7 @@
 
 // ─── 3) HTTP-Basic backend (delegates to your AuthModel) ────────────────────
 $authBackend = new BasicCallBack(function(string $user, string $pass) {
-    return \FileRise\Domain\AuthModel::authenticate($user, $pass) !== false;
+    return \FileRise\Domain\AuthModel::authenticateWebDav($user, $pass);
 });
 $authPlugin = new AuthPlugin($authBackend, 'FileRise');
 

src/FileRise/Domain/AuthModel.php

@@ -282,6 +282,19 @@ public static function authenticate(string $username, string $password)
         return false;
     }
 
+    public static function authenticateWebDav(string $username, string $password): bool
+    {
+        $user = self::authenticate($username, $password);
+        if ($user === false) {
+            return false;
+        }
+        if (!empty($user['totp_secret'])) {
+            error_log('FileRise: denied WebDAV password-only login for TOTP-enabled user ' . self::sanitizeLogValue($username, 80));
+            return false;
+        }
+        return true;
+    }
+
     /**
      * Loads failed login attempts from a file.
      *
@@ -442,6 +455,18 @@ protected static function getTrustedProxies(): array
         return array_values(array_filter($parts, fn($part) => $part !== ''));
     }
 
+    public static function isRequestFromTrustedProxy(?array $server = null): bool
+    {
+        $server = $server ?? $_SERVER;
+        $remote = trim((string)($server['REMOTE_ADDR'] ?? ''));
+        if ($remote === '' || !filter_var($remote, FILTER_VALIDATE_IP)) {
+            return false;
+        }
+
+        $trusted = self::getTrustedProxies();
+        return $trusted !== [] && self::isTrustedProxy($remote, $trusted);
+    }
+
     protected static function normalizeHeaderKey(string $header): string
     {
         $key = strtoupper(str_replace('-', '_', trim($header)));
@@ -572,7 +597,7 @@ public static function loadFolderPermission(string $username): bool
      * Validate a remember-me token and return its stored payload.
      *
      * @param string $token
-     * @return array|null  Returns ['username'=>…, 'expiry'=>…, 'isAdmin'=>…] or null if invalid/expired.
+     * @return array|null  Returns ['username'=>…, 'expiry'=>…] or null if invalid/expired.
      */
     public static function validateRememberToken(string $token): ?array
     {
@@ -654,15 +679,13 @@ public static function consumeRememberToken(string $token): ?array
         }
 
         $expiry = (int)$payload['expiry'];
-        $isAdmin = !empty($payload['isAdmin']);
 
         $newToken = bin2hex(random_bytes(32));
         $newHash = self::rememberTokenHash($newToken);
 
         $all[$newHash] = [
             'username' => $username,
-            'expiry'   => $expiry,
-            'isAdmin'  => $isAdmin
+            'expiry'   => $expiry
         ];
 
         unset($all[$hash]);
@@ -675,7 +698,6 @@ public static function consumeRememberToken(string $token): ?array
         return [
             'username' => $username,
             'expiry'   => $expiry,
-            'isAdmin'  => $isAdmin,
             'token'    => $newToken
         ];
     }
@@ -684,7 +706,7 @@ public static function consumeRememberToken(string $token): ?array
      * Issue a new remember-me token and store it hashed on disk.
      *
      * @param string $username
-     * @param bool   $isAdmin
+     * @param bool   $isAdmin Kept for call-site compatibility; roles are resolved from users.txt on use.
      * @param int|null $expiry
      * @return array{token:string,expiry:int}
      */
@@ -696,8 +718,7 @@ public static function issueRememberToken(string $username, bool $isAdmin, ?int
         $all = self::loadRememberTokenStore();
         $all[self::rememberTokenHash($token)] = [
             'username' => $username,
-            'expiry'   => $expiry,
-            'isAdmin'  => $isAdmin
+            'expiry'   => $expiry
         ];
         self::saveRememberTokenStore($all);
 

src/FileRise/Domain/FileModel.php

@@ -1789,6 +1789,14 @@ public static function extractZipArchive($folder, $files)
             return false;
         };
 
+        $isAllowedArchiveFile = function (string $entry): bool {
+            $e = trim(str_replace('\\', '/', $entry), '/');
+            if ($e === '' || str_ends_with($e, '/')) {
+                return false;
+            }
+            return UploadNamePolicy::isAllowedForWrite(basename($e));
+        };
+
         // Generalized metadata stamper: writes to the specified folder's metadata.json
         $stampMeta = function (string $folderStr, string $basename) use (&$getMeta, &$putMeta, $actor, $now) {
             $meta = $getMeta($folderStr);
@@ -2259,6 +2267,7 @@ public static function extractZipArchive($folder, $files)
                 $unsafe = false;
                 $unsafeReason = '';
                 $skippedSymlinks = 0;
+                $skippedBlocked = 0;
                 $totalUncompressed = 0;
                 $fileCount = 0;
                 $allowedEntries = [];   // names to extract (files and/or directories)
@@ -2302,6 +2311,10 @@ public static function extractZipArchive($folder, $files)
 
                     // Track limits only for files we're going to extract
                     if (!$isDir) {
+                        if (!$isAllowedArchiveFile($name)) {
+                            $skippedBlocked++;
+                            continue;
+                        }
                         $fileCount++;
                         $sz = isset($stat['size']) ? (int)$stat['size'] : 0;
                         $totalUncompressed += $sz;
@@ -2334,7 +2347,9 @@ public static function extractZipArchive($folder, $files)
                 if (empty($allowedEntries)) {
                     $zip->close();
                     // Treat as success (nothing visible to extract), but informatively note it
-                    if ($skippedSymlinks > 0) {
+                    if ($skippedBlocked > 0) {
+                        $errors[] = "$archiveBase contained only blocked file types.";
+                    } elseif ($skippedSymlinks > 0) {
                         $errors[] = "$archiveBase contained only symlink entries.";
                     } else {
                         $errors[] = "$archiveBase contained only hidden or unsupported entries.";
@@ -2362,6 +2377,9 @@ public static function extractZipArchive($folder, $files)
                 if ($skippedSymlinks > 0) {
                     $warnings[] = "$archiveBase: skipped {$skippedSymlinks} symlink entr" . ($skippedSymlinks === 1 ? 'y' : 'ies') . ".";
                 }
+                if ($skippedBlocked > 0) {
+                    $warnings[] = "$archiveBase: skipped {$skippedBlocked} blocked file type" . ($skippedBlocked === 1 ? '' : 's') . ".";
+                }
                 continue;
             }
 
@@ -2391,6 +2409,7 @@ public static function extractZipArchive($folder, $files)
             $unsafe = false;
             $unsafeReason = '';
             $skippedSymlinks = 0;
+            $skippedBlocked = 0;
             $totalUncompressed = 0;
             $fileCount = 0;
             $allowedEntries = [];
@@ -2416,6 +2435,7 @@ public static function extractZipArchive($folder, $files)
                 &$unsafe,
                 &$unsafeReason,
                 &$skippedSymlinks,
+                &$skippedBlocked,
                 &$totalUncompressed,
                 &$fileCount,
                 $isUnsafeEntryPath,
@@ -2424,7 +2444,8 @@ public static function extractZipArchive($folder, $files)
                 $SKIP_DOTFILES,
                 $MAX_UNZIP_BYTES,
                 $MAX_UNZIP_FILES,
-                $formatBytes
+                $formatBytes,
+                $isAllowedArchiveFile
             ) {
                 if ($curPath === null) {
                     return;
@@ -2471,8 +2492,11 @@ public static function extractZipArchive($folder, $files)
                     return;
                 }
 
-                $allowedEntries[] = $name;
                 if (!$isDir) {
+                    if (!$isAllowedArchiveFile($name)) {
+                        $skippedBlocked++;
+                        return;
+                    }
                     $fileCount++;
                     $totalUncompressed += $size;
                     if ($fileCount > $MAX_UNZIP_FILES) {
@@ -2492,6 +2516,7 @@ public static function extractZipArchive($folder, $files)
                     $allowedFiles[] = $name;
                     $expectedSizes[$name] = $size;
                 }
+                $allowedEntries[] = $name;
             };
 
             foreach ($listOut as $line) {
@@ -2580,7 +2605,9 @@ public static function extractZipArchive($folder, $files)
             }
 
             if (empty($allowedEntries)) {
-                if ($skippedSymlinks > 0) {
+                if ($skippedBlocked > 0) {
+                    $errors[] = "$archiveBase contained only blocked file types.";
+                } elseif ($skippedSymlinks > 0) {
                     $errors[] = "$archiveBase contained only symlink entries.";
                 } else {
                     $errors[] = "$archiveBase contained only hidden or unsupported entries.";
@@ -2752,6 +2779,9 @@ public static function extractZipArchive($folder, $files)
             if ($skippedSymlinks > 0) {
                 $warnings[] = "$archiveBase: skipped {$skippedSymlinks} symlink entr" . ($skippedSymlinks === 1 ? 'y' : 'ies') . ".";
             }
+            if ($skippedBlocked > 0) {
+                $warnings[] = "$archiveBase: skipped {$skippedBlocked} blocked file type" . ($skippedBlocked === 1 ? '' : 's') . ".";
+            }
             if (!$usedUnar && $extractDetail !== '') {
                 $warnings[] = "$archiveBase: " . $extractDetail;
             }