|
1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +## Changes 03/16/2026 (v3.10.0) |
| 4 | + |
| 5 | +`release(v3.10.0): resumable upload hardening and ONLYOFFICE callback authorization tightening` |
| 6 | + |
| 7 | +**Commit message** |
| 8 | + |
| 9 | +```text |
| 10 | +release(v3.10.0): resumable upload hardening and ONLYOFFICE callback authorization tightening |
| 11 | +
|
| 12 | +- upload(resumable): stop deriving temporary chunk directories from raw client identifiers and switch to hashed internal temp-folder names |
| 13 | +- upload(cleanup): require authenticated upload access for resumable temp-folder removal and keep recursive cleanup bounded to the intended staging root |
| 14 | +- upload(compat): preserve normal resumable upload flow while making temp-path resolution consistent across probe, write, and cleanup paths |
| 15 | +- onlyoffice(callback): issue save callbacks only for editable sessions, bind callbacks to the authorized actor/file, and stop trusting body-supplied editor identities |
| 16 | +- onlyoffice(origin): restrict callback fetch URLs to the configured Document Server origin while keeping callback JWT validation compatible with existing deployments |
| 17 | +``` |
| 18 | + |
| 19 | +**Changed** |
| 20 | + |
| 21 | +- **Resumable temp-folder naming** |
| 22 | + - Resumable upload staging now maps client identifiers to hashed internal temp-folder names instead of using raw identifier values directly in filesystem paths. |
| 23 | + - The same temp-folder mapping is now used consistently for chunk probe, chunk staging, and resumable cleanup operations. |
| 24 | + |
| 25 | +**Fixed** |
| 26 | + |
| 27 | +- **Resumable cleanup guardrails** |
| 28 | + - Tightened resumable temp-folder cleanup so recursive deletion stays bounded to the expected staging area. |
| 29 | + - The resumable cleanup endpoint now requires an authenticated session with upload permission for the target folder before removing chunk temp data. |
| 30 | + |
| 31 | +- **ONLYOFFICE save authorization** |
| 32 | + - View-only ONLYOFFICE sessions no longer receive save-capable callback URLs. |
| 33 | + - ONLYOFFICE save callbacks are now bound to the authorized actor and file, and no longer trust body-supplied editor identities. |
| 34 | + - Save fetches are restricted to the configured ONLYOFFICE Document Server origin before FileRise downloads updated content and writes it back to disk. |
| 35 | + |
| 36 | +--- |
| 37 | + |
3 | 38 | ## Changes 03/15/2026 (v3.9.4) |
4 | 39 |
|
5 | 40 | `release(v3.9.4): preserve legacy compatibility path while keeping post-rotation key-file preference` |
|
0 commit comments