Commit 8b399ec

chore: update changelog
1 parent 80b1b91 commit 8b399ec

1 file changed

Lines changed: 169 additions & 7 deletions

CHANGELOG.md

@@ -38,6 +38,18 @@ ownCloud admins and users.
3838

3939
## Summary
4040

41+
* Security - Sanitize storage connection error messages returned to clients: [#41585](https://github.com/owncloud/core/pull/41585)
42+
* Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586)
43+
* Security - Disable group-admin feature by default behind allow_subadmins: [#41634](https://github.com/owncloud/core/pull/41634)
44+
* Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364)
45+
* Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418)
46+
* Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574)
47+
* Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597)
48+
* Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599)
49+
* Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608)
50+
* Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616)
51+
* Bugfix - Decrypt versions and trashbin so encryption can be disabled: [#41623](https://github.com/owncloud/core/issues/41623)
52+
* Bugfix - Fix user:home:list-dirs and user:home:list-users crashing on PHP 8: [#41630](https://github.com/owncloud/core/issues/41630)
4153
* Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347)
4254
* Change - No longer store auto loader information in any memory cache: [#41376](https://github.com/owncloud/core/pull/41376)
4355
* Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
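Review bot: The Summary line for #41634 ("Disable group-admin feature by default behind allow_subadmins") does not tell a reader who only scans the Summary that existing group-admin assignments stop taking effect on upgrade, which the Details entry states. Consider wording it so the behaviour change is visible here, for example "Security - Group-admin (subadmin) feature is now disabled by default; opt in with allow_subadmins", so admins know to review config.php before upgrading.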
@@ -47,6 +59,136 @@ ownCloud admins and users.
4759

4860
## Details
4961

62+
* Security - Sanitize storage connection error messages returned to clients: [#41585](https://github.com/owncloud/core/pull/41585)
63+
64+
The external storage status handler returned raw exception messages including
65+
Guzzle cURL error details such as resolved IP addresses and port numbers in the
66+
JSON response. This allowed authenticated users to distinguish connection states
67+
and map internal network topology. The full exception is now logged server-side
68+
only; a generic message is returned to the client.
69+
70+
https://github.com/owncloud/core/pull/41585
71+
72+
* Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586)
73+
74+
The login form showed a "Reset it?" link only when a valid user on a backend
75+
that supports password changes was detected. LDAP users produced a different
76+
response than non-existent users, allowing unauthenticated enumeration of
77+
accounts on those backends. The backend capability check has been removed; the
78+
reset link is now shown uniformly regardless of user existence or backend type.
79+
80+
https://github.com/owncloud/core/pull/41586
81+
82+
* Security - Disable group-admin feature by default behind allow_subadmins: [#41634](https://github.com/owncloud/core/pull/41634)
83+
84+
Disable the subadmin (group-admin) feature by default behind a new
85+
allow_subadmins system config, as a security risk-mitigation. The feature's code
86+
path has known security shortcomings; deployments that rely on it can opt back
87+
in with 'allow_subadmins' => true in config.php. On upgrade, existing
88+
group-admin assignments are ignored until an admin sets 'allow_subadmins' =>
89+
true in config.php.
90+
91+
https://github.com/owncloud/core/pull/41634
92+
93+
* Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364)
94+
95+
We've fixed the signature delimiter in the email footer templates. The delimiter
96+
on the first line was missing the trailing space required by the signature block
97+
convention (RFC 3676), so mail clients were unable to recognize and collapse the
98+
signature. The delimiter is now correctly written as "-- " (dash-dash-space).
99+
100+
https://github.com/owncloud/core/issues/41364
101+
https://github.com/owncloud/core/pull/41617
102+
103+
* Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418)
104+
105+
Files whose names end in extensions like .jpg, .png, .svg, .json and others
106+
could not be marked as favorites or have their tags updated via the files API
107+
when htaccess.RewriteBase was configured. The .htaccess rules generated by `occ
108+
maintenance:update:htaccess` used a URI extension check to skip routing through
109+
index.php, which inadvertently blocked API requests to paths like
110+
`/apps/files/api/v1/files/photo.jpg`, returning 405 Method Not Allowed.
111+
112+
The fix replaces the extension-based condition with `RewriteCond
113+
%{REQUEST_FILENAME} !-f`, which correctly routes virtual API paths through
114+
index.php while still serving actual static files directly.
115+
116+
https://github.com/owncloud/core/issues/41418
117+
118+
* Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574)
119+
120+
The verification token and confirmation link in the subadmin path of
121+
setMailAddress were associated with the caller's account instead of the target
122+
user's account. Clicking the confirmation link changed the subadmin's email
123+
rather than the intended target's email.
124+
125+
https://github.com/owncloud/core/pull/41574
126+
127+
* Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597)
128+
129+
Avoid trying to access array offset on false in the encryption storage wrapper.
130+
131+
Handle passing null to normalizeUrl in the federation DbHandler.
132+
133+
https://github.com/owncloud/core/pull/41597
134+
135+
* Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599)
136+
137+
If a federated server was installed in a subdirectory like:
138+
139+
Mydomain.com/cloud
140+
141+
Then checks to see that the server is up and responding would fail. This problem
142+
has been corrected.
143+
144+
https://github.com/owncloud/core/pull/41599
145+
146+
* Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608)
147+
148+
The "Add to your website" feature in the personal federation settings was
149+
generating a link to https://owncloud.com/federation# which no longer works
150+
after owncloud.com was restructured. The federation Cloud ID is now displayed
151+
directly without linking to the defunct external page.
152+
153+
https://github.com/owncloud/core/pull/41608
154+
155+
* Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616)
156+
157+
Several JS test specs left shared singleton state dirty between tests, causing
158+
intermittent failures when Jasmine 5 ran tests in random order. Fixed
159+
OC._currentMenu leak in fileactionsmenuSpec, stale OCA.Files.fileActions
160+
reference causing infinite recursion in files_sharing/appSpec, and stale models
161+
in the OC.SystemTags.collection singleton in systemtagsinfoviewSpec and
162+
systemtagsinputfieldSpec.
163+
164+
https://github.com/owncloud/core/pull/41616
165+
166+
* Bugfix - Decrypt versions and trashbin so encryption can be disabled: [#41623](https://github.com/owncloud/core/issues/41623)
167+
168+
"occ encryption:decrypt-all" only walked the regular "files" folder, leaving the
169+
"encrypted" flag set on entries in "files_versions" and "files_trashbin".
170+
Because "occ encryption:disable" refuses while any file cache row is still
171+
flagged as encrypted, administrators were left unable to disable encryption even
172+
though decrypt-all reported success.
173+
174+
Decrypt-all now also descends into "files_versions" and "files_trashbin", and
175+
the disable command now lists the paths that are still flagged as encrypted
176+
together with a hint on how to clean them up, instead of printing a generic
177+
message.
178+
179+
https://github.com/owncloud/core/issues/41623
180+
https://github.com/owncloud/core/pull/41624
181+
182+
* Bugfix - Fix user:home:list-dirs and user:home:list-users crashing on PHP 8: [#41630](https://github.com/owncloud/core/issues/41630)
183+
184+
The occ commands user:home:list-dirs and user:home:list-users --all passed null
185+
as the search pattern to IUserManager::search() to mean "all users". On PHP 8
186+
the null reached Connection::escapeLikeParameter(string $param) and raised a
187+
TypeError, aborting the command. Both commands now pass the empty string, which
188+
is the established "match all" sentinel used by every other caller.
189+
190+
https://github.com/owncloud/core/issues/41630
191+
50192
* Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347)
51193

52194
Icons have been updated according to the M$ cloud storage partner program
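Review bot: In the #41634 entry, "The feature's code path has known security shortcomings" gives an admin nothing to weigh when deciding whether to opt back in, and the instruction to set 'allow_subadmins' => true in config.php is repeated in two consecutive sentences. Suggest merging those sentences and, where the shortcomings are tracked publicly, linking to them; a cross-reference to the subadmin fix in #41574 from this same list would also help. Separately, the #41418 and #41630 entries link only the issue, while #41364 and #41623 link both the issue and the fixing pull request; adding the PR links would keep the entries consistent.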
@@ -65,37 +207,57 @@ ownCloud admins and users.
65207

66208
* doctrine/dbal (2.13.9 to 3.10.4)
67209

68-
* google/apiclient (v2.19.0 to v2.19.3)
210+
* firebase/php-jwt (7.0.5 to 7.1.0)
69211

70-
* google/apiclient-services (v0.435.0 to v0.441.1)
212+
* google/apiclient (v2.19.0 to v2.19.3)
71213

72-
* google/auth (v1.50.0 to v1.50.1)
214+
* google/apiclient-services (v0.435.0 to v0.445.0)
73215

74-
* guzzlehttp/psr7 (2.8.0 to 2.10.4)
216+
* google/auth (v1.50.0 to v1.51.0)
75217

76-
* guzzlehttp/guzzle (7.10.0 to 7.11.0)
218+
* guzzlehttp/guzzle (7.10.0 to 7.12.0)
77219

78220
* guzzlehttp/promises (2.3.0 to 2.4.1)
79221

222+
* guzzlehttp/psr7 (2.8.0 to 2.12.0)
223+
80224
* laravel/serializable-closure (v2.0.10 to v2.0.13)
81225

82-
* phpseclib/phpseclib (3.0.49 to 3.0.50)
226+
* phpseclib/phpseclib (3.0.49 to 3.0.55)
83227

84228
* pimple/pimple (3.6.1 to 3.6.2)
85229

230+
* sabre/event (5.1.7 to 5.1.8)
231+
86232
* sabre/vobject (4.5.8 to 4.6.0)
87233

88-
* symfony/deprecation-contracts (v3.6.0 to v3.7.0)
234+
* symfony/console (v7.4.7 to v7.4.13)
89235

90236
* symfony/mailer (v7.4.6 to v7.4.12)
91237

238+
* symfony/process (v7.4.5 to v7.4.13)
239+
240+
* symfony/routing (v7.4.6 to v7.4.13)
241+
242+
* symfony/string (v7.4.6 to v7.4.13)
243+
244+
* symfony/translation (v7.4.6 to v7.4.10)
245+
246+
* symfony/deprecation-contracts (v3.6.0 to v3.7.0)
247+
248+
* symfony/translation-contracts (v3.6.1 to v3.7.0)
249+
92250
https://github.com/owncloud/core/pull/41450
93251
https://github.com/owncloud/core/pull/41477
94252
https://github.com/owncloud/core/pull/41495
95253
https://github.com/owncloud/core/pull/41561
96254
https://github.com/owncloud/core/pull/41564
97255
https://github.com/owncloud/core/pull/41569
98256
https://github.com/owncloud/core/pull/41590
257+
https://github.com/owncloud/core/pull/41613
258+
https://github.com/owncloud/core/pull/41619
259+
https://github.com/owncloud/core/pull/41626
260+
https://github.com/owncloud/core/pull/41635
99261

100262
* Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
101263
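Review bot: The dependency list bumps several security-sensitive libraries (phpseclib/phpseclib 3.0.49 to 3.0.55, firebase/php-jwt 7.0.5 to 7.1.0, guzzlehttp/guzzle 7.10.0 to 7.12.0) under a plain "Change" entry, with no indication of whether any of these bumps picks up a security fix. If one does, say so in the entry or in a Security item so admins can prioritise the upgrade. Also, symfony/deprecation-contracts now sits between symfony/translation and symfony/translation-contracts, out of the alphabetical order the other visible entries follow.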
