Headline
CVE-2022-30470: FileRun - Selfhosted File Manager with Sharing and Backup for Photos, Docs & More
In Afian Filerun 20220202 Changing the “search_tika_path” variable to a custom (and previously uploaded) jar file results in remote code execution in the context of the webserver user.
Changelog****FileRun Update 20220519 (May 2022)
Summary of this fantastic update
Much much better mobile experience. Automatic dark mode, installable PWA, embedded PDF viewer.
Upload by copy+paste! From Windows Explorer or MacOS Finder into your browser! 🤯
Mount as Windows drive without third-party apps.
Edit files with your desktop Microsoft Office without downloading. Changes get saved back to FileRun!
Very fast loading of the UI, lower memory requirements, smoother browsing of massive folders.
The “Photos” view mode shows a much nicer photo grid, and it is now available while browsing any folder.
Collections can now hold files and folders that are shared by other FileRun user accounts. Users without home folders can now also create and manage their own collections.
Lots and lots of improvements and fixes, including security fixes.
Notes for developers
- The FileRun favicons have been updated and the entire “images/favicons” will be replaced. If you have customized the favicon files, you will need to restore your versions from the backup folder the update creates inside “system/data/temp/” back to "images/favicons/".
- All FileRun core JavaScript and CSS files have changed.
The only JS/CSS customizations that will be preserved through this update are the ones made via external files (“customizables/theme.css” for CSS and "$config[‘app’][‘ui’][‘custom_js_url’]" for JS) and the ones made via plugins.
If you made changes to any FileRun code, you will want to verify that everything looks and works as desired after installing this update. - The file “customizables/include.html” is no longer parsed as Smarty code. It is also no longer included in the free FileRun version.
- Updated the TinyMCE plugin to work with the latest version.
Security
- Vulnerability Fix Fixed moderate security vulnerability allowing XSS attacks from one FileRun user to another. Thanks to Christian Pöschl and the “usd AG” Responsible Disclosure Team.
- Warning Please make sure you are not runing an old version of GhostScript on your server. Your server can otherwise be easily compromised by any FileRun user exploiting some critical vulnerabilities. Thanks to Dr. Jens Mueller for the responsible disclosure.
- Improvement Better security for authenticated cached content such as thumbnails and previews.
Mobile Browsers
- Much better experience on mobile, for sharing, searching, tagging, commenting, editing text files.
- Full support for dark mode.
- FileRun now offers the option to install itself as a PWA (Progressive Web App), to open like a native app and use the full screen.
- Faster initial loading, faster navigation through folders, better performance with large lists of files and folders, less memory usage.
- PDF and Office file preview
- Added PDF viewer plugin which is automatically used by the “Open in browser” plugin to open PDF documents on mobile devices without downloading the entire file nor leaving the browser.
- It is used also by the “LibreOffice Viewer” plugin to view office documents on mobile devices.
- This works also for when sharing PDF and office files via web links.
- This plugin can also be used separately, though the default “Open in browser” plugin provides much better performance and experience on desktop.
- It has support for loading very large documents progressively.
- It remembers the last read page and can load a document fast from that particular page.
Photos
- The “Photos” display mode is now available anywhere, including physical folders, virtual folders or the search result. Note that the photos will be shown with proper aspect ratio only if the file metadata has been imported in FileRun, othwerwise the thumbnails will be square because FileRun imports metadata only on upload on when manually triggered.
- The “Photos” display mode is now using the full available space for a more aesthetically pleasing gallery.
- Added ability of users without access to metadata to view photos and videos in full aspect ratio, as well as sort files by metadata document types.
- Photos and videos can now be added to collections with a single click from the “Details” panel.
- Added tree menu option under “Photos” to show only videos.
- FileRun now imports into metadata image sizes of WebP files.
- Added JFIF to be handled as JPG image files.
- Added top toolbar button under “Photos” > “Albums” for creating new photo albums.
- Option to create photo proof sheet is now shown only when image files are selected.
File management
- Big Improvement Added compatibility with Windows native WebDAV. You can mount your FileRun account as a Windows drive without any third-party program. Please see this page for details. Requires that you access your server via HTTPS.
This also means that you can use any third-party software for keeping files/folders from your cumputer in sync with FileRun, without having to use the Nextcloud desktop sync apps.
Also, successfully tested support for Finder’s “Connect to server” on MacOS. - Big Improvement Files and folders can be uploaded from desktop to FileRun, by copy/paste. Tested on Edge, Chrome and Safari. Not supported on Firefox.
- Big Improvement Files and folders can be uploaded by drag and drop from desktop to a FileRun folder wherever that folder is being shown, including search results, collections, starred, etc. It also prevents dropping the files in there if permissions do not allow.
With this change one can upload now files by drag and drop to shared folders without having to browse to the folder first. - Big Improvement Collections can now contain files and folders that are shared from other FileRun user accounts. Users without home folders can now create and manage their own collections.
- Big Improvement The “Office” plugin now opens files via WebDAV to allow editing and saving back to FileRun without having to manually upload the file. First time is being used, it will ask for credentails. Use the “Connect app” option (next to the “Sign out” option in the FileRun menu) to generate credentials for your office app rather than providing your main password. Requires that you access your server via HTTPS.
- Important Fix Uploading/Syncing files larger than 10MB via Nextcloud apps (desktop and mobile) inside folders shared by other FileRun users.
- Important Fix Uploading/Syncing files larger than 10MB via Nextcloud apps (desktop and mobile) when the user account only has upload permission without the permission of making changes to existing files.
- Important Fix Editing files via WebDAV when the files have been shared individually by other FileRun users, rather than via shared folders.
- Important Fix Downloading files sometimes downloads old version from browser cache.
- Important Change Files shared individually and the root of a shared folder can no longer be deleted by other users, not even if the “Make changes” permission is enabled. Files inside shared folders can still be deleted given the appropriate permission; it is only entire shares that can no longer be deleted.
- Improvement You can now move files and folders from the search result by dragging and dropping over the root folder of the search.
- Improvement Downloading a folder now preserves the complete structure, by including the empty subfolders. The files and folders also preserve their modification dates.
- Improvement Made it clearer when a new version of the same file has just been uploaded, by refreshing the folder and the details panel.
- Important Change Various usability improvements related to uploading.
- Downloading empty collections now includes the collection as an empty folder inside the downloaded archive.
- Copying/moving files/folders now shows the “Starred” section, listing the starred folders.
- You can add files and folders to starred by dragging them from the list to the “Starred” folder.
- Fix Anonymous shares are no longer listed twice if the user shares other items not anonymously.
- Keyboard shortcuts
- The shortcuts work much better now.
- FileRun now tries to keep the focus on the file list, so that you can use the keyboard shortcuts at any time without having to click. If the file list looses focus, you can refocus by click anywhere in the list.
- You can now create multiple folders, one after the other, using the N shortcut without having to use the mouse at all.
- Added BACKSPACE for changing the current folder one level up.
- Added “S” keyboard shortcut for searching.
- Added “D” for deleting items. “Del” can still be used.
- Added “R” for renaming items. “F2” can still be used.
- Fix: The keyboard shortcuts no longer try do anything if the context does not allow it.
- Big Improvement Added compatibility with Windows native WebDAV. You can mount your FileRun account as a Windows drive without any third-party program. Please see this page for details. Requires that you access your server via HTTPS.
MacOS and Safari
- Important Fix PDF preview on MacOS Safari.
- Fix Fixed styling on Safari when using the “Text Viewer” file plugin.
- Fix Fixed full-screen in the file viewer on Safari.
- UI Fix Various fixed for Safari 14.
- Improvement Thumbnails are now being shown for Apple “.pages” files.
UI and UX
- Big Improvement Full support for dark mode, automatically set when detected in the browser. To enable this, set “Dark mode” to “Let browser decide” inside “Control Panel” » “Interface” » "Branding". The themes “Drive” and “Corporate” do not have a dark version at this time.
- Performance
- Big Improvement Dramathically improved initial (non-cached) loading speed of the web UI.
- Improvement Much better performance for the file list using the detailed view mode, particularly when listing many items. Much faster selection/deselection of large number of items.
- Improvement A bit better performance for the folder tree list when accessing folders with hundreds of subfolders.
- Big UX Improvement Browsing virtual folders (to search files by tags or music by album or artist), is now much faster, as FileRun no longer loads the entire folder tree just for browsing a particular subfolder.
- Under the “Details” panel
- Big Improvement The “Details” panel now shows info also about the currently opened folder, not only about the selected files/folders. All details, such as label, rating, metadata and tags are included.
- Labels can be now set for the selected file/folder directly from the Details panel.
- Changed the rating icons from stars so it no longer gets confused with starring files.
- The readme for a folder is now shown also when selecting that folder in the main list. This can be used for quickly locating the folder of interest.
- The readme for a folder can be edited directly from the Details panel by clicking the edit button next to the text.
- Tags are now colorful.
- You can add a tag from one file/folder to another by dragging it from the list on top of the file/folder.
- Added option to calculate a folder total size when the folder is paginated, compared to the total of just the current page.
- Change Files “README” (without any extension) are now also used for displaying as text under the “Details” tab when browsing FileRun folders.
- UI Improvement The contextual menus now shows the Prevew options when multiple files are selected, with the viewer cycling only through the selected files.
- Important UI Fix Fix for not enabling mobile interaction for certain laptops which do not report the mouse correctly.
- Improvement The file list remembers now the selected display mode between sessions.
- UI Change Labeled folders have their icons in the color of the chosen label. The little label icon is no longer shown. Instead, the icon is thicker and hovering the mouse over it will show the label text.
- Warning The file/folder labeling will be removed in a future FileRun version. The option to set custom colors on files and folders will be kept, but without a text label. For attaching textual labels, the tagging feature can be used instead.
- Using the scrollbar in the file list no longer affects the file/folder selection. Also, no longer loosing selection when holding Ctrl or Shift key and misclicking a file/folder.
- Folders shared with/by other users show a different icon than regular folders.
- Made browsing deep folders a bit more comfortable in the tree panel.
- Added option for resetting the file grid columns and sorting to default.
- Full-screen button on the file viewer opens the web page in full screen rathar than the video itself. For viewing fullscreen videos, the video player’s fullscreen button can be used instead.
- Made it clearer in the grid column menu which metadata fieldsets metadata grid columns belong to. Also, moving the mouse cursor over a grid column header that has hidden fieldset name, now shows the fieldset name in a tooltip.
- Button elements can be now navigated through using tab and pressed using space or enter.
- Choosing to search files by label you are reminded which are the default label options.
- Better error handling related to the plugins folders and code.
- The copy/move folder chooser now lists the shared folders the same way the folder tree does, with anonymous shares on the same level as the home folder and the shared folders grouped under users without the “Shared with me” folder.
- The contextual menus adapts now accordingly to the different permissions of files and folders shared by other users.
- The search form opens in a popup menu to allow more space for the search result.
- User activity log entries browsed from the control panel are now compact and expand on mouse over.
- The option to connect a WebDAV app has been moved from under the Account settings window directly in the user menu, next to the “Sign out” option.
- Thumbnails for plain text files now follow theme colors.
- Fix: The login form wouldn’t receive an error message from the server in the same language as the one the user selected.
- Many other smaller fixes and improvements.
Other
- Important Fix Error reporting when editing an admin user account.
- Important Fix Bookmarking or reloading searches that contain special characters (such as the wildcard %).
- Fix CloudConvert plugin is now compatible with the V2 API.
- Fix Admin users that can manage only specific groups of users can no longer add user accounts without selecting at least one group that they can manage.
- Improvement The file/folder control panel is now available for items inside the trash folder.
- Important UI Fix Translation for the control panel menu.
- Important UI Fix Made clickable items in folders shared by weblink when they do not have thumbnails.
- Improvement Added support for collection to the “Folder Index” plugin.
- Improvement The “Folder Index” plugin offers now the option of exporting as CSV.
- Improvement Updated cURL certificate bundle.
- Improvement Nextcloud large uploads now check the FileRun user storage quota even before starting.
- Improvement Folder downloading is being logged as a separate entry in the user activity log. It happens also when downloading a folder that has no files.
- Improvement Markdown rendering now supports tables.
- Various fixes to the image editor.
- Fix Nextcloud large uploads now check the max configured upload file size of the FileRun user account. Before the size was checked only on individual upload chunks only, not total.
- Fix Moving files and folders by drag and drop on small screens.
- Fix Activity log not showing file/folder names correctly after restoring from trash.
- UI Fix Avatar display inside Nextcloud desktop app.
- UI Fix Added menu indicator in tree menu to collections.
- UI Fix Hidden “Label” from contextual menu on various tree options which can’t be labeled.
- UI Fix On mobile devices, exiting viewer when selecting several files no longer cancels the file selection.
- UI Fix Bubble indicators not showing on Activity and Comments tabs.
- UI Fix Showing “Preview” option in the context menu on files inside the trash folder.
- UI Fix Drop-down lists now show full-width options.
- UI Change Moved “Copy path” contextual option under “More options” and is now available also when right-clicking items in the grid.
- Fix Control panel activity log file names for items inside the trash folder or items shared with a name alias.
- Fix Handling within collections files and folders shared by other users.
- Fix Adding folders and collections to the download cart from the folder tree menu.
- Fix Renaming a collections and photo albums multiple times in a row.
- Fix Shared file/folder name aliases inside collections.
- Fix Custom user profile image loading when a file accelerator is enabled.
- Fix Preview image file via weblinks when metadata sharing is enabled but file has no tags.
- Fix List zip archive contents when the file is inside the trash.
- Fix Reloading the web page after a search.
- Fix Highlighting .url (External link) files after creating them.
- UI Fix Allow mailto: URLs for the help URL.
- Important UI Change The “One Drive” theme has been removed. The “Corporate” theme will be set instead. If you wish it back, please contact us.
- Important UI Change The “Download Terms” for web links no longer display in HTML format. If you wish to format the text, you can use Markdown.
- UI Fix Buttons and title showing weird code when navigating a folder named "includes".
- Fix Copying direct link to folder from the tree menu.
- Fix Option to merge PDFs is now shown only when PDF files are selected.
- Fix Configure FileRun to use client e-mail programs to send web links instead of the built-in email sending. The “E-mail program” button now opens in a new tab.
- Fix Preventing the FileRun superuser from changing its password with an empty one and getting himself locked out.
- Improvement More meaningful filenames resulted after merging or extracting pages from PDF documents.
- UI Fix The options “Share” and “Add to” are no longer shown for items inside the trash folder.
- UI Fix Getting qr code for multiple shared web links one after the other.
- Onlyoffice plugin Accessed via mobile opens the editor in mobile mode.
- Onlyoffice plugin Uses dark theme is FileRun theme is dark. Available in newer OO versions.
- Onlyoffice plugin Added FileRun control panel options for enabling autosave, chat, comments, compact header and zoom level.
- API Change Uploading files via the API, using HTTP PUT method, requires that the file’s target folder already exists on the server. (Previously, the parent folders where automatically created if needed.)
- API Change Uploading files via the API using HTTP PUT method no longer support OwnCloud chunking mechanism. Uploading large files via the API, should be done via HTTP POST, which supports FileRun’s Flow chunked upload protocol.
- Fix Not queuing for search index files/folders with very long paths.
- Fix Sharing failing for files/folders with very long paths.
- Fix Error importing MP3 metadata under certain conditions on PHP 7.4.
- Dev Fix “customizables/theme.css” is now last to be loaded, to allow better customizations. This file is no longer included with the free FileRun version.
FileRun Update 20220202 (February 2022)
- UINew elegant theme "Corporate", with shades of gray and sharper corners.
- New feature Links to external files and websites. Simply copy/paste an URL, from anywhere, right on top of FileRun, to automatically create a “.url” file. Double-clicking that file opens the URL in a new tab. FileRun will attempt to get the filename or page title from the URL, to use as a filename to identify the linked resource. URL files now have “thumbnails” showing that they are links and the hostname of the linked website. CTRL+V is one option and the other is from the “New” > "Link external file", where you are given a simple prompt to paste the URL with no other options. Tip: paste URLs that you copy from the same FileRun installation, either from the browser address bar or via “More options” > "Copy direct link", to link files between different folders.
- Important fix Sharing with link or send via e-mail when lacking the permission to share with other FileRun users.
- Important fix Video and audio playback when opening files in a new tab on Chrome and Edge.
- Important fix Clicking checkboxes in fieldsets titles in the FileRun control panel while using Safari browser.
- Important fix Using mouse for single-click selection and double-click folder browsing with primarily-touch device, such as a phone or a tablet.
- Improvement Added config options for limiting the media library features Photos/Videos/Music to indexing files only from specific folders instead from the entire user’s home folder.
- Improvement Streaming (HTTP range transfer) large media files would now detect if the files have been modified since the transfer/stream started, avoiding potentially broken downloads.
- UIThe thumbnail display aspect ratio is now constant and can be adjusted from the control panel with options ranging from square 1:1 thumbnails to wide 16:9 thumbnails.
- Improvement The audio player allows seeking by dragging, with second indicator.
- “Video Player” PluginGeneral option to loop playback.
- Improvement Added file type support (thumbnails, plugin support, etc) for files without extension (for example: dockerfile, changelog)
- ImprovementType support for cfg/conf file for thumbnails and text editing syntax highlighting.
- UI FixMetadata search field now being displayed when a metadata search is opened from a bookmarked link or from a file’s details panel.
- Improvement Added ffmpeg thumbnail support for MXF files.
- Improvement Avatars are now SVG so PHP GD library is no longer a requirement.
- Fix Minor undisclosed security vulnerability.
- Fix Added support for IIS for the “Office” plugin.
- Fix Better PHP error handling on failed thumbnail extraction from various formats.
- Fix Predefined metadata field options containing ampersand characters.
- UIMoved the “Recent” folder from the top of the menu lower, next to "Starred".
- UISelected file(s) action buttons are now aligned on the left side of the top toolbar, for easier reach inside folder with just a couple of files.
- UIShowing group avatars in the control panel and in the file sharing panel.
- UISet distinguishable colors to the file extension label for common file types.
- UI FixMore visible autocomplete login form fields on Firefox.
- UI ImprovementAdded padding for allowing easier selection by click&drag of files and folders in grid mode.
- UIVarious other smaller improvements.
- UIUsers editing files via ONLYOFFICE via shared web links have their names prefixed with “Guest” to distinguish from users editing via the FileRun user interface.
- ImprovementThe option “Copy direct link” is now available also for files and folders shared by other users.
- Improvement The installer allows you to choose to use an existing database. This would reset the credentials for the FileRun superuser account while keeping all the existing settings and data. It can be used to reset access to a FileRun installation when there is no command line access.
FileRun Update 20220113 (January 2022)
- Important fix Updating/synching files via the desktop apps.
- Important fix Text editing on mobile devices.
- Important fix Downloading files via newly created web links when sending files via e-mail.
- Important fix Vips failing to generate thumbnails for files with non-latin characters in their names.
- Important fix Hiding files and folders via $config[‘app’][‘hidden_file_names’].
- Important UI fix Better fit the logo in the main user interface.
- Important fix Uploading, other file management operations and navigation when the current folder is no longer present in the folder tree, for example when a parent folder has been reloaded.
- Important fix Admin users, except the superuser, not being able to update web link settings without setting a password.
- Big improvement Thumbnails for plain text files (such as .txt, .md, etc) and source code files (ex: javascript, css, etc), are now generated almost instantaneously, with no server requirements whatsoever, and no space taking on the server. The text is also very sharp so that you can easily read the file contents and locate the file of interest. Note: the update will not remove the thumbnails already cached for these files and you won’t see a difference until you clear the thumbnail cache for the existing text files.
- New small feature New plugin for viewing EML and MSG e-mail message files. Requires “mailparse” PHP extension for EML files and “msgconvert” for MSG files.
- Improvement Usernames can now contain the plus character (to allow for alias e-mail addresses).
- Small improvement Added support for editing TSV, tab-separated values files using the CSV plugin.
- Small improvement Added yml to be recognized as a YAML file type.
- UI improvement the transparency pattern when viewing image previews using the dark theme.
- UI improvement made the copy/move window resizable.
- UI fix “Copy direct link” and “Control panel” file context menu options are now shown for files under “Photos"/"Videos"/"Music” > "Last uploaded"/"By date"/"By tag".
- UI fix “Copy direct link” file context menu option is now shown for files under a collection, and under "Starred".
- UI fix login form fields not visible on Firefox and Safari
- UI fix Made audio player track bar fit the available space.
- UI fix opening the audio player no longer makes changes to the grid columns.
- Fix Character encoding handling for “Text Editor” and “Text Viewer” plugins.
- Fix Better error reporting when checking for the “vipsthumbnail” binary path from the control panel.
- Fix WebDrive error saying that there is no available space on the server when “Enable Quota Processing” setting is enabled.
- Fix Browsing shared folders with many subfolders (more than 100) maintains permissions in the user interface.
- Fix LibreOffice preview of office files when FileRun runs via Docker.
- Fix command line script ‘cron/empty_trash.php’ not working.
- Fix PHP notice from css/ext.php.
- Fix A couple of small UI glitches.
**FileRun Update **2021.12.07****
New User Interface
The entire user interface has been reworked, with high attention to every little detail.
- Great mobile experience. It adapts to screens of any size to provide a smooth and intuitive experience. Supports touchscreen laptops, handling both mouse and touch selection in the best way.
- It is now a progressive web app (PWA), so that you can add it to your desktop or mobile phone home screen. (Requires HTTPS access.)
New UI options
- The folder tree panel can be collapsed for more space for the files list. It is particularlly useful when browsing photos in the new “Photo” view, or documents in the new “Large thumbnails” view. The setting is remembered in the browser.
- Listing files and folders in “Detailed list” now allows you to sort without keeping the list split between folders and files. The option is found under the file list options menu.
- New display mode “Large”
- It shows twice larger thumbnails.
- It displays both documents and photos in full aspect ratio.
- It shows when an image file has transparency.
- It is great for brwosing documents and photos.
- It replaces the previous “Photos” view mode.
- Filter files by metadata file type. You can leave the filter enabled and continue browsing around folders looking for particular types of files. The Image/Audio/Video file list view modes have been removed.
- Tags can be added to multiple files/folders at the same time. Simply select multiple items and use the “Add tags” field on the “Details” panel.
- Multiple files can be star rated at the same time. Just select the desired files and use the star rating option found on the “Details” panel. If any of the selected files already has a rating, its value will be overwritten.
UI Performance improvements
- Direct links to subfolders now open instantly, regardless of how deep the folder is located. Browsing directly to a sub folder no longer loads the parent folders unnecessarily. Yet, it still displays the full location, allowing you to browse parent folders.
- Uploading folders now updates the folders structure in the tree menu in real time, so you can browse directly to a subfolder that was just uploaded, or that it hasn’t even finished uploading!
- Optimized code for faster display, snappier feeling and less browser memory usage.
- Creating new folders now shows the new folders in the folders tree menu instantly.
- Pagination for large folders! The maximum number of files you wish to list per page can be configured from the FileRun control panel. The pagination also applies to search results, so you can now see the full number of results. (Current limitation to be addressed in the future: sorting inside paginated folders is always done in an alphanumeric way by file name.)
- Very fast thumbnail generation
- Using “libvips” (https://www.libvips.org) instead of ImageMagick/GraphicsMagick, generating thumbnails can be almost instantaneous for average photo files on average server hardware.
- The supported file formats are "jpg,jpeg,tif,tiff,png,webp,pdf,hdr,gif,exr,svg". Other file formats would still be processed with your current ImageMagick/GraphicsMagick configuration.
- The “vipsthumbnail” binary must be installed on the server, and enabled from the FileRun control panel. Make sure you are using Vips version 8.10 or higher.
- Long file management operations, including calculating a large folder size, no longer lock other FileRun action.
- Space quotas no longer slow down the login and the loading of the user interface. Refreshing the quota usage no longer blocks other requests.
- Listing more than 100 subfolders in the folder tree panel no longer loads metadata for the folders, as it becomes too slow to browse. Therefore, in these cases the folders in the tree panel would no longer show if they are shared or if they have notifications or changes.
Much improved file viewer
- Much better image viewing experience.
- Shows now all files in the list, regardless if FileRun can generate thubmnails and previews for.
- Faster loading previews for non-image files.
- If files are selected, the viewer will cycle only through the selected files. Use this to preview only certain files.
- It now shows if an image has transparency.
- Added information when previewing an empty file (0 bytes file size).
- Opening the file viewer no longer disturbs the file list scroll position.
Uploading
- Uploading a folder which contains files or folders with names which are not allowed, automatically skips those files, no longer interrupting the whole transfer anymore for user input.
- Uploading folders now updates the folder tree in real time. This allows you to browse/manage the uploaded folders before the whole transfer completes.
- The upload panel shows the file upload speed again.
- The large Nextcloud uploads no longer show temporary folders inside the user’s home folder. The temporary folders are now hidden. Added support for deleting a temporary upload folder by Nextcloud on a failed chunked upload, so no folders are left behind.
Usability improvements
- The list of files is sorted in a more natural way. Sorting is now done in a case-insensitive way, non-latin characters and numbers are sorted better as well. The browser’s first preferred language is also taken into consideration.
- The “Activity” panel
- The “Activity” tab now shows also own user actions. $config[‘app’][‘folder_activity’][‘show_own’] config option no longer exists.
- The “Activity” tab now includes the actions made on the folder iteself, when a folder is selected, not only actions made on content.
- When no file or folder in the list is selected, the activity tab will show all the activity inside that folder and subfolders. The list is grouped by file/folder, so instead of seeing multiple actions made on the same file or folder, you will only see the last action for that file/folder. The number of other actions made is shown.
- When selecting a particular file or folder in the list, you see all the actions performed on that file, no longer groupped. $config[‘app’][‘folder_activity’][‘show_all_actions’] config option no longer exists.
- The “Details” panel
- The details panel is collapsed by default on screen sizes that are not large. It can be displayed using the info button on the top toolbar, or by using the new file context menu option "View details".
- The preview on the details panel now shows if the image has a transparent background. This helps also identify the image aspect ratio.
- Added option to change label from the details panel.
- The details panel shows when the file list is filtered (by audio/video/photos).
- The “Deleted from” details now links for quickly opening the location an item was deleted from.
- The “Details” tab now shows the metadata type for the selected file or folder.
- Thumbnails
- Thumbnails are focusing the center for photos and the top for documents.
- Document thumbnail loading is animated, to provide hints on the page size.
- The thumbnail display mode is now flexible, stretching and shrinking folders and files as needed to use all the available space.
- Added control panel option for choosing the seek time for the frame selected out of videos for thumbnails.
- The audio player
- The audio player no longer closes when leaving the music media library folders.
- The audio player no longer opens automatically when browsing the music media library.
- For users who do not have download permissions but they have only preview permission, the audio player now opens directly rather than inside the file viewer.
- It can now be disabled from the control panel.
- Added option to disable autoplaying the next file in the audioplayer.
- Inside the trash folder
- Files in the trash folder can now be previewd.
- You can now read comments on files/folders inside the trash folder.
- The trash folder no longer groups folders at the top, but shows files and folders sorted by deletion date.
- Increased the text/code editor font size.
- Added contextual menu option for copying a folder’s path to clipboard.
- Added tooltips on most clickable actions.
- Dragging files and folders over the “Collections” item automatically expands it to be able to drop into a collection.
- Added ability to calculate total file size of multiple collections and photo albums together.
- Better handling renaming current folder.
- Selecting more than one file to delete now shows a confirmation prompt. This can also be used for deleting permanently instead of to the trash.
- Added warning when deleting files from outside the home folder or a shared folder in order to prevent accidental deletion from places such as the Starred, Collections or other virtual locations.
- To prevent accidental file changes, creating a new file from the “+ New” menu no longer allows overwriting existing files.
- Autosave is now enabled by default for the ONLYOFFICE editors.
- The Download cart
- Better feedback adding files and folders to the download cart.
- Added contextual menu option for adding files to download cart, without having to drag the files from the list to the toolbar menu item.
- Prevented dragging folders to the download cart without the permission of downloading folders.
- Keyboards shortcuts
- Added CTRL+A keyboard shortcut to select all files in the list.
- Added ESC keyboard shortcut to clear the file selection.
- Added F5 keyboard shortcut to refresh the file list.
- The keyboard shortcuts 1-5 for star rating files have been removed.
- The logo and welcome message are always shown on the login page, even on small screens.
- Various fixes and improvements regarding toolbars and menu options.
The shared links now follow the current theme.
The OAuth2/API authorization pages now follow the configured theme.
And various other user interface improvements.
Photos Media section
- Photo and video thumbnails show with the actual aspect ratio of the image.
- The “Photos” media library now shows both photos and videos.
- The sorting is done by the date the photos or videos were taken.
- Video files are visually identified by having a play icon on the thumbnail.
- Image and video orientation detection has been improved.
- Added support for HEIC metadata import. Requires Imagick PHP extension, enabled from the FileRun control panel.
Media Albums
- Photos and videos can be organized in albums, which work exactly like the regular FileRun collections.
- Sharing albums with a link, set by default the link mode to gallery.
- Files and folders can be added to albums from the right-click menu, or by dragging to the left folder menu.
- Photo albums can include any other types of files and folders.
- In the future, albums will be shareable with other FileRun users.
Improved apps compatibility
- Desktop Sync Nextcloud
- Desktop sync can be now used also when the user doesn’t have a home folder. Files and folders shared by other FileRun users can be now kept in sync with the desktop sync app.
- If a user syncs all shares from all users (@Shares) or all shares from a particular user, new shares will get synced as well.
- Sharing files and folders using links from the desktop now works. Changing permissions of existing shared links and removing links also works.
- Use the right-click menu “Nextcloud” to get private or public links to the files.
- Android app Nextcloud
- Sharing files and folders using links now works. Changing permissions of existing shared links and removing links also works.
- Previewing various types of files works.
- You can now add a Nextcloud account to the mobile app by scanning the QR code displayed when generating WebDAV credentials from the FileRun “Account settings” panel.
- Added compatibility with Synology Cloud Sync.
- Added support for Nextcloud/Owncloud Thunderbird addons.
- Tested compatibility with Joplin note-taking app: A FileRun folder can server as a synching source for note taking on various devices.
- Desktop Sync Nextcloud
Added “Folder Index” plugin for generating printable indexes of folder contents.
Security
- Fix against CSRF via HTML files opening in the browser, and via MIME sniffing.
Thanks to Febin Mon Saji (https://www.linkedin.com/in/febin-mon-saji-1787951b1) - Improved protection against CSRF attacks.
- Fixed minor undisclosed security vulnerability.
- For security reasons, SVG files are no longer used natively for thumbnails and previews, but they get PNG rendered versions.
- Improved login security.
- Added option under Password Policy, to enfore two-factor authentication (2FA) on all FileRun user accounts, except guest accounts which they still login using just a link.
- FileRun is now making sure the session cookies are secure, regardless of the PHP configuration.
- Fix against CSRF via HTML files opening in the browser, and via MIME sniffing.
Other Improvements
- General server-side speed improvements.
- Sped up the thumbnail generation process via command line.
- Adding/changing file/folder labels no longer require download permission.
- Changing file tags is now logged to the user activity log.
- Better error handling in the “Index file metadata” folder control panel option.
- Audio files get year and genre metadata extracted as tags.
- Web linked galleries now show thumbnails in the natural aspect ratio of the pictures.
- Comments can be added to the user’s home folder.
- Better error handling on MySQL connection drop while zipping large folders.
- The metadata autocomplete, such as for adding tags, searches not only terms starting with the typed word, but wider.
- Added support for ImageMagick being used in Imagick PHP extension mode to the “Create photo proof sheet” plugin.
- The user accounts created via the authentication plugin can now have a different role associated with them, compared to accounts created via the self-registration procces.
- Troubleshooting thumbnail or preview generation from the file control panel now keeps the generated thumbnail/preview files, so one can use this to manually request thumbnail generation for a file for which the generation previously failed.
- New FileRun branding.
Fixes
- Fixed display of checkboxes in file grid when thumbnails are not enabled.
- Fixed taking into account EXIF orientation when retrieving width and height of images and videos.
- Fixed creating web links via Nextcloud apps.
- Fixed regression bug: GraphicsMagick support.
- Fixed removing password protection from web links.
- Fixed adding file comments using mobile browsers.
- File comments can now be added via the media folders (Photos, Videos, Music).
- The file activity log now shows correct filenames for files in the trash folder.
- Fixed video player showing full size video via web links.
- Fixed image editor skewing the images on particular image orientations.
- Fixed display of login background image when the URL contains ampersand characters.
- The “Forgot password?” function is now available when using an authentication plugin but having the “Allow local users to login” enabled.
- Fixed search results showing files that might be in other users trash folders. This happens only when the other user’s home folders are located inside the home folder of the user that is doing the searching.
- Disabling plugins now applies also for the plugins already configured to be used with web links.
- The option of creating file requests is no longer visible if the user had permission to create web links but now he does not have permission to download files.
- Files and folders that are shared without alter permissions can now be added to starred.
- Better handling of zipping folders with large number of items. Better error reporting.
- Better compatiblity with RSS readers for the folders shared with web link in RSS mode. The file URLs now point directly to the file, rather than the file’s preview page.
Other changes
- FileRun installations need to be registered in order to feature custom logos. Unregistered installs will feature the FileRun branding.
- FileRun no longer works with Internet Explorer. Finally! 🥳
- The “Default display mode:” can no longer be set to Photos, Videos or Music. The only options are now List, Grid or Large grid. The media views are now reserved for the media library sections.
- The Zoho theme has been removed.
- Deprecated $config[‘app’][‘ui’][‘enable_favicon_ico’]. Favicons are enabled now by default and can be disabled from the FileRun control panel.
- Improved debug output for “Thumbnail generation” file control panel action.
- Updated SimpleSAMLphp plugin description to confirm compatibility with version 1.19.
- Removed the option of linking the UI logo to a URL.
- Fixed files showing under Starred when their parent folders were moved to trash.
Hidden files and folders
- Hidden files and folders will still be visible and accessible via the API, WebDAV and apps.
- Hidden files and folders can be created and uploaded by users, even if they don’t show in the list.
- Downloading a folder containing hidden files and folders, will not include these files.
- $config[‘app’][‘hidden_folder_names’] has been deprecated.
- $config[‘app’][‘hidden_file_names’] applies to both file and folder names and it only hides items in the web interface.
- Dot files and folders (.*) can be now made visible, using the new option available under the control panel “Interface” section. They are hidden by default.
- If you want to completely exlude certain file and folder names, you can use $config[‘app’][‘excluded_filenames’]. Excluded files and folders will not be visible, accessible or manageable by any means.
June 28, 2021 (2021.06.27)
- Security Fixes
- Fixed critical security vulnerabilities.
Security audit by Christian Poeschl and Tobias Braeutigam, from "syntegris information solutions GmbH".
- Fixed critical security vulnerabilities.
- Other Improvements
- ONLYOFFICE can be now used to share documents via web links without download permission (requires enabling from the FileRun control panel).
- Added API call for extracting archives.
- Added "-path" option to “cron/make_thumbs.php” command line, to process only a specific folder.
- Other Fixes
- Fixed ocassional error while moving larger folders that have versioned files in subfolders.
- Regression fixes:
- Uploading via web links.
- Right-click on files for independent admin users.
- Alphanumeric sorting in the file grid.
- Uploading CSV files for user import.
- Compatibility warning with Nextcloud deskop app.
- “HTML Editor” plugin security changes:
- Added option to automatically clean the HTML code before opening files in the “HTML Editor” plugin. The option is now enabled by default, but can be turned off from the plugin’s settings. Turn off only if you understand the high security risk involved.
- The plugin’s option to be used for creating new file is now disabled by default. You can manually enable it back by editing the plugin settings.
- The plugin’s option to be used for creating new file is not disabled. You can manually enable it back by editing the plugin settings.
- The plugin is now disabled by default in new FileRun installations.
- Fixed exporting activity log when no date is selected.
- Better handling trying to preview a file after session expired.
- Fixed image editor not preserving file extension case.
- Increased timeout for indexing via Apache Tika in server mode from 5 to 50 seconds.
- Fixed some missing translations.
April 1, 2021 (2021.03.26)
Summary of the most important changes:
File plugins can be now used with shared web links.
Allow visitors to edit files shared via web links.
“Preview without download” permission available for both user accounts or web links.
New plugins for spliting and merging PDF documents.
Three new themes.
Other improvements and fixes
Web links improvements
- The following plugins can be now used to display files shared via web links: 3D Viewer, LibreOffice Viewer, ONLYOFFICE, Office Web Viewer, Zoho, OpenDocument Viewer, Markdown Viewer, Bing Maps, Google Maps, Text Editor, E-book Reader, Markdown Viewer, Open in browser, Video Player, Google Docs Viewer, Link Opener, Audio Player.
The plugins used for previewing or editing files via web links can be selected from the FileRun control panel section "Files > Plugins > Defaults". - A web link to a file can now be shared in 4 different modes:
- With preview: it opens a HTML page with a preview.
The preview is generated by the plugin configured for the particular type of files.
Image Viewer plugin can be used to show previews for non web-safe image files, such as raw images, PSD, etc.
Important: This is the default way web links open now. Old links that you might have used to embed files into other applications or web sites, would require the following parameter "&fmode=open" appended to them. - Open in browser
Just lets the browser handle the file. If it’s a plain text file, a PDF document, or an image file that is supported by the browser, the browser will open it directly. If browsers can’t handle the file type, they usually provide the visitors with the option to save the file to their computers. - Force download
The browser will always provide the visitors with the option to save the file to their computers. - Editable
This mode looks similar to the preview mode, but it can use a different FileRun file plugin, that might provide the ability to edit the file. The plugins used with this mode are configurable for the various types of files from the FileRun control panel, under "Files > Plugins > Defaults".
This mode is available only with the permission to edit the file. This new permission is enabled under the “Advanced” panel when editing the web link.
- With preview: it opens a HTML page with a preview.
- You can now disable the download permission on a link.
- If you set a preview plugin for the web links, the preview will still be shown.
The plugins that can handle non-download previews are the same as above.
If you do not configure plugin previews for web links, they would just show a file type icon with the message that there is no preview available. - This works also when sharing entire folders.
- If you set a preview plugin for the web links, the preview will still be shown.
- The “Prevent the browser from opening the file.” option is no longer available. If you wish the links to provide the download, select “Force download” option under the web link URL, or append “&fmode=download” to old web links. $config[‘app’][‘weblinks’][‘force_download’] = ['txt’, ‘csv’]; can still be used to prevent the browser from opening files that have the specific extensions (txt and csv for this example).
- The following plugins can be now used to display files shared via web links: 3D Viewer, LibreOffice Viewer, ONLYOFFICE, Office Web Viewer, Zoho, OpenDocument Viewer, Markdown Viewer, Bing Maps, Google Maps, Text Editor, E-book Reader, Markdown Viewer, Open in browser, Video Player, Google Docs Viewer, Link Opener, Audio Player.
Preview without download
Users that are not allowed to download files can be now given permission to preview files.
You can also now disable the download permission on a link which might still allow previewing.
Available preview options:- “LibreOffice Viewer” and “Open in browser” plugins can be configured to allow PDF previews even when the user doesn’t have download permissions but has preview permission. The PDF files will open without toolbar, making it difficult (but not impossible!) to save the PDF preview file.
- “Zoho” plugin can also be configured to allow previewing without download permission. Note though that Zoho allows exporting spreadsheets and presentations from the editor to the original file format, so it does not protect from downloading. For word documents, it allows printing, so that can be used for exporting as PDF.
- The “Autodesk” plugin allows previews without permission to download the file. This is safe as the original file never gets on the user’s computer.
- The “Audio Player” and “Video Player” plugins can be configured to allow playback of media files without the permission to download the file. Note that this does not keep the original files safe!
- Other plugins, without download permission, will either show the file’s thumbnail, an icon or no preview at all.
- In the future, more plugins will be able to display limited previews without downloading capabilities.
- If you do not configure plugin previews for web links, they would just show a file type icon with the message that there is no preview available.
Very important notes:* This is not a safe view-only access to data. There is no such technology. Use this only with non-sensitive data that you do not mind sharing with other people.
- It is still possible to select and copy text, or extract image data from the generated PDF previews.
- It is technically possible to extract textual content out of an image preview.
- It is still technically possible to download/save the generated PDF files to the users computers.
- For image files of smaller resolution, the thumbnail is the same as the file, so saving the thumbnail to the visitors computers would technically be the same as downloading the original file.
Unified file preview
- Preview all files in a folder, or from a search result, with next and previous buttons. All file types are now included.
- More screen space for previewing documents and the preview can be made fullscreen.
- Shows edit option for editable files. (This option shows only when the file type has a default editing plugin configured inside the FileRun control panel “Files” > “Plugins” > "Default".)
New plugins:
- Extract PDF pages. You can extract a range of pages (1-5 or 5-1), or a list of separate pages (1,2,3), or any combination of ranges and separate pages (1, 5-10). The extracted pages can be in separate PDF files or in a combined one.
- Merge PDF files. Two or more PDF documents can be merged into a new document. The order you select the files dictates the order the pages are copied into the merged document.
- CSV Editor: edit .csv files in a spreadsheet-like way.
- Text Viewer: read plain text files more comfortable and with support for the dark theme.
Videos can be now browsed through the Videos media library option by the date their were taken and by tags. Date taken and GPS location metadata is now imported from video files, if available. Note that this requires a metadata reindexing.
User interface improvements
- New theme "Google Drive". Similar to the default blue, but flat with white top bar.
- New theme "Microsoft OneDrive". Flat with square corners, thin and blue top bar, orange folders.
- New theme "Zoho". Flat with squarer corners, black folder tree, green highlights.
- Added “Edit” right-click option. This option shows only when the file type has a default editing plugin configured inside the FileRun control panel “Files” > “Plugins” > "Default".
- Audio files can be opened in the audio player in a new browser tab.
- Multiple files and folders can be now selected without using the keyboard, but instead using checkboxes that show over their icons when one or more items are selected.
- You can now configure file plugins to hide the options for creating new files. You can allow users to edit files with plugins such as Google Editor without having the options of creating new documents with this plugin under the “NEW” button.
- Added dark theme support for Markdown viewer.
- Various cosmetic and ergonomic improvements.
Other Improvements
- The “Autodesk” plugin now reuses uploaded documents for generating previews instead of uploading the files to the Autodesk server on every preview.
- Added option to the “Create photo proof sheet” plugin to autorient images.
- Creating weblinks via API can be now done with all the options available via the user interface.
- Added DPX and EXR as supported image file types.
- Added the possibility of creating a new group of users from other groups or from all existing users.
- The “Image Editor” plugin has now options for adjusting brightness, contrast, saturation and sharpness.
- The E-book reader now opens the book where you left them. It also provides options for adding bookmarks. Note that information on bookmarks and the last read page is saved in the browser’s cache.
- Downloading a single file now takes advantage of Chromium automatic download resuming, so it resumes the download when the connection gets interrupted.
- Sped up thumbnail generation for video files by using ffmpeg also for scaling.
- The Image Viewer plugin, which is used when previewing images via web links can now show small resolution previews for non web-compatible image files. This plugin can also be used to show quick previews for non web-safe image files via the versioning panel.
- The metadata fields of type “Single value” can be now filed quicker by typing to jump to a predefined value.
- The metadata fields of type "Small text", “Normal text” and “Multiple values” can be configured with autocompletion, where metadata values from other files are being suggested as the user types in.
Other Fixes
- Fixed opening PDF files and previews in newer Chromium versions.
- Fixed possibility of downloading entire home folder.
- Fixed LibreOffice Viewer support for non-Latin characters in file names.
- Fixed file versions being left behind in the file system after a file is being deleted, either directly or via the trash folder.
- Fixed reloading current folder on rename.
- Fixed listing user activity logs for independent admins.
- Labels and other metadata not showing for files in the search results, when searching just by filename.
- Fixed deleting metadata file types.
- Users can no longer create/upload folders with names that makes them hidden (for example folders with names starting with a dot character), nor they can create/upload files with names that makes them hidden (such as ".htaccess", ".DS_Store", or if a custom hidden pattern is configured for the user/group/role). This applies to any method: user interface, API, WebDAV, sync clients.
- Fixed exporting user activity logs when specifying a date range.
- The “Link Opener” plugin which allows you to upen .URL (Internet bookmarks) files now opens the links in separate windows, as most websites block frames nowdays.
- Fixed display of file owner group name under the file control panel.
- Fixed folder listing when locating a file from the search result when the file is located in the root folder of the search.
- Fixed display of large lists of file tags in the file details panel.
- The videos media folder is now hidden for users without download permissions.
- Collections tree option is no longer shown when the user doesn’t have download permission.
Other changes
New web links that have an expiration date, will expire at the end of the specified day, rather than the beginning. This does not apply to existing web links.
Files and folders can now be moved inside a folder shared without download permission. The purpose is to allow file management for uploading files in an organized way, while still preventing the users from moving files from a folder without download permissions to a folder with download permissions.
‘Thumbs.db’ is no longer a hidden file.
The control panel now opens in a new window and its various sections can be bookmarked for quick access.
“cron/paths_cleanup.php” can now take the following arguments:
–deep Cleans all data related to the cleaned/removed file paths. This includes: shares, web links, metadata, comments, labels, stars, file activity logs, thumbnail caches, old file versions, search indexes, previews, etc.
–aggressive Cleans also files that might exist and are accessible by their paths, but their paths are not perfect (for example, using back slashes or multiple consecutive forward slashes).
–remove-hidden Cleans from FileRun database files and folders that start with a dot character.
–path /your/path Limit the process to a particular folder.Deprecated config options: $config[‘app’][‘weblinks’][‘show_page_before_download’]
November 21, 2020 (2020.11.21)
- Improvements
- Multiple files and folders can be now shared with other FileRun users at the same time.
Do note that changing the sharing setting for multiple items at the same time, will apply the exact same settings to all files and folders and override any other existing sharing options. - Added “LibreOffice Viewer” plugin which can generate browser-friendly previews for Microsoft Office and OpenOffice type documents. The previews are generated on first view, then cached on the server just as thumbnails are, so subsequent previews open without delay. Requires that LibreOffice is installed on the server, and path configured under the FileRun control panel section "Thumbnails and preview".
- Users can now share files metadata via web links. You can choose to prevent sharing of certain fields, by editing the metadata fields options from the FileRun control panel.
- Direct links to files and folders can be copied to clipboard via the contextual menu (under “More options…”) or from the sharing panel. These links can be shared with other FileRun users that have access to the file, for pointing to a particular file or folder while collaborating.
- Users can now search for files that have a metadata value equal or larger/lower than a particular numerical value. For example, to list all files rated 3 stars or lower, one would search for "Rating: 3-". To list all files rated 4 stars or higher, one would search for "Rating: 3+".
- Files and folders can be rated with keyboard shortcuts by selecting one item and pressing a key from 0 to 5.
- PDF documents are now handled by the browser on the mobile devices. This means that, if the browser can open the file, it will open it directly, if not, it will prompt the user to save the file to the device before opening with a native app.
- Added “Videos” display mode, which shows only the video files in the current file list.
- Added “Videos” media folder which lists the videos in the user’s home folder, sorted by the date the files where uploaded to FileRun.
- Added “Last uploaded” section under "Photos". It shows any type of image file sorted by the date it was uploaded to FileRun.
- Added "[All]" folder under “Photos > By Date > Year” to list all photos taken that particular year, instead of browsing each month separately.
- A metadata field can now offer multiple predefined options of which the user can select multiple ones. For that, create fields of type “Multiple values” and you will get the option of setting predefined values the user can select from.
- Added support for uploading high resolution screenshots via pasting even when the server is configured with small upload limits.
- One user’s list of shared folders is now sorted in a natural way.
- The comments input field is resizable for writing larger comments more comfortable.
- Improved compatiblity with the latest version of SimpleSAMLphp. Also made it so that local FileRun user accounts can login, as altenative to SimpleSAMLphp SSO. Added an option to import group names returned by SimpleSAMLphp and an option to restrict access to only certain groups.
- Added control panel option, under "Interface options", to hide the “Download All” button from folders shared by web links.
- Non-image files now open with their own preview, instead of just showing a thumbnail, under folders shared via web links as image galleries.
- Opening HTML files in a new tab now adds HTTP security headers to block forms, JavaScript and other HTTP requests, to prevent XSS attacks.
- Multiple files and folders can be now shared with other FileRun users at the same time.
- Fixes
- Fixed Office Web Viewer plugin.
- The “Photos” media library section no longer shows files which are of a different file type than “Photos” or no type. This is to prevent for example a scan of a document to be shown as a photo.
- Fixed bug preventing users from changing their passwords while 2FA is enabled.
- File activity log not displaying when browser extensions for ad blocking, such as uBlock, are enabled.
- Improved handling of short MySQL wait timeouts, causing database connectivity problems when users download larger files or over slow network connections.
- Fixed login page redirecting to SSO when “Allow local user accounts to login” is unchecked even though SSO is not enabled.
- Fixed the “Shares” section under a file’s or folder’s control panel not listing shares on the item itself but only for contained items.
- Fixed choosing users and groups for sending files via e-mail.
- Fixed bug preventing users from creating file requests without being password protected.
- Fixed Zoho Editor plugin error when FileRun user name contains non-Latin characters.
- Fixed error message while using Zoho Editor plugin.
- Fixed error when trying to make thumbnails for broken PNG files.
- Copying and moving files (not folders) inside another user’s home folder, from the current user’s home folder, now logs the receiving actions, for sending notifications.
- Added compatibility with Bitly V4 API.
- When setting manual notifications for "Folder received (via copy)" and for "Folder received (via move)", the messages now include details about the folder name and location and the name of the user that provided the folder.
- Fixed regression bug: selecting multiple items in the list of files was not updating the details panel properly.
- Fixed memory limit hitting when running the “cron/paths_cleanup.php” script.
- Web link records are no longer automatically cleaned if the file/folder is not found. This is to prevent loss of web links in case the storage is temporarily inaccessible.
- Improved display of Markdown content in comments and from files.
- Previewing older versions of the same file with ONLYOFFICE now opens the appropriate version.
- Fixed incorrect space quota calculation, showing wrong information in the user interface and preventing chunked uploads to complete successfully.
- Fixed possible error regarding failing to create subfolders when a race condition happens when uploading folders.
- The “Connected apps” section of the personal settings panel is no longer displayed if the API is disabled.
- Fixed bug leaving empty upload temporary folders when Nextcloud apps are being used to upload larger files.
- Fixed ability of setting different permissions to different users/groups when sharing a file/folder for the first time.
- Various smaller UI fixes and improvements.
December 25, 2019 (2019.12.25)
- File Control Panel
- It’s a per file/folder control panel available only for the FileRun superuser.
- It provides a central place for retrieving additional information in relation to a file or a folder and provides tools for troubleshooting FileRun features such as the content indexing, metadata extraction and thumbnail and preview generation.
- The contextual menu option “More options…” > “Index files” is now an option under the File Control Panel.
- The plugin “Admin: Text Indexer Test” is now an option under the File Control Panel.
- The plugin “Admin: Thumbnail troubleshooter” is now an option under the File Control Panel.
- Folder Notifications
- Added control panel option for automatically subscribing users so that they receive notifications when files, comments or labels are being added inside folders that have been shared with them. The option is available under “Files” > "Misc options".
- The folder notification options are now split into the following:
- “New files” -> If the previous option titled “Upload, Delete, Rename, etc.” was enabled, it now only covers new files. For getting notifications on deletes, renames, etc. the users now need to manually change the notification options to include the new “Other actions” option. The FileRun update will not enable this automatically for the existing settings.
- “New comments and labels”
- “Downloads and previews” -> This is the previous option titled “Download, Preview, Copy, etc.”
- “Other actions”
- Thumbnails and image preview
- The generated image previews are now cached on the server.
- Added option to choose the resolution of the image previews and even allowed image files to be served as they are.
- Image previews are now loading with lower resolution on non-retina displays.
- Added support for the IMagick PHP extension for generating thumbnails using ImageMagick when PHP doesn’t have permission to run external programs. Useful for shared hosting environments.
- Additional options for controling the behavior of thumbnail and preview generation have been added to the control panel, under “Interface” > "Thumbnails and preview".
- Added option to rotate previews in the image viewer.
- The same preview system and cached images are now also used when previewing images via shared web links opened in “Image gallery” mode.
- The gallery web links image viewer now supports non web-safe images as well, so you can share folders with raw photographs as galleries that include larger previews.
- To generate previews from the command line, you can use the script cron> php make_thumbs.php --username admin --size large.
- Fixed clearing thumbnail cache via the folder properties panel when a custom cache location is configured.
- Fixed generating thumbnails via command line (cron/make_thumbs.php).
- If the Google Static Maps API key is set, FileRun will generate thumbnails for GPX files.
- Authentication
- Users can now generate additional credentials to be used with third-party WebDAV apps. The option is available under the “Account settings” panel. This is particularly useful when connecting using the WebDAV protocol and your FileRun user account uses 2-Step verification (2FA). (Note that this feature requires the API to be enabled.)
- Authenticating to FileRun via OAuth2 now works with authentication plugins that use SSO (Single sign-on).
- Added the possiblity to limit users login to more than one IP address or range. "$config[‘app’][‘login’][‘restrict_ip’][$USERNAME]" can now be an array of IP addresses or ranges.
- No longer logging failed login attempts when the user is setting up 2FA or being asked for the 2FA code.
- Failed login attempts made from unauthorized IP addresses are now logged to the user activity log.
- Failed logins not attributed to a particular user account are now logged as well to the user activity log, under the FileRun superuser account. Paricularly useful to see when invalid usernames are being used or various other errors from a third-party authentication plugin are happening.
- Nextcloud apps
- Added compatiblity with the version 2.6 of the Nextcloud desktop app.
- Fixed synching shared folders with Nextcloud desktop sync.
- Fixed synching folder renames for Nextcloud apps.
- Nextcloud desktop app showing avatar on account.
- Nextcloud desktop app allowing to open a file/folder in the FileRun web UI. (Note that this currently doesn’t work for shared items but only for items inside a FileRun user’s home folder.)
- Activity Panel
- The activity panel is now available for the currently opened folder and also for files.
- Added config option ($config[‘app’][‘folder_activity’][‘show_own’] = true;) for enabling own actions to be listed in the Folder Activity panel.
- Added config option ($config[‘app’][‘folder_activity’][‘show_all_actions’] = true;) for disabling grouping of actions in the Folder Activity panel by file.
- Fixed functionality of the “Folder Activity” panel when enabled for shared folders.
- User Interface
- The default view mode using for web links can now be changed from the control panel (Interface > Options). Changing the default mode affects all existing web links, unless they were specifically shared with a view mode other than the default one. Web links that were shared with the parameter “mode” in the URL will not be affected.
- Added file size information for the files shared via “List view” links.
- The width of the folder panel is now being remembered on the same computer accross sessions.
- Links to files from the e-mail notifications are now opening the FileRun user interface with highlighting the file.
- Enabling/disabling or making changes to the FileRun plugins no longer requires users to clear their browser’s cache in order to see the change.
- Clicking a file’s label in the details panel will search the current folder for all files with that label.
- Clicking to “locate” a file from a search results it now closes the search panel, instead of performing another search inside the found file’s folder.
- Text from the Control Panel grids can now be selected for copying.
- Fixed bug causing the file list to scroll up when clicking next to a file.
- The text editor now allows copying, pasting and text selection on mobile devices.
- Making any changes to metadata fields, field sets or file types will reflect immediately, without the users needing to clear their browsers’ cache.
- You can hide the list of system default metadata file types (Audio, Documents, Photos, Videos) in the metadata file type search by setting "$config[‘app’][‘metadata’][‘search’][‘exclude_system_filetypes’] = true;".
- You can hide the list of system default metadata fields (the ones that belong to the "Audio", "Documents", "Photos", “Videos” file types) in the metadata file search by setting "$config[‘app’][‘metadata’][‘search’][‘exclude_system_fields’] = true;".
- The metadata fields with predefined lists of values now offer the user the option of setting no value.
- Metadata field sets are now sorted alphanumerically based on their names.
- The metadata field type “Date/time” now shows a calendar for choosing a value. The field expects the format "2019-01-29 23:59:59".
- Fix: The login form no longer moves out of the screen when typing in credentials on mobile devices.
- Fixed “Open with…” > “New tab” to allow multiple files to be left opened at the same time.
- Fixed Autodesk plugin opening in a new window.
- Fixed avatar letters being wrong in some cases.
- Fixed downloading file from the image viewer by pressing the Enter key.
- Fixed group avatar when group name contains multibyte characters (non-latin characters)
- Fixed: keyboard shortcuts on Firefox (non-Windows).
- Fixed sharing panel UI glitch preventing users with long names to be removed from a share.
- Fixed folder notification messages to include users’ full names.
- Various other small UI improvements and fixes.
- Other Improvements
- Added control panel option for disabling/hiding the “Collections” feature. This applies system-wide.
- The ONLYOFFICE plugin is now available for all filetypes support by ONLYOFFICE, rather than only the common office documents. The full list is the following: "doc", "docx", "dotx", "odt", "ott", "rtf", "txt", "pdf", "html", "epub", "xps", "djvu", "xls", "xlsx", "xltx", "ods", "ots", "csv", "ppt", "pptx", "potx", "odp", "otp".
- The ONLYOFFICE plugin supports JWT authentication.
- The ONLYOFFICE plugin no longer autosaves changes. The user needs to click “File” -> “Save” or use the keyboard shortcut for the changes to be saved to the document.
- Change: the upload chunk size is no longer limited to a max of 20MB but instead it is determined automatically based on the PHP configured “upload_max_filesize” and “post_max_size” (the smallest of these two values). This has two important consequences. One is a potentially negative one, smaller files will be reuploaded from the start if the transfer is interrupted or paused (interrupted downloads are being resumed from the last uploaded chunk). The second consequence, is a positive one, with large files uploaded over fast connections will be uploaded much faster than before (particularly noticeable in local networks). The chunk size can still be manually using '$config[‘app’][‘upload’][‘chunk_size’]' (see https://docs.filerun.com/advanced_configuration).
- Changing a folder’s notifications options is now logged to the user activity log.
- Adding/removing a user to/from a group is now logged to the user activity log.
- Sending files/folders via e-mail, using web links, now logs the action of creating the web link.
- Saving changes on a web link’s settings is no longer logged as an action if no changes were actually made.
- $config[‘app’][‘email_notification’][‘per_item’][‘limit_actions’] is an array containing a list of actions that notifications are being triggered when using per folder notifications.
- Apache Tika in server mode now requires version 1.22.
- Added options for enabling file indexing for image files and scanned PDFs through OCR. It requires Tesseract. For more informatiom please see https://docs.filerun.com/file_indexing
- Added option for loading a configuration file for Apache Tika.
- The text editor can now open GPX and KML files, with XML code highlighting.
- E-mail notifications for uploading and downloading empty files are no longer instant. This allows users to create new text files and add content to them without having too many notification messages being sent about the particular activity.
- The control panel export function for the user activity logs search results is now triggering a file download rather than saving the file in the superuser’s home folder. The activity details are now json encoded.
- Added API method for changing the password.
- Added possiblity of specifying additional options for connecting to the MySQL database by editing “system/data/autoconfig.php” and adding the ‘options’ element which lists PDO predefined constants.
- File or folder names that end with a space or a dot character are no longer allowed.
- Users with the permission to share files with other FileRun users can now share their entire home folders.
- Other Fixes
- Fixed: Removing a user from a group leaving behind settings attached to files/folders shared with the group.
- Fixed: Removing a user from a shared folder leaving behind settings attached to the files/folders. For example, per-folder notifications enabled, having the users that no longer have access to the shared folder to still receive related notifications.
- Fixed regression bug: superuser not being able to assign users or groups using the “Can interact with” permissions.
- Fix: allow “memory limit hitting fatal error” to be logged to the PHP error log when trying to process Exif data from very large files.
- Fix: FileRun no long attempts to read Exif data from PSD/PSB files.
- Fixed compatiblity with the newer Autodesk API to allow opening CAD files.
- Fixed problem with browsing shared folders with certain WebDAV programs.
- Fixed PHP warning when importing users via CSV.
- Fixed PHP error (Call to undefined function FileRun\Utils\xdebug_get_function_stack() …) when installing FileRun updates.
- Fixed extracting tar.gz archives.
- Fixed “cron/metadata_index.php” not processing all users when ran without paramaters.
- Fixed delay in reflecting changed control panel settings when PHP OPcache is enabled.
- Fixed error when accessing collections that are supposed to contain files that were removed from outside FileRun.
- Fixed problem with HTML characters typed in the message when sending files via e-mail.
July 01, 2019 (2019.06.01)
New features:
- 3D model file support* Added 3D viewer with support for: OBJ/MTL, STL, FBX, DAE, X, GLTF/GLB, 3DS, 3MF.
- It supports external resources (texture files located in the same folder).
- It provides the option of saving screenshots from the renders.
- Added icon and file type description for various 3D model files.
- Added option to use https://github.com/unlimitedbacon/stl-thumb for generating thumbnails for STL 3D models.
- Added back the download cart. It is hidden by default and it can be enabled from the control panel, under “Interface” -> "Options".
- Added the possiblity of setting custom icons to specific folders. See this page for more details.
Fixes:
Fixed several medium and low risk security vulnerabilities.
Regression fix: Sharing as a link a sub folder of a shared folder would share the parent folder instead. (The current FileRun version has been patched shortly after release.)
Added “index.html” files to prevent web servers from listing various FileRun application folders.
Fixed emojis in filenames affecting thumbnail display mode.
Fixed PHP warning when FileRun user is changing own password.
Fix: Simple admin users unable to change passwords for the existing user accounts.
Fixed folder listing sorting in the main UI.
Fix: Filename with non-ASCII characters on file download on Edge.
Fix: Form field sizing in the “Options” panel of the “Web Link” panel, on non-English translation, making last field inaccessible.
Better handling of non-ASCII characters for generating user avatars.
Fixed the progress bar UI on the upload panel.
Fixed various UI glitches.
Other changes
- Change: Due to security reasons, FileRun no longer allows filesystem paths/filenames that contain the < or > characters.
- To prevent getting locked out, the superuser account now has 20 failed login attempt until the account is locked, regardless of the settings for the other user accounts. Make sure you set a secure password for the user account.
- Behavior change: Closing the “Web Link” panel using the “Done” button no longer copies the URL to clipboard. Users have to press the “Copy” button instead.
- Added field for setting the name e-mail notifications are being sent from.
- Added informative notification when assigning the same home folder path to more than one user account.
May 22, 2019 (2019.05.21)
Important notes
- Making a backup of the FileRun installation before installing updates is highly recommended. Read here how.
- The minimum required PHP version for this update is 7.1. For best performance and security, we highly recommend PHP 7.2 or 7.3. The PHP versions 5.6 and 7.0 reached end-of-life from PHP developers, which means no security updates are being released for them. For the safety of your data, FileRun no longer supports them either. (Please see this guide for upgrading to PHP 7.1+.)
- This update breaks compatibility with the FileRun Android app, which will need updating. Please note that a compatible FileRun Android app might not be yet available.
- Using the desktop sync apps or the Nextcloud Android app is now requiring the FileRun API to be enabled. Read here how to enable it.
- After this update, the default language will be set to “English” and the installation will have no translations. The translation system has changed and any files previously uploaded to “system/data/languages” will be removed by this update. For adding translations, please see: https://docs.filerun.com/translating_filerun
- Users without the permission "User can make changes to files and folders", can no longer make copies of files/folders, even if they have the “User can upload files and folders” permission.
- The config option "$config[‘app’][‘thumbs’][‘output_small_filesize’]" changed to "$config[‘thumbs’][‘output_small_max_filesize’]".
- The configuration option "$config[‘app’][‘ui’][‘custom_css_url’]" is no longer active or available. For customizations, please create the file “customizables/theme.css” and enabled it from the control panel under "Branding".
- The download cart feature has been removed. Please use the new collections feature or the starring feature to achieve the same.
- The “Creative Cloud” and “Pixlr” plugins have been removed as the services have been discontinued by their developers.
New features
- Collections
- Files and folders can be added to virtual folders called collections.
- Same file or folder can be added to more than one collection.
- Entire collections can be downloaded with a single click.
- Multiple collections can be downloaded at the same time with a single click.
- Collections can be dragged into each other to add items from one collection to another. (The original collections will still preserve the same items.)
- Collections can be shared using web links. All options still apply:
- You can share the collections as image galleries or audio playlists, password protect the access, etc.
- You can enable file requests (ie. allow uploads from visitors), and all the folders contained in the collection will allow uploads. If the option “Allow visitors to see and download the existing files.” is not enabled, the visitors will not have access to the folders contents, but only be able to upload new files.
- Files and folders can be renamed or moved, yet they will still remain in the collections to which they were added.
- Pro tip: use the search to locate files of interest, and add them to a collection, right from the search result.
- Pro tip #2: Share the same file/folder via multiple weblinks with different options, by placing them into collections and sharing the collections instead.
- Note: Collections can currently only contain files and folders from the user’s own home folder and not from folders shared by other users.
- Image editor
- Basic functionality: resize, crop, rotate, flip.
- Has no third-party requirements.
- All types of image files can be opened, as FileRun will convert the data format if necessary. Note, very large image files will be converted to a maximum resolution of 4000x4000 pixels. Editing a RAW image file, for example, will save the edited version as a separate JPG image.
- Can be used to convert various images file formats to JPG.
- The image viewer has a button shortcut for opening the current image in the editor.
- Added Laravel authentication plugin.
- Added dark theme.
- PDF documents can be edited with Google Docs Editor.
API
- Added API method for removing web links (http://docs.filerun.com/api#removing_web_links).
- Fixed weblink information when listing via the API files and folders with weblinks.w
- The API endpoint user/info provides now also information about the user’s permissions.
Various
- Many performance improvements, making FileRun significantly quicker to load and react.
- Added compatibility with latest Nextcloud Android and desktop apps.
- Added configuration option for the LDAP plugin, to limit access only to users that are members of particular groups.
- The activity logs for files and folders can now be checked also for items from the trash folder.
- User Interface
- Improvements for mobile browser access:
- The default display mode is “Detailed list” and the control panel set display mode applies only on large screen devices. The user can still change the display mode at any time.
- All inner popups open full screen. Users can rotate device to landscape for better use of wider content.
- Increased various text and element sizes for better accessibility.
- Improved the image viewer’s details panel.
- Fix size of the Android app login prompt.
- Added support for LibreOffice for generating thumbnails for office documents, including plain text files and HTML. (https://en.wikipedia.org/wiki/LibreOffice#Supported_file_formats)
- Added breadcrumbs navigation which shows the path of the currently browsed folder and provides a quick way of browsing to the parent folders.
- Added blank theme for custom themeing.
- The custom theme file now loads on top of the selected color theme. To customize an existing theme, enable the option "Apply “customizables/theme.css"” and create the file “customizables/theme.css” where you write your custom CSS code.
- Target folder selector
- Shows a small window for browsing existing folders for performing various actions.
- It is used for copying or moving files and folders. The copy/paste option has been replaced by this feature.
- It is used also for extracting archives to specific locations.
- The web page’s title gets updated based on the browsed folder. This helps identify between multiple opened tabs and improve bookmarking.
- Thumbnails
- Narrower thumbnails are now displayed from the top instead from the center. This makes identifying text documents easier.
- File icons are now monochrome, to better distinguish between system icons and thumbnails.
- Improved browser caching for thumbnails sent out from original file contents.
- Improved the loading speed from the server for cached thumbnails.
- Thumbnails are displayed now also for very small image files (smaller than 1KB). This is useful for small SVG icons, or plain text files without much content.
- Better cache handling for files that thumbnail generation fails or provides no output. For example, FileRun tries to generate cover images for MP3 files. Before, even if a file wasn’t having one, the server was looking into the file for one, every time the user was listing the file. Now it doesn’t.
- Small SVG files no longer employ ImageMagick for thumbnail generation but instead they are displayed natively.
- Default thumbnail size has been increased from 140 pixels to 170.
- Added lazy-loading for thumbnails displayed via weblinks.
- Searching: choosing a metadata field that has a predefined list of options now shows the actual list to the user.
- The refresh button is now on the top toolbar, for easier access.
- The meta-icons have been moved to allow longer file and folder names to display better.
- Added keyboard shortcut “n” (or “N”) for creating a new folder.
- The “Locate” context menu option now shows for items in the search result.
- Failed actions now show a red colored message in the left-bottom corner of the screen, to inform the user that there was a problem.
- Restoring files from trash updates only the changes instead of reloading the trash file list.
- Added option for (calculating and) viewing folder sizes.
- Dragging files up and down the grid automatically scrolls the list.
- Added automatic scrolling when dragging items to the folders tree.
- Dragging folders from the tree panel is no longer enabled to prevent accidental folder moves. Moving folders is now done only by dragging from the grid.
- When dragging files and folders around, it’s now clearer to see what files/folders are being dragged.
- Fix: the rating and tags widgets are no longer displayed for users that do not have permission to access metadata.
- Fix: file list scroll when playing an audio file from a display mode other than "Music".
- Various other interface improvements and fixes.
- Improvements for mobile browser access:
- Desktop sync
- Fixed uploading new files. The error message was "The server did not acknowledge the last chunk. (No e-tag was present)".
- Fixed uploading files inside the home folder (@Home). The error message was "Not allowed because you don’t have permission to add files in that folder".
- Added option to preview old file versions. Versions open in separate browser tabs for easy comparison. They open with the default configured file preview method. If the default file preview method is an editor, saving changes will not update the old version, but it will save it as the current version.
- Files can be permanently deleted (skipping the trash folder) by holding the shift key when performing the action.
- Security: The option “Maximum login attempts” applies now also when a third-party authentication plugin is in use, preventing brute force attacks.
- The admin users can now reset a user’s 2-step verification. Useful in case of lost devices.
- Fix: removed limitation on number of users and groups that can be listed inside the “Can interact with” user permission.
- Fix: loading high-res version of images in folders with single quote characters in their names.
- Fix: adding files to an existing Zip archive no longer resets the archive file, so weblinks and other metadata already attached to the archive get preserved.
- Fix: extracting files from a Zip archive, if they overwrite existing files, it no longer resets the target files, so weblinks and other metadata already attached to the existing files get preserved.
- Fix: The option of sharing a web link via QR-code is now enabled by default. (The optional config "$config[‘app’][‘weblinks’][‘showQRCode’]" is now called "$config[‘app’][‘weblinks’][‘hideQRCode’]".)
- Fixed “User info HTTP method” option not being taken into consideration for the OAuth2 authentication plugin.
- Fix SSO not setting a CSRF token causing users to be unable to delete files or the admin to make changes in the control panel. Affects only the cases where “Inactivity timeout” is set to 0.
- Fix ImageMagick crash when $config[‘imagemagick_limit_resources’] is enabled.
- Added plugin for troubleshooting the thumbnail generation process. The plugin is available only to the FileRun superuser and disabled by default.
- Added config option $config[‘app’][‘enable_catch_all_event’]. Set to true, will have FileRun look for “customizables/events/catch-all.php” and run it every time a user performs an action.
- Fix: trying to move a folder to the same location ends with an error message instead of renaming the folder to "Copy of …".
- Improvement: when a file/folder move attempt fails, the user now gets to know to which of the selected files/folders the returned error refers to.
- Fix: error listing user accounts when the option “Inactive accounts” is set to “Do not delete” under the guest user settings.
- Improvement: when trying to empty the trash folder, if there is an item with errors, the operation will continue with the remaining of the files rather than stop there.
- Fix: user self registration process wasn’t registering the user details (Phone, Company, Website) correctly.
- Raw image files 'cr2’, 'mos’, 'mef’, 'nef’, 'arw’, '3fr’, 'iiq’, if they don’t have an XMP sidecar file, are processed as TIFF for extracting basic Exif data (width, height and date taken).
- Added ‘webp’ image file format support and it is handled as a web-safe image (just as JPG or PNG). Note that at this time, Safari, the old Internet Explorer, the old Firefox versions and Edge versions 12-17, do not support this file format.
- Fixed error message when trying to import users from a file without mapping both first and last name columns.
- Added AIF, AIFF, 7Z, DCM as recognizable file formats.
- Removed FLV and SWF video playback support.
- Fixed full-screen on EPUB reader on Chrome.
- Added support for vertical languages EPUB books.
- ‘file.download’ hook has been renamed to ‘file.read’
- ‘file.upload’ hook has been renamed to ‘file.write’ and it executes before the file is write but after all the needed information has been collected (does not include file contents data). To target particular types of file writing, there are the available hook names "file.write.string", "file.write.upload", "file.write.move", “file.write.copy”
- Other changes
- File downloads (regardless of method - which includes opening a file in the browser for viewing, previewing a bit of a media file, etc.) no longer logs the action to FileRun’s activity logs and the per-file activity logs, unless the very end part of the file’s contents has been transfered from the server to the client. This is done to avoid thousands of log entries caused by Firefox and other browser that might make very large number of small partial requests when downloading a file. This change means that if a user opens an audio file or video file and doesn’t wait until the entire file gets downloaded, the action will not be logged on the server. If this is not a desired behavior for your particular use-case, you can change back to the previous behavior, by adding “$config[‘app’][‘logging’][‘partial_downloads’] = true;” inside “customizables/config.php” (http://docs.filerun.com/advanced_configuration
- The config options “$config[‘app’][‘api’][‘oauth2’][‘allow_over_http’] = true;” is no longer available, with the option now added to the FileRun control panel.
For a list of changes prior to 2019, please contact us.
The automatic software update system was introduced on January 17, 2008.