Releases · linuxserver/docker-projectsend

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls274/index.html

LinuxServer Changes:

Full Changelog: r2029-ls273...r2029-ls274

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls273/index.html

LinuxServer Changes:

Full Changelog: r2029-ls272...r2029-ls273

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls272/index.html

LinuxServer Changes:

Full Changelog: r2029-ls271...r2029-ls272

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls271/index.html

LinuxServer Changes:

Full Changelog: r2029-ls270...r2029-ls271

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls270/index.html

LinuxServer Changes:

Full Changelog: r2029-ls269...r2029-ls270

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls269/index.html

LinuxServer Changes:

Full Changelog: r2029-ls268...r2029-ls269

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls268/index.html

LinuxServer Changes:

Full Changelog: r2029-ls267...r2029-ls268

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls267/index.html

LinuxServer Changes:

Full Changelog: r2029-ls266...r2029-ls267

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls266/index.html

LinuxServer Changes:

Full Changelog: r2029-ls265...r2029-ls266

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

CI Report:

https://ci-tests.linuxserver.io/linuxserver/projectsend/r2029-ls265/index.html

LinuxServer Changes:

Full Changelog: r2029-ls264...r2029-ls265

Remote Changes:

What's Changed in r2029

New Features

TOTP Two-Factor Authentication: Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification, and an admin toggle in security settings.
In-App Changelog Viewer: After a database upgrade, the upgrade notice includes a "See what's new" link that opens a modal with the full release changelog rendered inline.

Security Updates

Fix Stored XSS via Event Handler Attributes: strip_tags() with an allowlist preserved event handlers on allowed tags. All attributes are now stripped from allowed tags.
Harden Session Cookies: Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies.
Restrict Auto-Update Downloads to Official Server: The updater now enforces an allowlist so only HTTPS downloads from projectsend.org are accepted.
Fix CSRF on File Upload Endpoint: The upload endpoint bypassed CSRF validation. The token is now sent with every upload chunk.

Improvements

Redesigned Error Pages: Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct page.
PHP Version Pre-Check in Auto-Updater: The updater validates the server PHP version before proceeding, preventing updates from breaking installations running older PHP (#1536).
Refreshed GitHub Presence: Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates.

Bug Fixes

Fix 403 on All Downloads: The $allowed_levels definition was accidentally removed from process.php, causing all download requests to return 403.

Maintenance

PHP 8.2 minimum enforced. CI updated to test PHP 8.2–8.4, Node 16 replaced with Node 22.
PHPStan type hints added across Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

SHA-256: 9d5eb455b1e39ee423759b9cede2c62ac57d3ab678e85438f3b6aa2599cf561f

Full Changelog: projectsend/projectsend@r2002...r2029

Uh oh!

Releases: linuxserver/docker-projectsend

r2029-ls274

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls273

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls272

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls271

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls270

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls269

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls268

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls267

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls266

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes

Maintenance

Uh oh!

r2029-ls265

What's Changed in r2029

New Features

Security Updates

Improvements

Bug Fixes