Pydio Core 6.4.2 - Security Release
Pydio Core 6.4.2 fixes vulnerabilities discovered in remote download and some specific path filtering on Windows server OS. We also updated a third party library that could be vulnerable to the httpoxy issue.
Update is highly recommended as soon as possible. Installation is done via the "Stable" update channel in-app, or via Linux packages manager depending on your installation mode.
Most noticeable changes
Important security issues:
missing filters on remote download, path traversal on Windows, fix Httpoxy by updating Guzzle library.
UX fixes and improvements (icons, thumbnails view)
Fix indexation issues for synchronisation
Italian translations updated (DepaMarco), Czech translations updated (Svetlmodry)
See more in Detailed changelog.
Detailed Changelog
Update Italian translation for plugin 'access.ajxp_conf' (details)
Update Italian translation for plugin 'access.ajxp_home' (details)
Update Italian translation for plugin 'access.ajxp_user' (details)
Adding Italian translation for plugin 'access.inbox' (details)
Adding Italian translation for plugin 'action.disclaimer' (details)
Update Italian translation for plugin 'action.scheduler' (details)
Update Italian translation for plugin 'action.share' (details)
Added test for intl php extension as it is used to localize month names (see IntlDateFormatter in AJXP_Utils::relativeDate) (details)
Fixed test for detecting php apc extension (postive result even if apc was not loaded) (details)
Update README.md (details)
Update Release number (details)
adding disclaimer on plugin doc (details)
adding disclaimer on plugin doc and dependancies (details)
Make sure to invalidate repositories cache after accepting user in DuoSecurity. (details)
Add minimum characters number on UsersCompleter (details)
Update hooks extraction (details)
Update hooks extraction (details)
Use caching to agressively store directory listings, nodes metadata and nodes stats. Introduced caching namespaces, we could even provide different backends for differents namespaces. Todo: create a user namespace to flush only specific resources. (details)
Expand Doctrine caches implementation to add "deleteKeyStartingBy" when possible (currently only APC and Redis). If this feature is supported, activate the nodes cache layer (otherwise we cannot prune a full branch of the filesystem tree). (details)
Confusion possible if overriding private method. (details)
Fix cache invalidation (details)
Empty mask filtering on meta.syncable can create an issue with sync downloads. (details)
Make sure to Normalize_C the filename when uploaded from xhr. (details)
Feed.sql: index should not be declared unique. (details)
Delete imagick cache can be deferred. (details)
Add test for AbstractCacheDriver (details)
Fix APCIterator namespace Action.share : use ConfService::replaceRepository to trigger cache invalidation CoreCache: hook to workspace.after_update to clear associated cache contents (details)
New action MigrateLegacyShares (details)
Catch error on minisite migration (details)
Add a MetaCacheService on the client side, caching Shared Data and Activity Feed with clever invalidation rules. Keep in memory for the moment, always clearing on workspace switch (and thus on logout). (details)
Remove log. (details)
Use new cacheService for workspace.info (details)
Update README.md (details)
Like was causing multiple rows to be added to ajxp_index when changing directory pathname (details)
Correctly change index for children whose ancestors dir name changed (details)
Fix SMB issue when trying to delete folder with a file named '0' in it (details)
Rebase and update (details)
Updated Italian translation for plugin 'action.updater' (details)
Adding Italian translation for plugin 'auth.custom_db' (details)
Suggest FIX for English translation of plugin 'auth.custom_db': replace 'connexion' with 'connection' that is more common (details)
Fix error webdav in root folder (details)
Fix user's roles update (details)
Option to zip downloading files on the fly (details)
Czech translation - plugins editor.webodf (details)
editor.video czech translation (details)
editor.text translation to Czech (details)
editor.soundmanager translation (details)
editor.infopanel translation (details)
editor.exif czech translation (details)
editor.codepress czech translation (details)
editor.audio czech translation (details)
editor.ajxp_graphs czech translation (details)
Fix event on change error when cross-repository copy. (details)
Fix load users' feed (details)
Fix mapping to role id (details)
Adding Italian translation for plugin 'authfront.cyphered' (details)
Adding Italian translation for plugin 'authfront.duosecurity' (details)
Adding Italian translation for plugin 'authfront.http_basic' (details)
Adding Italian translation for plugin 'authfront.http_server' (details)
Adding Italian translation for plugin 'authfront.keystore' (details)
Adding Italian translation for plugin 'authfront.otp' (details)
Adding Italian translation for plugin 'authfront.session_login' (details)
Updated Italian translation for plugin 'core.ajaxplorer' (details)
Change S3 clients instanciation. (details)
SearchEngine: change "more results" messages, we may not know the exact total result count. (cherry picked from commit 58bbd23) (details)
Set REPO_SYNCABLE on default repositories (cherry picked from commit 86497a8) (details)
Adding react tap event clear dependency (cherry picked from commit 8c358fe) (details)
Fix group sorting in orderRoles ( close #1126 ) (details)
Fix URL for plugins documentation (details)
Set POST by default on client to avoid too long requests. (details)
Fix root node actions detection. Do not display inbox in cross repo list. (details)
Missing auto-complete styling for .e.g tags metadata. (details)
Fix fireContextChange by passing a dataModel: fix right-click instabilities. (cherry picked from commit 9d9851b) (details)
Fix possible issue in metastore for root node. (details)
Fix ShutdownScheduler that could skip deferred events when already in deferred loop. (details)
Dedup files in UserSelection (details)
Enable "Explore" action on root folder. (details)
Fix Team and Group listing and filtering by keeping an alt. pregexp value. (details)
Fix #1108: Caching issues for unoconv-generated previews of office files. (details)
Fix isUnique() function in datamodel. (details)
Missing var in disclaimer javascript. (details)
Refix group sorting. We must compare to 0. (details)
Fix TeamsList searching (details)
Css compile (details)
Adding support for latest versions of ElasticSearch #1184 (details)
Raise filtering level when downloading from remote or extarcting archive. (details)
Fix strange display in authentication panel by passing smbclient as param instead of global_param (details)
Get editable value in FormManager. Close #1124 (details)
Imagick: close session to avoid blocking request when generating preview. Fix resize when loading page. (details)
Multiple DL: get parent base for zip file. (details)
Making sure node metadata for file info is valid for a deleted file #1127 (details)
Fix thumb positioning for Imagick preview (details)
Implement font-based mime icons. (details)
Rework Grid display w/ more space for thumbnails Display overlay icons in tree, that way we can enable some actions on root node (inc. watch on workspaces). (cherry picked from commit 9e0df5b) (details)
update extensions (details)
Readapt styles for font-based mimes (details)
Css details (details)
Add some extensions (details)
New plugtype strings (details)
Reload messages when switching language (details)
i18n update (details)
Escape quotes and parenthesis before setting backgroundImage style (details)
fix FR typo (details)
Re-implement QRCode feature for shared links (details)
Add QRCode action for passing user / server name via qrcode to new mobile apps. Disabled by default. (details)
Performance improvements mail digest (details)
More detailed info about update sites (details)
Quick fixes for inlineEdition - Probably to be rewritten properly. (details)
Add pagination controllers in folders tree (when in Selector mode only) to allow copying/moving data around even if inside another page. Fix #1179 (details)
Make sure to save before trying to send an invitation to internal users. Fix #1166 (details)
Update abstractAuth plugin (details)
Pass & in string return (details)
Proxy latest_note to avoid re-asking authentification to update site. (details)
Revert previous change, we already had the display_upgrade_note action. (details)
Correcting security potential issue on windows in securePath (details)
Fix infoPanel action bars initialization when in editor mode. Fix #1145 (details)
Update DL page for Sync Clients (details)
Fix for #1117: don't remove tmp archive if using XSENDFILE (details)
Fix resize issues when display images fullscreen in minisite. Fix #1168 (details)
Fix #1176: catching all exceptions when sending mails and adding errors to the end report (details)
Fix z-index for videojs player, both in editor mode and fullscreen. Fix #1191 (details)
Use double-quotes instead of simple for links. Maybe see #1138 (details)
Fixing again parenthesis in background URL. (details)
