v2.5.0

New features

• WebUI: make error messages dismissible.
• WebAdmin: allow to search and export audit logs.
• WebAdmin: allow to configure SMTP and the most common ACME and SFTP settings from the WebUI.
• IP/network lists moved from files to provider. Therefore they can be managed from the WebAdmin UI.
• WebClient shares: replace basic auth with a proper login form.
• WebClient: added copy action.
• WebClient/REST API: remove default upload size limit.
• EventManager: added a notification action for users with expiring passwords.
• EventManager: added copy action.
• EventManager: added support for pre-* actions.
• EventManager: added on-demand trigger.
• EventManager: added IDP login trigger and check account actions.
• Added support for password policies (strength and expiration).
• Added role support to delegate user administrations.
• Allow to set a default expiration for newly created users.
• Added a CLI command to reset the admin password.
• Added a CLI command to check if the service is alive.
• GCS: allow to customize upload part/time.
• Conditional support for recursive renaming for cloud providers.
• Allow to disactivate event rules.
• Added support for monitoring and automatically reloading TLS certs.
• WebDAV: allow to define custom MIME type mappings.
• Fs events: added elapsed field.
• Groups: allow to overidde account expiration date.
• SSH: enable keyboard interactive authentication by default.
• HTTP to HTTPS redirect now allows the HTTP binding on port 80 to be used also for ACME HTTP-01 challenge.
• Portable mode: allow to read the password from a file.
• Capture logs from external auth, pre-login and check password hook commands.
• FTPD: allow hostnames for passive IP.
• Docker: build also for armv7.
• Added an experimental Terraform provider.

Backward incompatible changes

• Portable mode: remove support for service discovery via multicast DNS.
• REST API: remove merging of fields on update, respect the PUT verb.
• File based allow and block lists are not supported anymore.
• JSON serialization of the users: rename 2fa_protocols to two_factor_protocols to improve compatibility.

Other

• Support plans added to the SFTPGo website.
• Thanks to Polina Zvorykina, VK for reporting an XSS vulnerability in the new IP lists page before the official release, although we are not pleased that they don't support the project and they use a private SFTPGo fork.

v2.4.5

Bug fixes:

• Proxy PROTOCOL v1: fix parsing IPv4-mapped IPv6 address.
• PostgreSQL data provider (pgx library) now supports non-blocking I/O also on Windows. This improvement fixes several issues when using the Postgres data provider on Windows.
• Fix checking the create_dirs permissions in some edge cases.
• Improve error messages for errors that occur while reading/writing files.

v2.4.4

New features:

• defender: added score_no_auth

Bug fixes:

• FTPD: added support for non-print TYPE parameter

v2.4.3

Bug fixes:

• Fixes paths validation for some Windows specific edge cases: in previous versions, you can get high CPU usage if you reference a path on a missing drive.
• FTP: check the TYPE parameter in a case-insensitive manner: fixes compatibility with some scanners.
• S3: improve "directories" detection.
• WebUI: respect token validation mode for CSRF header.
• OpenAPI: fix charset and some wrong documented responses.
• EventManager: fix placeholders for filesystem events paths.

v2.4.2

New features:

• WebClient: add drag and drop upload UI.
• sftpd: add support for DH Group Exchange KEX.

Bug fixes:

• S3: fix SeaweedFS compatibility.
• AzBlob: fixed support for blobs with Data Lake Storage Gen2 feature enabled.
• AzBlob: fixed recursive directories deletion from the WebClient.

v2.4.1

New features

• EventManager: allow to access the backup file.
• EventManager: add a placeholder to get the parent directory.
• WebUI: try harder to prevent browsers from auto-filling in password fields.
• WebClient: make folder deletion recursive.

Bug fixes

• Shared providers: allow to immediately re-add soft-deleted users and event rules.
• Plugins: fix hash check.
• Fix restore of users with MFA configuration.

v2.4.0

New features

• EventManager: this is the major new feature in this release, it allows custom workflows based on server events or schedules. Take a look at the docs and some common use cases.
• Allow to set environment variables from files inside the env.d directory relative to config dir. This is the recommended method to configure SFTPGo if you are not using it in Docker/Kubernetes, so that after updating SFTPGo you will avoid merging your custom settings with the updated configuration file. Take a look at the updated getting started guide.
• WebAdmin: allow to simplify the add/update user page.
• WebClient: allow partial downloads from shares.
• Allow to refuse an upload if the post-upload hook/action fails.
• Allow cross virtual folder renaming if the underlying resource is the same.
• SFTP: fix relative symlinks handling.
• Postgres data provider: switch to pgx driver and add multi hosts support.
• Experimental HTTPFs storage backend: you can implement your own storage backend by implementing a REST API.
• Multi-node installations: added support for inter-node communications. The list of active sessions includes clients from all nodes.
• Added support for graceful shutdown.
• More granular log level control.
• WebDAV: allow to set last modification time.
• WebDAV: allow to disable the WWW-Authenticate header if the authentication fails.
• FTP/WebDAV: add support for anonymous users.
• FTP: allow to require TLS on a per-user basis.
• Allow to parametrize the default expiration for shares.
• Allow a client if its IP is both allowed and denied. So you can define a default group deny policy that can be overridden on a per-user basis.
• Allow to disable REST API.
• Command hooks: allow to set custom arguments.
• Build: added support for embedding templates and other static files.
• Add support for checking sha256crypt passwords.
• Azure Blob: port to the latest SDK.
• Other minor fixes and improvements.

Backward incompatible changes:

• Removed the auto-backup feature from the configuration file. You can now schedule backups using the EventManager.
• Removed the log-verbose flag from the serve sub-command. Replaced from the more generic log-level flag.
• Replaced retention report emails with CSV reports.
• Script based hooks don't receive anymore global environment variables for security reasons. You have to explicitly set any environment variable such as PATH etc., in the "command" configuration section, if you need them.

v2.3.6

• FTP: fix APPE command issued on non-existent files
• Azure Blob: use UUIDs as block IDs
• WebClient: validate PDF files before rendering

v2.3.5

• WebClient/HTTP API: ensure to check home dir, when needed, in multi-node setups
• FTPD: return paths relative to the working directory in NLST responses
• Security: fix XSS vulnerabilities in WebClient

v2.3.4

• OIDC: allow to get the role field from a sub-struct.
• Docker: add a variant with official plugins included. For now the only tag published is v2.3.4-plugins. The other usual tags will be added in the next release.
• FTP: fix MLST, the initial space prefix was missing.
• FTP: always generate a defender event if the client does not authenticate.
• Security: fix recovery codes abuse