chore(release): 2.33.1

macOS saves the download URL in the metadata of the downloaded file.
This means that the downloaded file contains a metadata item with the JWT
token of the user. If the user were to share this file with someone else,
they would have access to their account using the JWT in the metadata
during the validity of the JWT.

The JWT has been removed from the URLs. Since the user is logged in, there
is an authentication cookie set. A JWT in the URL is not necessary.

.dockerignore

@@ -1,5 +1,3 @@
 *
 !docker/*
-!healthcheck.sh
-!docker_config.json
-!filebrowser
+!filebrowser

.goreleaser.yml

@@ -19,31 +19,30 @@ builds:
       - freebsd
     goarch:
       - amd64
-      - 386
+      - "386"
       - arm
       - arm64
       - riscv64
     goarm:
-      - 5
-      - 6
-      - 7
+      - "5"
+      - "6"
+      - "7"
     ignore:
       - goos: darwin
-        goarch: 386
+        goarch: "386"
       - goos: freebsd
         goarch: arm
 
 archives:
-  -
-    name_template: "{{.Os}}-{{.Arch}}{{if .Arm}}v{{.Arm}}{{end}}-{{ .ProjectName }}"
-    formats: [ 'tar.gz' ]
+  - name_template: "{{.Os}}-{{.Arch}}{{if .Arm}}v{{.Arm}}{{end}}-{{ .ProjectName }}"
+    formats: ["tar.gz"]
     format_overrides:
       - goos: windows
-        formats: [ 'zip' ]
+        formats: ["zip"]
 
 dockers:
-  -
-    dockerfile: Dockerfile
+  # Alpine docker images
+  - dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -59,10 +58,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-amd64"
       - "filebrowser/filebrowser:v{{ .Major }}-amd64"
     extra_files:
-      - docker_config.json
-      - healthcheck.sh
-  -
-    dockerfile: Dockerfile
+      - docker
+  - dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -78,10 +75,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-arm64"
       - "filebrowser/filebrowser:v{{ .Major }}-arm64"
     extra_files:
-      - docker_config.json
-      - healthcheck.sh
-  -
-    dockerfile: Dockerfile
+      - docker
+  - dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -93,15 +88,13 @@ dockers:
       - "--platform=linux/arm/v6"
     goos: linux
     goarch: arm
-    goarm: '6'
+    goarm: "6"
     image_templates:
       - "filebrowser/filebrowser:{{ .Tag }}-armv6"
       - "filebrowser/filebrowser:v{{ .Major }}-armv6"
     extra_files:
-      - docker_config.json
-      - healthcheck.sh
-  -
-    dockerfile: Dockerfile
+      - docker
+  - dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -113,16 +106,15 @@ dockers:
       - "--platform=linux/arm/v7"
     goos: linux
     goarch: arm
-    goarm: '7'
+    goarm: "7"
     image_templates:
       - "filebrowser/filebrowser:{{ .Tag }}-armv7"
       - "filebrowser/filebrowser:v{{ .Major }}-armv7"
     extra_files:
-      - docker_config.json
-      - healthcheck.sh
-## s6 based docker images
-  -
-    dockerfile: Dockerfile.s6
+      - docker
+
+  ## s6-overlay docker images
+  - dockerfile: Dockerfile.s6
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -138,10 +130,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-amd64-s6"
       - "filebrowser/filebrowser:v{{ .Major }}-amd64-s6"
     extra_files:
-      - docker/root
-      - healthcheck.sh
-  -
-    dockerfile: Dockerfile.s6.aarch64
+      - docker
+  - dockerfile: Dockerfile.s6.aarch64
     use: buildx
     build_flag_templates:
       - "--pull"
@@ -157,8 +147,8 @@ dockers:
       - "filebrowser/filebrowser:{{ .Tag }}-arm64-s6"
       - "filebrowser/filebrowser:v{{ .Major }}-arm64-s6"
     extra_files:
-      - docker/root
-      - healthcheck.sh
+      - docker
+
 docker_manifests:
   - name_template: "filebrowser/filebrowser:latest"
     image_templates:
@@ -175,7 +165,7 @@ docker_manifests:
       - "filebrowser/filebrowser:v{{ .Major }}-amd64"
       - "filebrowser/filebrowser:v{{ .Major }}-arm64"
       - "filebrowser/filebrowser:v{{ .Major }}-armv7"
-## s6 image manifests
+  ## s6 image manifests
   - name_template: "filebrowser/filebrowser:s6"
     image_templates:
       - "filebrowser/filebrowser:{{ .Tag }}-amd64-s6"
@@ -199,11 +189,6 @@ homebrew_casks:
       email: robot@filebrowser.org
     homepage: https://github.com/filebrowser/filebrowser
     description: File Browser is a create-your-own-cloud-kind of software where you can install it on a server, direct it to a path and then access your files through a nice web interface
-    license: "MIT"
-    # make the old formula conflict with the cask:
-    conflicts:
-      - formula: filebrowser
-    # if your app/binary isn't signed and notarized, you'll need this:
     hooks:
       post:
         install: |

CHANGELOG.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [2.33.1](https://github.com/filebrowser/filebrowser/compare/v2.33.0...v2.33.1) (2025-06-21)
+
+
+### Bug Fixes
+
+* downloadUrl of file preview ([#3728](https://github.com/filebrowser/filebrowser/issues/3728)) ([8a14018](https://github.com/filebrowser/filebrowser/commit/8a14018861fe581672bbd27cdc3ae5691f70a108))
+* remove auth query parameter from download and preview links ([cbb7124](https://github.com/filebrowser/filebrowser/commit/cbb712484d3bdabc033acaf3b696ef4f5865813d))
+* search uses ctrl+shift+f instead of hijacking browser's ctrl+f ([#4638](https://github.com/filebrowser/filebrowser/issues/4638)) ([a02b297](https://github.com/filebrowser/filebrowser/commit/a02b2972ebde2a58806ad1377bad46e748b63166))
+
+## [2.33.0](https://github.com/filebrowser/filebrowser/compare/v2.32.3...v2.33.0) (2025-06-18)
+
+
+### Features
+
+* improved docker image volumes and permissions ([#5160](https://github.com/filebrowser/filebrowser/issues/5160)) ([2e26393](https://github.com/filebrowser/filebrowser/commit/2e26393a022df0eaa9e08727407aba8b997aa728))
+
 ### [2.32.3](https://github.com/filebrowser/filebrowser/compare/v2.32.2...v2.32.3) (2025-06-17)
 
 ### [2.32.2](https://github.com/filebrowser/filebrowser/compare/v2.32.1...v2.32.2) (2025-06-17)

Dockerfile

@@ -1,19 +1,33 @@
-FROM alpine:latest
-RUN apk --update add ca-certificates \
-                     mailcap \
-                     curl \
-                     jq
+FROM alpine:3.22
 
-COPY healthcheck.sh /healthcheck.sh
-RUN chmod +x /healthcheck.sh  # Make the script executable
+RUN apk update && \
+  apk --no-cache add ca-certificates mailcap curl jq tini
 
-HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \
-    CMD /healthcheck.sh || exit 1
+# Make user and create necessary directories
+ENV UID=1000
+ENV GID=1000
+
+RUN addgroup -g $GID user && \
+  adduser -D -u $UID -G user user && \
+  mkdir -p /config /database /srv && \
+  chown -R user:user /config /database /srv
+
+# Copy files and set permissions
+COPY filebrowser /bin/filebrowser
+COPY docker/common/ /
+COPY docker/alpine/ /
+
+RUN chown -R user:user /bin/filebrowser /defaults healthcheck.sh init.sh
+
+# Define healthcheck script
+HEALTHCHECK --start-period=2s --interval=5s --timeout=3s CMD /healthcheck.sh
+
+# Set the user, volumes and exposed ports
+USER user
+
+VOLUME /srv /config /database
 
-VOLUME /srv
 EXPOSE 80
 
-COPY docker_config.json /.filebrowser.json
-COPY filebrowser /filebrowser
-
-ENTRYPOINT [ "/filebrowser" ]
+ENTRYPOINT [ "tini", "--", "/init.sh" ]
+CMD [ "filebrowser", "--config", "/config/settings.json" ]

Dockerfile.s6

@@ -1,21 +1,23 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.22
 
-RUN apk --update add ca-certificates \
-                     mailcap \
-                     curl \
-                     jq
+RUN apk update && \
+  apk --no-cache add ca-certificates mailcap curl jq
 
-COPY healthcheck.sh /healthcheck.sh
-RUN chmod +x /healthcheck.sh  # Make the script executable
+# Make user and create necessary directories
+RUN mkdir -p /config /database /srv && \
+  chown -R abc:abc /config /database /srv
 
-HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \
-    CMD /healthcheck.sh || exit 1
+# Copy files and set permissions
+COPY filebrowser /bin/filebrowser
+COPY docker/common/ /
+COPY docker/s6/ /
 
-# copy local files
-COPY docker/root/ /
-RUN ln -s /config/settings.json /.filebrowser.json
-COPY filebrowser /usr/bin/filebrowser
+RUN chown -R abc:abc /bin/filebrowser /defaults healthcheck.sh
 
-# ports and volumes
+# Define healthcheck script
+HEALTHCHECK --start-period=2s --interval=5s --timeout=3s CMD /healthcheck.sh
+
+# Set the volumes and exposed ports
 VOLUME /srv /config /database
+
 EXPOSE 80

Dockerfile.s6.aarch64

@@ -1,21 +1,23 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.22
 
-RUN apk --update add ca-certificates \
-                     mailcap \
-                     curl \
-                     jq
+RUN apk update && \
+  apk --no-cache add ca-certificates mailcap curl jq
 
-COPY healthcheck.sh /healthcheck.sh
-RUN chmod +x /healthcheck.sh  # Make the script executable
+# Make user and create necessary directories
+RUN mkdir -p /config /database /srv && \
+  chown -R abc:abc /config /database /srv
 
-HEALTHCHECK --start-period=2s --interval=5s --timeout=3s \
-    CMD /healthcheck.sh || exit 1
+# Copy files and set permissions
+COPY filebrowser /bin/filebrowser
+COPY docker/common/ /
+COPY docker/s6/ /
 
-# copy local files
-COPY docker/root/ /
-RUN ln -s /config/settings.json /.filebrowser.json
-COPY filebrowser /usr/bin/filebrowser
+RUN chown -R abc:abc /bin/filebrowser /defaults healthcheck.sh
 
-# ports and volumes
+# Define healthcheck script
+HEALTHCHECK --start-period=2s --interval=5s --timeout=3s CMD /healthcheck.sh
+
+# Set the volumes and exposed ports
 VOLUME /srv /config /database
+
 EXPOSE 80

docker/alpine/init.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -e
+
+# Backwards compatibility for old Docker image
+if [ -f "/.filebrowser.json" ]; then
+  ln -s /.filebrowser.json /config/settings.json
+
+  echo ""
+  echo "!!!!!!!!!!!!!!!!!!!!! IMPORTANT INFORMATION !!!!!!!!!!!!!!!!!!!!!"
+  echo "Symlinking /.filebrowser.json to /config/settings.json for backwards compatibility."
+  echo ""
+  echo "The volume mount configuration has changed in the latest release."
+  echo "Please rename .filebrowser.json to settings.json and mount the parent directory to /config".
+  echo "Read more on https://github.com/filebrowser/filebrowser/blob/master/docs/installation.md#docker"
+  echo ""
+  echo "This workaround will be removed in a future release."
+  echo ""
+fi
+
+# Backwards compatibility for old Docker image
+if [ -f "/database.db" ]; then
+  ln -s /database.db /database/filebrowser.db
+  
+  echo ""
+  echo "!!!!!!!!!!!!!!!!!!!!! IMPORTANT INFORMATION !!!!!!!!!!!!!!!!!!!!!"
+  echo ""
+  echo "The volume mount configuration has changed in the latest release."
+  echo "Please rename database.db to filebrowser.db and mount the parent directory to /database".
+  echo "Read more on https://github.com/filebrowser/filebrowser/blob/master/docs/installation.md#docker"
+  echo ""
+  echo "This workaround will be removed in a future release."
+  echo ""
+fi
+
+# Ensure configuration exists
+if [ ! -f "/config/settings.json" ]; then
+  cp -a /defaults/settings.json /config/settings.json
+fi
+
+exec "$@"

docker/common/healthcheck.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+PORT=${FB_PORT:-$(jq -r .port /config/settings.json)}
+ADDRESS=${FB_ADDRESS:-$(jq -r .address /config/settings.json)}
+ADDRESS=${ADDRESS:-localhost}
+
+curl -f http://$ADDRESS:$PORT/health || exit 1

docker/root/etc/services.d/filebrowser/run

@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-exec s6-setuidgid abc filebrowser -c /config/settings.json -d /database/filebrowser.db;

docker/s6/custom-cont-init.d/20-config

@@ -1,9 +1,6 @@
 #!/usr/bin/with-contenv bash
 
-# make folders
-mkdir -p /database
-
-# copy config
+# Ensure configuration exists
 if [ ! -f "/config/settings.json" ]; then
   cp -a /defaults/settings.json /config/settings.json
 fi

docker/s6/etc/services.d/filebrowser/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+exec s6-setuidgid abc filebrowser -c /config/settings.json;

docs/installation.md

@@ -46,22 +46,13 @@ File Browser is available as two different Docker images, which can be found on
 ```sh
 docker run \
   -v /path/to/srv:/srv \
-  -v /path/to/filebrowser.db:/database.db \
-  -v /path/to/.filebrowser.json:/.filebrowser.json \
-  -u $(id -u):$(id -g) \
+  -v /path/to/database:/database \
+  -v /path/to/config:/config \
   -p 8080:80 \
   filebrowser/filebrowser
 ```
 
-Where:
-
-- `/path/to/srv` contains the files root directory for File Browser
-- `/path/to/filebrowser.db` is the `database.db`
-- `/path/to/database` is the `.filebrowser.json`
-
-> [!Warning]
->
-> To use this image correctly, you need to first initialize a File Browser database outside of the Docker image and then start the Docker image with the database mounted. Otherwise, Docker will create an empty directory at the mounting point and fail to start.
+The default user has PID 1000 and GID 1000. Please make sure that this user has access to the different mounted volumes. To change the user running inside the Docker image, you need to use the [`--user` flag](https://docs.docker.com/engine/containers/run/#user).
 
 ### s6 overlay
 
@@ -78,8 +69,12 @@ docker run \
   filebrowser/filebrowser:s6
 ```
 
+### Notes
+
 Where:
 
 - `/path/to/srv` contains the files root directory for File Browser
 - `/path/to/config` contains a `settings.json` file
 - `/path/to/database` contains a `filebrowser.db` file
+
+Both `settings.json` and `filebrowser.db` will automatically be initialized if they don't exist.

docs/security.md

@@ -12,7 +12,9 @@ currently being supported with security updates.
 
 ## Reporting a Vulnerability
 
-Vulnerabilities should be reported to filebrowser@googlegroups.com - which is a private, maintainer-only group. Maintainers will attempt to respond to/confirm reports within 2-3 days, but if you believe your report to be "critical" to user safety and security, please note as such in the subject. We have tens of thousands of users using our software, and take security vulnerabilities seriously.
+Vulnerabilities with critical impact should be reported on the [Security](https://github.com/filebrowser/filebrowser/security) page of this repository, which is a private way of communicating vulnerabilities to maintainers. This project is in maintenance-only mode and it can take a while until someone gets back to you.
+
+If it is not a critical vulnerability, please open an issue and we will categorize it as a security issue. By giving visibility, we can get more help from the community at fixing such issues.
 
 When reporting an issue, where possible, please provide at least:
 
@@ -21,6 +23,4 @@ When reporting an issue, where possible, please provide at least:
 * Steps to reproduce
 * Your recommended remediation(s), if any.
 
-The FileBrowser team is a volunteer-only effort, and may reach back out for clarification.
-
-> Note: Please do not open public issues for security issues, as GitHub does not provide facility for private issues, and deleting the issue makes it hard to triage/respond back to the reporter.
+The File Browser team is a volunteer-only effort, and may reach back out for clarification.

frontend/src/api/files.ts

@@ -75,11 +75,6 @@ export function download(format: any, ...files: string[]) {
     url += `algo=${format}&`;
   }
 
-  const authStore = useAuthStore();
-  if (authStore.jwt) {
-    url += `auth=${authStore.jwt}&`;
-  }
-
   window.open(url);
 }
 

frontend/src/api/pub.ts

@@ -71,5 +71,5 @@ export function getDownloadURL(res: Resource, inline = false) {
     ...(res.token && { token: res.token }),
   };
 
-  return createURL("api/public/dl/" + res.hash + res.path, params, false);
+  return createURL("api/public/dl/" + res.hash + res.path, params);
 }

frontend/src/api/share.ts

@@ -41,5 +41,5 @@ export async function create(
 }
 
 export function getShareURL(share: Share) {
-  return createURL("share/" + share.hash, {}, false);
+  return createURL("share/" + share.hash, {});
 }

frontend/src/api/utils.ts

@@ -76,23 +76,13 @@ export function removePrefix(url: string): string {
   return url;
 }
 
-export function createURL(endpoint: string, params = {}, auth = true): string {
-  const authStore = useAuthStore();
-
+export function createURL(endpoint: string, searchParams = {}): string {
   let prefix = baseURL;
   if (!prefix.endsWith("/")) {
     prefix = prefix + "/";
   }
   const url = new URL(prefix + encodePath(endpoint), origin);
-
-  const searchParams: SearchParams = {
-    ...(auth && { auth: authStore.jwt }),
-    ...params,
-  };
-
-  for (const key in searchParams) {
-    url.searchParams.set(key, searchParams[key]);
-  }
+  url.search = new URLSearchParams(searchParams).toString();
 
   return url.toString();
 }

frontend/src/views/files/FileListing.vue

@@ -511,8 +511,11 @@ const keyEvent = (event: KeyboardEvent) => {
 
   switch (event.key) {
     case "f":
-      event.preventDefault();
-      layoutStore.showHover("search");
+    case "F":
+      if (event.shiftKey) {
+        event.preventDefault();
+        layoutStore.showHover("search");
+      }
       break;
     case "c":
     case "x":

frontend/src/views/files/Preview.vue

@@ -253,7 +253,7 @@ const hasPrevious = computed(() => previousLink.value !== "");
 const hasNext = computed(() => nextLink.value !== "");
 
 const downloadUrl = computed(() =>
-  fileStore.req ? api.getDownloadURL(fileStore.req, true) : ""
+  fileStore.req ? api.getDownloadURL(fileStore.req, false) : ""
 );
 
 const raw = computed(() => {
@@ -262,7 +262,7 @@ const raw = computed(() => {
   }
 
   if (isEpub.value) {
-    return createURL("api/raw" + fileStore.req?.path, {}, false);
+    return createURL("api/raw" + fileStore.req?.path, {});
   }
 
   return downloadUrl.value;

healthcheck.sh

@@ -1,5 +0,0 @@
-#!/bin/sh
-PORT=${FB_PORT:-$(jq -r .port /.filebrowser.json)}
-ADDRESS=${FB_ADDRESS:-$(jq -r .address /.filebrowser.json)}
-ADDRESS=${ADDRESS:-localhost}
-curl -f http://$ADDRESS:$PORT/health || exit 1

settings.json

@@ -3,6 +3,6 @@
   "baseURL": "",
   "address": "",
   "log": "stdout",
-  "database": "/database.db",
+  "database": "/database/filebrowser.db",
   "root": "/srv"
 }