chore(release): 2.33.10

fix: ignore linting error
fix: correctly check if command is allowed when using shell
2025-06-26 21:23:35 +02:00 · 2025-06-26 21:12:24 +02:00 · 2025-06-26 21:09:16 +02:00 · 2025-06-26 21:07:45 +02:00 · 2025-06-26 19:45:36 +02:00 · 2025-06-26 19:43:20 +02:00
24 changed files with 225 additions and 92 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,76 @@

 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

+### [2.33.10](https://github.com/filebrowser/filebrowser/compare/v2.33.9...v2.33.10) (2025-06-26)
+
+
+### Bug Fixes
+
+* correctly check if command is allowed when using shell ([4d830f7](https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108))
+* correctly split shell ([f84a6db](https://github.com/filebrowser/filebrowser/commit/f84a6db680b6df1c7c8f06f1816f7e4c9e963668))
+* ignore linting error ([e735491](https://github.com/filebrowser/filebrowser/commit/e735491c57b12c3b19dd2e4b570723df78f4eb44))
+
+### [2.33.9](https://github.com/filebrowser/filebrowser/compare/v2.33.8...v2.33.9) (2025-06-26)
+
+
+### Bug Fixes
+
+* check exact match on command allow list ([e2e1e49](https://github.com/filebrowser/filebrowser/commit/e2e1e4913085cca8917e0f69171dc28d3c6af1b6))
+* remove auth token from /api/command ([d5b39a1](https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2))
+* remove unused import ([c232d41](https://github.com/filebrowser/filebrowser/commit/c232d41f903d3026ec290bbe819b6c59a933048e))
+
+### [2.33.8](https://github.com/filebrowser/filebrowser/compare/v2.33.7...v2.33.8) (2025-06-25)
+
+### [2.33.7](https://github.com/filebrowser/filebrowser/compare/v2.33.6...v2.33.7) (2025-06-25)
+
+
+### Bug Fixes
+
+* correctly parse negative boolean flags ([221451a](https://github.com/filebrowser/filebrowser/commit/221451a5179c8f139819a315b80d0ecb0e7220c3))
+* linting issues ([4bfbf33](https://github.com/filebrowser/filebrowser/commit/4bfbf332499fc8aea5f6df6aae1efa0de918d1ae))
+* linting issues ([e74c958](https://github.com/filebrowser/filebrowser/commit/e74c95886226c0ee429af1860eed21dd1f8601aa))
+
+### [2.33.6](https://github.com/filebrowser/filebrowser/compare/v2.33.5...v2.33.6) (2025-06-24)
+
+
+### Bug Fixes
+
+* remove incorrect default for password flag ([23bd8f6](https://github.com/filebrowser/filebrowser/commit/23bd8f67155081d707d4799393d3b1e2bebeaa34))
+
+### [2.33.5](https://github.com/filebrowser/filebrowser/compare/v2.33.4...v2.33.5) (2025-06-24)
+
+
+### Features
+
+* update languages for project File Browser ([#5190](https://github.com/filebrowser/filebrowser/issues/5190)) ([f330764](https://github.com/filebrowser/filebrowser/commit/f33076462a133935ca97fb6c7345303fe350e167))
+
+
+### Bug Fixes
+
+* actually register the czech language ([#5189](https://github.com/filebrowser/filebrowser/issues/5189)) ([0268506](https://github.com/filebrowser/filebrowser/commit/0268506f80d33d2d31e38055e12530241d27a11b))
+
+### [2.33.4](https://github.com/filebrowser/filebrowser/compare/v2.33.3...v2.33.4) (2025-06-22)
+
+
+### Features
+
+* translation updates for project File Browser ([#5179](https://github.com/filebrowser/filebrowser/issues/5179)) ([f714e71](https://github.com/filebrowser/filebrowser/commit/f714e71a356c2301f394d651c9b6c467440508e3))
+
+### [2.33.3](https://github.com/filebrowser/filebrowser/compare/v2.33.2...v2.33.3) (2025-06-22)
+
+
+### Bug Fixes
+
+* keep command behavior in Dockerfile ([7c0c782](https://github.com/filebrowser/filebrowser/commit/7c0c7820efbbed2f0499353cc76ecb85d00ff7c3))
+* update search hotkey in help prompt ([#5178](https://github.com/filebrowser/filebrowser/issues/5178)) ([2741616](https://github.com/filebrowser/filebrowser/commit/2741616473636d40b7e9f14c9906ada08d328c3c))
+
+### [2.33.2](https://github.com/filebrowser/filebrowser/compare/v2.33.1...v2.33.2) (2025-06-21)
+
+
+### Bug Fixes
+
+* create user dir on signup ([0ca8059](https://github.com/filebrowser/filebrowser/commit/0ca8059d8dea4fe079146471ce4f24acc96021f2))
+
 ### [2.33.1](https://github.com/filebrowser/filebrowser/compare/v2.33.0...v2.33.1) (2025-06-21)


--- a/3
+++ b/3
@@ -29,5 +29,4 @@ VOLUME /srv /config /database

 EXPOSE 80

-ENTRYPOINT [ "tini", "--", "/init.sh" ]
-CMD [ "filebrowser", "--config", "/config/settings.json" ]
+ENTRYPOINT [ "tini", "--", "/init.sh", "filebrowser", "--config", "/config/settings.json" ]
--- a/README.md
+++ b/README.md
@@ -38,6 +38,9 @@ File Browser is a **create-your-own-cloud-kind** of software where you can insta
 | :----------------------: | :----------------------: | :----------------------: |
 | ![](./docs/assets/4.jpg) | ![](./docs/assets/5.jpg) | ![](./docs/assets/6.jpg) |

+> [!CAUTION]
+>
+> The **command execution** functionality has been disabled for all existent and new installations by default from version v2.33.8 and onwards, due to continuous and known security vulnerabilities. You should only use this feature if you are aware of all of the security risks involved. For more up to date information, consult issue [#5199](https://github.com/filebrowser/filebrowser/issues/5199).

 ## Install

--- a/cmd/root.go
+++ b/cmd/root.go
@@ -48,7 +48,7 @@ func init() {
 	persistent.StringP("database", "d", "./filebrowser.db", "database path")
 	flags.Bool("noauth", false, "use the noauth auther when using quick setup")
 	flags.String("username", "admin", "username for the first user when using quick config")
-	flags.String("password", "", "hashed password for the first user when using quick config (default \"admin\")")
+	flags.String("password", "", "hashed password for the first user when using quick config")

 	addServerFlags(flags)
 }
@@ -68,7 +68,7 @@ func addServerFlags(flags *pflag.FlagSet) {
 	flags.Int("img-processors", 4, "image processors count") //nolint:gomnd
 	flags.Bool("disable-thumbnails", false, "disable image thumbnails")
 	flags.Bool("disable-preview-resize", false, "disable resize of image previews")
-	flags.Bool("disable-exec", false, "disables Command Runner feature")
+	flags.Bool("disable-exec", true, "disables Command Runner feature")
 	flags.Bool("disable-type-detection-by-header", false, "disables type detection by reading file headers")
 }

@@ -201,42 +201,42 @@ func getRunParams(flags *pflag.FlagSet, st *storage.Storage) *settings.Server {
 	server, err := st.Settings.GetServer()
 	checkErr(err)

-	if val, set := getParamB(flags, "root"); set {
+	if val, set := getStringParamB(flags, "root"); set {
 		server.Root = val
 	}

-	if val, set := getParamB(flags, "baseurl"); set {
+	if val, set := getStringParamB(flags, "baseurl"); set {
 		server.BaseURL = val
 	}

-	if val, set := getParamB(flags, "log"); set {
+	if val, set := getStringParamB(flags, "log"); set {
 		server.Log = val
 	}

 	isSocketSet := false
 	isAddrSet := false

-	if val, set := getParamB(flags, "address"); set {
+	if val, set := getStringParamB(flags, "address"); set {
 		server.Address = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getParamB(flags, "port"); set {
+	if val, set := getStringParamB(flags, "port"); set {
 		server.Port = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getParamB(flags, "key"); set {
+	if val, set := getStringParamB(flags, "key"); set {
 		server.TLSKey = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getParamB(flags, "cert"); set {
+	if val, set := getStringParamB(flags, "cert"); set {
 		server.TLSCert = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getParamB(flags, "socket"); set {
+	if val, set := getStringParamB(flags, "socket"); set {
 		server.Socket = val
 		isSocketSet = isSocketSet || set
 	}
@@ -250,33 +250,69 @@ func getRunParams(flags *pflag.FlagSet, st *storage.Storage) *settings.Server {
 		server.Socket = ""
 	}

-	_, disableThumbnails := getParamB(flags, "disable-thumbnails")
+	disableThumbnails := getBoolParam(flags, "disable-thumbnails")
 	server.EnableThumbnails = !disableThumbnails

-	_, disablePreviewResize := getParamB(flags, "disable-preview-resize")
+	disablePreviewResize := getBoolParam(flags, "disable-preview-resize")
 	server.ResizePreview = !disablePreviewResize

-	_, disableTypeDetectionByHeader := getParamB(flags, "disable-type-detection-by-header")
+	disableTypeDetectionByHeader := getBoolParam(flags, "disable-type-detection-by-header")
 	server.TypeDetectionByHeader = !disableTypeDetectionByHeader

-	_, disableExec := getParamB(flags, "disable-exec")
+	disableExec := getBoolParam(flags, "disable-exec")
 	server.EnableExec = !disableExec

-	if val, set := getParamB(flags, "token-expiration-time"); set {
+	if server.EnableExec {
+		log.Println("WARNING: Command Runner feature enabled!")
+		log.Println("WARNING: This feature has known security vulnerabilities and should not")
+		log.Println("WARNING: you fully understand the risks involved. For more information")
+		log.Println("WARNING: read https://github.com/filebrowser/filebrowser/issues/5199")
+	}
+
+	if val, set := getStringParamB(flags, "token-expiration-time"); set {
 		server.TokenExpirationTime = val
 	}

 	return server
 }

-// getParamB returns a parameter as a string and a boolean to tell if it is different from the default
+// getBoolParamB returns a parameter as a string and a boolean to tell if it is different from the default
 //
 // NOTE: we could simply bind the flags to viper and use IsSet.
 // Although there is a bug on Viper that always returns true on IsSet
 // if a flag is binded. Our alternative way is to manually check
 // the flag and then the value from env/config/gotten by viper.
 // https://github.com/spf13/viper/pull/331
-func getParamB(flags *pflag.FlagSet, key string) (string, bool) {
+func getBoolParamB(flags *pflag.FlagSet, key string) (value, ok bool) {
+	value, _ = flags.GetBool(key)
+
+	// If set on Flags, use it.
+	if flags.Changed(key) {
+		return value, true
+	}
+
+	// If set through viper (env, config), return it.
+	if v.IsSet(key) {
+		return v.GetBool(key), true
+	}
+
+	// Otherwise use default value on flags.
+	return value, false
+}
+
+func getBoolParam(flags *pflag.FlagSet, key string) bool {
+	val, _ := getBoolParamB(flags, key)
+	return val
+}
+
+// getStringParamB returns a parameter as a string and a boolean to tell if it is different from the default
+//
+// NOTE: we could simply bind the flags to viper and use IsSet.
+// Although there is a bug on Viper that always returns true on IsSet
+// if a flag is binded. Our alternative way is to manually check
+// the flag and then the value from env/config/gotten by viper.
+// https://github.com/spf13/viper/pull/331
+func getStringParamB(flags *pflag.FlagSet, key string) (string, bool) {
 	value, _ := flags.GetString(key)

 	// If set on Flags, use it.
@@ -293,8 +329,8 @@ func getParamB(flags *pflag.FlagSet, key string) (string, bool) {
 	return value, false
 }

-func getParam(flags *pflag.FlagSet, key string) string {
-	val, _ := getParamB(flags, key)
+func getStringParam(flags *pflag.FlagSet, key string) string {
+	val, _ := getStringParamB(flags, key)
 	return val
 }

@@ -349,7 +385,7 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 	}

 	var err error
-	if _, noauth := getParamB(flags, "noauth"); noauth {
+	if _, noauth := getStringParamB(flags, "noauth"); noauth {
 		set.AuthMethod = auth.MethodNoAuth
 		err = d.store.Auth.Save(&auth.NoAuth{})
 	} else {
@@ -362,27 +398,27 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 	checkErr(err)

 	ser := &settings.Server{
-		BaseURL: getParam(flags, "baseurl"),
-		Port:    getParam(flags, "port"),
-		Log:     getParam(flags, "log"),
-		TLSKey:  getParam(flags, "key"),
-		TLSCert: getParam(flags, "cert"),
-		Address: getParam(flags, "address"),
-		Root:    getParam(flags, "root"),
+		BaseURL: getStringParam(flags, "baseurl"),
+		Port:    getStringParam(flags, "port"),
+		Log:     getStringParam(flags, "log"),
+		TLSKey:  getStringParam(flags, "key"),
+		TLSCert: getStringParam(flags, "cert"),
+		Address: getStringParam(flags, "address"),
+		Root:    getStringParam(flags, "root"),
 	}

 	err = d.store.Settings.SaveServer(ser)
 	checkErr(err)

-	username := getParam(flags, "username")
-	password := getParam(flags, "password")
+	username := getStringParam(flags, "username")
+	password := getStringParam(flags, "password")

 	if password == "" {
 		var pwd string
 		pwd, err = users.RandomPwd()
 		checkErr(err)

-		log.Println("Generated random admin password for quick setup:", pwd)
+		log.Println("Randomly generated password for user 'admin':", pwd)

 		password, err = users.HashPwd(pwd)
 		checkErr(err)
@@ -420,6 +456,7 @@ func initConfig() {
 	v.SetEnvPrefix("FB")
 	v.AutomaticEnv()
 	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+	v.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))

 	if err := v.ReadInConfig(); err != nil {
 		var configParseError v.ConfigParseError
--- a/cmd/upgrade.go
+++ b/cmd/upgrade.go
@@ -25,7 +25,7 @@ this version.`,
 		flags := cmd.Flags()
 		oldDB := mustGetString(flags, "old.database")
 		oldConf := mustGetString(flags, "old.config")
-		err := importer.Import(oldDB, oldConf, getParam(flags, "database"))
+		err := importer.Import(oldDB, oldConf, getStringParam(flags, "database"))
 		checkErr(err)
 	},
 }
--- a/cmd/utils.go
+++ b/cmd/utils.go
@@ -14,6 +14,7 @@ import (
 	"github.com/spf13/pflag"
 	yaml "gopkg.in/yaml.v2"

+	"github.com/filebrowser/filebrowser/v2/files"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/storage"
 	"github.com/filebrowser/filebrowser/v2/storage/bolt"
@@ -86,7 +87,7 @@ func python(fn pythonFunc, cfg pythonConfig) cobraFunc {
 	return func(cmd *cobra.Command, args []string) {
 		data := pythonData{hadDB: true}

-		path := getParam(cmd.Flags(), "database")
+		path := getStringParam(cmd.Flags(), "database")
 		absPath, err := filepath.Abs(path)
 		if err != nil {
 			panic(err)
@@ -105,7 +106,7 @@ func python(fn pythonFunc, cfg pythonConfig) cobraFunc {

 		log.Println("Using database: " + absPath)
 		data.hadDB = exists
-		db, err := storm.Open(path)
+		db, err := storm.Open(path, storm.BoltOptions(files.PermFile, nil))
 		checkErr(err)
 		defer db.Close()
 		data.store, err = bolt.NewStorage(db)
--- a/files/file.go
+++ b/files/file.go
@@ -27,8 +27,8 @@ import (
 	"github.com/filebrowser/filebrowser/v2/rules"
 )

-const PermFile = 0644
-const PermDir = 0755
+const PermFile = 0640
+const PermDir = 0750

 var (
 	reSubDirs = regexp.MustCompile("(?i)^sub(s|titles)$")
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -24,6 +24,7 @@
    "ace-builds": "^1.37.5",
    "core-js": "^3.40.0",
    "dayjs": "^1.11.10",
+    "dompurify": "^3.2.6",
    "epubjs": "^0.3.93",
    "filesize": "^10.1.1",
    "js-base64": "^3.7.7",
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@@ -26,6 +26,9 @@ importers:
      dayjs:
        specifier: ^1.11.10
        version: 1.11.13
+      dompurify:
+        specifier: ^3.2.6
+        version: 3.2.6
      epubjs:
        specifier: ^0.3.93
        version: 0.3.93
@@ -946,8 +949,8 @@ packages:
    resolution: {integrity: sha512-dF2iMMy8P9uKVHV/20LA1ulFLL+MKSbfMiixSmn6fpwqzvix38OIc7ebgnFbBqElvghZCW9ACtzKTGKsTGTWGA==}
    engines: {node: '>= 16'}

-  '@intlify/shared@11.1.3':
-    resolution: {integrity: sha512-pTFBgqa/99JRA2H1qfyqv97MKWJrYngXBA/I0elZcYxvJgcCw3mApAoPW3mJ7vx3j+Ti0FyKUFZ4hWxdjKaxvA==}
+  '@intlify/shared@11.1.7':
+    resolution: {integrity: sha512-4yZeMt2Aa/7n5Ehy4KalUlvt3iRLcg1tq9IBVfOgkyWFArN4oygn6WxgGIFibP3svpaH8DarbNaottq+p0gUZQ==}
    engines: {node: '>= 16'}

  '@intlify/shared@12.0.0-alpha.2':
@@ -1174,6 +1177,9 @@ packages:
  '@types/node@22.10.10':
    resolution: {integrity: sha512-X47y/mPNzxviAGY5TcYPtYL8JsY3kAq2n8fMmKoRCxq/c4v4pyGNCzM2R6+M5/umG4ZfHuT+sgqDYqWc9rJ6ww==}

+  '@types/trusted-types@2.0.7':
+    resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==}
+
  '@types/web-bluetooth@0.0.20':
    resolution: {integrity: sha512-g9gZnnXVq7gM7v3tJCWV/qw7w+KeOlSHAhgF9RytFyifW6AF61hdT2ucrYhPq9hLs5JIryeupHV3qGk95dH9ow==}

@@ -1602,6 +1608,9 @@ packages:
  dom-walk@0.1.2:
    resolution: {integrity: sha512-6QvTW9mrGeIegrFXdtQi9pk7O/nSK6lSdXW2eqUspN5LWD7UTji2Fqw5V2YLjBpHEoU9Xl/eUWNpDeZvoyOv2w==}

+  dompurify@3.2.6:
+    resolution: {integrity: sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==}
+
  electron-to-chromium@1.5.67:
    resolution: {integrity: sha512-nz88NNBsD7kQSAGGJyp8hS6xSPtWwqNogA0mjtc2nUYeEf3nURK9qpV18TuBdDmEDgVWotS8Wkzf+V52dSQ/LQ==}

@@ -3628,7 +3637,7 @@ snapshots:

  '@intlify/shared@11.1.2': {}

-  '@intlify/shared@11.1.3': {}
+  '@intlify/shared@11.1.7': {}

  '@intlify/shared@12.0.0-alpha.2': {}

@@ -3636,8 +3645,8 @@ snapshots:
    dependencies:
      '@eslint-community/eslint-utils': 4.4.1(eslint@9.19.0)
      '@intlify/bundle-utils': 10.0.0(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))
-      '@intlify/shared': 11.1.3
-      '@intlify/vue-i18n-extensions': 8.0.0(@intlify/shared@11.1.3)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))
+      '@intlify/shared': 11.1.7
+      '@intlify/vue-i18n-extensions': 8.0.0(@intlify/shared@11.1.7)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))
      '@rollup/pluginutils': 5.1.4(rollup@4.40.1)
      '@typescript-eslint/scope-manager': 8.21.0
      '@typescript-eslint/typescript-estree': 8.21.0(typescript@5.6.3)
@@ -3659,11 +3668,11 @@ snapshots:
      - supports-color
      - typescript

-  '@intlify/vue-i18n-extensions@8.0.0(@intlify/shared@11.1.3)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))':
+  '@intlify/vue-i18n-extensions@8.0.0(@intlify/shared@11.1.7)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))':
    dependencies:
      '@babel/parser': 7.26.7
    optionalDependencies:
-      '@intlify/shared': 11.1.3
+      '@intlify/shared': 11.1.7
      '@vue/compiler-dom': 3.5.13
      vue: 3.5.13(typescript@5.6.3)
      vue-i18n: 11.1.2(vue@3.5.13(typescript@5.6.3))
@@ -3812,6 +3821,9 @@ snapshots:
    dependencies:
      undici-types: 6.20.0

+  '@types/trusted-types@2.0.7':
+    optional: true
+
  '@types/web-bluetooth@0.0.20': {}

  '@typescript-eslint/eslint-plugin@8.21.0(@typescript-eslint/parser@8.21.0(eslint@9.19.0)(typescript@5.6.3))(eslint@9.19.0)(typescript@5.6.3)':
@@ -4282,6 +4294,10 @@ snapshots:

  dom-walk@0.1.2: {}

+  dompurify@3.2.6:
+    optionalDependencies:
+      '@types/trusted-types': 2.0.7
+
  electron-to-chromium@1.5.67: {}

  emoji-regex@8.0.0: {}
--- a/frontend/src/api/commands.ts
+++ b/frontend/src/api/commands.ts
@@ -1,6 +1,5 @@
-import { removePrefix } from "./utils";
 import { baseURL } from "@/utils/constants";
-import { useAuthStore } from "@/stores/auth";
+import { removePrefix } from "./utils";

 const ssl = window.location.protocol === "https:";
 const protocol = ssl ? "wss:" : "ws:";
@@ -11,10 +10,8 @@ export default function command(
  onmessage: WebSocket["onmessage"],
  onclose: WebSocket["onclose"]
 ) {
-  const authStore = useAuthStore();
-
  url = removePrefix(url);
-  url = `${protocol}//${window.location.host}${baseURL}/api/command${url}?auth=${authStore.jwt}`;
+  url = `${protocol}//${window.location.host}${baseURL}/api/command${url}`;

  const conn = new window.WebSocket(url);
  conn.onopen = () => conn.send(command);
--- a/frontend/src/components/prompts/Help.vue
+++ b/frontend/src/components/prompts/Help.vue
@@ -11,7 +11,7 @@
        <li><strong>DEL</strong> - {{ $t("help.del") }}</li>
        <li><strong>ESC</strong> - {{ $t("help.esc") }}</li>
        <li><strong>CTRL + S</strong> - {{ $t("help.ctrl.s") }}</li>
-        <li><strong>CTRL + F</strong> - {{ $t("help.ctrl.f") }}</li>
+        <li><strong>CTRL + SHIFT + F</strong> - {{ $t("help.ctrl.f") }}</li>
        <li><strong>CTRL + Click</strong> - {{ $t("help.ctrl.click") }}</li>
        <li><strong>Click</strong> - {{ $t("help.click") }}</li>
        <li><strong>Double click</strong> - {{ $t("help.doubleClick") }}</li>
--- a/frontend/src/components/settings/Languages.vue
+++ b/frontend/src/components/settings/Languages.vue
@@ -19,6 +19,7 @@ export default {
      hu: "Magyar",
      ar: "العربية",
      ca: "Català",
+      cs: "Čeština",
      de: "Deutsch",
      el: "Ελληνικά",
      en: "English",
--- a/frontend/src/i18n/cz_cs.json
+++ b/frontend/src/i18n/cz_cs.json
@@ -24,6 +24,7 @@
    "ok": "OK",
    "permalink": "Získat trvalý odkaz",
    "previous": "Předchozí",
+    "preview": "Preview",
    "publish": "Publikovat",
    "rename": "Přejmenovat",
    "replace": "Nahradit",
--- a/frontend/src/i18n/de.json
+++ b/frontend/src/i18n/de.json
@@ -3,14 +3,17 @@
    "cancel": "Abbrechen",
    "clear": "Schließen",
    "close": "Schließen",
+    "continue": "Fortfahren",
    "copy": "Kopieren",
    "copyFile": "Kopiere Datei",
    "copyToClipboard": "In Zwischenablage kopieren",
+    "copyDownloadLinkToClipboard": "Download-Link in die Zwischenablage kopieren",
    "create": "Neu",
    "delete": "Löschen",
    "download": "Herunterladen",
    "file": "Datei",
    "folder": "Ordner",
+    "fullScreen": "Vollbildmodus umschalten",
    "hideDotfiles": "Versteckte Dateien ausblenden",
    "info": "Info",
    "more": "mehr",
@@ -21,6 +24,7 @@
    "ok": "OK",
    "permalink": "permanenten Verweis anzeigen",
    "previous": "vorherige",
+    "preview": "Vorschau",
    "publish": "Veröffentlichen",
    "rename": "umbenennen",
    "replace": "Ersetzen",
@@ -37,13 +41,17 @@
    "toggleSidebar": "Seitenleiste anzeigen",
    "update": "Update",
    "upload": "Upload",
-    "openFile": "Datei öffnen"
+    "openFile": "Datei öffnen",
+    "discardChanges": "Verwerfen"
  },
  "download": {
    "downloadFile": "Download Datei",
    "downloadFolder": "Download Ordner",
    "downloadSelected": "Auswahl herunterladen"
  },
+  "upload": {
+    "abortUpload": "Sind Sie sicher, dass Sie den Vorgang abbrechen möchten?"
+  },
  "errors": {
    "forbidden": "Sie haben keine Berechtigung dies abzurufen.",
    "internal": "Etwas ist schiefgelaufen.",
@@ -102,6 +110,7 @@
    "deleteMessageMultiple": "Sind Sie sicher, dass Sie {count} Datei(en) löschen möchten?",
    "deleteMessageSingle": "Sind Sie sicher, dass Sie diesen Ordner/diese Datei löschen möchten?",
    "deleteMessageShare": "Sind Sie sicher, dass Sie diese Freigabe löschen möchten ({path})?",
+    "deleteUser": "Sind Sie sicher, dass Sie diesen Benutzer löschen möchten?",
    "deleteTitle": "Lösche Dateien",
    "displayName": "Anzeigename:",
    "download": "Lade Dateien",
@@ -130,7 +139,9 @@
    "upload": "Upload",
    "uploadFiles": "Upload von {files} Dateien...",
    "uploadMessage": "Wählen Sie eine Upload-Methode",
-    "optionalPassword": "Optionales Passwort"
+    "optionalPassword": "Optionales Passwort",
+    "resolution": "Auflösung",
+    "discardEditorChanges": "Möchten Sie die vorgenommenen Änderungen wirklich verwerfen?"
  },
  "search": {
    "images": "Bilder",
@@ -163,6 +174,9 @@
    "tusUploadsHelp": "File Browser unterstützt das Hochladen von gestückelten Dateien und ermöglicht so einen effizienten, zuverlässigen, fortsetzbaren und gestückelten Datei-Upload auch in unzuverlässigen Netzwerken.",
    "tusUploadsChunkSize": "Gibt die maximale Größe pro Anfrage an (direkte Uploads werden für kleinere Uploads verwendet). Bitte geben Sie eine Byte-Angabe oder eine Zeichenfolge wie 10 MB, 1 GB usw. an",
    "tusUploadsRetryCount": "Anzahl der Wiederholungsversuche, wenn das Hochladen eines Stückes fehlschlägt.",
+    "userHomeBasePath": "Basispfad für Benutzer-Home-Verzeichnisse",
+    "userScopeGenerationPlaceholder": "Scope wird automatisch generiert",
+    "createUserHomeDirectory": "Benutzer-Home-Verzeichnis erstellen",
    "customStylesheet": "Individuelles Stylesheet",
    "defaultUserDescription": "Das sind die Standardeinstellung für Benutzer",
    "disableExternalLinks": "Externe Links deaktivieren (außer Dokumentation)",
@@ -209,6 +223,7 @@
    "shareDeleted": "Freigabe gelöscht!",
    "singleClick": "Einfacher Klick zum Öffnen von Dateien und Ordnern",
    "themes": {
+      "default": "Systemstandard",
      "dark": "Dunkel",
      "light": "Hell",
      "title": "Erscheinungsbild"
--- a/frontend/src/i18n/index.ts
+++ b/frontend/src/i18n/index.ts
@@ -26,6 +26,7 @@ import("dayjs/locale/uk");
 import("dayjs/locale/vi");
 import("dayjs/locale/zh-cn");
 import("dayjs/locale/zh-tw");
+import("dayjs/locale/cs");

 // All i18n resources specified in the plugin `include` option can be loaded
 // at once using the import syntax
--- a/frontend/src/i18n/vi.json
+++ b/frontend/src/i18n/vi.json
@@ -262,4 +262,4 @@
    "seconds": "Giây",
    "unit": "Đơn vị"
  }
-}
+}
--- a/frontend/src/views/files/Editor.vue
+++ b/frontend/src/views/files/Editor.vue
@@ -41,6 +41,7 @@ import url from "@/utils/url";
 import ace, { Ace, version as ace_version } from "ace-builds";
 import modelist from "ace-builds/src-noconflict/ext-modelist";
 import "ace-builds/src-noconflict/ext-language_tools";
+import DOMPurify from "dompurify";

 import HeaderBar from "@/components/header/HeaderBar.vue";
 import Action from "@/components/header/Action.vue";
@@ -83,7 +84,7 @@ onMounted(() => {
    if (isMarkdownFile && isPreview.value) {
      const new_value = editor.value?.getValue() || "";
      try {
-        previewContent.value = await marked(new_value);
+        previewContent.value = DOMPurify.sanitize(await marked(new_value));
      } catch (error) {
        console.error("Failed to convert content to HTML:", error);
        previewContent.value = "";
--- a/frontend/src/views/settings/Global.vue
+++ b/frontend/src/views/settings/Global.vue
@@ -321,7 +321,10 @@ const save = async () => {
        .filter((cmd: string) => cmd !== "");
    }
  }
-  newSettings.shell = shellValue.value.split("\n");
+  newSettings.shell = shellValue.value
+    .trim()
+    .split(" ")
+    .filter((s) => s !== "");

  if (newSettings.branding.theme !== getTheme()) {
    setTheme(newSettings.branding.theme);
--- a/http/auth.go
+++ b/http/auth.go
@@ -157,6 +157,9 @@ var signupHandler = func(_ http.ResponseWriter, r *http.Request, d *data) (int,
 	}

 	user.Password = pwd
+	if d.settings.CreateUserDir {
+		user.Scope = ""
+	}

 	userHome, err := d.settings.MakeUserDir(user.Username, user.Scope, d.server.Root)
 	if err != nil {
--- a/http/commands.go
+++ b/http/commands.go
@@ -6,6 +6,7 @@ import (
 	"log"
 	"net/http"
 	"os/exec"
+	"slices"
 	"strings"
 	"time"

@@ -60,7 +61,16 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d
 		}
 	}

-	command, err := runner.ParseCommand(d.settings, raw)
+	// Fail fast
+	if !d.server.EnableExec || !d.user.Perm.Execute {
+		if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
+			wsErr(conn, r, http.StatusInternalServerError, err)
+		}
+
+		return 0, nil
+	}
+
+	command, name, err := runner.ParseCommand(d.settings, raw)
 	if err != nil {
 		if err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error())); err != nil { //nolint:govet
 			wsErr(conn, r, http.StatusInternalServerError, err)
@@ -68,7 +78,7 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d
 		return 0, nil
 	}

-	if !d.server.EnableExec || !d.user.CanExecute(command[0]) {
+	if !slices.Contains(d.user.Commands, name) {
 		if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
 			wsErr(conn, r, http.StatusInternalServerError, err)
 		}
--- a/runner/parser.go
+++ b/runner/parser.go
@@ -1,33 +1,24 @@
 package runner

 import (
-	"os/exec"
-
 	"github.com/filebrowser/filebrowser/v2/settings"
 )

 // ParseCommand parses the command taking in account if the current
 // instance uses a shell to run the commands or just calls the binary
-// directyly.
-func ParseCommand(s *settings.Settings, raw string) ([]string, error) {
-	var command []string
+// directly.
+func ParseCommand(s *settings.Settings, raw string) (command []string, name string, err error) {
+	name, args, err := SplitCommandAndArgs(raw)
+	if err != nil {
+		return
+	}

 	if len(s.Shell) == 0 || s.Shell[0] == "" {
-		cmd, args, err := SplitCommandAndArgs(raw)
-		if err != nil {
-			return nil, err
-		}
-
-		_, err = exec.LookPath(cmd)
-		if err != nil {
-			return nil, err
-		}
-
-		command = append(command, cmd)
+		command = append(command, name)
 		command = append(command, args...)
 	} else {
 		command = append(s.Shell, raw) //nolint:gocritic
 	}

-	return command, nil
+	return command, name, nil
 }
--- a/runner/runner.go
+++ b/runner/runner.go
@@ -60,7 +60,7 @@ func (r *Runner) exec(raw, evt, path, dst string, user *users.User) error {
 		raw = strings.TrimSpace(strings.TrimSuffix(raw, "&"))
 	}

-	command, err := ParseCommand(r.Settings, raw)
+	command, _, err := ParseCommand(r.Settings, raw)
 	if err != nil {
 		return err
 	}
--- a/transifex.yml
+++ b/transifex.yml
@@ -8,7 +8,6 @@ filters:
 settings:
  language_mapping:
    sv_SE: sv-se
-    cz-CS: cz_cs
    pt_BR: pt-br
    zh_CN: zh-cn
    zh_HK: zh-hk
--- a/users/users.go
+++ b/users/users.go
@@ -2,7 +2,6 @@ package users

 import (
 	"path/filepath"
-	"regexp"

 	"github.com/spf13/afero"

@@ -104,18 +103,3 @@ func (u *User) Clean(baseScope string, fields ...string) error {
 func (u *User) FullPath(path string) string {
 	return afero.FullBaseFsPath(u.Fs.(*afero.BasePathFs), path)
 }
-
-// CanExecute checks if an user can execute a specific command.
-func (u *User) CanExecute(command string) bool {
-	if !u.Perm.Execute {
-		return false
-	}
-
-	for _, cmd := range u.Commands {
-		if regexp.MustCompile(cmd).MatchString(command) {
-			return true
-		}
-	}
-
-	return false
-}
Author	SHA1	Message	Date
Henrique Dias	da03728cd7	chore(release): 2.33.10	2025-06-26 21:23:35 +02:00
Henrique Dias	e735491c57	fix: ignore linting error	2025-06-26 21:12:24 +02:00
Henrique Dias	4d830f707f	fix: correctly check if command is allowed when using shell	2025-06-26 21:09:16 +02:00
Henrique Dias	f84a6db680	fix: correctly split shell	2025-06-26 21:07:45 +02:00
Henrique Dias	a430eb2e60	chore(release): 2.33.9	2025-06-26 19:45:36 +02:00
Henrique Dias	c232d41f90	fix: remove unused import	2025-06-26 19:43:20 +02:00
Henrique Dias	c1e4fd648b	docs: add warning regarding the custom commands feature	2025-06-26 19:42:13 +02:00
Henrique Dias	d5b39a14fd	fix: remove auth token from /api/command	2025-06-26 19:42:13 +02:00
Henrique Dias	e2e1e49130	fix: check exact match on command allow list	2025-06-26 19:42:12 +02:00
Henrique Dias	b0f92dd2d7	chore(release): 2.33.8	2025-06-25 20:53:47 +02:00
Henrique Dias	21b0827808	Merge commit from fork	2025-06-25 20:50:38 +02:00
Henrique Dias	d6d84e2b48	chore(release): 2.33.7	2025-06-25 17:47:23 +02:00
Henrique Dias	ca86f91621	Merge commit from fork	2025-06-25 17:42:39 +02:00
Henrique Dias	4bfbf33249	fix: linting issues	2025-06-25 17:37:18 +02:00
Henrique Dias	f19943a42e	Merge commit from fork	2025-06-25 17:35:15 +02:00
Henrique Dias	e74c958862	fix: linting issues	2025-06-25 17:34:00 +02:00
Henrique Dias	221451a517	fix: correctly parse negative boolean flags	2025-06-25 17:24:06 +02:00
Henrique Dias	f46641b038	chore(release): 2.33.6	2025-06-24 22:00:57 +02:00
Henrique Dias	23bd8f6715	fix: remove incorrect default for password flag	2025-06-24 21:43:44 +02:00
Henrique Dias	506fc08577	chore(release): 2.33.5	2025-06-24 17:11:40 +02:00
transifex-integration[bot]	f33076462a	feat: update languages for project File Browser (#5190 ) Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>	2025-06-24 17:08:28 +02:00
Henrique Dias	6c29fabdc8	chore: remove cz_CS from transifex.yaml	2025-06-24 17:05:12 +02:00
Adam	0268506f80	fix: actually register the czech language (#5189 )	2025-06-24 17:02:01 +02:00
Henrique Dias	ad864a97e9	chore(release): 2.33.4	2025-06-22 17:59:45 +02:00
transifex-integration[bot]	f714e71a35	feat: translation updates for project File Browser (#5179 ) Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>	2025-06-22 17:59:23 +02:00
Henrique Dias	dbdbbab4d7	chore(release): 2.33.3	2025-06-22 17:57:34 +02:00
Henrique Dias	7c0c7820ef	fix: keep command behavior in Dockerfile	2025-06-22 17:55:57 +02:00
Arion2000	2741616473	fix: update search hotkey in help prompt (#5178 )	2025-06-22 12:45:21 +02:00
Henrique Dias	ffb858e4ef	chore(release): 2.33.2	2025-06-21 10:37:30 +02:00
Henrique Dias	0ca8059d8d	fix: create user dir on signup	2025-06-21 10:32:50 +02:00