release(v3.8.0): share-link admin guards and centralized safe-upload policy

- shares(security): require authenticated admin + CSRF for file share link listing and deletion
- uploads(policy): add centralized safe-upload policy with strict default and code-friendly admin override
- webdav(policy): enforce the shared write-name policy for WebDAV file and folder creation paths
- admin(ui): expose safe upload policy in Admin Panel and persist the normalized config value
- admin(fix): guard partial config updates that omit oidc payloads

Author: error311

CHANGELOG.md

@@ -1,5 +1,56 @@
 # Changelog
 
+## Changes 03/12/2026 (v3.8.0)
+
+`release(v3.8.0): share-link admin guards and centralized safe-upload policy`
+
+**Commit message**  
+
+```text
+release(v3.8.0): share-link admin guards and centralized safe-upload policy
+
+- shares(security): require authenticated admin + CSRF for file share link listing and deletion
+- uploads(policy): add centralized safe-upload policy with strict default and code-friendly admin override
+- webdav(policy): enforce the shared write-name policy for WebDAV file and folder creation paths
+- admin(ui): expose safe upload policy in Admin Panel and persist the normalized config value
+- admin(fix): guard partial config updates that omit oidc payloads
+```
+
+**Added**  
+
+- **Centralized safe-upload policy**
+  - Added `src/FileRise/Support/UploadNamePolicy.php` to centralize write-path filename policy decisions.
+  - Added admin-configurable policy modes:
+    - `strict` (default)
+    - `code_friendly`
+
+**Changed**  
+
+- **File share admin endpoints**
+  - `getShareLinks.php` now requires an authenticated admin session.
+  - `deleteShareLink.php` now requires an authenticated admin session and a valid CSRF token.
+  - Updated the generated OpenAPI spec to reflect the authenticated share-link route behavior.
+- **Write-path filename enforcement**
+  - Normal uploads, file create/save flows, selected folder write paths, and WebDAV now use the shared write-name policy instead of relying only on the generic filename regex.
+  - Added an Admin Panel control under upload settings so operators can switch between `strict` and `code_friendly` behavior.
+
+**Fixed**  
+
+- **Partial admin config saves**
+  - Fixed admin config updates failing when the submitted payload omits the `oidc` object during narrower settings changes.
+- **WebDAV folder-name validation**
+  - WebDAV folder creation now rejects invalid path-like names such as empty names, `.` / `..`, and names containing path separators.
+
+**Security**  
+
+- **Safe-upload defaults**
+  - New write operations default to `strict` mode.
+  - `.htaccess`, `.user.ini`, and `web.config` remain blocked in all policy modes.
+- **Share-link guard consistency**
+  - File share-link listing and deletion now use the same authenticated admin expectations as the rest of the admin share management surface.
+
+---
+
 ## Changes 03/08/2026 (v3.7.0)
 
 **Demo videos**  

openapi.json.dist

@@ -1914,7 +1914,7 @@
                     "Shares"
                 ],
                 "summary": "Delete a share link by token",
-                "description": "Deletes a share token. NOTE: Current implementation does not require authentication.",
+                "description": "Deletes a share token. Requires an authenticated admin session and a valid CSRF token.",
                 "operationId": "deleteShareLink",
                 "requestBody": {
                     "required": true,
@@ -1938,8 +1938,19 @@
                 "responses": {
                     "200": {
                         "description": "Deletion result (success or not found)"
+                    },
+                    "401": {
+                        "description": "Unauthorized"
+                    },
+                    "403": {
+                        "description": "Forbidden"
                     }
-                }
+                },
+                "security": [
+                    {
+                        "cookieAuth": []
+                    }
+                ]
             }
         },
         "/api/file/deleteTrashFiles.php": {
@@ -2386,13 +2397,24 @@
                     "Shares"
                 ],
                 "summary": "Get (raw) share links file",
-                "description": "Returns the full share links JSON (no auth in current implementation).",
+                "description": "Returns the full share links JSON. Requires an authenticated admin session.",
                 "operationId": "getShareLinks",
                 "responses": {
                     "200": {
                         "description": "Share links (model-defined JSON)"
+                    },
+                    "401": {
+                        "description": "Unauthorized"
+                    },
+                    "403": {
+                        "description": "Forbidden"
                     }
-                }
+                },
+                "security": [
+                    {
+                        "cookieAuth": []
+                    }
+                ]
             }
         },
         "/api/file/getTrashItems.php": {
@@ -7160,4 +7182,4 @@
             "description": "Uploads"
         }
     ]
-}
+}

public/api/file/deleteShareLink.php

@@ -5,7 +5,7 @@
  * @OA\Post(
  *   path="/api/file/deleteShareLink.php",
  *   summary="Delete a share link by token",
- *   description="Deletes a share token. NOTE: Current implementation does not require authentication.",
+ *   description="Deletes a share token. Requires an authenticated admin session and a valid CSRF token.",
  *   operationId="deleteShareLink",
  *   tags={"Shares"},
  *   @OA\RequestBody(
@@ -18,7 +18,9 @@
  *       )
  *     )
  *   ),
- *   @OA\Response(response=200, description="Deletion result (success or not found)")
+ *   @OA\Response(response=200, description="Deletion result (success or not found)"),
+ *   @OA\Response(response=401, description="Unauthorized"),
+ *   @OA\Response(response=403, description="Forbidden")
  * )
  */
 

public/api/file/getShareLinks.php

@@ -4,15 +4,17 @@
  * @OA\Get(
  *   path="/api/file/getShareLinks.php",
  *   summary="Get (raw) share links file",
- *   description="Returns the full share links JSON (no auth in current implementation).",
+ *   description="Returns the full share links JSON. Requires an authenticated admin session.",
  *   operationId="getShareLinks",
  *   tags={"Shares"},
- *   @OA\Response(response=200, description="Share links (model-defined JSON)")
+ *   @OA\Response(response=200, description="Share links (model-defined JSON)"),
+ *   @OA\Response(response=401, description="Unauthorized"),
+ *   @OA\Response(response=403, description="Forbidden")
  * )
  */
 
 
 require_once __DIR__ . '/../../../config/config.php';
 
 $fileController = new \FileRise\Http\Controllers\FileController();
-$fileController->getShareLinks();
+$fileController->getShareLinks();

public/js/adminPanel.js

@@ -5221,6 +5221,7 @@ function captureInitialAdminConfig() {
     authBypass: !!document.getElementById("authBypass")?.checked,
 
     enableWebDAV: !!document.getElementById("enableWebDAV")?.checked,
+    safeUploadPolicy: (document.getElementById("safeUploadPolicy")?.value || "strict").trim(),
     sharedMaxUploadSize: (document.getElementById("sharedMaxUploadSize")?.value || "").trim(),
     resumableChunkMb: (document.getElementById("resumableChunkMb")?.value || "").trim(),
     resumableTtlHours: (document.getElementById("resumableTtlHours")?.value || "").trim(),
@@ -5286,6 +5287,7 @@ function hasUnsavedChanges() {
     getChk("authBypass") !== o.authBypass ||
 
     getChk("enableWebDAV") !== o.enableWebDAV ||
+    getVal("safeUploadPolicy") !== (o.safeUploadPolicy || "strict") ||
     getVal("sharedMaxUploadSize") !== o.sharedMaxUploadSize ||
     getVal("resumableChunkMb") !== o.resumableChunkMb ||
     getVal("resumableTtlHours") !== o.resumableTtlHours ||
@@ -7723,6 +7725,22 @@ export function openAdminPanel() {
     ${tf("upload_settings", "Upload settings")}
   </div>
 
+  <div class="form-group" style="margin-top:10px;">
+    <label for="safeUploadPolicy">
+      ${tf("safe_upload_policy_label", "Safe upload policy")}
+    </label>
+    <select id="safeUploadPolicy" class="form-control">
+      <option value="strict">${tf("safe_upload_policy_strict", "Strict (recommended)")}</option>
+      <option value="code_friendly">${tf("safe_upload_policy_code_friendly", "Code-friendly")}</option>
+    </select>
+    <small class="text-muted d-block mt-1">
+      ${tf(
+          "safe_upload_policy_help",
+          "Strict blocks executable and script-style filenames on new writes. Code-friendly allows them for editor workflows, but .htaccess, .user.ini, and web.config are always blocked."
+        )}
+    </small>
+  </div>
+
   <div class="form-group" style="margin-top:10px;">
     <label for="resumableChunkMb">
       ${tf("resumable_chunk_size_label", "Resumable chunk size (MB)")}
@@ -9214,6 +9232,7 @@ ${t("shared_max_upload_size_bytes")}
         }
 
         document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
+        document.getElementById("safeUploadPolicy").value = config.safeUploadPolicy || "strict";
         document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
         const uploadCfg = (config.uploads && typeof config.uploads === "object") ? config.uploads : {};
         const chunkEl = document.getElementById("resumableChunkMb");
@@ -9320,6 +9339,7 @@ ${t("shared_max_upload_size_bytes")}
         }
 
         document.getElementById("enableWebDAV").checked = config.enableWebDAV === true;
+        document.getElementById("safeUploadPolicy").value = config.safeUploadPolicy || "strict";
         document.getElementById("sharedMaxUploadSize").value = config.sharedMaxUploadSize || "";
         const uploadCfg2 = (config.uploads && typeof config.uploads === "object") ? config.uploads : {};
         const chunkEl2 = document.getElementById("resumableChunkMb");
@@ -9582,6 +9602,7 @@ function handleSave() {
       authHeaderName,
     },
     enableWebDAV: !!document.getElementById("enableWebDAV")?.checked,
+    safeUploadPolicy: (document.getElementById("safeUploadPolicy")?.value || "strict").trim(),
     sharedMaxUploadSize: parseInt(
       document.getElementById("sharedMaxUploadSize").value || "0",
       10

src/FileRise/Domain/AdminModel.php

@@ -3,6 +3,7 @@
 namespace FileRise\Domain;
 
 use FileRise\Http\Controllers\AdminController;
+use FileRise\Support\UploadNamePolicy;
 use FileRise\Storage\SourcesConfig;
 use ProAudit;
 
@@ -152,6 +153,7 @@ public static function buildPublicSubset(array $config): array
             ],
             'globalOtpauthUrl'    => $config['globalOtpauthUrl'] ?? '',
             'enableWebDAV'        => (bool)($config['enableWebDAV'] ?? false),
+            'safeUploadPolicy'    => UploadNamePolicy::normalizeMode($config['safeUploadPolicy'] ?? UploadNamePolicy::MODE_STRICT),
             'sharedMaxUploadSize' => (int)($config['sharedMaxUploadSize'] ?? 0),
             'oidc' => [
                 'providerUrl' => (string)($config['oidc']['providerUrl'] ?? ''),
@@ -440,6 +442,9 @@ public static function updateConfig(array $configUpdate): array
         $configUpdate['enableWebDAV'] = isset($configUpdate['enableWebDAV'])
             ? (bool)$configUpdate['enableWebDAV']
             : false;
+        $configUpdate['safeUploadPolicy'] = UploadNamePolicy::normalizeMode(
+            $configUpdate['safeUploadPolicy'] ?? UploadNamePolicy::MODE_STRICT
+        );
 
         // Validate sharedMaxUploadSize if provided
         if (array_key_exists('sharedMaxUploadSize', $configUpdate)) {
@@ -902,6 +907,9 @@ public static function getConfig(): array
             if (!isset($config['enableWebDAV'])) {
                 $config['enableWebDAV'] = false;
             }
+            $config['safeUploadPolicy'] = UploadNamePolicy::normalizeMode(
+                $config['safeUploadPolicy'] ?? UploadNamePolicy::MODE_STRICT
+            );
 
             // sharedMaxUploadSize: default if missing; clamp if present
             $maxBytes = self::parseSize(TOTAL_UPLOAD_SIZE);

src/FileRise/Domain/FileModel.php

@@ -5,6 +5,7 @@
 use FileRise\Support\ACL;
 use FileRise\Support\CryptoAtRest;
 use FileRise\Support\FS;
+use FileRise\Support\UploadNamePolicy;
 use FileRise\Storage\StorageAdapterInterface;
 use FileRise\Storage\SourceContext;
 use FileRise\Storage\StorageRegistry;
@@ -1165,7 +1166,7 @@ public static function renameFile($folder, $oldName, $newName)
         $newName = basename(trim($newName));
 
         // Validate file names using REGEX_FILE_NAME.
-        if (!preg_match(REGEX_FILE_NAME, $oldName) || !preg_match(REGEX_FILE_NAME, $newName)) {
+        if (!preg_match(REGEX_FILE_NAME, $oldName) || !UploadNamePolicy::isAllowedForWrite($newName)) {
             return ["error" => "Invalid file name."];
         }
 
@@ -1220,7 +1221,7 @@ public static function saveFile(string $folder, string $fileName, $content, ?str
         if (strtolower($folder) !== 'root' && !preg_match(REGEX_FOLDER_NAME, $folder)) {
             return ["error" => "Invalid folder name"];
         }
-        if (!preg_match(REGEX_FILE_NAME, $fileName)) {
+        if (!UploadNamePolicy::isAllowedForWrite($fileName)) {
             return ["error" => "Invalid file name"];
         }
 
@@ -1996,7 +1997,7 @@ public static function extractZipArchive($folder, $files)
             return '';
         };
 
-        $stampExtractedFiles = function (array $allowedFiles) use ($folderPathReal, $folderNorm, $safeFileNamePattern, $stampMeta, &$extractedFiles): int {
+        $stampExtractedFiles = function (array $allowedFiles) use ($folderPathReal, $folderNorm, $stampMeta, &$extractedFiles): int {
             $found = 0;
             foreach ($allowedFiles as $entryName) {
                 // Normalize entry path for filesystem checks
@@ -2009,7 +2010,7 @@ public static function extractZipArchive($folder, $files)
                 }
 
                 $basename = basename($entryFsRel);
-                if ($basename === '' || !preg_match($safeFileNamePattern, $basename)) {
+                if (!UploadNamePolicy::isAllowedForWrite($basename)) {
                     continue;
                 }
 
@@ -3954,7 +3955,7 @@ public static function createFile(string $folder, string $filename, string $uplo
     {
         // 1) basic validation
         $filename = basename(trim($filename));
-        if (!preg_match(REGEX_FILE_NAME, $filename)) {
+        if (!UploadNamePolicy::isAllowedForWrite($filename)) {
             return ['success' => false, 'error' => 'Invalid filename', 'code' => 400];
         }
 

src/FileRise/Domain/FolderModel.php

@@ -5,6 +5,7 @@
 use FileRise\Support\ACL;
 use FileRise\Support\CryptoAtRest;
 use FileRise\Support\FS;
+use FileRise\Support\UploadNamePolicy;
 use FileRise\Storage\StorageAdapterInterface;
 use FileRise\Storage\SourceContext;
 use FileRise\Storage\StorageRegistry;
@@ -3041,6 +3042,9 @@ public static function uploadToSharedFolder(string $token, array $fileUpload, st
         // New safe filename
         $safeBase   = preg_replace('/[^A-Za-z0-9_\-\.]/', '_', $uploadedName);
         $newFilename = uniqid('', true) . "_" . $safeBase;
+        if (!UploadNamePolicy::isAllowedForWrite($newFilename)) {
+            return ["error" => "Invalid file name."];
+        }
         $targetPath = $targetDir . DIRECTORY_SEPARATOR . $newFilename;
 
         if ($storage->isLocal()) {

src/FileRise/Domain/UploadModel.php

@@ -6,6 +6,7 @@
 use FileRise\Support\AuditHook;
 use FileRise\Support\CryptoAtRest;
 use FileRise\Support\EventBus;
+use FileRise\Support\UploadNamePolicy;
 use FileRise\Storage\StorageAdapterInterface;
 use FileRise\Storage\SourceContext;
 use FileRise\Storage\StorageRegistry;
@@ -427,7 +428,7 @@ private static function parseRelativePath(string $raw): array
         }
 
         $file = basename($raw);
-        if ($file === '' || !preg_match(REGEX_FILE_NAME, $file)) {
+        if (!UploadNamePolicy::isAllowedForWrite($file)) {
             return [null, null];
         }
 
@@ -733,7 +734,7 @@ public static function handleUpload(array $post, array $files): array
                 $relativeSubDir = $subDir;
             }
 
-            if (!preg_match(REGEX_FILE_NAME, $resumableFilename)) {
+            if (!UploadNamePolicy::isAllowedForWrite($resumableFilename)) {
                 return ['error' => "Invalid file name: $resumableFilename"];
             }
 
@@ -938,7 +939,6 @@ public static function handleUpload(array $post, array $files): array
                 return ['error' => 'Failed to create upload directory'];
             }
 
-            $safeFileNamePattern = REGEX_FILE_NAME;
             $metadataCollection  = [];
             $metadataChanged     = [];
 
@@ -981,7 +981,7 @@ public static function handleUpload(array $post, array $files): array
                             . str_replace('/', DIRECTORY_SEPARATOR, $relativeSubDir) . DIRECTORY_SEPARATOR;
                     }
                 }
-                if (!preg_match($safeFileNamePattern, $safeFileName)) {
+                if (!UploadNamePolicy::isAllowedForWrite($safeFileName)) {
                     return ['error' => 'Invalid file name: ' . $fileName];
                 }