2025-07-18 14:00:25 +00:00
8 changed files with 42 additions and 107 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,15 +2,6 @@

 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

-### [2.33.7](https://github.com/filebrowser/filebrowser/compare/v2.33.6...v2.33.7) (2025-06-25)
-
-
-### Bug Fixes
-
-* correctly parse negative boolean flags ([221451a](https://github.com/filebrowser/filebrowser/commit/221451a5179c8f139819a315b80d0ecb0e7220c3))
-* linting issues ([4bfbf33](https://github.com/filebrowser/filebrowser/commit/4bfbf332499fc8aea5f6df6aae1efa0de918d1ae))
-* linting issues ([e74c958](https://github.com/filebrowser/filebrowser/commit/e74c95886226c0ee429af1860eed21dd1f8601aa))
-
 ### [2.33.6](https://github.com/filebrowser/filebrowser/compare/v2.33.5...v2.33.6) (2025-06-24)


--- a/cmd/root.go
+++ b/cmd/root.go
@ -68,7 +68,7 @@ func addServerFlags(flags *pflag.FlagSet) {
 	flags.Int("img-processors", 4, "image processors count") //nolint:gomnd
 	flags.Bool("disable-thumbnails", false, "disable image thumbnails")
 	flags.Bool("disable-preview-resize", false, "disable resize of image previews")
-	flags.Bool("disable-exec", true, "disables Command Runner feature")
+	flags.Bool("disable-exec", false, "disables Command Runner feature")
 	flags.Bool("disable-type-detection-by-header", false, "disables type detection by reading file headers")
 }

@ -201,42 +201,42 @@ func getRunParams(flags *pflag.FlagSet, st *storage.Storage) *settings.Server {
 	server, err := st.Settings.GetServer()
 	checkErr(err)

-	if val, set := getStringParamB(flags, "root"); set {
+	if val, set := getParamB(flags, "root"); set {
 		server.Root = val
 	}

-	if val, set := getStringParamB(flags, "baseurl"); set {
+	if val, set := getParamB(flags, "baseurl"); set {
 		server.BaseURL = val
 	}

-	if val, set := getStringParamB(flags, "log"); set {
+	if val, set := getParamB(flags, "log"); set {
 		server.Log = val
 	}

 	isSocketSet := false
 	isAddrSet := false

-	if val, set := getStringParamB(flags, "address"); set {
+	if val, set := getParamB(flags, "address"); set {
 		server.Address = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getStringParamB(flags, "port"); set {
+	if val, set := getParamB(flags, "port"); set {
 		server.Port = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getStringParamB(flags, "key"); set {
+	if val, set := getParamB(flags, "key"); set {
 		server.TLSKey = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getStringParamB(flags, "cert"); set {
+	if val, set := getParamB(flags, "cert"); set {
 		server.TLSCert = val
 		isAddrSet = isAddrSet || set
 	}

-	if val, set := getStringParamB(flags, "socket"); set {
+	if val, set := getParamB(flags, "socket"); set {
 		server.Socket = val
 		isSocketSet = isSocketSet || set
 	}
@ -250,69 +250,33 @@ func getRunParams(flags *pflag.FlagSet, st *storage.Storage) *settings.Server {
 		server.Socket = ""
 	}

-	disableThumbnails := getBoolParam(flags, "disable-thumbnails")
+	_, disableThumbnails := getParamB(flags, "disable-thumbnails")
 	server.EnableThumbnails = !disableThumbnails

-	disablePreviewResize := getBoolParam(flags, "disable-preview-resize")
+	_, disablePreviewResize := getParamB(flags, "disable-preview-resize")
 	server.ResizePreview = !disablePreviewResize

-	disableTypeDetectionByHeader := getBoolParam(flags, "disable-type-detection-by-header")
+	_, disableTypeDetectionByHeader := getParamB(flags, "disable-type-detection-by-header")
 	server.TypeDetectionByHeader = !disableTypeDetectionByHeader

-	disableExec := getBoolParam(flags, "disable-exec")
+	_, disableExec := getParamB(flags, "disable-exec")
 	server.EnableExec = !disableExec

-	if server.EnableExec {
-		log.Println("WARNING: Command Runner feature enabled!")
-		log.Println("WARNING: This feature has known security vulnerabilities and should not")
-		log.Println("WARNING: you fully understand the risks involved. For more information")
-		log.Println("WARNING: read https://github.com/filebrowser/filebrowser/issues/5199")
-	}
-
-	if val, set := getStringParamB(flags, "token-expiration-time"); set {
+	if val, set := getParamB(flags, "token-expiration-time"); set {
 		server.TokenExpirationTime = val
 	}

 	return server
 }

-// getBoolParamB returns a parameter as a string and a boolean to tell if it is different from the default
+// getParamB returns a parameter as a string and a boolean to tell if it is different from the default
 //
 // NOTE: we could simply bind the flags to viper and use IsSet.
 // Although there is a bug on Viper that always returns true on IsSet
 // if a flag is binded. Our alternative way is to manually check
 // the flag and then the value from env/config/gotten by viper.
 // https://github.com/spf13/viper/pull/331
-func getBoolParamB(flags *pflag.FlagSet, key string) (value, ok bool) {
-	value, _ = flags.GetBool(key)
-
-	// If set on Flags, use it.
-	if flags.Changed(key) {
-		return value, true
-	}
-
-	// If set through viper (env, config), return it.
-	if v.IsSet(key) {
-		return v.GetBool(key), true
-	}
-
-	// Otherwise use default value on flags.
-	return value, false
-}
-
-func getBoolParam(flags *pflag.FlagSet, key string) bool {
-	val, _ := getBoolParamB(flags, key)
-	return val
-}
-
-// getStringParamB returns a parameter as a string and a boolean to tell if it is different from the default
-//
-// NOTE: we could simply bind the flags to viper and use IsSet.
-// Although there is a bug on Viper that always returns true on IsSet
-// if a flag is binded. Our alternative way is to manually check
-// the flag and then the value from env/config/gotten by viper.
-// https://github.com/spf13/viper/pull/331
-func getStringParamB(flags *pflag.FlagSet, key string) (string, bool) {
+func getParamB(flags *pflag.FlagSet, key string) (string, bool) {
 	value, _ := flags.GetString(key)

 	// If set on Flags, use it.
@ -329,8 +293,8 @@ func getStringParamB(flags *pflag.FlagSet, key string) (string, bool) {
 	return value, false
 }

-func getStringParam(flags *pflag.FlagSet, key string) string {
-	val, _ := getStringParamB(flags, key)
+func getParam(flags *pflag.FlagSet, key string) string {
+	val, _ := getParamB(flags, key)
 	return val
 }

@ -385,7 +349,7 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 	}

 	var err error
-	if _, noauth := getStringParamB(flags, "noauth"); noauth {
+	if _, noauth := getParamB(flags, "noauth"); noauth {
 		set.AuthMethod = auth.MethodNoAuth
 		err = d.store.Auth.Save(&auth.NoAuth{})
 	} else {
@ -398,27 +362,27 @@ func quickSetup(flags *pflag.FlagSet, d pythonData) {
 	checkErr(err)

 	ser := &settings.Server{
-		BaseURL: getStringParam(flags, "baseurl"),
-		Port:    getStringParam(flags, "port"),
-		Log:     getStringParam(flags, "log"),
-		TLSKey:  getStringParam(flags, "key"),
-		TLSCert: getStringParam(flags, "cert"),
-		Address: getStringParam(flags, "address"),
-		Root:    getStringParam(flags, "root"),
+		BaseURL: getParam(flags, "baseurl"),
+		Port:    getParam(flags, "port"),
+		Log:     getParam(flags, "log"),
+		TLSKey:  getParam(flags, "key"),
+		TLSCert: getParam(flags, "cert"),
+		Address: getParam(flags, "address"),
+		Root:    getParam(flags, "root"),
 	}

 	err = d.store.Settings.SaveServer(ser)
 	checkErr(err)

-	username := getStringParam(flags, "username")
-	password := getStringParam(flags, "password")
+	username := getParam(flags, "username")
+	password := getParam(flags, "password")

 	if password == "" {
 		var pwd string
 		pwd, err = users.RandomPwd()
 		checkErr(err)

-		log.Println("Randomly generated password for user 'admin':", pwd)
+		log.Println("Generated random admin password for quick setup:", pwd)

 		password, err = users.HashPwd(pwd)
 		checkErr(err)
@ -456,7 +420,6 @@ func initConfig() {
 	v.SetEnvPrefix("FB")
 	v.AutomaticEnv()
 	v.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
-	v.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))

 	if err := v.ReadInConfig(); err != nil {
 		var configParseError v.ConfigParseError
--- a/cmd/upgrade.go
+++ b/cmd/upgrade.go
@ -25,7 +25,7 @@ this version.`,
 		flags := cmd.Flags()
 		oldDB := mustGetString(flags, "old.database")
 		oldConf := mustGetString(flags, "old.config")
-		err := importer.Import(oldDB, oldConf, getStringParam(flags, "database"))
+		err := importer.Import(oldDB, oldConf, getParam(flags, "database"))
 		checkErr(err)
 	},
 }
--- a/cmd/utils.go
+++ b/cmd/utils.go
@ -14,7 +14,6 @@ import (
 	"github.com/spf13/pflag"
 	yaml "gopkg.in/yaml.v2"

-	"github.com/filebrowser/filebrowser/v2/files"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/storage"
 	"github.com/filebrowser/filebrowser/v2/storage/bolt"
@ -87,7 +86,7 @@ func python(fn pythonFunc, cfg pythonConfig) cobraFunc {
 	return func(cmd *cobra.Command, args []string) {
 		data := pythonData{hadDB: true}

-		path := getStringParam(cmd.Flags(), "database")
+		path := getParam(cmd.Flags(), "database")
 		absPath, err := filepath.Abs(path)
 		if err != nil {
 			panic(err)
@ -106,7 +105,7 @@ func python(fn pythonFunc, cfg pythonConfig) cobraFunc {

 		log.Println("Using database: " + absPath)
 		data.hadDB = exists
-		db, err := storm.Open(path, storm.BoltOptions(files.PermFile, nil))
+		db, err := storm.Open(path)
 		checkErr(err)
 		defer db.Close()
 		data.store, err = bolt.NewStorage(db)
--- a/files/file.go
+++ b/files/file.go
@ -27,8 +27,8 @@ import (
 	"github.com/filebrowser/filebrowser/v2/rules"
 )

-const PermFile = 0640
-const PermDir = 0750
+const PermFile = 0644
+const PermDir = 0755

 var (
 	reSubDirs = regexp.MustCompile("(?i)^sub(s|titles)$")
--- a/frontend/package.json
+++ b/frontend/package.json
@ -24,7 +24,6 @@
    "ace-builds": "^1.37.5",
    "core-js": "^3.40.0",
    "dayjs": "^1.11.10",
-    "dompurify": "^3.2.6",
    "epubjs": "^0.3.93",
    "filesize": "^10.1.1",
    "js-base64": "^3.7.7",
--- a/frontend/pnpm-lock.yaml
+++ b/frontend/pnpm-lock.yaml
@ -26,9 +26,6 @@ importers:
      dayjs:
        specifier: ^1.11.10
        version: 1.11.13
-      dompurify:
-        specifier: ^3.2.6
-        version: 3.2.6
      epubjs:
        specifier: ^0.3.93
        version: 0.3.93
@ -949,8 +946,8 @@ packages:
    resolution: {integrity: sha512-dF2iMMy8P9uKVHV/20LA1ulFLL+MKSbfMiixSmn6fpwqzvix38OIc7ebgnFbBqElvghZCW9ACtzKTGKsTGTWGA==}
    engines: {node: '>= 16'}

-  '@intlify/shared@11.1.7':
-    resolution: {integrity: sha512-4yZeMt2Aa/7n5Ehy4KalUlvt3iRLcg1tq9IBVfOgkyWFArN4oygn6WxgGIFibP3svpaH8DarbNaottq+p0gUZQ==}
+  '@intlify/shared@11.1.3':
+    resolution: {integrity: sha512-pTFBgqa/99JRA2H1qfyqv97MKWJrYngXBA/I0elZcYxvJgcCw3mApAoPW3mJ7vx3j+Ti0FyKUFZ4hWxdjKaxvA==}
    engines: {node: '>= 16'}

  '@intlify/shared@12.0.0-alpha.2':
@ -1177,9 +1174,6 @@ packages:
  '@types/node@22.10.10':
    resolution: {integrity: sha512-X47y/mPNzxviAGY5TcYPtYL8JsY3kAq2n8fMmKoRCxq/c4v4pyGNCzM2R6+M5/umG4ZfHuT+sgqDYqWc9rJ6ww==}

-  '@types/trusted-types@2.0.7':
-    resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==}
-
  '@types/web-bluetooth@0.0.20':
    resolution: {integrity: sha512-g9gZnnXVq7gM7v3tJCWV/qw7w+KeOlSHAhgF9RytFyifW6AF61hdT2ucrYhPq9hLs5JIryeupHV3qGk95dH9ow==}

@ -1608,9 +1602,6 @@ packages:
  dom-walk@0.1.2:
    resolution: {integrity: sha512-6QvTW9mrGeIegrFXdtQi9pk7O/nSK6lSdXW2eqUspN5LWD7UTji2Fqw5V2YLjBpHEoU9Xl/eUWNpDeZvoyOv2w==}

-  dompurify@3.2.6:
-    resolution: {integrity: sha512-/2GogDQlohXPZe6D6NOgQvXLPSYBqIWMnZ8zzOhn09REE4eyAzb+Hed3jhoM9OkuaJ8P6ZGTTVWQKAi8ieIzfQ==}
-
  electron-to-chromium@1.5.67:
    resolution: {integrity: sha512-nz88NNBsD7kQSAGGJyp8hS6xSPtWwqNogA0mjtc2nUYeEf3nURK9qpV18TuBdDmEDgVWotS8Wkzf+V52dSQ/LQ==}

@ -3637,7 +3628,7 @@ snapshots:

  '@intlify/shared@11.1.2': {}

-  '@intlify/shared@11.1.7': {}
+  '@intlify/shared@11.1.3': {}

  '@intlify/shared@12.0.0-alpha.2': {}

@ -3645,8 +3636,8 @@ snapshots:
    dependencies:
      '@eslint-community/eslint-utils': 4.4.1(eslint@9.19.0)
      '@intlify/bundle-utils': 10.0.0(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))
-      '@intlify/shared': 11.1.7
-      '@intlify/vue-i18n-extensions': 8.0.0(@intlify/shared@11.1.7)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))
+      '@intlify/shared': 11.1.3
+      '@intlify/vue-i18n-extensions': 8.0.0(@intlify/shared@11.1.3)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))
      '@rollup/pluginutils': 5.1.4(rollup@4.40.1)
      '@typescript-eslint/scope-manager': 8.21.0
      '@typescript-eslint/typescript-estree': 8.21.0(typescript@5.6.3)
@ -3668,11 +3659,11 @@ snapshots:
      - supports-color
      - typescript

-  '@intlify/vue-i18n-extensions@8.0.0(@intlify/shared@11.1.7)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))':
+  '@intlify/vue-i18n-extensions@8.0.0(@intlify/shared@11.1.3)(@vue/compiler-dom@3.5.13)(vue-i18n@11.1.2(vue@3.5.13(typescript@5.6.3)))(vue@3.5.13(typescript@5.6.3))':
    dependencies:
      '@babel/parser': 7.26.7
    optionalDependencies:
-      '@intlify/shared': 11.1.7
+      '@intlify/shared': 11.1.3
      '@vue/compiler-dom': 3.5.13
      vue: 3.5.13(typescript@5.6.3)
      vue-i18n: 11.1.2(vue@3.5.13(typescript@5.6.3))
@ -3821,9 +3812,6 @@ snapshots:
    dependencies:
      undici-types: 6.20.0

-  '@types/trusted-types@2.0.7':
-    optional: true
-
  '@types/web-bluetooth@0.0.20': {}

  '@typescript-eslint/eslint-plugin@8.21.0(@typescript-eslint/parser@8.21.0(eslint@9.19.0)(typescript@5.6.3))(eslint@9.19.0)(typescript@5.6.3)':
@ -4294,10 +4282,6 @@ snapshots:

  dom-walk@0.1.2: {}

-  dompurify@3.2.6:
-    optionalDependencies:
-      '@types/trusted-types': 2.0.7
-
  electron-to-chromium@1.5.67: {}

  emoji-regex@8.0.0: {}
--- a/frontend/src/views/files/Editor.vue
+++ b/frontend/src/views/files/Editor.vue
@ -41,7 +41,6 @@ import url from "@/utils/url";
 import ace, { Ace, version as ace_version } from "ace-builds";
 import modelist from "ace-builds/src-noconflict/ext-modelist";
 import "ace-builds/src-noconflict/ext-language_tools";
-import DOMPurify from "dompurify";

 import HeaderBar from "@/components/header/HeaderBar.vue";
 import Action from "@/components/header/Action.vue";
@ -84,7 +83,7 @@ onMounted(() => {
    if (isMarkdownFile && isPreview.value) {
      const new_value = editor.value?.getValue() || "";
      try {
-        previewContent.value = DOMPurify.sanitize(await marked(new_value));
+        previewContent.value = await marked(new_value);
      } catch (error) {
        console.error("Failed to convert content to HTML:", error);
        previewContent.value = "";