LiquidFiles Documentation
LiquidFiles Documentation

Release Notes Version 3.6.x

Major changes from version 3.5 to version 3.6

  • Bootstrap v5 — This is a major change in the look and feel of the LiquidFiles web interface. There shouldn't be any functionality changes unless where noted below or possibly if you have made custom changes using custom StyleSheet or JavaScripts. One of the benefits of moving to Bootstrap v5 is that LiquidFiles now meets more accessibility standards.
  • Accessibility — LiquidFiles now meets WCAG 2.1 (A/AA) accessibility standards.
  • All pages, including all admin pages, now uses the standard Bootstrap form elements and page styling so all pages are now responsive. For instance, the Admin → System → Network pages in v3.5 and below where not responsive.
  • Security — LiquidFiles v3.5 removed unsafe-inline for any JavaScript in its Content-Security-Policy. LiquidFiles v3.6 has now extended this also to StyleSheets so there's an even stronger Content-Security-Policy with LiquidFiles v3.6 and onwards.
  • Added Local Domains that contains a list of your Local Domains. This is used to make it easier to differentiate between Local and External Users. Any recipient in any Local Domain will not receive a Secure Token or Temporary User Remote Authentication. Users registering on the front page of your LiquidFiles system from one of your Local Domains will automatically be added as a Local User, and so on.
  • Added a flexible interface for Content-Security-Policy changes (Admin → Configuration → Settings).
  • Security — Readded (short-lived) Secure Token as External User Authentication method in addition to Temporary Users. In LiquidFiles v3.6 you can now choose which method to use.
  • Each Secure Token (External User authentication) can only be used once.
  • Added Actionscript for SMS Token Delivery.
  • Added Bulk Change Email Domain. Lets you quickly change user emails from to
  • Added Bulk Move Local Users from Remote Groups. In case you have any Local Users in Remote User Groups, which is not permitted since this release, this bulk edit lets you quickly move these users to a Local User Group.
  • Updated backup username and password mechanism to remove previous username and password character restrictions.
  • Set the JSON max upload file size to 150MB raw (less Base64 increases so just above 100MB), remove the binary upload file size limit (only really noticable when using the API).
  • More robust internal Queue engine. The new queue engine uses PostgreSQL as it's data store so less external dependencies.
  • Reworked the validation for the Secure Message Compose page.
  • Updated internal libraries.
Also, please see the Incompatibilies and Warnings section below before updating from LiquidFiles v3.5 and earlier.
A CentOS update around the 10th of April, 2023 caused updates to fail. We've since released v3.6.16 that fixes this. All previous updates have been pulled as they wouldn't work anyway.

Version 3.6.16 (released 2023-04-10)

  • Fixes issue where updates wasn't working since a recent CentOS update.
  • Fixes a disk warning message.
  • Sanitize Message Request message.
  • Better validation of emails for User Invites.
  • Fixes an issue restoring from legacy v2.x systems.

Version 3.6.15 (released 2023-01-04)

  • Fixed an issue where the syslog database wasn't correctly cleaned up.
  • Validate syslog has hostname or fqdn, not IP address.
  • Added a redirect if someone accessed using http on a https port.
  • Fixed a Postfix error when installing a new EC2 instance.

Version 3.6.14 (released 2022-11-30)

  • Fixed an issue when uploading files to a Share (issue with v3.6.13).

Version 3.6.13 (released 2022-11-21)

  • Fixed an issue when uploading many (thousands) of files to a Share.
  • Fixed an issue when admins clicked verify user it wouldn't save properly.
  • Fixed an issue when deleting ip addresses from the permanent IP blocklist.
  • Fixed a migration issue from older systems.

Version 3.6.12 (released 2022-10-19)

  • Fixed an issue where CSV files sometimes couldn't be downloaded.
  • Improved encoding detection of files uploaded in shares in extended character sets.
  • On phone size view, the menubar didn't expand properly.
  • Fixed an issue where download of FileLinks wasn't working properly when skip AV scans for local users was enabled.
  • Only send one new email token if entered incorrectly.
  • Security: Removed legacy attachment upload functions.
  • Security: Improved input validation for (remaining) legacy attachment upload functions.
  • Security: Improved processing of files in the watchdog.

Version 3.6.11 (released 2022-09-13)

  • Added separate graphs and alerts for the system disk for systems with both system and data disks.
  • Fixes an issue where the menubar title wasn't visible unless a logo was added.
  • Fixes an issue where admins could not administer shares if they don't have access to users data.
  • Fixes an issue where a sender of a Filedrop could sometimes delete files they've just sent when reloading the Filedrop directly after sending.
  • Fixes an issue where quotation marks wasn't escaped properly in CSV files.
  • Fixes an issue where the "Fix Delete Attachments Larger than" setting wasn't processed properly when set to zero (0) for FileLink.
  • Remove space at the beginning and the end of emails when authorizing messages.
  • Ensure unconfirmed users gets deleted by delete inactive users function.
  • Fixes an issue where in rare occations the file assembly process could start for a file already being assembled.
  • Use the too many requests HTTP status code instead of forbidden when returning a brute force response using the API.
  • Ensure users in group that requires Strong Authentication are forced to use Strong Authentication when using SAML authentication.
  • Improved handling of the sms authentication sending process.
  • Security: Improved maintenance cleanup cleanup functions.
  • Security: Improved input validation for uploaded attachments.
  • Security: Improved file and folder permission validation when the system boots.
  • Security: Improved escaping of potentially dangerous characters when generating CSV files.

Version 3.6.10 (released 2022-06-16)

  • Fixes an issue where Temporary Users couldn't login on the front page.
  • Fixes an issue where SAML autologin networks could cause a redirect loop.

Version 3.6.9 (released 2022-06-02)

  • Fixes an issue where setting a users max upload to zero (0) to remove the upload limitation wasn't applied properly.
  • Fixes an issue where the user sometimes wasn't returned to the correct page after SAML authentication.
  • Fixes for saml autologin networks that wasn't applied in all places it should.
  • Fixes an issue where the FileLink list page wasn't viewable if the license had expired.
  • Fixes an issue with the Activity and System Log export visible wasn't sorting properly and didn't select the correct entries beyond the initial page.
  • Fixes an issue where if a user that was authenticated with LDAP and had their group locked, the group locking wasn't applied when applying saml group authentication required.
  • Fixes an issue where Filedrops could not be created using the API with the owner attribute set.
  • When deleting or restoring folders, ensure descendant files and folders are marked as deleted or not deleted respectively.
  • Added a function to disable SSO Secret key authentication (and make that the default for new installations).
  • Fixes an issue where entering a very large page number for paginated functions would cause a 500 error.
  • Security: Fixed an issue where some admin pages could be accessed by admins with lesser privileges than required.
  • Security: Updated Ruby on Rails and libraries with later versions.
  • Internal fixes.

Version 3.6.8 (released 2022-04-07)

  • Security: Fixes an issue with FileLinks where a user could update attributes on someone elses FileLink using special crafted requests.
  • Additional localization of error messages.
  • Fixed an issue where message authorization error notifications wasn't displayed properly.
  • Better description of Shares in Admin → Shares.
  • Fix User Filedrop submits for users with apostrophies in their email addresses.
  • Ensure phone numbers are only stored with numeric characters (i.e. strip any leading plus and parantheses).
  • Updated libraries including Rails, Puma and Nokogiri with security fixes.

Version 3.6.7 (released 2022-02-07)

  • Fixed an issue where sometimes in Filedrops and File Requests, only only one file would be sent. This is an issue that was present in v3.6.5 and v3.6.6 and these releases have been removed.
  • Fixed an issue where AV information wasn't displayed properly in the Message Compose window if an attachment was blocked.
  • Fixed an issue where the Email Relay Password would be removed when the configuration was saved without it. Updated the Email Relay Configuration to be more robust.
  • Display Detected Time Zone and Locale/Language in the User → Account page making it clearer what's being detected and why each setting has been set.
  • Updated Branding settings for the simple footer and header settings.

Version 3.6.6 (released 2022-01-31)

  • Accessability and HTML compliance fixes.
  • Updated the JavaScript Timezone detection library.
  • Fix for a bug in Firefox that doesn't display select dropdown fields properly.
  • Updating LiquidFiles will also update the underlying system. Installing this update will ensure you have installed a fix for CVE 2021-4034 (PwnKit).

Version 3.6.5 (released 2022-01-19)

  • Added SAML redirect autologin and group require authentication fixes when authenticating with Secure Message, FileLink and Filedrops.
  • When license code wasn't found on the LiquidFiles license server, the error was reported as a connection error.
  • Added has_email_logo to the default email layout template to only show the email footer logo if one exists.
  • Fixed a couple of issues with the Getting Started pages which would sometimes report issues with Local Domains, the Email Relay configuration didn't have the correct default setting and the create admin didn't show the correct error when the dictionary validation failed.
  • There's a bug in Firefox that sometimes garbles hidden form fields. Added a rudimentary fix for this that should make Firefox work better when administrating LiquidFiles.
  • When managing users with autoassigned groups, the strong authentication additional settings (like the phone number for SMS authentication) wasn't visible on default.
  • Accessibility Tweaks.
  • Fixed an issue where the User Admin API didn't permit only change the group belonging.
  • Don't validate recipients on User Filedrops and File Request responses. Fixes an issue when blocked domains was configured which would sometimes block File Requests and User Filedrops from being sent.
  • Cleaned up cookie alert and fix so that cookies can be accepted from any page.
  • Only permit one upload using the drop function in FileLinks.
  • Add resend button to File Request index page.
  • Fixed CSP migration translating commas to spaces when migrating from versions before v3.6.
  • Fixed an issue in FTPdrops and FTPdirs that wouldn't send the correct certificate chain for FTPs connections.
  • Added backup custom port configuration.
  • Internal fixes and updated libraries.

Version 3.6.4 (released 2021-11-16)

  • Security: Additional fix for the privilege escalation issue fixed in v3.6.3.
  • Added ability to limit Secure Message Recipients to specific LiquidFiles groups.
  • Added logging of users trying to send to recipients they are not permitted to send to.
  • Fixed an issue where an attachment larger than the FileLink max file size wasn't detected before the upload started.
  • Fixed an issue where unencrypted FTP couldn't be disabled.
  • Updated watchdog to process unprocessed attachments.
  • UI fixes to the User Edit page, displaying the users full Filedrop URL.

Version 3.6.3 (released 2021-11-09)

  • Security: Fixed a privilege escalation issue where User Admins and Admins could elevate their privileges to Sysadmins.
  • Reworked External User Message Recipient Limitation configuration, make the setting more obvious to limit recipients to Local Users only, Local Domains only or Unrestricted.
  • When setting Message Recipients to Local Users Only, lookup potential recipients in LDAP.
  • Improved the responsive interface for smaller devices (phones), making the editor smaller on default.
  • Improved background processing, launching fewer background jobs. This could sometimes cause issues on busy/high load systems.
  • Fixed an issue where Filedrops with private message settings couldn't send without attachments.
  • The body locale class was not added unless logged in.
  • Improved the branding html sanitize function to permit more html tags and attributes.
  • Fixed an issue where replies to Message replies would have the incorrect recipient.
  • Fixed viewing PDF's inline in Shares.
  • Fixed an issue where external_user_token in email templates wasn't set correctly.
  • Fixed add existing files in Message replies.
  • Fixed an issue setting timezone on cloud platforms.
  • Fixed doubleclick on resend validation email.
  • Fixed an issue where it was possible to set the FileLink expiration past the max expiration date.

Version 3.6.2 (released 2021-10-18)

  • Fixed admin navbar expand in small views.
  • Internal update to the Locale Editor, making it more robust.
  • Added html santizing of locale input that accepts html
  • Fixed the view on map link in FileLink read receipt emails.
  • Add Local Domains if not present after moving from an onlder system.
  • Ensure actionscript output with non-UTF8 characters won't crash the actionscript.
  • Added localized messages for invalid parameters message.
  • Fixed matching permitted extensions with mixed case.
  • Added LiquidFiles v3.6 update video.

Version 3.6.1 (released 2021-09-24)

  • Santize HTML Branding Inputs.
  • Fixed alignment of the menubar and home page branding with some branding options.
  • Fixed CSR generation of public hostnames with ports.
  • Fixed an issue in v3.6.0 accessing the System → Console page.
  • Fixed an issue in v3.6.0 that didn't show the password validation for user Account settings.
  • Added IMCP timestamp and redirect blocks in the builtin firewall.
  • Added `ft restart` command to restart the LiquidFiles web application.

Version 3.6.0 (released 2021-09-15)

  • Initial v3.6.0 release.

Video Highlights

A video outlining the changes is available here:

Incompatibilities and Warnings

These are a few things you need to be aware of when updating to LiquidFiles v3.6.

Internet Explorer No Longer Supported

LiquidFiles v3.6 has switched User Interface Library from Bootstrap v3.x to Bootstrap v5. Bootstrap v5 is no longer compatible with Internet Explorer (any version) and Microsoft Edge Legacy (< v79).

If support for Internet Explorer or Micrsoft Edge Legacy is a requirement for you, please don't upgrade from LiquidFiles v3.5.

License Restriction Enforcement Change

Starting with LiquidFiles v3.6, there's now an additional setting: Local Domains in Admin → Configuration → Settings. Local Domains contain your Local Domains (,, ...). Your Local Users are the ones in your Local Domains and External Users are those outside of your Local Domains. You can't have External Users in Local Domains or Local Users outside of Local Domains. Please see the Local vs External Users documentation for more information.

Please note that there's no change in the License Requirements. LiquidFiles requires that all you have licenses to cover your Local Users. This is the same in LiquidFiles v3.6 as it was before. The only thing that's changed is that there's now stricter validation that your Local Users are configured as Local Users.

Custom Branding, StyleSheets and JavaScript overrides

With the changes from Bootstrap 3 to Bootstrap 5 in LiquidFiles v3.6, it will likely affect Custom StyleSheets and JavaScript you've created. A lot of underlying classes in the HTML has been rewritten to match Bootstrap 5 classes. Depending on what changes you've made, you may need to do some tweaks, or you may need to rewrite large portions of it. If you've made substantial changes, please make sure to test your custom branding on a test/dev system running LiquidFiles v3.6.x before updating your production system.

Also, please note that with the default new Content Security Policy, it's no longer permitted to have inline styles in html or to make style changes in JavaScript. So if you have a home page branding with something like: <h1 style="font-size: 200px;"> or a JavaScript override like: $('h1').css('font-size', '200px');, this is no longer permitted (style in html or css in JavaScript). Any inline styles will either have to be moved to the StyleSheet override or alternatively, you can add 'unsafe-inline' (with the single quotation marks) in the Style Src setting in Admin → Configuration → Settings, in the CSP tab.

Content-Security-Policy Changes

In LiquidFiles v3.5 and earlier, there was a single Content Security Policy configuration that was added to all CSP statements. In v3.6 it's possible to configure a flexible CSP policy. If you had anything previously configured, this has now been added to the style-src, script-src, img-src and frame-src. You most likely don't need all of those so please verify the Content Security Policy and adjust to what you actually need (remove the host from style-src, img-src and frame-src if you're loading an external JavaScript for instance).