LiquidFiles Documentation

Release Notes Version 4.3.x

Major changes from version 4.2 to version 4.3

  • The Admin Dashboard has been redesigned and the System Status page has been significantly expanded with comprehensive network diagnostics. New checks include outgoing HTTPS connectivity to LiquidFiles services, Ubuntu repositories, ClamAV mirror reachability, DNS server responsiveness, LDAP server connectivity and authentication, mail queue status, and a configurable TCP packet quality test. All checks run asynchronously with clear pass/fail indicators and troubleshooting guidance.
  • Added support for Microsoft Office 365 as an email relay using OAuth2 authentication (Device Code Flow). This replaces the need for basic SMTP credentials, which Microsoft has been deprecating. Administrators configure their Microsoft Entra tenant ID and Client ID, then complete a guided authorization flow.
  • Comprehensive accessibility overhaul to meet WCAG Level A and AA compliance. Includes skip navigation links, semantic HTML elements, keyboard-accessible tooltips and popovers, screen reader support with ARIA attributes, proper form labels, table header scoping, image alt text, and correct heading hierarchy.
  • Added session timeout warning with a countdown popup that lets users extend their session or re-authenticate with their password, TOTP code, or SMS token after expiry without losing their work.
  • Added secondary admin re-authentication. Administrators are now required to re-authenticate before accessing /admin and /system pages, providing defense-in-depth against session hijacking. Supports password, SAML email verification, and strong authentication (TOTP, SMS, Duo). Includes a configurable session timeout with an expiry warning modal. API access is not affected.
  • Restructured locale system now ships with 20 pre-translated languages. New sticky search/filter bar in the locale editor for quickly finding translation keys. Locale key remapping automatically migrates existing customizations when keys are reorganized.
  • Added configurable filename sanitizer to protect against malicious or problematic filenames. Applies multiple layers of protection including stripping invalid UTF-8 bytes, recursive percent-encoding decode, HTML entity decoding, and tag stripping. The sanitization pattern is configurable with regex validation and ReDoS protection.
  • Security: Added Cross-Origin-Resource-Policy (CORP), Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) headers to all responses for cross-origin isolation. Added X-DNS-Prefetch-Control header to prevent DNS prefetching leakage. Added Clear-Site-Data header on logout to ensure complete cookie cleanup. Added Retry-After and X-RateLimit headers on brute force protection responses. Removed the legacy X-Frame-Options header for Outlook responses where it conflicted with the CSP frame-ancestors policy. See Frequent Responses after Security Reviews for details.
  • Security: SSO signature verification now uses constant-time comparison to prevent timing attacks.
  • Added Certificate API for managing SSL/TLS certificates programmatically. Enables external certificate automation tools (certbot, Venafi, internal PKI, etc.) to view and upload certificates via the REST API using a Sysadmin API key.
  • Added Bearer Token authentication as the preferred API authentication method. API clients can now use Authorization: Bearer <api_key> instead of HTTP Basic Auth. Both static and expiring API keys are supported. HTTP Basic Auth remains available for backward compatibility.
  • API clients now receive JSON-formatted error responses from nginx error pages instead of HTML, covering maintenance pages and HTTP errors 400, 403, 404, 405, 422, 429 and 500.
  • Added curve25519-sha256@libssh.org key exchange to SFTP defaults.
  • Fixed Outlook add-in authentication on browsers that block third-party cookies. Previously, the Outlook add-in set its authentication cookie inside a dialog window, which modern browsers (Safari, Firefox, and Chromium-based browsers with strict cookie policies) would silently discard as a third-party cookie — preventing users from logging in. Authentication now uses a secure one-time code handoff: after the user logs in via the dialog, a short-lived single-use code is passed back to the Outlook task pane, which exchanges it for an authentication cookie in its own browsing context. This ensures the cookie is always set as a first-party cookie, making login work reliably across all browsers. The exchange codes expire after 2 minutes and include brute-force protection.
  • FileLinks have been completely modernised. A single FileLink can now share multiple files under one URL, with files added or removed without changing the link or losing the download log. New recipient-facing experiences include an image gallery with fullscreen lightbox, in-browser video playback, an inline PDF viewer, and a choice of view modes (table, list, gallery, or single-file). Owners can set a memorable custom URL, send an email invite directly from the FileLink, customise the page header and footer, enable direct (hot-link) URLs for embedding, and download all files as a single zip. Views are now tracked separately from downloads. Each capability is governed by its own per-group permission.
  • Updated internal components, such as Ruby and libraries, to later versions.
Also, please see the Incompatibilities and Warnings section below before updating from LiquidFiles v4.2 and earlier.
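
The layers named in the filename sanitizer item above, composed in order, as an added Python example; this is not LiquidFiles code. The default pattern, the decode-round cap, the final-path-component step and the nested-quantifier check (a simple heuristic, not a complete ReDoS detector) are assumptions.

```python
import html
import re
import urllib.parse

MAX_DECODE_ROUNDS = 5            # assumption: cap on recursive percent-decoding
DEFAULT_PATTERN = r"[^\w.\- ]"   # assumption: characters replaced with "_"
TAG_RE = re.compile(r"<[^>]*>")
# Heuristic only: a quantified group that itself contains + or *, e.g. (a+)+
NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*][^()]*\)[+*{]")


def validate_pattern(pattern: str) -> re.Pattern:
    """Compile an admin-supplied pattern, rejecting invalid or risky ones."""
    if len(pattern) > 200 or NESTED_QUANTIFIER.search(pattern):
        raise ValueError("pattern rejected: too long or nested quantifier")
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex: {exc}") from exc


def sanitize_filename(raw: bytes, pattern: str = DEFAULT_PATTERN) -> str:
    compiled = validate_pattern(pattern)
    # Layer 1: drop bytes that are not valid UTF-8.
    name = raw.decode("utf-8", errors="ignore")
    # Layer 2: percent-decode until stable, so %252e%252e becomes "..".
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = urllib.parse.unquote(name, errors="ignore")
        if decoded == name:
            break
        name = decoded
    # Layer 3: decode HTML entities; layer 4: strip the tags that exposes.
    name = TAG_RE.sub("", html.unescape(name))
    # Assumption: keep only the final path component before pattern matching.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Configured pattern: replace every match, then trim dots and spaces.
    name = compiled.sub("_", name).strip(". ")
    return name or "unnamed"
```

Decoding before matching is what makes the pattern effective: a single-pass decoder would leave `%2e%2e%2f` in the double-encoded name for a later layer to decode.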

Version 4.3 Beta 3 (4.2.53) (released 2026-05-29)

Including all fixes from v4.2.10 plus:

  • FileLink modernisation: multi-file FileLinks, custom URLs, image gallery with lightbox, in-browser video and PDF viewing, view modes, direct (hot-link) URLs, view tracking, customisable header/footer, "Download all (zip)", and a "Send Email Invite" option. See the major changes above for details.
  • Sender aliases can now be used on File Requests. Users with sender aliases see a "Send As" dropdown on the New File Request form, and the chosen alias drives the From, Reply-To and Return-Path of the outgoing email and the destination of the response.
  • When sending with files that fail local validation (blocked or unpermitted extension, size limit, or duplicate filename), the uploader now lists the invalid files in a modal and lets you edit them or send the valid files only, instead of silently dropping them.
  • Clarified the admin re-authentication page wording (it asks for your normal account password). Admin re-authentication is now opt-in for existing installs rather than being silently enabled on upgrade; enable it under Configuration → Settings → Admin Session Timeout.
  • The webserver access log in Admin → System Log now records the real client IP (X-Forwarded-For) when LiquidFiles is deployed behind a reverse proxy.
  • Fixed a race condition that could create duplicate folders when several files in the same subfolder were uploaded to a Share simultaneously.
  • Fixed Solid Queue orphaned and failed jobs inflating the job queue counter, and added a timeout to ClamAV scans of Share uploads so an unresponsive scanner no longer stalls new uploads.
  • Fixed standard SMTP relays incorrectly selecting the XOAUTH2 authentication mechanism when sasl-xoauth2 is installed (e.g. Office 365 hosts using basic username/password relay).
  • Faster worker startup: locale checksums are now computed in-process instead of spawning thousands of subprocesses, which could push boot time past the timeout on smaller instances.
  • Replaced shell-based DNS lookups with Ruby-native resolution.

Version 4.3 Beta 2 (4.2.52) (released 2026-05-01)

Including all fixes from v4.2.9 plus:

  • Admin authentication now uses LDAP when the sysadmin authenticates via LDAP.
  • Fixed static routes being overwritten and delete not working on multi-NIC VMs.
  • FileLink expiration now respects group default setting.
  • Added curve25519-sha256@libssh.org key exchange to SFTP defaults.
  • Limited journald log size to prevent disk exhaustion.

Version 4.3 Beta 1 (4.2.51) (released 2026-04-13)

Including all fixes from v4.2.9 plus:

  • Initial Release of v4.3 Beta.

Incompatibilities and Warnings

These are a few things you need to be aware of when updating to LiquidFiles v4.3.

API Changes

Bearer Token authentication (Authorization: Bearer <api_key>) is now the preferred method for API authentication. HTTP Basic Auth continues to work but is deprecated and will be removed no earlier than April 2027. We recommend updating your API clients to use Bearer Token authentication. See the API Authentication documentation for details.

API clients sending Accept: application/json will now receive JSON-formatted error responses ([{"error": "..."}]) from nginx error pages instead of HTML. This includes maintenance pages and HTTP errors 400, 403, 404, 405, 422, 429 and 500.
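
A client-side example of the two API changes above, added here and not taken from the LiquidFiles documentation: it builds the Bearer and Accept headers, then parses an error response in the `[{"error": "..."}]` shape while still coping with an HTML error page. The function names are hypothetical and the sample responses in the usage are constructed; `Retry-After` is read as a number of seconds.

```python
import json
from dataclasses import dataclass
from typing import Optional


def request_headers(api_key: str) -> dict:
    """Headers for the preferred v4.3 scheme; Accept opts in to JSON errors."""
    if not api_key or any(c in api_key for c in "\r\n"):
        raise ValueError("API key is empty or contains line breaks")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


@dataclass
class ApiError:
    status: int
    messages: list
    retry_after: Optional[int] = None  # seconds, from the Retry-After header


def parse_error(status: int, headers: dict, body: str) -> ApiError:
    """Turn an error response into an ApiError; malformed bodies never raise."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    messages = []
    if "json" in hdrs.get("content-type", ""):
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            payload = None
        # Documented shape: a list of objects, each carrying an "error" key.
        if isinstance(payload, list):
            messages = [str(item["error"]) for item in payload
                        if isinstance(item, dict) and "error" in item]
    if not messages:
        # HTML page (no Accept header, or an older release): do not echo markup.
        messages = [f"HTTP {status} (non-JSON error body)"]
    retry = hdrs.get("retry-after", "")
    return ApiError(status, messages, int(retry) if retry.isdigit() else None)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    print(parse_error(429, {"Content-Type": "application/json", "Retry-After": "30"},
                      '[{"error": "Too many requests"}]'))
    print(parse_error(404, {"Content-Type": "text/html"}, "<html>Not Found</html>"))
```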