SFTPPlus Release 3.34.0

Mon 28 May 2018 | security release

We are pleased to announce the latest release of SFTPPlus version 3.34.0.

A number of changes have been made in regards to how permissions are set in SFTPPlus.

If you are planning to upgrade your existing installation and you have custom permissions for SFTPPlus accounts and / or groups, we encourage you to read the changes below as it may affect your configuration.

New Features

  • You can now set up an UNC path or a symbolic link to Windows Shares as home folder for an account. [#4635]
  • The HTTP/HTTPS file transfer service and the Local Manager service now provide the option to configure a set of headers which are sent for all responses. You can use this to set the Strict-Transport-Security header or the use a custom Server header in an attempt to conceal the identity of the server. [security] [#4784]
  • The LDAP authentication method can now connect to LDAP servers using IPv6 address literals. [server-side] [#4824-1]
  • It is now possible to dynamically associate LDAP accounts to SFTPPlus groups based on arbitrary LDAP entry attributes. This is designed to augment the LDAP configuration without requiring any updates to the LDAP database. [server-side] [#4824]
  • We now provide limited support for running SFTPPlus on legacy Windows 2003 Servers. For more details, check the known issues section in our documentation. [#4896]
  • Ubuntu 18.04 LTS on X86_64 is now a supported platform. [#4912]
  • A new permission, allow-traverse, was added to allow viewing only the folder structure without any files. In this way, accounts can traverse the folder hierarchy without seeing what files are already there. [#4931]
  • A new permission allow-list was added to allow configuration of only the folder/directory listing operations. This has no effect for the SCP protocol, as the protocol itself does not support the folder listing operation. [#4932]
  • A new permission allow-rename was added to allow configuration of only the rename operations available in the SFTP and FTP/FTPS file transfer servers. [#4933]
  • The Ban IP for a time interval authentication method is now enabled by default in new installations. [#4934]

Defect Fixes

  • The HTTP/HTTPS file transfer service and the Local Manager service now advertise a set of HTTP headers to mitigate CSRF and XSS attacks. [security] [#4930]
  • The low-level JSON-RPC used by the Local Manager service now explicitly informs the web browser not to cache its POST responses. In the previous version, only GET requests were instructing the web browser not to cache the response. [security] [#4937]
  • The LDAP authentication method no longer accepts credentials with empty passwords. [server-side][security] [#4939-1]
  • When receiving a request which is authenticated via SSH key or SSL/X.509 certificates, the LDAP authentication method now emits a message informing that only password credentials are supported. [server-side] [#4939]

Deprecations and Removals

  • The allow-read permission will no longer allow listing the content of a folder. If you want to allow folder listing, you will need to update the configuration and add the new explicit allow-list permission. [#4932-1]
  • The error message returned when denying a folder listing operation was changed to include allow-list instead of the previous allow-read details. [#4932]
  • The error message returned when denying a rename operation was changed to include allow-rename instead of the previous allow-full-control details. [#4933]

You can check the full release notes here.