What's New in ProjectSend r2002

A stability-focused release with a critical security patch, storage calculation fixes, improved template rendering, and PHP 8.2 compatibility improvements

Security

A critical path traversal (directory traversal) vulnerability in import-orphans.php has been patched.

Fix Path Traversal Vulnerability in import-orphans.php (#994)
Filenames are now sanitized with basename() before file paths are constructed, in both the import and delete actions. This prevents directory traversal attacks via crafted files[] POST values.
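
The basename() sanitization described above, sketched as an added example (not ProjectSend's own code). The function names, demo directory and posted values are hypothetical, and the realpath() containment check is an extra defensive step beyond what the release note states.

```php
<?php
declare(strict_types=1);
// Added illustration, not ProjectSend's code; all names here are hypothetical.

/** "Before" pattern: the posted files[] value is concatenated as-is. */
function orphan_path_unsafe(string $uploadDir, string $posted): string
{
    return $uploadDir . DIRECTORY_SEPARATOR . $posted;
}

/**
 * "After" pattern: keep only the last path component with basename(), then
 * confirm the resolved file sits directly inside the upload directory.
 * Returns null when the value must be rejected.
 */
function orphan_path_safe(string $uploadDir, string $posted): ?string
{
    // On non-Windows hosts basename() splits on "/" only, so normalise "\" first.
    $name = basename(str_replace('\\', '/', $posted));
    if ($name === '' || $name === '.' || $name === '..' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks, so a link pointing outside the directory fails here.
    if ($base === false || $full === false || dirname($full) !== $base || !is_file($full)) {
        return null;
    }
    return $full;
}

// Constructed demo: a throwaway directory holding one legitimate orphan file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'orphans_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'demo');

// Constructed files[] values: one legitimate name, the rest must not be trusted.
$posted = ['report.pdf', '../outside.txt', 'sub/../../outside.txt', '..', 'missing.bin'];
foreach ($posted as $value) {
    $safe = orphan_path_safe($dir, $value);
    printf("%-22s unsafe=%s\n%-22s safe=%s\n", $value, orphan_path_unsafe($dir, $value), '', $safe ?? 'REJECTED');
}

unlink($dir . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($dir);
```

Only report.pdf resolves to a path. Every other value is rejected, either because basename() reduces it to a name that does not exist in the directory or because the name is empty, "." or "..".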

Bug Fixes

Key fixes addressing storage calculations, build tooling, template rendering, and PHP 8.2 compatibility issues reported by the community.

Fix Dashboard Storage Usage Calculation with Lightweight Migration
The original file size migration instantiated full Files objects per row, triggering heavy DB queries that ran into PHP memory/time limits. Added a lightweight migration and a "Recalculate Storage" button on the dashboard. Fixes #1533
Fix Gulp 5 Corrupting Binary Font Files During Build
Gulp 5 changed gulp.src() to default to UTF-8 encoding, corrupting fonts. Added { encoding: false } for binary streams. Fixes #1531
Fix HTML Output of File Descriptions in Templates
File descriptions with CKEditor formatting showed raw HTML tags instead of rendered content. Fixed across all templates. Fixes #1528
Fix PHP 8.2 Deprecated Dynamic Property Warnings in CustomAsset
Resolved deprecated dynamic property warnings triggered on PHP 8.2 in the CustomAsset class
Fix Bullets Alignment in Public Download Descriptions
Corrected the alignment of bullet points in public download file descriptions

Improvements

Code quality and architecture improvements for better maintainability.

Refactor Timezone Select to Separate Data from Presentation
Rewrote timezones.php to use standard form system with optgroup support

Maintenance

Ongoing maintenance to keep ProjectSend up to date.

Translation Strings Updates
Updated translation files with the latest strings
