From 2a9e952b38e03a96bf40c9eb6e8e22199865ee3b Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood
Date: Tue, 14 Apr 2026 17:08:55 +0100
Subject: [PATCH] operations: add AuthRequired to operations/fsinfo to prevent backend creation CVE-2026-41179

The operations/fsinfo RC endpoint was registered without AuthRequired, allowing unauthenticated callers to instantiate arbitrary backends via inline backend definitions. See GHSA-jfwf-28xr-xw6q
---
 fs/operations/rc.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/operations/rc.go b/fs/operations/rc.go
index ce92a0024..cb2eb4fe4 100644
--- a/fs/operations/rc.go
+++ b/fs/operations/rc.go
@@ -430,9 +430,10 @@ func rcPublicLink(ctx context.Context, in rc.Params) (out rc.Params, err error)
 func init() {
 rc.Add(rc.Call{
- Path: "operations/fsinfo",
- Fn: rcFsInfo,
- Title: "Return information about the remote",
+ Path: "operations/fsinfo",
+ AuthRequired: true,
+ Fn: rcFsInfo,
+ Title: "Return information about the remote",
 Help: `This takes the following parameters: - fs - a remote name string e.g. "drive:"
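Review bot: The reason `AuthRequired: true` is needed on `operations/fsinfo` is recorded only in the commit message, so nothing at the registration site stops a later refactor from dropping the field. A one-line comment above it would keep the rationale with the code, e.g. `// fs may be an inline backend definition, so this call must not be reachable without auth`. The diffstat shows only rc.go changed; a small test that looks the call up in the rc registry and fails when `AuthRequired` is false would pin the fix. Other calls registered in this file that take an `fs` parameter are not visible here and presumably deserve the same check. The `rc.Add` call and the body of `init` continue past the end of the hunk.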