Commit Graph

9841 Commits

Author SHA1 Message Date
Nick Craig-Wood
fee55edd15 build: update golang.org/x/image to v0.43.0 to fix image decoding vulnerabilities
govulncheck reported four vulnerabilities in golang.org/x/image v0.41.0,
all reachable via the internxt backend's thumbnail/image upload path:

- CVE-2026-46604 (GO-2026-5066): panic decoding a TIFF image with an
  out-of-bounds strip offset
- CVE-2026-46602 (GO-2026-5062): unbounded memory use from lack of a
  limit on TIFF tile sizes
- CVE-2026-46601 (GO-2026-5061): panic on a WEBP VP8 alpha channel size
  mismatch
- CVE-2026-33813 (GO-2026-4961): panic decoding a large WEBP image on
  32-bit platforms

Updating to v0.43.0 fixes all four.
2026-06-30 10:56:49 +01:00
Nick Craig-Wood
fb482756b5 Add Jan Schlien to contributors 2026-06-30 10:56:49 +01:00
Nick Craig-Wood
a7fb2367c4 Add happysnaker to contributors 2026-06-30 10:56:49 +01:00
Nick Craig-Wood
4274d8ec64 Add Bryan Stenson to contributors 2026-06-30 10:56:49 +01:00
Nick Craig-Wood
e72d4a1609 Add max to contributors 2026-06-30 10:56:49 +01:00
Nick Craig-Wood
4d07ba57e3 Add lewoberst to contributors 2026-06-30 10:56:49 +01:00
happysnaker
8ac978c269 docs: clarify copyto command description - Fixes #9527 2026-06-29 18:19:49 +01:00
Bryan Stenson
6bbc28cf02 docs: fix typo in remote setup docs 2026-06-28 23:53:05 +02:00
max
445528a3fb serve s3: fix spurious 404 on HEAD/GET during VFS writeback - fixes #8188
After an upload (notably multipart) to a slow backing remote, the file
lives in the VFS and is returned by ListBucket, but node.DirEntry() stays
nil until the --vfs-write-back writeback completes. HeadObject and
GetObject returned gofakes3.KeyNotFound while it was nil, so a HEAD/GET in
that window 404'd even though the object existed.

getFileHashByte already falls back to hashing the VFS cache when the
backing object isn't available yet. Drop the early nil return, pass the
node (not the fs.Object) to getFileHashByte, and take the Content-Type
from fs.MimeTypeFromName when the backing object isn't there yet.
2026-06-26 18:38:04 +01:00
lewoberst
c1df24f142 * s3: fix error mapping in GetObject to match HeadObject
The HeadObject path translates a 404 (Not Found) and a 405 (Method Not
Allowed) response into fs.ErrorObjectNotFound, but the GetObject path
returns the raw AWS SDK error instead. With --s3-no-head-object set,
Object.Open() is the first request to hit the source for a GET
operation, so callers that rely on fs.ErrorObjectNotFound see an
opaque "operation error S3: GetObject, ... StatusCode: 404" string
when --s3-no-head-object is set.

Mirror the error handling of HeadObject. The 405 (Method Not Allowed)
case applies to GetObject for the same reason it applies to
HeadObject: A request that specifies the versionId of a delete marker
returns 405 instead of 404 (commit 8470bdf810, AWS S3 delete-marker
docs).

Co-authored-by: Jan Schlien <rclone-github@jan-o-sch.net>
2026-06-26 18:37:02 +01:00
Gaurav
19e7562fbe dropbox: add --dropbox-skip-shared-folders and --dropbox-skip-unowned-folders
This adds two new Dropbox backend flags:

--dropbox-skip-shared-folders skips all shared folder mount points
regardless of ownership.

--dropbox-skip-unowned-folders only skips shared folders that are
not owned by the current user.

These help avoid backing up the same shared folder multiple times when
backing up multiple Dropbox accounts.

Fixes #9514
2026-06-25 11:54:14 +01:00
Nick Craig-Wood
9ab8e4724a filter: fix --files-from copy stopping at the first unreadable file
Before this change, with --files-from and --no-traverse, a single file
that could not be read (for example permission denied) stopped all the
other files in the list being copied.

This happened because the error was returned from the listing, which
caused the whole source listing to be discarded.

This change counts and logs such per-file errors and carries on, so the
readable files are still copied and rclone exits with a non-zero error
code.

Fixes #9115
2026-06-25 10:21:07 +01:00
Nick Craig-Wood
6338aba55a Add yashanil98 to contributors 2026-06-25 10:21:02 +01:00
yashanil98
c7c6646ea3 config: fix root-relative markdown links in interactive config help - fixes #8239
Option help strings are also used to generate the website documentation,
so some contain markdown links with root-relative targets such as
[encoding section in the overview](/overview/#encoding). These render
correctly on rclone.org but are confusing in the interactive config
prompt, where the user sees the raw markdown and the link has no
reachable root.

Rewrite such links to text (https://rclone.org/path) when showing an
option's help in the interactive config. The raw help is left unchanged
so documentation generation is unaffected.
2026-06-25 10:20:14 +01:00
Nick Craig-Wood
d1e85a7d9c github: add CODEOWNERS for per-area review routing
Add a .github/CODEOWNERS file mapping backends and core subsystems to
their maintainers so GitHub auto-requests reviews. Move the per-area
responsibility mapping out of MAINTAINERS.md into CODEOWNERS, leaving
MAINTAINERS.md as the maintainer list with a pointer to CODEOWNERS.
2026-06-22 15:18:26 +01:00
Nick Craig-Wood
89c745c0aa docs: Fix RELEASE.md 2026-06-22 15:18:26 +01:00
Nick Craig-Wood
d204b29cce ncdu: fix duplicated keystrokes on Windows by pinning tcell to v2.9.0
Since v1.74.0, ncdu doubled every keystroke on Windows: pressing Enter
entered a directory and immediately descended a level deeper, "n" sorted
by name and then reversed the order, and so on. Arrow keys were
unaffected.

The cause is an upstream regression in github.com/gdamore/tcell/v2
pulled in by the v2.9.0 -> v2.13.8 bump in commit 23917555. The same
regression affects lazygit and micro.

There is no fixed tcell release, so pin tcell back to v2.9.0, the last
version before that commit, until the input handling is fixed upstream.

See: https://github.com/gdamore/tcell/issues/1124
See: https://github.com/jesseduffield/lazygit/issues/5344
Fixes #9539
2026-06-22 12:16:27 +01:00
Nick Craig-Wood
99da9d36b9 gui: update embedded release to 1.1.10 2026-06-22 12:04:29 +01:00
Nick Craig-Wood
86d5d8b462 Add Yash Anil to contributors 2026-06-22 12:04:12 +01:00
Yash Anil
59c86b01bb completion: fix powershell completion corrupting non-ASCII names - fixes #9412
The Cobra generated PowerShell completion script captures rclone's output
through a pipeline with Invoke-Expression. PowerShell decodes that output
using [Console]::OutputEncoding, which on non-UTF-8 hosts (for example
PowerShell 5.1 on a Windows install with an OEM code page such as CP852)
misinterprets the UTF-8 bytes rclone emits and corrupts remote and path
names containing non-ASCII characters, so tab completion produces a path
that does not exist.

Inject "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8" into the
generated script immediately before the Invoke-Expression call. This is safe
on PowerShell 7+, where UTF-8 is already the default. If the expected line is
not present (for example after a Cobra template change) the script is emitted
unmodified so we never produce a corrupted completion script.
2026-06-18 13:28:23 +01:00
Nick Craig-Wood
3732e010e2 github: modernise issue and pull request templates
Convert the bug report and feature request templates to GitHub issue forms.

Rewrite the pull request template to require that non-trivial changes are
discussed in an issue first, and to spell out that backend changes need a
clean test_all run and a test account for the integration tester before
they can be merged. Document the latter requirement in CONTRIBUTING.md.

Remove the legacy ISSUE_TEMPLATE.md which is superseded by the forms.
2026-06-18 13:22:19 +01:00
Nick Craig-Wood
34176fb294 Add Yuhang Cao to contributors 2026-06-18 13:22:19 +01:00
Castronaut
056f20800a docs/crypt: fix encrypted size example - Fixes #9202 2026-06-15 12:49:36 +01:00
Yuhang Cao
710514afb3 fs/hash: fix xxh128 hasher size 2026-06-15 08:14:03 +02:00
Nick Craig-Wood
16091ce365 fshttp: add --dump trace to log connection level events via httptrace
The new "trace" dump flag attaches a net/http/httptrace ClientTrace to
each HTTP transaction and logs the connection level events - DNS
resolution, TCP connect, TLS handshake (including the negotiated TLS
version, cipher, ALPN protocol and server certificate), connection
reuse, request write and time to first response byte. Each line is
tagged with the time elapsed since the start of the transaction and the
request pointer so it can be correlated with the other dumps.

This is complementary to the existing dump flags: it shows how the
connection behaved rather than what was sent, which is useful for
debugging connectivity, DNS, TLS, proxy and keep-alive problems.
2026-06-11 21:29:45 +01:00
Nick Craig-Wood
875a666f9c fshttp: add --dump errors to dump only failed HTTP transactions - fixes #9471
The new "errors" dump flag makes the HTTP dump conditional on the
transaction failing with a retryable error (a transport error, HTTP 429
or HTTP 5xx), so first-failure diagnostics can be captured without the
noise of dumping every transaction. The existing dump flags continue to
control what is dumped, for example --dump errors,bodies, and on its own
--dump errors dumps the headers.
2026-06-11 21:29:20 +01:00
Nick Craig-Wood
9c9fbebf7f serve s3: skip TestS3Minio when the docker test framework is unavailable
TestS3Minio brings up a minio container via the fstest/testserver
framework, which exec's bash init.d scripts that shell out to docker.
This is not available on all platforms - Windows has no POSIX shell to
run the scripts, and macOS CI runners have no docker daemon - which
caused the build to fail there.

Add testy.SkipUnlessDocker to detect whether the framework can run and
skip the test when it cannot.
2026-06-11 17:13:11 +01:00
Nick Craig-Wood
3d246a2aea serve s3: stream multipart uploads to the backend instead of buffering in memory
Previously serve s3 buffered every part of a multipart upload in memory
(in the gofakes3 S3 library) and concatenated them when the upload
completed, so memory use grew with the size of the upload.

serve s3 now streams the parts, in part-number order, into a single
PutStream upload to the underlying remote, which performs its own upload
with bounded memory. The whole file is never held in memory - memory use
is bounded by the parts in flight. This works for any remote that
supports PutStream (nearly all, including crypt) and for any part size,
so clients that don't produce uniform-sized parts (for example
PostgreSQL backup tools such as pgBarman and pgBackRest) work too.

Parts must arrive in ascending, contiguous part-number order; parts
uploaded out of order are buffered until their turn, and there is no
per-part retry (a failure aborts the whole upload). These trade-offs are
documented.

Passing --disable-multipart-streaming, or using a remote without
PutStream, reverts to buffering the parts in memory (the previous
behaviour); a one-off NOTICE is logged the first time this happens.

Fixes #7453
2026-06-11 12:30:19 +01:00
Nick Craig-Wood
6267d29b86 servetest: add RunWithBackend so serve tests can pick a non-local backing
Run still uses a fresh local directory as the backing Fs that the
server wraps. RunWithBackend takes an extra remote name (e.g.
"TestS3Minio:") and uses a random subdirectory of that remote instead,
starting the matching fstest/testserver/init.d script on the way in
and tearing it down on the way out.

AuthProxy is only run for the local backend.
2026-06-11 12:30:19 +01:00
Nick Craig-Wood
a8c45fd262 docs: drive: note Google verification exemption for personal use apps 2026-06-11 12:30:19 +01:00
Nick Craig-Wood
3286540921 Add Gaurav to contributors 2026-06-11 12:30:19 +01:00
Gaurav
e15ce77c8d dropbox: add support for impersonate_admin - fixes #9497 2026-06-10 11:01:31 +01:00
Nick Craig-Wood
a37d54b11a rc: document that rc API access is equivalent to shell access 2026-06-09 15:29:40 +01:00
Nick Craig-Wood
64e124f4c5 Add Filippo to contributors 2026-06-09 15:29:40 +01:00
Filippo
fa87df9c4d docs: drive: update documentation about "Computers" folder
Added information about an alternative, easier way to access folders inside
"Computers" using rclone. Expanded details about folder behavior in "Computers".
2026-06-09 15:21:47 +01:00
Nick Craig-Wood
df9935d71e serve: fix auth proxy using stale config parameters when making a backend
Before this change, if the user changed their password or public-key
and the auth proxy script returned updated config parameters for the
backend (eg a rotated api_key) rclone would continue to re-use the old
backend with the old config parameters out of the fscache.

This was because both the VFS cache and the fs/cache key were derived
from the user name only, so a change in the user's password or
public-key did not invalidate the cached backend.

Fix this by deriving the cache key from the user plus a hash of the
password/public-key, so a credential change forces a fresh backend.
The hash uses a per-process random HMAC key so the fragment that
appears in logs cannot be brute-forced offline.
2026-06-08 16:10:20 +01:00
Nick Craig-Wood
a8f102ce8f accounting: fix goroutine leak in ResetCounters
ResetCounters unconditionally restarted the average loop, spawning a
ticker goroutine that pinned the StatsInfo even when no loop had been
running before. statsGroups.delete calls ResetCounters on every removed
group, so deleting N stats groups leaked N goroutines and prevented GC
of the underlying StatsInfo objects.

Only restart the loop if it was active before the reset.
2026-06-08 16:10:20 +01:00
Nick Craig-Wood
ae4a054818 docs: fix --windows-event-log-level help 2026-06-08 16:10:20 +01:00
Nick Craig-Wood
4bc5bdab97 Add bright to contributors 2026-06-08 16:10:20 +01:00
Nick Craig-Wood
67f3783215 Add nako-ruru to contributors 2026-06-08 16:10:20 +01:00
Nick Craig-Wood
f14f2ca4cf Add IceLocke to contributors 2026-06-08 16:10:20 +01:00
kingston125
e64480f634 backend/filelu: fix recursive listing path handling and file filtering 2026-06-08 11:54:43 +01:00
Jan-Philipp Reßler
ec97bb4d7f docs: bisync - clarify flag interaction and minor changes
The behavior of the --track-renames and --max-delete flags combination for
bisync has confused me and some other users. So with this PR I added a
paragraph to clarify this.
2026-06-06 12:17:06 +01:00
Leon Brocard
d3530cb317 ncdu/scan: add unit tests for the scan package
Tests cover Dir size/count accounting, AttrI behaviour for files and
directories, error propagation, and Remove correctly updating ancestor
totals up the tree.
2026-06-05 18:13:16 +01:00
Nick Craig-Wood
97aefa49a8 Changelog updates from Version v1.74.3 2026-06-05 17:43:07 +01:00
Nick Craig-Wood
53f972830c rc: stop global.* connection string options changing config CVE-2026-49980
A connection string can carry global.* options which change rclone's
process-wide configuration (e.g. global.http_proxy). This is
undesirable for the rc interface which was designed to have multiple
users or connections at once. The rc interface has the `_config`
mechanism for setting request scoped global config.

This blocks global.* options on all rc paths by marking the context as
a remote control request at the rc boundaries. fs.NewFs then skips
applying global.* to the process-wide config for a marked context.

The marker is reapplied in fs.CopyConfig, which is the call rclone
uses to detach context but keep config.

global.* options still apply to the individual backend they are set
on, exactly like override.* options; they just no longer leak into the
rest of the process. Remotes created directly on the command line are
unaffected as are remotes defined in the config file.

See: GHSA-qw24-gh76-8rvv
2026-06-05 15:21:01 +01:00
Nick Craig-Wood
2326ea79f7 rc: fix unauthenticated command execution via --rc-serve inline remotes CVE-2026-49980
The --rc-serve GET/HEAD file serving path accepted bracketed inline
remotes from the URL and instantiated them, so a single
unauthenticated request could run a command as the rclone user via
backend options such as webdav bearer_token_command or sftp ssh, read
arbitrary local files, or change process-wide config via global.*
options.

This was the GET/HEAD equivalent of the POST hole fixed for
CVE-2026-41179, which only guarded the rc call dispatch path.

Now, unless the rc server has authentication configured or
--rc-no-auth is set, the serve path only allows remotes already
present in the config file: inline remotes, connection string
parameters and bare local paths are rejected. Connection string
global.* options are never honoured on the serve path, even when
authenticated.

See: GHSA-qw24-gh76-8rvv
2026-06-05 15:21:01 +01:00
Nick Craig-Wood
25939a1d00 docs: Update RELEASE.md to use cherry-pick -x 2026-06-05 15:21:01 +01:00
nako-ruru
9693b3df09 webdav: fix mixed property statuses in multi-status responses
This PR fixes a bug in the WebDAV backend where directories or files could
randomly "disappear" from listings due to strict and fragile multi-status code
parsing.

Co-authored-by: bright <nako_ruru@sina.com>
2026-06-03 18:04:15 +01:00
IceLocke
e7b1eb774c s3: remove session token on cross-host redirects
Add a redirect policy to the S3 HTTP client so X-Amz-Security-Token is
removed once a redirect chain crosses hosts. Keep stripping it on later
same-host hops in the same chain, since net/http copies headers from the
initial request for each redirect and can otherwise restore the token.

Preserve same-host redirect behavior, retain the standard redirect limit,
and add tests for cross-host, same-host, multi-hop, and redirect-loop cases.
2026-06-03 17:58:26 +01:00
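
The redirect policy described in commit e7b1eb774c above, as an added example that is not rclone's own code: a `CheckRedirect` function that removes `X-Amz-Security-Token` once a chain has left the original host and keeps removing it on every later hop. The names `checkRedirect`, `hop` and `tokenAfter`, the exact `URL.Host` comparison, and the sample URLs and token are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Header carrying the temporary session token on signed S3 requests.
const tokenHeader = "X-Amz-Security-Token"

// checkRedirect is a hypothetical http.Client.CheckRedirect policy; via holds earlier requests, oldest first.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 { // same limit as net/http's default policy
		return errors.New("stopped after 10 redirects")
	}
	origin := via[0].URL.Host
	// The chain has crossed hosts if this hop, or any earlier one, left the origin.
	crossed := req.URL.Host != origin
	for _, prev := range via[1:] {
		crossed = crossed || prev.URL.Host != origin
	}
	if crossed {
		// net/http re-copies the initial headers onto every hop, so delete on each one.
		req.Header.Del(tokenHeader)
	}
	return nil
}

// hop builds a constructed request carrying the token, as net/http presents it to CheckRedirect.
func hop(rawURL string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, rawURL, nil) // constant sample URLs, error ignored
	req.Header.Set(tokenHeader, "constructed-session-token")
	return req
}

// tokenAfter applies the policy to the last URL of a chain (two or more URLs)
// and returns the token that hop would still carry.
func tokenAfter(chain ...string) (string, error) {
	var via []*http.Request
	for _, u := range chain[:len(chain)-1] {
		via = append(via, hop(u))
	}
	req := hop(chain[len(chain)-1])
	err := checkRedirect(req, via)
	return req.Header.Get(tokenHeader), err
}

func main() {
	a, b := "https://bucket.s3.example/k", "https://other.example/k"
	for _, chain := range [][]string{{a, a}, {a, b}, {a, b, b}, {a, b, a}} {
		tok, err := tokenAfter(chain...)
		fmt.Printf("%v -> token=%q err=%v\n", chain, tok, err)
	}
}
```

Because hosts are compared as exact `URL.Host` strings, a difference in port or letter case counts as a cross-host hop and the token is dropped, which fails closed.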