mirror of
https://github.com/rclone/rclone.git
synced 2026-05-12 10:03:35 -04:00
f191448b0d
Replace AuthRequired bool with NoAuth bool on the rc.Call struct and flip the auth check logic. Previously endpoints were unauthenticated by default and had to opt in with AuthRequired: true, which led to security vulnerabilities when developers forgot to set the flag. Now all endpoints require authentication by default. Only explicitly safe read-only endpoints are marked with NoAuth: true: - rc/noop - rc/error - rc/list - core/version - core/stats - core/group-list - core/transferred - core/du - cache/stats - vfs/list - vfs/stats - vfs/queue - job/status - job/list See GHSA-25qr-6mpr-f7qx, GHSA-jfwf-28xr-xw6q