Skip to main content

Sync-in 2.4 - Euro-Office, Tasks, and Security

· 4 min read

Sync-in version 2.4 is now available.

It adds Euro-Office support as a new online document editor, improves file task management with a task queue, clearer tracking for long-running operations, and cancellation of some actions from the task panel. It also strengthens authentication and synchronization security, and brings several reliability improvements.

Euro-office integration and tasks in Sync-in

✨ New Features

  • Euro-Office editor support
    Euro-Office is now supported as an additional online document editor, alongside OnlyOffice and Collabora.

  • Cancellation from the task panel
    Uploads, downloads, archive creation, extraction, copies, moves, and deletions can now be canceled from the task panel.

  • Task queue
    File-related tasks are now queued and limited per user to avoid running too many heavy operations in parallel.

  • More detailed task progress
    Some long-running tasks now show more detailed progress when the operation allows it, instead of only showing a running state.

  • ZIP archive support
    Sync-in can now create ZIP archives, in addition to the existing TAR and TGZ formats.

  • Optional OIDC verified email check
    Administrators can now require OIDC users to have a verified email address before account linking or profile synchronization.

  • Grouped editor configuration
    Editor settings are now grouped under applications.files.editors.

    The previous applications.files.onlyoffice and applications.files.collabora settings are still supported for now, but are deprecated.

🐞 Fixes

  • More reliable URL downloads
    URL imports now better handle servers that compress content, preventing size errors or incomplete downloads.

  • CJK full-text search support
    Full-text search now supports Chinese, Japanese, and Korean text, as well as other languages that are not separated by spaces.

  • Text and Markdown editor fixes
    Text and Markdown editors now preserve focus more reliably, detect changes correctly and refresh the file size after saving.

  • More reliable filtered selection
    File selection stays more consistent when the list is filtered, especially during multi-selection.

  • More reliable server startup
    MySQL connection errors are now detected earlier, with a clean exit to allow automatic restart.

  • More reliable configuration loading
    Sensitive values wrapped in single quotes, such as secrets, database URLs, and initial credentials, are now loaded without keeping the quotes in the final value.

🛡️ Security

  • Stronger 2FA enforcement for API tokens
    Fixed vulnerability GHSA-92cr-jxw4-5wjg.

    Users with 2FA enabled could obtain API tokens after validating only their login and password. API tokens now require the second factor as expected.

  • Stronger protection against repeated TOTP attempts
    Fixed vulnerability GHSA-274f-6w77-8qm9.

    Failed TOTP attempts during desktop sync client registration are now counted correctly, including repeated or concurrent attempts.

  • Safer sync filters
    Fixed vulnerability GHSA-jx63-h26r-8cph.

    Malicious sync filters could overload the server during synchronization. Filters are now validated and limited before being used.

  • Safer synchronization uploads
    Uploaded files are now checked before replacing the final file, keeping the existing file unchanged in case of size, quota, or checksum errors.

  • Sessions better aligned with account state
    Browser and WebSocket sessions now better reflect account changes, including roles, permissions, and active/inactive status.

  • OIDC and LDAP hardening
    The new OIDC directives security.requireVerifiedEmail and security.allowPrivateIpAvatarDownload respectively allow administrators to require a verified email address and explicitly allow avatars served from private or internal IP ranges.

    Defaults have also been hardened: security.allowInsecureRequests, options.enablePasswordAuth for OIDC, and options.enablePasswordAuthFallback for LDAP are now disabled by default. Administrator break-glass access remains available.

  • Stricter user login validation
    Logins from external identity providers are now limited to valid names, preventing them from being interpreted as file paths.

  • Safer archive extraction
    Sync-in now better blocks unexpected paths inside archives, cleans up interrupted extractions, and applies storage quotas during extraction.

📥 Upgrade to Sync-in 2.4 to benefit from Euro-Office support, improved file task management, and important security and reliability improvements.

➡️ View the release on GitHub