Tipi Files

Release notes

🚨 An important security patch is included in this release. The flaw allows an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. For more details see the linked security advisory We recommend everyone to upgrade to the latest version.

New features - Runtipi now supports native docker-compose.yml syntax for custom apps. Alongside the existing docker compose json format, users can now define their apps in a docker-compose.yml file by including the x-runtipi meta tags to define the app behavior - New setting to manually disable the force pull for each application - In the "Files" tab of an app, where the user can configure their custom configs the main docker-compose.yml file is now visible as well as the app.env

Improvements - The OTP input is now auto focused when the page loads - During an app udpate, the compose file is not shown in the diff viewer if it didn't change - Add support for cachyos in the install script - The generated compose will not include an extra network if the stack is only composed of 1 service

Fixes - App logs are now correctly escaping XML tags. This was previously allowing an app to display HTML formatted text in the logs - Properly sanitize backup filenames during upload to prevent authenticated RCE vulnerability

How to update

From the root folder of your runtipi install

• ./runtipi-cli update v4.7.0

If you are coming from version 3 or lower please follow the migration guide

Please report any issue you encounter so we can fix it in a timely manner.