[1.4.1]
Update sftpgo to 2.7.1
Full Changelog
SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP.
Enforced password validation rules also when applied through a group.
Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data.
Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances.
Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914.
Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915.
Unified path handling: Prior to this release, the backslash character (\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.
