commit 2c12ca64d451d79252982fcf96b09dff1d55b55e
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Sun Apr 19 11:42:48 2026 +0100

    Version v1.73.5

commit 2a9e952b38e03a96bf40c9eb6e8e22199865ee3b
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Tue Apr 14 17:08:55 2026 +0100

    operations: add AuthRequired to operations/fsinfo to prevent backend creation CVE-2026-41179
    
    The operations/fsinfo RC endpoint was registered without AuthRequired,
    allowing unauthenticated callers to instantiate arbitrary backends via
    inline backend definitions.
    
    See GHSA-jfwf-28xr-xw6q

commit c097c36064e1674467393d750d262bca754a5547
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Tue Apr 14 17:01:18 2026 +0100

    rc: snapshot NoAuth at startup to prevent runtime auth bypass CVE-2026-41176
    
    Snapshot the NoAuth setting when the RC server is created rather than
    reading it from the mutable options struct on each request. This
    prevents any runtime mutation of rc.NoAuth (e.g. via options/set)
    from disabling the auth gate for protected RC methods.
    
    See GHSA-25qr-6mpr-f7qx

commit cfa9072d9f6bd7c5b5672f7d4cabaa3410d1f8f4
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Tue Apr 14 17:00:25 2026 +0100

    rc: add AuthRequired to options/set to prevent auth bypass CVE-2026-41176
    
    The options/set RC endpoint was registered without AuthRequired,
    allowing unauthenticated callers to mutate global runtime options
    including rc.NoAuth, which disables the auth gate for all protected
    RC methods. Require authentication for options/set.
    
    See GHSA-25qr-6mpr-f7qx

commit 03eed87045d4d0d64427f35a479d886bcc86d893
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Wed Apr 15 12:19:18 2026 +0100

    s3: fix empty delimiter parameter rejected by Archiware P5 server
    
    Some S3-compatible servers (e.g. Archiware P5) reject requests with an
    empty `?delimiter=` query parameter. For recursive listings, pass `nil`
    instead of a pointer to an empty string so the parameter is omitted
    entirely from the request.
    
    Fixes #9342

commit e4e4c5efe084d6b1289a95086ad41599b2b9d516
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Mon Apr 13 15:27:20 2026 +0100

    azureblob/auth: add Microsoft Partner Network User-Agent prefix
    
    Set the User-Agent to include the APN prefix for Azure backends
    (azureblob, azurefiles, onelake) to identify rclone as a Microsoft
    Partner. The User-Agent is now:
    
        APN/1.0 rclone/1.0 rclone/<version>

commit 08eecf4cc8348a39c98ee268d3102a68f17801ad
Author: a1pcm <a1pcm@users.noreply.github.com>
Date:   Thu Apr 9 16:32:41 2026 -0500

    drime: fix User.EntryPermissions JSON unmarshalling
    
    `json:"entry_permissions"` is known to be either empty [] or of
    structure {string: boolean}. This may have been a breaking API change on
    Drime's side. Because EntryPermissions is not used, the type was changed
    to `any` to capture both cases, otherwise we could implement custom
    unmarshalling for that type.

commit 5cd87e2d751b8d9d0b294c1be3424e0b1e54cb0f
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Fri Mar 27 14:46:17 2026 +0000

    filter: fix debug logs that fire before logger is configured - fixes #9291
    
    These Debugf calls in NewFilter() ran during GlobalOptionsInit(), before
    InitLogging() configured the JSON log format. This caused plain-text
    debug lines to leak to stderr when --use-json-log was set, breaking
    tooling that expected only JSON output.
    
    The resolved time values are already available via --dump filters so
    this commit removes the debug messages.

commit f86f0518c3ccda6aa535d12840aefc744cb26eb8
Author: Mozi <29089388+pzhlkj6612@users.noreply.github.com>
Date:   Sun Apr 5 18:04:32 2026 +0000

    s3: fix TencentCOS CDN endpoint failing on bucket check
    
    The Global Acceleration Endpoint (cos.accelerate.myqcloud.com) of
    Tencent COS does not seem to support "CreateBucket" (maybe also other
    bucket management operations). Since the acceleration functionality must
    be enabled per-bucket in the Tencent Cloud console, the bucket will
    always exist before this endpoint is used, so this check can be safely
    skipped.
    
    Now, "no_check_bucket = true" will be auto set when using this endpoint.
    
    Why "NewFs()": on-the-fly remotes (connection string remotes), for
    example, ":s3,provider=TencentCOS,...:..." will also be fixed.
    
    Why no unit test: I can't find a good way to test "NewFs()" without
    leveraging live endpoints. I think we can extract all existing mutations
    for different providers (e.g., AWS, Fastly, and Rabata) from "NewFs()"
    to a new function in the future.
    
    Some Tencent docs about this CDN endpoint:
    - English: Global Acceleration Endpoint | https://www.tencentcloud.com/pt/document/product/436/40700
    - Chinese: 对象存储 全球加速概述_腾讯云 | https://cloud.tencent.com/document/product/436/38866
    
    Assisted-By: OpenCode

commit d6c937f90802c37a6eba1a9a5169b73afd40403a
Author: Brais Couce <braiscouce@gmail.com>
Date:   Fri Apr 3 20:40:51 2026 +0200

    iclouddrive: fix 'directory not found' error when the directory contains accent marks

commit b5465afd1c91f87bb973246ed8a9b85c601d95b5
Author: Nick Craig-Wood <nick@craig-wood.com>
Date:   Wed Apr 8 16:42:50 2026 +0100

    Start v1.73.5-DEV development
