Begin a new release cycle

diff --git a/AUTHORS.md b/AUTHORS.md
index a5d94aef5463218b629e874778e4c95e9ab408bf..a8e247e5895c6ac1d9437c2186d8b0e7cc0da373 100644 (file)
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -106,7 +106,6 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
 - Vasilis Giann
 - Victor Lamoine
 - Viktar Vauchkevich
 - Vasilis Giann
 - Victor Lamoine
 - Viktar Vauchkevich

-- Weblate

 - Wim Livens
 - Yaron Shahrabani
 - YFdyh000
 - Wim Livens
 - Yaron Shahrabani
 - YFdyh000

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f55e0809691aa2c254958fb77f78fee85163f4c..2ab4d40104b774978cb1dffc5749cee1968d1193 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,12 +12,20 @@
 5. Follow the installation wizard, it should propose you the same data folder or even update automatically
 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
 
 5. Follow the installation wizard, it should propose you the same data folder or even update automatically
 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
 

-## Current snapshots
+## Version 4.6.x (not yet released)
+
+- ...
+
+## Version 4.6.1

 
 - Removed the download button and the corresponding link for encrypted files from the admin interface
 
 - Removed the download button and the corresponding link for encrypted files from the admin interface

+- Fixed an issue with sending the wrong filesize after decrypting an encrypted file
+- Fixed the possibility to bypass the check for CVE-2022-30110 (prevent preview of SVG images) by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
+- We now provide Docker images for AMD64 and ARM64 systems

 - Lots of code refactoring and cleanup
 - Few more little fixes
 - Typo and spelling mistakes
 - Lots of code refactoring and cleanup
 - Few more little fixes
 - Typo and spelling mistakes

+- Upgrade from 4.6.0: in-place upgrade

 
 New configuration items:
 - `one_time_download_preselected` for preselecting the checkbox for deleting the file after the first download
 
 New configuration items:
 - `one_time_download_preselected` for preselecting the checkbox for deleting the file after the first download


@@ -32,6 +40,7 @@ New configuration items:
 - Removed usage of deprecated `strftime()` function
 - Few more little fixes
 - Typo and spelling mistakes
 - Removed usage of deprecated `strftime()` function
 - Few more little fixes
 - Typo and spelling mistakes

+- Upgrade from 4.5.0: in-place upgrade

 
 New configuration items:
 - `download_password_requirement`, `download_password_gen_len`, `download_password_gen_chars`, `download_password_policy` and `download_password_policy_regex` for configuring file download passwords
 
 New configuration items:
 - `download_password_requirement`, `download_password_gen_len`, `download_password_gen_chars`, `download_password_policy` and `download_password_policy_regex` for configuring file download passwords

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c80c1cddf5054a5e78fb921f1cae0fbf45226bd9..bde45e89b834853bb172dbd457e5fb5111a59e47 100644 (file)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -54,11 +54,11 @@ view only to show the most important files and their role.
 
 ## Translations
 
 
 ## Translations
 

-Translation may be added via [Jirafeau's Weblate](https://hosted.weblate.org/projects/jirafeau/master/).
+Translations may be added by creating a new JSON file under `locales` and submitting a merge request.

 
 ## Coding style
 
 
 ## Coding style
 

-- This project follows the [PSR-2](http://www.php-fig.org/psr/psr-2/) Coding Style
+- This project follows the [PSR-12](https://www.php-fig.org/psr/psr-12/) coding style

 - Files must be in UTF-8 without BOM and use Unix Line Endings (LF)
 
 ## Branches
 - Files must be in UTF-8 without BOM and use Unix Line Endings (LF)
 
 ## Branches


@@ -90,7 +90,6 @@ Quick walkthrough:
 
 ## New Releases
 
 
 ## New Releases
 

-* Fetch weblate and rebase and import translations

 * If the release is not done for security purposes: create a new issue and freeze next-release branch for at least week.
 * Compare the [`next-release` branch to `master`](https://gitlab.com/jirafeau/Jirafeau/compare/master...next-release)
 * Add a list of noteworthy features and bugfixes to `CHANGELOG.md`
 * If the release is not done for security purposes: create a new issue and freeze next-release branch for at least week.
 * Compare the [`next-release` branch to `master`](https://gitlab.com/jirafeau/Jirafeau/compare/master...next-release)
 * Add a list of noteworthy features and bugfixes to `CHANGELOG.md`

diff --git a/docker/README.md b/docker/README.md
index 343c69e2edee4d2fa7ab60a29fdea8196568f46b..10ee3224e986b53c79bc7930754b38f78ac1426c 100644 (file)
--- a/docker/README.md
+++ b/docker/README.md
@@ -89,6 +89,8 @@ mkdir /tmp/jirafeau_data
 docker run -it --rm -p 8080:80 -v /tmp/jirafeau_data:/data registry.gitlab.com/jirafeau/jirafeau:latest
 ```
 
 docker run -it --rm -p 8080:80 -v /tmp/jirafeau_data:/data registry.gitlab.com/jirafeau/jirafeau:latest
 ```
 

+Please note that the files and directories created in the directory outside the container will probably be owned by UID 100.
+

 ## Few notes
 
 - `var-...` folder where lives all uploaded data is protected from direct access
 ## Few notes
 
 - `var-...` folder where lives all uploaded data is protected from direct access

diff --git a/lib/functions.php b/lib/functions.php
index 2843e29d685f34fd0963ac7fe2d4fc203a77e163..03725073dae490118cf8ae4837578c99e4d58e03 100644 (file)
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime)
     if (!empty($mime)) {
         $viewable = array('image', 'video', 'audio');
         $decomposed = explode('/', $mime);
     if (!empty($mime)) {
         $viewable = array('image', 'video', 'audio');
         $decomposed = explode('/', $mime);

-        if (in_array($decomposed[0], $viewable) && strpos($mime, 'image/svg+xml') === false) {
+        if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {

             return true;
         }
         $viewable = array('text/plain');
             return true;
         }
         $viewable = array('text/plain');


@@ -1197,6 +1197,11 @@ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_m
         return "Error: referenced file does not exist";
     }
 
         return "Error: referenced file does not exist";
     }
 

+    /* Store filesize before encrypting the file */
+    /* Otherwise we would send the size of the encrypted file and the data of the unencrypted file */
+    /* This would break some browsers */
+    $size = filesize($p);
+

     $crypted = false;
     $crypt_key = '';
     if ($crypt == true && extension_loaded('sodium') == true) {
     $crypted = false;
     $crypt_key = '';
     if ($crypt == true && extension_loaded('sodium') == true) {


@@ -1209,7 +1214,6 @@ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_m
     }
 
     $hash = jirafeau_hash_file($file_hash_method, $p);
     }
 
     $hash = jirafeau_hash_file($file_hash_method, $p);

-    $size = filesize($p);

     $np = s2p($hash);
     $delete_link_code = jirafeau_gen_random(5);
 
     $np = s2p($hash);
     $delete_link_code = jirafeau_gen_random(5);
 

diff --git a/lib/template/footer.php b/lib/template/footer.php
index 637ce42b429cb93f9211575a5ab95edfaeaf5c48..64132c70966c4a6e5e2b0f8943422a245608764d 100644 (file)
--- a/lib/template/footer.php
+++ b/lib/template/footer.php
@@ -4,14 +4,18 @@
         <?php
           echo t('MADE_WITH') .
             ' <a href="' . JIRAFEAU_WEBSITE . '" target="_blank" rel="noopener noreferrer">' . t('JI_PROJECT') . '</a>' .
         <?php
           echo t('MADE_WITH') .
             ' <a href="' . JIRAFEAU_WEBSITE . '" target="_blank" rel="noopener noreferrer">' . t('JI_PROJECT') . '</a>' .

-            '<p> ' . t('DESIGNED')  . ' ' .  $cfg['contactperson'] . '</p>'  .

             ' (<a href="https://www.gnu.org/licenses/agpl.html" target="_blank" rel="noopener noreferrer"><abbr title="GNU Affero General Public License v3">AGPL-3.0</abbr></a>)';
         ?>
         <!-- Installation dependent links -->
         <?php
         if (false === empty($cfg['installation_done'])) {
             ' (<a href="https://www.gnu.org/licenses/agpl.html" target="_blank" rel="noopener noreferrer"><abbr title="GNU Affero General Public License v3">AGPL-3.0</abbr></a>)';
         ?>
         <!-- Installation dependent links -->
         <?php
         if (false === empty($cfg['installation_done'])) {

+            if(false === empty($cfg['organisation'])) {
+                echo ' <span>|</span> ';
+                echo ' ' . t('DESIGNED')  . ' ' .  $cfg['organisation'];
+            }
+

             echo ' <span>|</span> ';
             echo ' <span>|</span> ';

-            echo '<a href="tos.php" target="_blank" rel="noopener noreferrer">' . t('TOS') . '</a>';
+            echo '<a href="tos.php" target="_blank" rel="nooener noreferrer">' . t('TOS') . '</a>';

         }
         ?>
     </p>
         }
         ?>
     </p>