From ea13ecd5272b130c028b76b91b2a05ea65fd565b Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 14 Oct 2024 16:26:16 +0200 Subject: [PATCH 01/16] Fixed every error detected by php-cs-fixer (except the single_space_around_construct type) --- admin.php | 9 +- index.php | 30 +++---- install.php | 2 +- lib/functions.js.php | 24 +++-- lib/functions.php | 193 +++++++++++++++++++--------------------- lib/template/header.php | 4 +- script.php | 6 +- 7 files changed, 133 insertions(+), 135 deletions(-) diff --git a/admin.php b/admin.php index a6bacd3..f8270a2 100644 --- a/admin.php +++ b/admin.php @@ -37,17 +37,18 @@ if (php_sapi_name() == "cli") { if ($cfg['installation_done'] == false) { die("Installation not completed yet.\n"); } - if ((count($argv)>1) && $argv[1]=="clean_expired") { + if ((count($argv) > 1) && $argv[1] == 'clean_expired') { $total = jirafeau_admin_clean(); echo "$total expired files deleted.\n"; - } elseif ((count($argv)>1) && $argv[1]=="clean_async") { + } elseif ((count($argv) > 1) && $argv[1] == 'clean_async') { $total = jirafeau_admin_clean_async(); echo "$total old unfinished transfers deleted.\n"; } else { die("No command found. Should be admin.php .\n"); } -// Second check: Challenge by IP -} elseif (true === jirafeau_challenge_admin_ip($cfg, get_ip_address($cfg))) { +} +/* Second check: Challenge by IP */ +elseif (true === jirafeau_challenge_admin_ip($cfg, get_ip_address($cfg))) { /* Disable admin interface if we have a empty admin password. */ if (empty($cfg['admin_password']) && empty($cfg['admin_http_auth_user'])) { require(JIRAFEAU_ROOT . 'lib/template/header.php'); diff --git a/index.php b/index.php index da6ee2f..435e059 100644 --- a/index.php +++ b/index.php @@ -130,7 +130,7 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) { 0) { echo t('2_BIG') . ', ' . t('FILE_LIM') . " " . $cfg['maximal_upload_size'] . " MB."; } 
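Review bot: The CLI dispatch in admin.php keeps the loose operator in the rewritten lines `$argv[1] == 'clean_expired'` and `$argv[1] == 'clean_async'`, although this commit is the pass that touches exactly those lines. Entries of `$argv` are always strings, so `$argv[1] === 'clean_expired'` (and likewise for `'clean_async'`) is behaviour-preserving and removes the type-juggling rules of `==` from a command dispatcher. The enclosing `if (php_sapi_name() == "cli")` block begins before this hunk.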
@@ -143,26 +143,26 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) { if ($cfg['one_time_download']) { echo '' . t('ONE_TIME_DL') . ':'; echo ''; } - if ($cfg['download_password_requirement'] === 'generated') { - echo ''; - } else { - echo ''; - echo ''; - }?> +if ($cfg['download_password_requirement'] === 'generated') { + echo ''; +} else { + echo ''; + echo ''; +}?> diff --git a/install.php b/install.php index 2550aa6..ebda6f5 100644 --- a/install.php +++ b/install.php @@ -153,7 +153,7 @@ break; 'abcdefghijklmnopqrstuvwxyz' . '0123456789'; $len_alphanum = strlen($alphanum); $var = 'var-'; - for ($i = 0; $i . */ - function template_js_preview_link() { +function template_js_preview_link() +{ ?> if (!!document.getElementById('preview_link')) { @@ -44,8 +45,9 @@ } } // Download page var download_link_href = 'f.php?h=' + reference; @@ -60,7 +62,8 @@ function template_js_download_page() { } // Email link var b = encodeURIComponent(" \"" + filename + "\":") + "%0D" + "%0A"; @@ -72,7 +75,8 @@ function template_js_email_link() { } // Delete link var delete_link_href = 'f.php?h=' + reference + '&d=' + delete_code; @@ -80,7 +84,8 @@ function template_js_delete_link() { document.getElementById('delete_link_text').innerHTML = web_root + delete_link_href; // Direct download link var direct_download_link_href = 'f.php?h=' + reference + '&d=1'; @@ -91,8 +96,9 @@ function template_js_delete_link() { document.getElementById('direct_link').href = direct_download_link_href; document.getElementById('direct_link_text').innerHTML = web_root + direct_download_link_href; // Validity date if (isEmpty(date)) @@ -111,7 +117,7 @@ function template_js_delete_link() { document.getElementById('date').style.display = ''; } ' . date_format($ts, 'Y-m-d H:i') . ' (GMT)'; - + return $content; } 
@@ -397,7 +397,7 @@ function jirafeau_hash_file($method, $file_path) function jirafeau_md5_outside($file_path) { $out = false; - $handle = fopen($file_path, "r"); + $handle = fopen($file_path, 'r'); if ($handle === false) { return false; } @@ -450,12 +450,13 @@ function jirafeau_upload($file, $one_time_download, $key, $time, $ip, $crypt, $l } /** - * - * @param bool $crypt_module_enabled - * @param string $file_path + * + * @param bool $crypt_module_enabled + * @param string $file_path * @return array [bool, string] */ -function jirafeau_handle_add_file_encryption($crypt_module_enabled, $file_path) { +function jirafeau_handle_add_file_encryption($crypt_module_enabled, $file_path) +{ /* Crypt file if option is enabled. */ $crypted = false; $crypt_key = ''; @@ -501,7 +502,6 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, $crypt_key = ''; list($crypted, $crypt_key) = jirafeau_handle_add_file_encryption($crypt, $file['tmp_name']); - /* file information */ $hash = jirafeau_hash_file($file_hash_method, $file['tmp_name']); $name = str_replace(NL, '', trim($file['name'])); @@ -513,12 +513,9 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, $p = s2p("$hash"); if (file_exists(VAR_FILES . $p . $hash)) { $rc = unlink($file['tmp_name']); - } elseif ((file_exists(VAR_FILES . $p) || @mkdir(VAR_FILES . $p, 0755, true)) - && - //move_uploaded_file($file['tmp_name'], VAR_FILES . $p . $hash)) - $move_operation($file['tmp_name'], VAR_FILES . $p . $hash)) - { - + } elseif ( + (file_exists(VAR_FILES . $p) || @mkdir(VAR_FILES . $p, 0755, true)) && + $move_operation($file['tmp_name'], VAR_FILES . $p . $hash)) { $rc = true; } if (!$rc) { @@ -526,7 +523,7 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, 'error' => array('has_error' => true, 'why' => t('INTERNAL_ERROR_DEL')), - 'link' =>'', + 'link' => '', 'delete_link' => '')); } 
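Review bot: In the `jirafeau_add_file` hunk at `@@ -513,12 +513,9 @@`, the reflowed condition keeps `@mkdir(VAR_FILES . $p, 0755, true)` with no re-check afterwards, so if the directory comes into existence between `file_exists()` and `mkdir()` (two concurrent uploads whose hashes share a prefix), `mkdir` fails, the `@` hides the reason, the move is never attempted and the request appears to end in the `INTERNAL_ERROR_DEL` branch shown in the following hunk. Since the `||` already tolerates a failed `mkdir`, re-test the directory after the attempt: `(file_exists(VAR_FILES . $p) || @mkdir(VAR_FILES . $p, 0755, true) || is_dir(VAR_FILES . $p)) &&`. The docblock of `jirafeau_handle_add_file_encryption` in the `@@ -450,12 +450,13 @@` hunk still opens with an empty summary line; a one-liner such as `Encrypt the uploaded file when the crypt module is enabled; returns [crypted, crypt_key].` would complete it. `jirafeau_add_file` starts and ends outside these hunks.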
@@ -580,7 +577,7 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, 'error' => array('has_error' => true, 'why' => t('Internal error during file creation. ')), - 'link' =>'', + 'link' => '', 'delete_link' => ''); } return array( 'error' => $noerr, @@ -589,8 +586,8 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, 'crypt_key' => $crypt_key); } - -function jirafeau_admin_list_table ($name, $file_hash, $link_hash, $visitor_function = null) { +function jirafeau_admin_list_table($name, $file_hash, $link_hash, $visitor_function = null) +{ echo '
'; if (!empty($name)) { echo t('FILENAME') . ": " . jirafeau_escape($name); @@ -616,10 +613,6 @@ function jirafeau_admin_list_table ($name, $file_hash, $link_hash, $visitor_func echo '
'; } - - - - /** * Tells if a mime-type is viewable in a browser * @param $mime the mime type @@ -748,8 +741,8 @@ function jirafeau_get_link($hash) */ function jirafeau_admin_list($name, $file_hash, $link_hash) { - $function = function($name, $file_hash, $link_hash) { - /* Get all links files. */ + $function = function ($name, $file_hash, $link_hash) { + /* Get all links files. */ $stack = array(VAR_LINKS); while (($d = array_shift($stack)) && $d != null) { $dir = scandir($d); @@ -785,8 +778,7 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) if (!$l['crypted'] && !$l['crypted_legacy']) { echo'' . jirafeau_escape($l['file_name']) . ''; - } - else { + } else { echo jirafeau_escape($l['file_name']); } @@ -829,8 +821,9 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) } } } - }; - jirafeau_admin_list_table($name, $file_hash, $link_hash, $function); + }; + + jirafeau_admin_list_table($name, $file_hash, $link_hash, $function); } /** @@ -1341,7 +1334,7 @@ function jirafeau_decrypt_file($fp_src, $fp_dst, $k) for ($i = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_HEADERBYTES; $i < $fs; $i += JIRAFEAU_SODIUM_CHUNKSIZE + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES) { $to_dec = fread($r, JIRAFEAU_SODIUM_CHUNKSIZE + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES); [$dec, $crypt_tag] = sodium_crypto_secretstream_xchacha20poly1305_pull($crypt_state, $to_dec); - + if (fwrite($w, $dec) === false) { return false; } @@ -1758,7 +1751,7 @@ function jirafeau_get_download_stats($hash) $filename = VAR_LINKS . s2p("$hash") . $hash . '_download'; if (!file_exists($filename)) { - return array('count'=>0); + return array('count' => 0); } $c = file($filename); @@ -1782,7 +1775,8 @@ function jirafeau_write_download_stats($hash, $ip) fclose($handle); } -function jirafeau_create_upload_finished_box($preview = true) { +function jirafeau_create_upload_finished_box($preview = true) +{ ?>
@@ -1798,8 +1792,8 @@ function jirafeau_create_upload_finished_box($preview = true) {

- +

@@ -1809,7 +1803,8 @@ function jirafeau_create_upload_finished_box($preview = true) {

+ } + ?>

@@ -1834,77 +1829,76 @@ function jirafeau_create_upload_finished_box($preview = true) {

- 'minute', - 'label' => '1_MIN' + 'value' => 'minute', + 'label' => '1_MIN' ), array( - 'value' => 'hour', - 'label' => '1_H' + 'value' => 'hour', + 'label' => '1_H' ), array( - 'value' => 'day', - 'label' => '1_D' + 'value' => 'day', + 'label' => '1_D' ), array( - 'value' => 'week', - 'label' => '1_W' + 'value' => 'week', + 'label' => '1_W' ), array( 'value' => 'fortnight', 'label' => '2_W' ), array( - 'value' => 'month', - 'label' => '1_M' + 'value' => 'month', + 'label' => '1_M' ), array( - 'value' => 'quarter', - 'label' => '1_Q' + 'value' => 'quarter', + 'label' => '1_Q' ), array( - 'value' => 'year', - 'label' => '1_Y' + 'value' => 'year', + 'label' => '1_Y' ), array( - 'value' => 'none', - 'label' => 'NONE' + 'value' => 'none', + 'label' => 'NONE' ) - ); + ); } +/** + * + * creates the time selection field + * @param mixed $cfg + * @return void + */ +function jirafeau_create_selection_array($cfg) +{ + echo ''; - - - $expirationTimeOptions = jirafeau_get_expiration_time_options(); - - foreach ($expirationTimeOptions as $expirationTimeOption) { - $selected = ($expirationTimeOption['value'] === $cfg['availability_default'])? 'selected="selected"' : ''; - if (true === $cfg['availabilities'][$expirationTimeOption['value']]) { - echo ''; - } + foreach ($expirationTimeOptions as $expirationTimeOption) { + $selected = ($expirationTimeOption['value'] === $cfg['availability_default']) ? 'selected="selected"' : ''; + if (true === $cfg['availabilities'][$expirationTimeOption['value']]) { + echo ''; } - echo ''; - } + } + + echo ''; +} - function jirafeau_datestr_to_int ($time_str) { +function jirafeau_datestr_to_int($time_str) +{ $time = time(); switch ($time_str) { case 'minute': @@ -1931,7 +1925,7 @@ function jirafeau_get_expiration_time_options() { case 'year': $time += JIRAFEAU_YEAR; break; - default: + default: $time = JIRAFEAU_INFINITY; break; } 
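Review bot: The new docblock on `jirafeau_create_selection_array` declares `@param mixed $cfg`, but the body indexes it as `$cfg['availability_default']` and `$cfg['availabilities'][...]`, so the annotation should be `@param array $cfg the site configuration (reads 'availability_default' and 'availabilities')`. The docblock also begins with an empty line before the summary; dropping it keeps the summary on the first line as the other docblocks in this file do. The `@@ -1834,77 +1829,76 @@` hunk starts before this line.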
@@ -1942,10 +1936,10 @@ function jirafeau_get_expiration_time_options() { /** - * links or copy a local file + * links or copy a local file * TODO: boolean in config for linking - * @param string $filepath - * @param $one_time_download is the file a one time download ? + * @param string $filepath + * @param $one_time_download is the file a one time download? * @param $key if not empty, protect the file with this key * @param $time the time of validity of the file * @param $ip uploader's ip @@ -1956,21 +1950,20 @@ function jirafeau_get_expiration_time_options() { * 'link' => the link name of the uploaded file * 'delete_link' => the link code to delete file */ -function jirafeau_copy_local_file($local_file_path, $one_time_download, $key, $time, $ip, $crypt, $link_name_length, $file_hash_method) { - +function jirafeau_copy_local_file($local_file_path, $one_time_download, $key, $time, $ip, $crypt, $link_name_length, $file_hash_method) +{ if (!file_exists($local_file_path)) { return (array( 'error' => array('has_error' => true, 'why' => t('INTERNAL_ERROR_FILE_NOT_EXIST')), - 'link' =>'', + 'link' => '', 'delete_link' => '')); } - if( + if ( // sanity check if file can be opened - $file = fopen($local_file_path, "r") - ) - { + $file = fopen($local_file_path, 'r') + ) { // close file pointer - it's not needed here fclose($file); $time_in_int = jirafeau_datestr_to_int($time); 
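Review bot: In `jirafeau_copy_local_file`, the reformatted `if ( // sanity check if file can be opened $file = fopen($local_file_path, 'r') ) {` still performs an assignment inside the condition with a comment between the parentheses, and the handle is only opened to be closed again. `if (is_readable($local_file_path)) {` states the intent directly and drops the `fopen`/`fclose` pair, at the cost of not detecting the rarer failures `fopen` can still report; if that distinction matters, move the open out of the condition and test `$file !== false`. The function continues past the end of this hunk.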
@@ -1985,25 +1978,23 @@ function jirafeau_copy_local_file($local_file_path, $one_time_download, $key, $t $file_hash_method, false ); - } - else { + } else { return (array( 'error' => array('has_error' => true, 'why' => t('INTERNAL_ERROR_FP_OPEN_LOCAL')), - 'link' =>'', + 'link' => '', 'delete_link' => '')); } - } -function jirafeau_create_file_array($file_path) { - return - [ - 'type' => mime_content_type($file_path), - 'tmp_name' => $file_path, - 'name' => basename($file_path), - 'size' => filesize($file_path), +function jirafeau_create_file_array($file_path) +{ + return [ + 'type' => mime_content_type($file_path), + 'tmp_name' => $file_path, + 'name' => basename($file_path), + 'size' => filesize($file_path), ]; } diff --git a/lib/template/header.php b/lib/template/header.php index 8be36c7..93f7e18 100644 --- a/lib/template/header.php +++ b/lib/template/header.php @@ -6,7 +6,7 @@ header('x-ua-compatible: ie=edge'); - <?php echo (true === empty($cfg['title']))? t('JI_WEB_RE') : $cfg['title']; ?> + <?php echo (true === empty($cfg['title'])) ? t('JI_WEB_RE') : $cfg['title']; ?> @@ -17,6 +17,6 @@ header('x-ua-compatible: ie=edge');

- +

diff --git a/script.php b/script.php index c0cee68..5f3bc6f 100644 --- a/script.php +++ b/script.php @@ -175,7 +175,7 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES) } if (strlen($d) > 0 && $d == $link['link_code']) { jirafeau_delete_link($link_name); - echo "Ok"; + echo 'Ok'; exit; } if ($link['time'] != JIRAFEAU_INFINITY && time() > $link['time']) { @@ -217,8 +217,8 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES) } elseif (isset($_GET['get_version'])) { echo JIRAFEAU_VERSION; } elseif (isset($_GET['lang'])) { - $l=$_GET['lang']; - if ($l == "bash") { + $l = $_GET['lang']; + if ($l == 'bash') { ?> #!/bin/bash -- 2.34.1 From c7a40125d620f159bef2f1979f3d43063961f73f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 14 Oct 2024 19:23:13 +0200 Subject: [PATCH 02/16] Skip single_space_around_construct check in CI --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e7a6227..a3e6a0d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ job_lint_app_81: - php composer.phar install script: &linter_script - ./vendor/bin/parallel-lint --exclude vendor . - - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12 + - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12,-single_space_around_construct # Run tests for php:7.4 job_lint_app_74: -- 2.34.1 From 9d1f580b9e6168927debdf0a072377532cf5463f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 14 Oct 2024 19:28:35 +0200 Subject: [PATCH 03/16] Added pipeline for PHP 8.2 --- .gitlab-ci.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a3e6a0d..fe75178 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
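Review bot: The delete-code check kept as context in the `@@ -175,7 +175,7 @@` hunk, `if (strlen($d) > 0 && $d == $link['link_code'])`, compares what appears to be a request-supplied value against a secret with `==`, which applies PHP's numeric-string rules (`'1e3' == '1000'` is true) and is not constant-time. `if (strlen($d) > 0 && hash_equals((string) $link['link_code'], (string) $d))` gives a strict, timing-safe comparison without changing the success path. The same loose operator is on the new line `if ($l == 'bash')` in the `@@ -217,8 +217,8 @@` hunk, where `===` is enough since `$_GET['lang']` is a string. Both enclosing blocks start before their hunks.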
@@ -3,9 +3,9 @@ cache: paths: - vendor/ -# Run tests for php:8.1 -job_lint_app_81: - image: php:8.1 +# Run tests for php:8.2 +job_lint_app_82: + image: php:8.2 before_script: &before_linter_script # Install git, the docker php image doesn't have it installed by default - apt-get update -yqq @@ -24,6 +24,12 @@ job_lint_app_81: - ./vendor/bin/parallel-lint --exclude vendor . - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12,-single_space_around_construct +# Run tests for php:8.1 +job_lint_app_81: + image: php:8.1 + before_script: *before_linter_script + script: *linter_script + # Run tests for php:7.4 job_lint_app_74: image: php:7.4 -- 2.34.1 From ca3530a0f3710ccd12247f008b3257d0c1ccd251 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sat, 19 Oct 2024 15:24:08 +0200 Subject: [PATCH 04/16] Build Docker images for linux/arm/v7, linux/arm64/v8 and linux/amd64 --- .gitlab-ci.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index fe75178..65d241e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -43,9 +43,7 @@ publish: - docker:dind script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" - - docker build -t $CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG . - # If we're on the default branch, also tag the image as latest - - docker build -t $CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG -t $CI_REGISTRY/$CI_REGISTRY_IMAGE:latest . - - docker push $CI_REGISTRY/$CI_REGISTRY_IMAGE --all-tags + - docker buildx create --use + - docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag $CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG --tag $CI_REGISTRY/$CI_REGISTRY_IMAGE:latest . only: - tags -- 2.34.1 From debc642fd652b05c5deb74c5588c97da62deab77 Mon Sep 17 00:00:00 2001 
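Review bot: The `publish` job's `docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"` line is carried over unchanged while the build steps beneath it are rewritten, and passing the registry password as a command-line argument exposes it to the runner's process list (Docker prints a warning about this form). Prefer `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. The same line is kept as context in the next commit, which adds comments to this job. A smaller point: the new `buildx build` moves `latest` on every tagged pipeline, and the removed comment suggests `latest` was meant for default-branch builds only, although the removed commands did not enforce that either; worth confirming which behaviour is intended.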
From: Patrick Canterino Date: Tue, 22 Oct 2024 20:17:59 +0200 Subject: [PATCH 05/16] Added some comments explaining the build job for the Docker image --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 65d241e..627ed17 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -42,8 +42,14 @@ publish: services: - docker:dind script: + # Login to GitLab's Docker registry - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" + # Create a new builder instance and switch to it - docker buildx create --use + # Build the image: + # 1. Build a Docker image for linux/arm/v7, linux/arm64/v8 and linux/amd64 + # 2. Tag it with the current commit tag and "latest" + # 3. Push it to GitLab's Docker registry - docker buildx build --push --platform linux/arm/v7,linux/arm64/v8,linux/amd64 --tag $CI_REGISTRY/$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG --tag $CI_REGISTRY/$CI_REGISTRY_IMAGE:latest . only: - tags -- 2.34.1 From 10042e82ac236401153b1d0ae6e690452b00ae4f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Fri, 25 Oct 2024 20:50:18 +0200 Subject: [PATCH 06/16] Added "one_time_download_preselected" to Docker options --- docker/docker_config.php | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/docker_config.php b/docker/docker_config.php index 976f366..75c6fb8 100644 --- a/docker/docker_config.php +++ b/docker/docker_config.php @@ -170,6 +170,7 @@ function run_setup(&$cfg) env_2_cfg_string($cfg, 'availability_default'); env_2_cfg_string($cfg, 'dark_style'); env_2_cfg_bool($cfg, 'one_time_download'); + env_2_cfg_bool($cfg, 'one_time_download_preselected'); env_2_cfg_bool($cfg, 'enable_crypt'); env_2_cfg_bool($cfg, 'debug'); env_2_cfg_int($cfg, 'maximal_upload_size'); -- 2.34.1 From 37a47dbd255874bcdfc14f2e7a5dc1461ddd145e Mon Sep 17 00:00:00 2001 
From: Patrick Canterino Date: Sun, 10 Nov 2024 14:03:40 +0100 Subject: [PATCH 07/16] Store filesize before encrypting the file This currently applies only for async uploads. Otherwise we would send the size of the encrypted file and the data of the unencrypted file. The encrypted file is usually larger than the unencrypted one. So the browser expects more data and aborts the download because it thinks it didn't receive all the data. --- lib/functions.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/functions.php b/lib/functions.php index 2843e29..9091af7 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -1197,6 +1197,11 @@ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_m return "Error: referenced file does not exist"; } + /* Store filesize before encrypting the file */ + /* Otherwise we would send the size of the encrypted file and the data of the unencrypted file */ + /* This would break some browsers */ + $size = filesize($p); + $crypted = false; $crypt_key = ''; if ($crypt == true && extension_loaded('sodium') == true) { @@ -1209,7 +1214,6 @@ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_m } $hash = jirafeau_hash_file($file_hash_method, $p); - $size = filesize($p); $np = s2p($hash); $delete_link_code = jirafeau_gen_random(5); -- 2.34.1 From 23a68ba6e720d9d9449ccea4dd366cb002b4aa0f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 10 Nov 2024 14:47:41 +0100 Subject: [PATCH 08/16] Updated Docker README --- docker/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/README.md b/docker/README.md index 33c9fc0..343c69e 100644 --- a/docker/README.md +++ b/docker/README.md 
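Review bot: The new `$size = filesize($p);` in `jirafeau_async_end` is not checked for `false`, which `filesize()` returns (with a warning) when the file cannot be stat'ed, so a transient failure would record `false` as the link's size instead of aborting like the `referenced file does not exist` check just above it. Add a guard in the same error style directly after it: `if ($size === false) { return 'Error: cannot read size of referenced file'; }`. The three consecutive one-line `/* */` comments would read better as one block, e.g. `/* Record the plaintext size before encryption: the encrypted file is larger, and the download sends decrypted data, so the size sent to the browser must describe the plaintext. */`. `jirafeau_async_end` starts and ends outside this hunk.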
@@ -2,7 +2,7 @@ ## Run Jirafeau through a pre-made Docker image -Jirafeau is a small PHP application so running it inside a docker container is pretty straightforward. +Jirafeau is a small PHP application so running it inside a Docker container is pretty straightforward. Container images are built for AMD64 and ARM64 systems and can be downloaded from our registry at `registry.gitlab.com`. ```shell docker pull registry.gitlab.com/jirafeau/jirafeau:latest @@ -49,6 +49,7 @@ Available options: - `DARK_STYLE`: apply a specific style for browsers in dark mode. - `AVAILABILITY_DEFAULT`: setup which availability shows by default. - `ONE_TIME_DOWNLOAD`: set to 1 or 0 to enable or disable one time downloads. +- `ONE_TIME_DOWNLOAD_PRESELECTED`: set to 1 or 0 to preselect the checkbox for one time downloads. - `ENABLE_CRYPT`: set to 1 or 0 to enable or disable server side encryption. - `DEBUG`: set to 1 or 0 to enable or disable debug mode. - `MAXIMAL_UPLOAD_SIZE`: maximal file size allowed (expressed in MB). @@ -86,7 +87,6 @@ It is also possible to put Jirafeau data into an already existing directory outs ```shell mkdir /tmp/jirafeau_data docker run -it --rm -p 8080:80 -v /tmp/jirafeau_data:/data registry.gitlab.com/jirafeau/jirafeau:latest - ``` ## Few notes -- 2.34.1 From 071702bff9dacc7269d3726eb61cf20238e64d23 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Fri, 22 Nov 2024 14:41:51 +0100 Subject: [PATCH 09/16] Updated Docker README --- docker/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker/README.md b/docker/README.md index 343c69e..10ee322 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -89,6 +89,8 @@ mkdir /tmp/jirafeau_data docker run -it --rm -p 8080:80 -v /tmp/jirafeau_data:/data registry.gitlab.com/jirafeau/jirafeau:latest ``` +Please note that the files and directories created in the directory outside the container will probably be owned by UID 100. + ## Few notes - `var-...` folder where lives all uploaded data is protected from direct access -- 2.34.1 From 471c7b967a8ca4efb933aa93a89665c1bb466706 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Fri, 22 Nov 2024 14:47:04 +0100 Subject: [PATCH 10/16] Updated CHANGELOG --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f55e08..11a3fcd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,9 +12,11 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. -## Current snapshots +## Version 4.6.1 (not yet released) - Removed the download button and the corresponding link for encrypted files from the admin interface +- Fixed an issue with sending the wrong filesize after decrypting an encrypted file +- We now provide Docker images for AMD64 and ARM64 systems - Lots of code refactoring and cleanup - Few more little fixes - Typo and spelling mistakes -- 2.34.1 From 62b537d70111349385342d657034a9e26731ca51 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Fri, 22 Nov 2024 15:56:24 +0100 Subject: [PATCH 11/16] Removed references to weblate --- AUTHORS.md | 1 - CONTRIBUTING.md | 5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/AUTHORS.md b/AUTHORS.md index a5d94ae..a8e247e 100644 --- a/AUTHORS.md +++ b/AUTHORS.md 
@@ -106,7 +106,6 @@ This is a list of people who contributed to Jirafeau over the years. The list wa - Vasilis Giann - Victor Lamoine - Viktar Vauchkevich -- Weblate - Wim Livens - Yaron Shahrabani - YFdyh000 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c80c1cd..bde45e8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -54,11 +54,11 @@ view only to show the most important files and their role. ## Translations -Translation may be added via [Jirafeau's Weblate](https://hosted.weblate.org/projects/jirafeau/master/). +Translations may be added by creating a new JSON file under `locales` and submitting a merge request. ## Coding style -- This project follows the [PSR-2](http://www.php-fig.org/psr/psr-2/) Coding Style +- This project follows the [PSR-12](https://www.php-fig.org/psr/psr-12/) coding style - Files must be in UTF-8 without BOM and use Unix Line Endings (LF) ## Branches @@ -90,7 +90,6 @@ Quick walkthrough: ## New Releases -* Fetch weblate and rebase and import translations * If the release is not done for security purposes: create a new issue and freeze next-release branch for at least week. * Compare the [`next-release` branch to `master`](https://gitlab.com/jirafeau/Jirafeau/compare/master...next-release) * Add a list of noteworthy features and bugfixes to `CHANGELOG.md` -- 2.34.1 From e1740d86dfd1ee8c5bc02321984e6666bc71266f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 25 Nov 2024 17:24:07 +0100 Subject: [PATCH 12/16] Fixed footer ("designed by") --- lib/template/footer.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/template/footer.php b/lib/template/footer.php index 637ce42..64132c7 100644 --- a/lib/template/footer.php +++ b/lib/template/footer.php @@ -4,14 +4,18 @@ ' . t('JI_PROJECT') . '' . - '

' . t('DESIGNED') . ' ' . $cfg['contactperson'] . '

' . ' (AGPL-3.0)'; ?> | '; + echo ' ' . t('DESIGNED') . ' ' . $cfg['organisation']; + } + echo ' | '; - echo '' . t('TOS') . ''; + echo '' . t('TOS') . ''; } ?>
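Review bot: The new line `echo ' ' . t('DESIGNED') . ' ' . $cfg['organisation'];` in footer.php writes a configuration value into the HTML without escaping, whereas other output in this series goes through `jirafeau_escape()` (see `jirafeau_admin_list_table`). The value is admin-controlled, so the exposure is limited, but `jirafeau_escape($cfg['organisation'])` keeps the escaping rule uniform and prevents a `<` or `&` in the configured name from breaking the markup; the `<title>` output of `$cfg['title']` in header.php, touched in the first commit, has the same shape. The surrounding `echo` chain in this hunk is only partly recoverable here, so the exact context is inferred.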

-- 2.34.1 From 6cfca8753d54e2025c6020b2af32529e25f58c66 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 1 Dec 2024 15:05:34 +0100 Subject: [PATCH 13/16] Made check for MIME type "image/svg+xml" case insensitive It was possible to bypass this check by sending a manipulated HTTP request with a MIME type like "image/svg+XML". This check was originally implemented to address CVE-2022-30110. Reported by: - Yann CAM (ycam) (https://yann.cam/) - Georges TAUPIN (jo) (https://www.georgestaupin.com/) --- lib/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/functions.php b/lib/functions.php index 9091af7..0372507 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime) if (!empty($mime)) { $viewable = array('image', 'video', 'audio'); $decomposed = explode('/', $mime); - if (in_array($decomposed[0], $viewable) && strpos($mime, 'image/svg+xml') === false) { + if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) { return true; } $viewable = array('text/plain'); -- 2.34.1 From 57b10c2bca7fd2727c3eb131bf4d7030094781ed Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 1 Dec 2024 15:25:15 +0100 Subject: [PATCH 14/16] Updated CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11a3fcd..31b9ec0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ - Removed the download button and the corresponding link for encrypted files from the admin interface - Fixed an issue with sending the wrong filesize after decrypting an encrypted file +- Fixed the possibility to bypass the check for CVE-2022-30110 (prevent preview of SVG images) by sending a manipulated HTTP request with a MIME type like "image/svg+XML". - We now provide Docker images for AMD64 and ARM64 systems - Lots of code refactoring and cleanup - Few more little fixes -- 2.34.1 
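Review bot: The `stripos($mime, 'image/svg+xml') === false` test in `jirafeau_is_viewable` closes the reported case-variant bypass, but the check remains a substring denylist applied to a string the commit message describes as client-controlled, so the decision still hangs on one exact spelling. A more robust shape is to normalize once and then allowlist: `$type = strtolower(trim(explode(';', $mime, 2)[0]));` followed by `$decomposed = explode('/', $type);` and `in_array($decomposed[0], $viewable, true) && $type !== 'image/svg+xml'`, which also gives the visible `in_array` call the strict flag. Whether the stored type is later re-derived server-side is not visible here (the series uses `mime_content_type()` for local files); if it comes straight from the upload request, deciding viewability from a server-side detection would remove the client's influence entirely. The function starts and ends outside this hunk.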
From 3d007ac30c40c8262fa259bcc8e8a1cabba1d9ef Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 1 Dec 2024 15:25:51 +0100 Subject: [PATCH 15/16] Jirafeau 4.6.1 is ready --- CHANGELOG.md | 2 +- lib/settings.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31b9ec0..8a63821 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. -## Version 4.6.1 (not yet released) +## Version 4.6.1 - Removed the download button and the corresponding link for encrypted files from the admin interface - Fixed an issue with sending the wrong filesize after decrypting an encrypted file diff --git a/lib/settings.php b/lib/settings.php index cbdfaff..f0f193e 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -43,7 +43,7 @@ if ($cfg['debug'] === true) { /* Jirafeau package */ define('JIRAFEAU_PACKAGE', 'Jirafeau'); -define('JIRAFEAU_VERSION', '4.6.x-dev'); +define('JIRAFEAU_VERSION', '4.6.1'); define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau'); -- 2.34.1 From 233f1f25a00926f0a74650856fd431357690ed2b Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 1 Dec 2024 15:27:35 +0100 Subject: [PATCH 16/16] Updated CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a63821..13564df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -21,6 +21,7 @@ - Lots of code refactoring and cleanup - Few more little fixes - Typo and spelling mistakes +- Upgrade from 4.6.0: in-place upgrade New configuration items: - `one_time_download_preselected` for preselecting the checkbox for deleting the file after the first download @@ -35,6 +36,7 @@ New configuration items: - Removed usage of deprecated `strftime()` function - Few more little fixes - Typo and spelling mistakes +- Upgrade from 4.5.0: in-place upgrade New configuration items: - `download_password_requirement`, `download_password_gen_len`, `download_password_gen_chars`, `download_password_policy` and `download_password_policy_regex` for configuring file download passwords -- 2.34.1