From 10042e82ac236401153b1d0ae6e690452b00ae4f Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Fri, 25 Oct 2024 20:50:18 +0200
Subject: [PATCH 01/11] Added "one_time_download_preselected" to Docker options
---
docker/docker_config.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/docker/docker_config.php b/docker/docker_config.php
index 976f366..75c6fb8 100644
--- a/docker/docker_config.php
+++ b/docker/docker_config.php
@@ -170,6 +170,7 @@ function run_setup(&$cfg)
env_2_cfg_string($cfg, 'availability_default');
env_2_cfg_string($cfg, 'dark_style');
env_2_cfg_bool($cfg, 'one_time_download');
+ env_2_cfg_bool($cfg, 'one_time_download_preselected');
env_2_cfg_bool($cfg, 'enable_crypt');
env_2_cfg_bool($cfg, 'debug');
env_2_cfg_int($cfg, 'maximal_upload_size');
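Review bot: the new `one_time_download_preselected` option is read from the environment here, but nothing in this commit documents the corresponding `ONE_TIME_DOWNLOAD_PRESELECTED` variable in docker/README.md or says how it relates to the `one_time_download` option read on the line above; add the README entry in the same commit and state whether the preselection has any effect when `one_time_download` is disabled.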
--
2.34.1
From 23a68ba6e720d9d9449ccea4dd366cb002b4aa0f Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 10 Nov 2024 14:47:41 +0100
Subject: [PATCH 02/11] Updated Docker README
---
docker/README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/README.md b/docker/README.md
index 33c9fc0..343c69e 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -2,7 +2,7 @@
## Run Jirafeau through a pre-made Docker image
-Jirafeau is a small PHP application so running it inside a docker container is pretty straightforward.
+Jirafeau is a small PHP application so running it inside a Docker container is pretty straightforward. Container images are built for AMD64 and ARM64 systems and can be downloaded from our registry at `registry.gitlab.com`.
```shell
docker pull registry.gitlab.com/jirafeau/jirafeau:latest
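Review bot: the pull example still uses the `:latest` tag while the new sentence advertises multi-architecture images; since operators deploying from a registry usually want reproducible upgrades, mention that release-specific tags (or an image digest) can be pinned instead of `:latest`, and name the tag scheme the registry publishes.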
@@ -49,6 +49,7 @@ Available options:
- `DARK_STYLE`: apply a specific style for browsers in dark mode.
- `AVAILABILITY_DEFAULT`: setup which availability shows by default.
- `ONE_TIME_DOWNLOAD`: set to 1 or 0 to enable or disable one time downloads.
+- `ONE_TIME_DOWNLOAD_PRESELECTED`: set to 1 or 0 to preselect the checkbox for one time downloads.
- `ENABLE_CRYPT`: set to 1 or 0 to enable or disable server side encryption.
- `DEBUG`: set to 1 or 0 to enable or disable debug mode.
- `MAXIMAL_UPLOAD_SIZE`: maximal file size allowed (expressed in MB).
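Review bot: the new `ONE_TIME_DOWNLOAD_PRESELECTED` line does not say how it interacts with `ONE_TIME_DOWNLOAD` directly above it; add a clause such as "only meaningful when `ONE_TIME_DOWNLOAD` is 1" (or whatever the actual behaviour is) so readers do not enable the preselection without the feature it preselects.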
@@ -86,7 +87,6 @@ It is also possible to put Jirafeau data into an already existing directory outs
```shell
mkdir /tmp/jirafeau_data
docker run -it --rm -p 8080:80 -v /tmp/jirafeau_data:/data registry.gitlab.com/jirafeau/jirafeau:latest
-
```
## Few notes
--
2.34.1
From 071702bff9dacc7269d3726eb61cf20238e64d23 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Fri, 22 Nov 2024 14:41:51 +0100
Subject: [PATCH 03/11] Updated Docker README
---
docker/README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/docker/README.md b/docker/README.md
index 343c69e..10ee322 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -89,6 +89,8 @@ mkdir /tmp/jirafeau_data
docker run -it --rm -p 8080:80 -v /tmp/jirafeau_data:/data registry.gitlab.com/jirafeau/jirafeau:latest
```
+Please note that the files and directories created in the directory outside the container will probably be owned by UID 100.
+
## Few notes
- `var-...` folder where lives all uploaded data is protected from direct access
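Review bot: "will probably be owned by UID 100" is too vague for a README; state which user the web server and PHP processes run as inside the image and that this UID normally has no matching account on the host, then give the operator a concrete way to handle it (for example, `chown` the bind-mounted directory to that UID before the first start, or run the container with a user mapping of their choice).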
--
2.34.1
From 471c7b967a8ca4efb933aa93a89665c1bb466706 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Fri, 22 Nov 2024 14:47:04 +0100
Subject: [PATCH 04/11] Updated CHANGELOG
---
CHANGELOG.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f55e08..11a3fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,9 +12,11 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
-## Current snapshots
+## Version 4.6.1 (not yet released)
- Removed the download button and the corresponding link for encrypted files from the admin interface
+- Fixed an issue with sending the wrong filesize after decrypting an encrypted file
+- We now provide Docker images for AMD64 and ARM64 systems
- Lots of code refactoring and cleanup
- Few more little fixes
- Typo and spelling mistakes
--
2.34.1
From 62b537d70111349385342d657034a9e26731ca51 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Fri, 22 Nov 2024 15:56:24 +0100
Subject: [PATCH 05/11] Removed references to weblate
---
AUTHORS.md | 1 -
CONTRIBUTING.md | 5 ++---
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/AUTHORS.md b/AUTHORS.md
index a5d94ae..a8e247e 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -106,7 +106,6 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
- Vasilis Giann
- Victor Lamoine
- Viktar Vauchkevich
-- Weblate
- Wim Livens
- Yaron Shahrabani
- YFdyh000
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index c80c1cd..bde45e8 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -54,11 +54,11 @@ view only to show the most important files and their role.
## Translations
-Translation may be added via [Jirafeau's Weblate](https://hosted.weblate.org/projects/jirafeau/master/).
+Translations may be added by creating a new JSON file under `locales` and submitting a merge request.
## Coding style
-- This project follows the [PSR-2](http://www.php-fig.org/psr/psr-2/) Coding Style
+- This project follows the [PSR-12](https://www.php-fig.org/psr/psr-12/) coding style
- Files must be in UTF-8 without BOM and use Unix Line Endings (LF)
## Branches
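Review bot: the PSR-2 to PSR-12 change in the "Coding style" section is unrelated to the commit's stated purpose ("Removed references to weblate"); either split it into its own commit or mention it in the commit message, so that a change to the project's coding-style policy is not hidden inside a housekeeping commit.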
@@ -90,7 +90,6 @@ Quick walkthrough:
## New Releases
-* Fetch weblate and rebase and import translations
* If the release is not done for security purposes: create a new issue and freeze next-release branch for at least week.
* Compare the [`next-release` branch to `master`](https://gitlab.com/jirafeau/Jirafeau/compare/master...next-release)
* Add a list of noteworthy features and bugfixes to `CHANGELOG.md`
--
2.34.1
From e1740d86dfd1ee8c5bc02321984e6666bc71266f Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 25 Nov 2024 17:24:07 +0100
Subject: [PATCH 06/11] Fixed footer ("designed by")
---
lib/template/footer.php | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/template/footer.php b/lib/template/footer.php
index 637ce42..64132c7 100644
--- a/lib/template/footer.php
+++ b/lib/template/footer.php
@@ -4,14 +4,18 @@
' . t('JI_PROJECT') . '' .
- ' ' . t('DESIGNED') . ' ' . $cfg['contactperson'] . '
' .
' (AGPL-3.0)';
?>
| ';
+ echo ' ' . t('DESIGNED') . ' ' . $cfg['organisation'];
+ }
+
echo ' | ';
- echo '' . t('TOS') . '';
+ echo '' . t('TOS') . '';
}
?>
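Review bot: the commit message says only "Fixed footer", but the hunk changes which configuration key is printed after `t('DESIGNED')` from `$cfg['contactperson']` to `$cfg['organisation']` and makes the output conditional; state the reason in the commit message. Since `$cfg['organisation']` is concatenated straight into the HTML output (`echo ' ' . t('DESIGNED') . ' ' . $cfg['organisation'];`), passing it through `htmlspecialchars()` would keep the template consistent with escaping configuration values before output, even though the value is administrator-controlled.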
--
2.34.1
From 6cfca8753d54e2025c6020b2af32529e25f58c66 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 1 Dec 2024 15:05:34 +0100
Subject: [PATCH 07/11] Made check for MIME type "image/svg+xml" case
insensitive
It was possible to bypass this check by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
This check was originally implemented to address CVE-2022-30110.
Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Georges TAUPIN (jo) (https://www.georgestaupin.com/)
---
lib/functions.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/functions.php b/lib/functions.php
index 9091af7..0372507 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -623,7 +623,7 @@ function jirafeau_is_viewable($mime)
if (!empty($mime)) {
$viewable = array('image', 'video', 'audio');
$decomposed = explode('/', $mime);
- if (in_array($decomposed[0], $viewable) && strpos($mime, 'image/svg+xml') === false) {
+ if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {
return true;
}
$viewable = array('text/plain');
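Review bot: the switch from `strpos()` to `stripos()` closes the reported mixed-case bypass, but the commit adds no regression test; add a test for `jirafeau_is_viewable()` that asserts `false` for `"image/svg+xml"` and for mixed-case spellings such as `"image/svg+XML"` while still asserting `true` for an ordinary image type, so the case-sensitivity regression cannot silently return. Because the commit message notes that the MIME type comes from the client's HTTP request, the test should feed the function the raw client-supplied string rather than a normalised one, and it is worth a comment above the check recording that it exists for CVE-2022-30110 and must stay case-insensitive.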
--
2.34.1
From 57b10c2bca7fd2727c3eb131bf4d7030094781ed Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 1 Dec 2024 15:25:15 +0100
Subject: [PATCH 08/11] Updated CHANGELOG
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 11a3fcd..31b9ec0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@
- Removed the download button and the corresponding link for encrypted files from the admin interface
- Fixed an issue with sending the wrong filesize after decrypting an encrypted file
+- Fixed the possibility to bypass the check for CVE-2022-30110 (prevent preview of SVG images) by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
- We now provide Docker images for AMD64 and ARM64 systems
- Lots of code refactoring and cleanup
- Few more little fixes
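Review bot: the CHANGELOG entry does not credit the reporters named in the commit message of the fix (Yann CAM and Georges TAUPIN); release notes for a security fix usually carry that credit, and it would help operators prioritise the upgrade if the 4.6.1 section were flagged as a security release rather than listing the bypass among ordinary fixes.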
--
2.34.1
From 3d007ac30c40c8262fa259bcc8e8a1cabba1d9ef Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 1 Dec 2024 15:25:51 +0100
Subject: [PATCH 09/11] Jirafeau 4.6.1 is ready
---
CHANGELOG.md | 2 +-
lib/settings.php | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31b9ec0..8a63821 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
-## Version 4.6.1 (not yet released)
+## Version 4.6.1
- Removed the download button and the corresponding link for encrypted files from the admin interface
- Fixed an issue with sending the wrong filesize after decrypting an encrypted file
diff --git a/lib/settings.php b/lib/settings.php
index cbdfaff..f0f193e 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -43,7 +43,7 @@ if ($cfg['debug'] === true) {
/* Jirafeau package */
define('JIRAFEAU_PACKAGE', 'Jirafeau');
-define('JIRAFEAU_VERSION', '4.6.x-dev');
+define('JIRAFEAU_VERSION', '4.6.1');
define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau');
--
2.34.1
From 233f1f25a00926f0a74650856fd431357690ed2b Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 1 Dec 2024 15:27:35 +0100
Subject: [PATCH 10/11] Updated CHANGELOG
---
CHANGELOG.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a63821..13564df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
- Lots of code refactoring and cleanup
- Few more little fixes
- Typo and spelling mistakes
+- Upgrade from 4.6.0: in-place upgrade
New configuration items:
- `one_time_download_preselected` for preselecting the checkbox for deleting the file after the first download
@@ -35,6 +36,7 @@ New configuration items:
- Removed usage of deprecated `strftime()` function
- Few more little fixes
- Typo and spelling mistakes
+- Upgrade from 4.5.0: in-place upgrade
New configuration items:
- `download_password_requirement`, `download_password_gen_len`, `download_password_gen_chars`, `download_password_policy` and `download_password_policy_regex` for configuring file download passwords
--
2.34.1
From ef82d9482cca75efe13a50198677073be9e91d5f Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 1 Dec 2024 15:33:14 +0100
Subject: [PATCH 11/11] Begin a new release cycle
---
CHANGELOG.md | 4 ++++
lib/settings.php | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13564df..2ab4d40 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,10 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
+## Version 4.6.x (not yet released)
+
+- ...
+
## Version 4.6.1
- Removed the download button and the corresponding link for encrypted files from the admin interface
diff --git a/lib/settings.php b/lib/settings.php
index f0f193e..cbdfaff 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -43,7 +43,7 @@ if ($cfg['debug'] === true) {
/* Jirafeau package */
define('JIRAFEAU_PACKAGE', 'Jirafeau');
-define('JIRAFEAU_VERSION', '4.6.1');
+define('JIRAFEAU_VERSION', '4.6.x-dev');
define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau');
--
2.34.1