From 880e59e188149478221d2af9f76599ac07ff843b Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 29 Apr 2020 10:17:57 +0200 Subject: [PATCH 01/16] support mcrypt --- Dockerfile | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index 569a0fa..848048d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,24 +1,38 @@ FROM php:7.3-fpm-alpine MAINTAINER "Jérôme Jutteau " +ARG USER_UID=0 +# install base RUN apk update && \ - apk add lighttpd git && \ ln -snf /usr/share/zoneinfo/Etc/UTC /etc/localtime && \ - echo "UTC" > /etc/timezone && \ - mkdir -p /usr/local/etc/php / && \ - mkdir /www + echo "UTC" > /etc/timezone -WORKDIR /www +# install jirafou +RUN mkdir /www +WORKDIR /www COPY .git .git -RUN git reset --hard && rm -rf .git .gitignore .gitlab-ci.yml CONTRIBUTING.md Dockerfile README.md +RUN apk add git && \ + git reset --hard && rm -rf .git .gitignore .gitlab-ci.yml CONTRIBUTING.md Dockerfile README.md && \ + apk del git && \ + chown -R $USER_UID /www && \ + chmod o=,ug=rwX -R /www && \ + chmod +x docker/cleanup + + +# install lighttpd +RUN apk add lighttpd php7-mcrypt && \ + echo "extension=/usr/lib/php7/modules/mcrypt.so" > /usr/local/etc/php/conf.d/mcrypt.ini && \ + chown -R $USER_UID /var/log/lighttpd && \ + chmod oug=rwX /run && \ + mkdir -p /usr/local/etc/php COPY docker/php.ini /usr/local/etc/php/php.ini COPY docker/lighttpd.conf /etc/lighttpd/lighttpd.conf -RUN chown -R www-data. . && \ - chmod o=,ug=rwX -R . && \ - apk del git && \ - rm -rf /var/cache/apk/* -CMD php-fpm -D && lighttpd -D -f /etc/lighttpd/lighttpd.conf +# cleanup +RUN rm -rf /var/cache/apk/* + + +CMD /www/docker/cleanup & php-fpm -D && lighttpd -D -f /etc/lighttpd/lighttpd.conf EXPOSE 80 -- 2.34.1 From b7cba998a553a2c2050a44161c08e2cdb507b514 Mon Sep 17 00:00:00 2001 
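Review bot: In the Dockerfile hunk of PATCH 01, `chmod oug=rwX /run` makes /run writable by every user in the container with no sticky bit, so any process can remove or replace the lighttpd pid file that docker/lighttpd.conf keeps there. Giving the directory to the service user, e.g. `chown $USER_UID /run`, is narrower. With the default `USER_UID=0`, /www ends up owned by root with `o=` where the old code ran `chown -R www-data.`; either the PHP workers run as root, or, if the base image's pool still uses www-data (not visible here), they lose access to /www. The new `apk add` calls also leave the package index in their layers, because `rm -rf /var/cache/apk/*` runs in a later `RUN`; `apk add --no-cache lighttpd php7-mcrypt` avoids that.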
From: Your Name Date: Wed, 29 Apr 2020 11:11:36 +0200 Subject: [PATCH 02/16] dayly cleanup --- docker/cleanup | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100755 docker/cleanup diff --git a/docker/cleanup b/docker/cleanup new file mode 100755 index 0000000..2d2697e --- /dev/null +++ b/docker/cleanup @@ -0,0 +1,9 @@ +#!/bin/sh -e + +while true +do + php /www/admin.php clean_expired + php /www/admin.php clean_async + # wait 24 hours + sleep 86400 +done \ No newline at end of file -- 2.34.1 From e91b93baaaa5e4bb1baa2e565c2db4776c211039 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 29 Apr 2020 11:50:20 +0200 Subject: [PATCH 03/16] unprivilidged user, port 8080, docs --- Dockerfile | 2 +- docker/README.md | 15 ++++++++++++--- docker/lighttpd.conf | 5 +++-- 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 848048d..e88b532 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM php:7.3-fpm-alpine MAINTAINER "Jérôme Jutteau " -ARG USER_UID=0 +ARG USER_UID=2009 # install base RUN apk update && \ diff --git a/docker/README.md b/docker/README.md index 5dc4c2c..432c351 100644 --- a/docker/README.md +++ b/docker/README.md 
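Review bot: The `-e` on the shebang of docker/cleanup ends the loop the first time either `php /www/admin.php ...` call exits non-zero. Because the Dockerfile starts the script with `&` inside `CMD`, nothing restarts it or reports that expired files are no longer being purged. Handle the failure per command and drop `-e`, for example `php /www/admin.php clean_expired || echo "clean_expired failed" >&2`. A header comment saying that the script is meant to run in the background for the lifetime of the container would also help.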
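Review bot: Changing the default to `ARG USER_UID=2009` in PATCH 03 only affects the `chown` calls. None of the Dockerfile hunks in this series adds a `USER` instruction, so the processes started by `CMD` still run as root unless the container is launched with an explicit user. That contradicts the new README text saying Jirafeau runs as user id 2009. The docker/lighttpd.conf hunk of the same patch also comments out `server.username`/`server.groupname`, which removes lighttpd's own privilege drop. Consider adding `USER $USER_UID` before `CMD`; the rest of the Dockerfile is outside this hunk.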
@@ -20,17 +20,26 @@ docker build -t mojo42/jirafeau:latest . Once you have your Jirafeau's image, you can run a quick & dirty Jirafeau using: ``` -docker run -d -p 8000:80 mojo42/jirafeau +docker run -d -p 8080:8080 mojo42/jirafeau ``` -and then connect on [locahost:8000](http://localhost:8000) and proceed to installation. +and then connect on [locahost:8080](http://localhost:8080) and proceed to installation. An other way to run Jirafeau (in a more controlled way) is to mount your Jirafeau's reprository in /www folder so your data are outside the container. This way, you will be able to easily make backups, upgrade Jirafeau, change configuration and develop Jirafeau. ``` -docker run -d -p 8000:80 -v$(pwd):/www mojo42/jirafeau +docker run -d -p 8080:8080 -v$(pwd):/www mojo42/jirafeau ``` There are also other ways to manage your container (like docker's volumes) but this is out of the scope of this documentation. +## Security + +Jirafeau is run without privilidges with user id 2009. To make it able to open privilidged ports you can pass the capability, just stay with 8080 and use a reverse proxy or map the port 80:8080. +``` +docker run -d -p 80:80 --sysctl net.ipv4.ip_unprivileged_port_start=80 mojo42/jirafeau +docker run -d -p 8080:8080 mojo42/jirafeau +docker run -d -p 80:8080 mojo42/jirafeau +``` + ## Few notes - SSL is currently not enabled in docker's image for the moment diff --git a/docker/lighttpd.conf b/docker/lighttpd.conf index 0e4bb5d..b7032d9 100644 --- a/docker/lighttpd.conf +++ b/docker/lighttpd.conf @@ -2,6 +2,7 @@ var.basedir = "/www" var.logdir = "/var/log/lighttpd" var.statedir = "/var/lib/lighttpd" +server.port = 8080 server.modules = ( "mod_access", "mod_usertrack", 
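Review bot: `server.port = 8080` in docker/lighttpd.conf is not matched in the Dockerfile, whose last visible version (PATCH 01) still ends with `EXPOSE 80`; change that to `EXPOSE 8080` in the same commit. Because the port is fixed in the config, the README example `-p 80:80 --sysctl net.ipv4.ip_unprivileged_port_start=80` added by this patch would publish a port that nothing listens on, as far as these hunks show. A short comment such as `# unprivileged port, so lighttpd can bind without root` would record why 8080 was chosen.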
@@ -12,8 +13,8 @@ server.modules = ( include "mime-types.conf" include "mod_fastcgi_fpm.conf" -server.username = "lighttpd" -server.groupname = "lighttpd" +#server.username = "lighttpd" +#server.groupname = "lighttpd" server.pid-file = "/run/lighttpd.pid" server.errorlog = var.logdir + "/error.log" -- 2.34.1 From 7991901d3f74146678b9f9c64b66aca2b3fae2e4 Mon Sep 17 00:00:00 2001 From: flsabourin Date: Fri, 10 Apr 2020 01:00:20 +0200 Subject: [PATCH 04/16] Add Upload password capabilities --- script.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/script.php b/script.php index 105023f..695f6db 100644 --- a/script.php +++ b/script.php @@ -229,6 +229,7 @@ url='' # Or set JIRAFEAU_URL. time='' # Or set JIRAFEAU_TIME. one_time='' # Or set JIRAFEAU_ONE_TIME. curl='' # Or set JIRAFEAU_CURL_PATH. +upload_password='' # Or set JIRAFEAU_UPLOAD_PASSWD # Config end if [ -n "$JIRAFEAU_PROXY" ]; then @@ -251,6 +252,10 @@ if [ -n "$JIRAFEAU_ONE_TIME" ]; then one_time='1' fi +if [ -n "$UPLOAD_PASSWD" ]; then + upload_password="$JIRAFEAU_UPLOAD_PASSWORD" +fi + if [ -z "$curl" ]; then curl="$JIRAFEAU_CURL_PATH" fi @@ -285,6 +290,7 @@ if [ -z "$2" ]; then echo " JIRAFEAU_TIME : expiration time, eg. »minute«, »hour«, »day«, »week«, »month«, »quarter«, »year« or »none«" echo " JIRAFEAU_ONE_TIME : self-destroy after first download, eg. »1« to enable or »« (empty) to disable" echo " JIRAFEAU_CURL : alternative path to curl binary" + echo " JIRAFEAU_UPLOAD_PASSWD : upload password" exit 0 fi @@ -298,6 +304,10 @@ if [ -n "$one_time" ]; then options="$options -F one_time_download=1" fi +f [ -n "$upload_password" ]; then + options="$options -F upload_password=$upload_password" +fi + password='' if [ -n "$3" ]; then password="$3" -- 2.34.1 From cd4892472b534b68a094ea582f79efc27dda3924 Mon Sep 17 00:00:00 2001 
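Review bot: In the script.php hunk at `@@ -251,6 +252,10 @@` (PATCH 04), the new test reads `$UPLOAD_PASSWD` and then assigns from `$JIRAFEAU_UPLOAD_PASSWORD`, while the config comment and the help text added in the neighbouring hunks both document `JIRAFEAU_UPLOAD_PASSWD`. As written, setting the documented variable has no effect and the upload password is silently left empty. Use one name throughout: `if [ -n "$JIRAFEAU_UPLOAD_PASSWD" ]; then` and `upload_password="$JIRAFEAU_UPLOAD_PASSWD"`.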
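Review bot: The last script.php hunk of PATCH 04 (`@@ -298,6 +304,10 @@`) opens its block with `f [ -n "$upload_password" ]; then`, which is a syntax error in the generated shell script; it should read `if [ -n "$upload_password" ]; then`. The value is also appended unquoted in `options="$options -F upload_password=$upload_password"`. If `$options` is later expanded unquoted into the curl call (not visible in this hunk), a password containing spaces or glob characters is split or expanded into separate arguments. Passing the secret on the command line also exposes it to other local users through the process list, which is worth a line in the help text.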
From: =?utf8?q?Allan=20Nordh=C3=B8y?= Date: Mon, 29 Jun 2020 03:56:52 +0000 Subject: [PATCH 05/16] Spelling: Apostrophe added, bangs removed --- lib/locales/en.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/locales/en.json b/lib/locales/en.json index 412f377..b14ac03 100644 --- a/lib/locales/en.json +++ b/lib/locales/en.json @@ -25,9 +25,9 @@ "UP_PSW": "Upload password", "2_BIG": "The file is too big", "FILE_LIM": "File size limited to", - "FILE_DIR_W": "The file directory is not writable!", - "LINK_DIR_W": "The link directory is not writable!", - "ASYNC_DIR_W": "The async directory is not writable!", + "FILE_DIR_W": "The file directory is not writable.", + "LINK_DIR_W": "The link directory is not writable.", + "ASYNC_DIR_W": "The async directory is not writable.", "INSTALL_SCRIPT_HERE": "Installer script still present", "ERR_OCC": "An error occurred.", "FILE_UP": "File uploaded.", @@ -60,7 +60,7 @@ "GIMME_W": "You should give the write permission to the web server on this directory.", "HERE_SOLUTION": "Here is a solution", "CONF_SOLUTION": "The local configuration file could not be created. Create a lib/config.local.php file and grant write permission to the web server (preferred solution), or grant write permission to the web server in the lib directory.", - "CONF_SOLUTION_2": "The local configuration is not writable by the web server. Grant write permission to the web server in the 'lib/config.local.php file.", + "CONF_SOLUTION_2": "The local configuration is not writable by the web server. Grant write permission to the web server in the 'lib/config.local.php' file.", "JI_INSTALL": "Installation of Jirafeau", "STEP": "step", "OUT_OF": "out of", -- 2.34.1 From 9d07b167c00155c1d60041f02ccd2f5293940aa5 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 21:09:42 +0100 Subject: [PATCH 06/16] Ignore file starting with dot (commit from @Indigo744) --- .gitignore | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/.gitignore b/.gitignore index c1bcf70..9241e2f 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,8 @@ var-* *._* /vendor .idea/ + +# Ignore file starting with dot, but keep others +.* +!.gitlab-ci.yml +!.gitignore \ No newline at end of file -- 2.34.1 From a9ab012f12e417222a082bbb80515c781601e7a2 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 21:16:30 +0100 Subject: [PATCH 07/16] [TASK] remove outdated comment fixes #232 --- script.php | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/script.php b/script.php index 695f6db..791e950 100644 --- a/script.php +++ b/script.php @@ -17,11 +17,8 @@ * along with this program. If not, see . */ -/* - * This file permits to easyly script file sending, receiving, deleting, ... - * If you don't want this feature, you can simply delete this file from your - * web directory. - */ +/* This file offer a kind of API for jirafeau. */ + define('JIRAFEAU_ROOT', dirname(__FILE__) . '/'); require(JIRAFEAU_ROOT . 'lib/settings.php'); -- 2.34.1 From eff708d9f129fd6919401d77e1ad99966849ef8e Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 21:20:11 +0100 Subject: [PATCH 08/16] [TASK] fix documentation closes #229 Signed-off-by: Jerome Jutteau --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 615c3ea..416ffcc 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,7 @@ Installation steps: - The script will redirect to you to a minimal installation wizard to set up all required options - All optional parameters may be set in ```lib/config.local.php```, take a look at ```lib/config.original.php``` to see all default values - B) Setup without the installation wizard (cli): - - Just copy ```config.original.php``` to ```config.local.php``` and customize it + - Just copy ```lib/config.original.php``` to ```lib/config.local.php``` and customize it ## Upgrade 
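Review bot: The replacement header comment in script.php (PATCH 07) drops the advice to delete the file but no longer says what depends on it. The lib/functions.js.php hunks later in this series post uploads to `script.php`, so the web interface appears to need it. I would state that and fix the grammar: `/* This file offers the HTTP API used by the web interface and by scripts; do not remove it. */`. That tells an operator who wants to reduce exposure that removing the file is not an option and that access has to be restricted by other means.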
@@ -143,7 +143,7 @@ If you have some troubles, consider the following cases ## Security -```var``` directory contain all files and links. It is randomly named to limit access but you may add better protection to prevent un-authorized access to it. +```var``` directory contains all files and links. It is randomly named to limit access but you may add better protection to prevent un-authorized access to it. You have several options: - Configure a ```.htaccess``` - Move var folder to a place on your server which can't be directly accessed -- 2.34.1 From 2e4d09c8651f80fc4272803602bd813269618383 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 21:37:35 +0100 Subject: [PATCH 09/16] [BUGFIX] fixing upload speed units closes #225 Signed-off-by: Jerome Jutteau --- lib/functions.js.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/functions.js.php b/lib/functions.js.php index b2580b5..8ce56d3 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -623,17 +623,17 @@ function upload_time_estimation_speed_string() if (s <= 1000) { res = s.toString(); - scale = "Bit/s"; + scale = "B/s"; } else if (s < 1000000) { res = Math.floor(s/100) / 10; - scale = "KBit/s"; + scale = "KB/s"; } else { res = Math.floor(s/100000) / 10; - scale = "Mbit/s"; + scale = "MB/s"; } if (res == 0) return ''; -- 2.34.1 From 78a1c41c40bb216e3879220fc544f8ae816d3c1b Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 21:41:14 +0100 Subject: [PATCH 10/16] =?utf8?q?[TASK]=20fix=20email=20of=20J=C3=A9r=C3=B4?= =?utf8?q?me=20Jutteau?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Jerome Jutteau --- Dockerfile | 2 +- admin.php | 2 +- f.php | 2 +- index.php | 2 +- lib/config.original.php | 2 +- lib/functions.js.php | 2 +- lib/functions.php | 2 +- lib/lang.php | 2 +- media/courgette/style.css.php | 2 +- media/dark-courgette/style.css.php | 2 +- media/elegantish/style.css.php | 2 +- media/modern/style.css.php | 2 +- script.php | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index e88b532..fe59b7e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ FROM php:7.3-fpm-alpine -MAINTAINER "Jérôme Jutteau " +MAINTAINER "Jérôme Jutteau " ARG USER_UID=2009 # install base diff --git a/admin.php b/admin.php index 54fcde1..a42b20f 100644 --- a/admin.php +++ b/admin.php @@ -1,7 +1,7 @@ + * Copyright (C) 2015 Jerome Jutteau * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as diff --git a/f.php b/f.php index c19232d..d61caeb 100644 --- a/f.php +++ b/f.php @@ -2,7 +2,7 @@ /* * Jirafeau, your web file repository * Copyright (C) 2008 Julien "axolotl" BERNARD - * Copyright (C) 2015 Jerome Jutteau + * Copyright (C) 2015 Jerome Jutteau * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as diff --git a/index.php b/index.php index faeb8db..63906c1 100644 --- a/index.php +++ b/index.php @@ -2,7 +2,7 @@ /* * Jirafeau, your web file repository * Copyright (C) 2013 - * Jerome Jutteau + * Jerome Jutteau * Jimmy Beauvois * * This program is free software: you can redistribute it and/or modify diff --git a/lib/config.original.php b/lib/config.original.php index 1a2c0cc..f522944 100644 --- a/lib/config.original.php +++ b/lib/config.original.php 
@@ -2,7 +2,7 @@ /* * Jirafeau, your web file repository * Copyright (C) 2008 Julien "axolotl" BERNARD - * Copyright (C) 2015 Jerome Jutteau + * Copyright (C) 2015 Jerome Jutteau * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as diff --git a/lib/functions.js.php b/lib/functions.js.php index 8ce56d3..d9a75ee 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -1,7 +1,7 @@ + * Copyright (C) 2015 Jerome Jutteau * Copyright (C) 2015 Nicola Spanti (RyDroid) * * This program is free software: you can redistribute it and/or modify diff --git a/lib/functions.php b/lib/functions.php index 84f2a44..5c5fea7 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -2,7 +2,7 @@ /* * Jirafeau, your web file repository * Copyright (C) 2008 Julien "axolotl" BERNARD - * Copyright (C) 2015 Jerome Jutteau + * Copyright (C) 2015 Jerome Jutteau * Copyright (C) 2015 Nicola Spanti (RyDroid) * * This program is free software: you can redistribute it and/or modify diff --git a/lib/lang.php b/lib/lang.php index 3bdef6a..bd7478c 100644 --- a/lib/lang.php +++ b/lib/lang.php @@ -1,7 +1,7 @@ + * Copyright (C) 2015 Jerome Jutteau * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as diff --git a/media/courgette/style.css.php b/media/courgette/style.css.php index 36836ed..183364c 100644 --- a/media/courgette/style.css.php +++ b/media/courgette/style.css.php @@ -2,7 +2,7 @@ /* * Jyraphe, your web file repository * Copyright (C) 2013 - * Jerome Jutteau + * Jerome Jutteau * Jimmy Beauvois * * This program is free software: you can redistribute it and/or modify diff --git a/media/dark-courgette/style.css.php b/media/dark-courgette/style.css.php index 93b52d6..4d38d5b 100644 --- a/media/dark-courgette/style.css.php +++ b/media/dark-courgette/style.css.php 
@@ -2,7 +2,7 @@ /* * Jyraphe, your web file repository * Copyright (C) 2013 - * Jerome Jutteau + * Jerome Jutteau * Jimmy Beauvois * * This program is free software: you can redistribute it and/or modify diff --git a/media/elegantish/style.css.php b/media/elegantish/style.css.php index b48e3f5..7107195 100644 --- a/media/elegantish/style.css.php +++ b/media/elegantish/style.css.php @@ -2,7 +2,7 @@ /* * Jyraphe, your web file repository * Copyright (C) 2013 - * Jerome Jutteau + * Jerome Jutteau * Jimmy Beauvois * * This program is free software: you can redistribute it and/or modify diff --git a/media/modern/style.css.php b/media/modern/style.css.php index 22ec2f0..fcdf9ca 100644 --- a/media/modern/style.css.php +++ b/media/modern/style.css.php @@ -2,7 +2,7 @@ /* * Jyraphe, your web file repository * Copyright (C) 2013 - * Jerome Jutteau + * Jerome Jutteau * Jimmy Beauvois * * This program is free software: you can redistribute it and/or modify diff --git a/script.php b/script.php index 791e950..ab9adee 100644 --- a/script.php +++ b/script.php @@ -1,7 +1,7 @@ + * Copyright (C) 2015 Jerome Jutteau * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as -- 2.34.1 From 1adc7273904dc3be64b309739d9eb9ecdbd67622 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 22:09:11 +0100 Subject: [PATCH 11/16] [TASK] move changelog and upgrade doc to separate file Signed-off-by: Jerome Jutteau --- CHANGELOG.md | 183 ++++++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 4 +- README.md | 198 +----------------------------------------------- 3 files changed, 186 insertions(+), 199 deletions(-) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..55d697c --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,183 @@ +# Note about upgrading + +"in-place upgrade" refers to this general procedure: + +1. Backup your Jirafeau installation! +2. Block access to Jirafeau +3. Checkout the new version with Git using the [tagged release](https://gitlab.com/mojo42/Jirafeau/tags) + * If you have installed Jirafeau just by uploading files on your server, you can download the desired version, overwrite/remove all files and chown/chmod files if needed. Keep a backup of your local configuration file tough. +4. With you browser, go to your Jirafeau root page +5. Follow the installation wizard, it should propose you the same data folder or even update automatically +6. Check your ```/lib/config.local.php``` and compare it with the ```/lib/config.original.php``` to see if new configuration items are available + +# Version 4.1.1 + +- Fix lang sanity check +- Upgrade from 4.1.0: in-place upgrade + +# Version 4.1.0 + +- Fix upload password and allowed ip (#201) +- Code refactorisation of IP checking +- Fix expiration dates +- Add better support for Accept-Language +- Cosmetic fixes +- More languages supported and language fixes +- Upgrade from 4.0.0: in-place upgrade + +# Version 4.0.0 + +- Removed plain-text password support for admin auth (breaking change). +- Default folder sub-division to 8 characters (breaking change). +- New option `upload_ip_nopassword` to allow a list of IP to access Jirafeau without password +- Bugfix with LibreJS +- Other minor bug fixes +- More languages supported + +## Upgrade from 3.4.1 to 4.0.0 + +You may have to change your administrator password in your config file as admin password are only stored using sha256 (SHA2). +To do so, edit `lib/config.local.php` and update `admin_password` option using `echo -n MyNewPassw0rd | sha256sum` command. + +Subfolder division changed in Jirafeau storage. You can either start from a fresh `var-` folder or you need to migrate your data. + +In order to migrate your existing data: +1. 
Be sure to have a working backup of your Jirafeau instance and/or the rest of your hosting before any operation +2. Go to `var-` folder +3. Be sure you have read and write permissions on files and folders with your current user +4. Run the following commands: +```bash +# Migrate files folder +find files -type f ! -name "*_count" | while read f; do bn="$(basename "$f")"; dst="files/${bn:0:8}/${bn:8:8}/${bn:16:8}/${bn:24:8}/"; mkdir -p "$dst"; mv "$f" "$dst" ; mv "${f}_count" "$dst"; done; find files -maxdepth 1 -type d -iname "?" -exec rm -rf {} \; +# Migrate links folder +find links -type f | while read link; do bn="$(basename "$link")"; mkdir "links/$bn"; mv "$link" "links/$bn/"; done; find links -maxdepth 1 -type d -iname "?" -exec rm -rf {} \; +``` + +# Version 3.4.1 + +- Security fixes, thanks [Bishopfox Team](https://www.bishopfox.com/) +- Translation fixes +- Docker fix +- Advertise javascript license for LibreJS compatibility +- other minor fixes +- Upgrade from 3.4.0: in-place upgrade + +# Version 3.4.0 + +- Add encryption support in bash script +- Refactoring of lang system for simpler management +- Removed installation step asking for language +- Merged weblate contributions +- Fixed some spelling issues +- Upgrade from 3.3.0 : in-place upgrade + +# Version 3.3.0 + +- Added Docker Support +- Added a copy button next to links to copy URLs in clipboard +- Now use a delete page to confirm file deletion (#136) +- Fixed object ProgressEvent Error (#127) +- Added configuration tips for web servers +- More translations +- Style fixes +- Removed useless alias API support (some old toy) +- Upgrade from 3.2.1 : in-place upgrade + +# Version 3.2.1 + +- fix download view after an upload +- Upgrade from 3.2.0 : in-place upgrade + +# Version 3.2.0 + +- Update translations from Update translations from weblate +- Better style +- Fix regression on admin password setting +- Upgrade from 3.1.0 : in-place upgrade + +# Version 3.1.0 + +- Fix regression on user authentication 
(see #113) +- Some cosmetic change +- Upgrade from 3.0.0 : in-place upgrade + +# Version 3.0.0 + +- Remove XHTML doctype, support HTML5 only → breaking change for older browsers +- Remove redundant code +- Remove baseurl usage and set absolute links instead, which for example fixes SSL issues +- Extend contribution guide +- Switch to PSR-2 code style (fix line endings, indentations, whitespaces, etc) +- Declare system requirements +- Catch API errors in upload form +- Allow clients to upload files depending on IP or password +- Set UTC as timezone to prevent date/time issues +- Show readable date & time information +- Fix UI glitches in admin panel and upload form +- Upgrade from 2.0.0 : in-place upgrade + +# Version 2.0.0 + +- Various documentation improvements +- Simplify automatic generation of local configuration file +- Set a custom title +- Bash Script: Enhanced help, show version, return link to web view as well +- »Terms of Service« refactored - Enable admin to overwrite the ToS, without changing existing source code → breaking, see upgrade notes + +## Upgrade from version 1.2.0 to 2.0.0 + +The "Terms of Service" text file changed. +To reuse a custom version of your ToS, move your ```/tos_text.php``` file to ```/lib/tos.local.txt``` and remove all HTML und PHP Tags, leaving a regular text file. 
+ +# Version 1.2.0 + +- Link on API page to generate bash script +- More informative error codes for API +- Security Fix: Prevent authentication bypass for admin interface +- CLI script to remove expired files automatically with a cronjob +- SHA-256 hash the admin password +- New theme "elegantish" +- Fix for JavaScript MIME-Type, prevents blocking the resource on some servers +- Show download link for a file in admin interface +- Default time for expiration (set to 'month' by default) +- New expiration time: 'quarter' +- A lof of translation contributions +- Code cleanups +- Upgrade from 1.1: in-place upgrade + +# Version 1.1 + +- New skins +- Add optional server side encryption +- Unlimited file size upload using HTML5 file API +- Show speed and estimated time during upload +- A lot of fixes +- A lot of new langages +- Small API to upload files +- Limit access to Jirafeau using IP, mask, passwords +- Manage (some) proxy headers +- Configure your maximal upload size +- Configure file's lifetime durations +- Preview URL +- Get Jirafeau's version in admin interface + +### From version 1.0 to 1.1 + +- Download URL changed. Add a rewrite rule in your web server configuration to rename ```file.php``` to ```f.php``` to make older, still existing links work again- +- The default theme changed. Optionally change the theme in ```lib/config.local.php``` to "courgette" + +## Version 1.0 + +The very first version of Jirafeau after the fork of Jyraphe. + +- Security fix +- Keep uploader's ip +- Delete link for each upload +- No more clear text password storage +- Simple langage support +- Add an admin interface +- New Design +- Add term of use +- New path system to manage large number of files +- New option to show a page at download time +- Add option to activate or not preview mode diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 295522a..245a6e7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -92,8 +92,8 @@ Quick walktrough: * If the release is not done for security purposes: create a new issue and freeze next-release branch for at least week. * Compare the [»next-release« branch to »master«](https://gitlab.com/mojo42/Jirafeau/compare/master...next-release) -* Add a list of noteworthy features and bugfixes to the README -* Fill upgrade procedure in README +* Add a list of noteworthy features and bugfixes to `CHANGELOG.md` +* Add eventual upgrade procedure to `CHANGELOG.md` * Change the version, using [semantic versioning](http://semver.org/), in ```settings.php``` * Merge »next-release« branch to »master« * Update the demo page diff --git a/README.md b/README.md index 416ffcc..37fdfc7 100644 --- a/README.md +++ b/README.md 
@@ -74,66 +74,6 @@ Installation steps: - B) Setup without the installation wizard (cli): - Just copy ```lib/config.original.php``` to ```lib/config.local.php``` and customize it -## Upgrade - -### General procedure for all versions - -1. Backup your Jirafeau installation! -2. Block access to Jirafeau -3. Checkout the new version with Git using the [tagged release](https://gitlab.com/mojo42/Jirafeau/tags) - * If you have installed Jirafeau just by uploading files on your server, you can download the desired version, overwrite/remove all files and chown/chmod files if needed. Keep a backup of your local configuration file tough. -4. With you browser, go to your Jirafeau root page -5. Follow the installation wizard, it should propose you the same data folder or even update automatically -7. Check your ```/lib/config.local.php``` and compare it with the ```/lib/config.original.php``` to see if new configuration items are available - -### From version 1.0 to 1.1 - -1. The download URL changed - * Add a rewrite rule in your web server configuration to rename ```file.php``` to ```f.php``` to make older, still existing links work again -1. The default theme changed - * Optionally change the theme in ```lib/config.local.php``` to »courgette« - -### From version 1.2.0 to 2.0.0 - -1. The "Terms of Service" text file changed - * To reuse previous changes to the ToS, move the old ```/tos_text.php``` file to ```/lib/tos.local.txt``` and remove all HTML und PHP Tags, leaving a regular text file - -### From version 2.0.0 to 3.4.1 - -There is nothing special to do to update from/to the following versions: -- 2.0.0 -> 3.0.0 -- 3.0.0 -> 3.1.0 -- 3.1.0 -> 3.2.0 -- 3.2.0 -> 3.2.1 -- 3.2.1 -> 3.3.0 -- 3.3.0 -> 3.4.0 -- 3.4.0 -> 3.4.1 - -### From 3.4.1 to 4.0.0 - -You may have to change your administrator password in your config file as admin password are only stored using sha256 (SHA2). 
-To do so, edit `lib/config.local.php` and update `admin_password` option using `echo -n MyNewPassw0rd | sha256sum` command. - -Subfolder division changed in Jirafeau storage. You can either start from a fresh `var-` folder or you need to migrate your data. - -In order to migrate your existing data: -1. Be sure to have a working backup of your Jirafeau instance and/or the rest of your hosting before any operation -2. Go to `var-` folder -3. Be sure you have read and write permissions on files and folders with your current user -4. Run the following commands: -```bash -# Migrate files folder -find files -type f ! -name "*_count" | while read f; do bn="$(basename "$f")"; dst="files/${bn:0:8}/${bn:8:8}/${bn:16:8}/${bn:24:8}/"; mkdir -p "$dst"; mv "$f" "$dst" ; mv "${f}_count" "$dst"; done; find files -maxdepth 1 -type d -iname "?" -exec rm -rf {} \; -# Migrate links folder -find links -type f | while read link; do bn="$(basename "$link")"; mkdir "links/$bn"; mv "$link" "links/$bn/"; done; find links -maxdepth 1 -type d -iname "?" -exec rm -rf {} \; -``` - -### From 4.0.0 to 4.1.1 - -There is nothing special to do to update from/to the following versions: -- 4.0.0 -> 4.1.0 -- 4.1.0 -> 4.1.1 - ### Troubleshooting If you have some troubles, consider the following cases @@ -227,7 +167,7 @@ Thanks to all contributors ! :) ### How do I upgrade my Jirafeau? -See upgrade instructions above. +See change log and upgrade procedure in [CHANGELOG.md](https://gitlab.com/mojo42/Jirafeau/blob/master/CHANGELOG.md). ### How can I limit upload access? 
@@ -346,139 +286,3 @@ So: ### How to contact someone from Jirafeau? Feel free to create an issue if you found a bug. - -## Release notes - -### Version 1.0 - -The very first version of Jirafeau after the fork of Jyraphe. - -- Security fix -- Keep uploader's ip -- Delete link for each upload -- No more clear text password storage -- Simple langage support -- Add an admin interface -- New Design -- Add term of use -- New path system to manage large number of files -- New option to show a page at download time -- Add option to activate or not preview mode - -### Version 1.1 - -- New skins -- Add optional server side encryption -- Unlimited file size upload using HTML5 file API -- Show speed and estimated time during upload -- A lot of fixes -- A lot of new langages -- Small API to upload files -- Limit access to Jirafeau using IP, mask, passwords -- Manage (some) proxy headers -- Configure your maximal upload size -- Configure file's lifetime durations -- Preview URL -- Get Jirafeau's version in admin interface - -## Version 1.2.0 - -- Link on API page to generate bash script -- More informative error codes for API -- Security Fix: Prevent authentication bypass for admin interface -- CLI script to remove expired files automatically with a cronjob -- SHA-256 hash the admin password -- New theme "elegantish" -- Fix for JavaScript MIME-Type, prevents blocking the resource on some servers -- Show download link for a file in admin interface -- Default time for expiration (set to 'month' by default) -- New expiration time: 'quarter' -- A lof of translation contributions -- Code cleanups - -## Version 2.0.0 - -- Various documentation improvements -- Simplify automatic generation of local configuration file -- Set a custom title -- Bash Script: Enhanced help, show version, return link to web view as well -- »Terms of Service« refactored - Enable admin to overwrite the ToS, without changing existing source code → breaking, see upgrade notes - -## Version 3.0.0 - -- Remove 
XHTML doctype, support HTML5 only → breaking change for older browsers -- Remove redundant code -- Remove baseurl usage and set absolute links instead, which for example fixes SSL issues -- Extend contribution guide -- Switch to PSR-2 code style (fix line endings, indentations, whitespaces, etc) -- Declare system requirements -- Catch API errors in upload form -- Allow clients to upload files depending on IP or password -- Set UTC as timezone to prevent date/time issues -- Show readable date & time information -- Fix UI glitches in admin panel and upload form - -## Version 3.1.0 - -- Fix regression on user authentication (see #113) -- Some cosmetic change - -## Version 3.2.0 - -- Update translations from Update translations from weblate -- Better style -- Fix regression on admin password setting - -## Version 3.2.1 - -- fix download view after an upload - -## Version 3.3.0 - -- Added Docker Support -- Added a copy button next to links to copy URLs in clipboard -- Now use a delete page to confirm file deletion (#136) -- Fixed object ProgressEvent Error (#127) -- Added configuration tips for web servers -- More translations -- Style fixes -- Removed useless alias API support (some old toy) - -## Version 3.4.0 - -- Add encryption support in bash script -- Refactoring of lang system for simpler management -- Removed installation step asking for language -- Merged weblate contributions -- Fixed some spelling issues - -## Version 3.4.1 - -- Security fixes, thanks [Bishopfox Team](https://www.bishopfox.com/) -- Translation fixes -- Docker fix -- Advertise javascript license for LibreJS compatibility -- other minor fixes - -## Version 4.0.0 - -- Removed plain-text password support for admin auth (breaking change). -- Default folder sub-division to 8 characters (breaking change). 
-- New option `upload_ip_nopassword` to allow a list of IP to access Jirafeau without password -- Bugfix with LibreJS -- Other minor bug fixes -- More languages supported - -## Version 4.1.0 - -- Fix upload password and allowed ip (#201) -- Code refactorisation of IP checking -- Fix expiration dates -- Add better support for Accept-Language -- Cosmetic fixes -- More languages supported and language fixes - -## Version 4.1.1 - -- Fix lang sanity check - -- 2.34.1 From 04a1d908e1fded89eae1b5594c4a8a3a459d4d91 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 23:29:28 +0100 Subject: [PATCH 12/16] [TASK] add default lighttpd max-request-value usefull for eventual debug purposes Signed-off-by: Jerome Jutteau --- docker/lighttpd.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/lighttpd.conf b/docker/lighttpd.conf index b7032d9..bb3d548 100644 --- a/docker/lighttpd.conf +++ b/docker/lighttpd.conf @@ -21,6 +21,7 @@ server.errorlog = var.logdir + "/error.log" server.indexfiles = ("index.php", "index.html", "index.htm") server.follow-symlink = "enable" server.document-root = var.basedir +server.max-request-size = 0 dir-listing.show-header = "disable" dir-listing.hide-header-file = "enable" -- 2.34.1 From 0a6bf57aaa63053eb60b49985036b51078741414 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 23:30:05 +0100 Subject: [PATCH 13/16] [BUGFIX] detect and adapt server limitation This fix retry to transfer when js client gets a 413 (Request Entity Too Large). Chunk size is lowered at each retry. Jirafeau administrators seeing 413 errors should check their server settings. fixes #234 Signed-off-by: Jerome Jutteau --- lib/functions.js.php | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/lib/functions.js.php b/lib/functions.js.php index d9a75ee..73e901f 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php 
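Review bot: `server.max-request-size = 0` in docker/lighttpd.conf (PATCH 12) needs a comment stating what 0 means, because the commit subject calls it a default. My reading of lighttpd's documentation is that the value is in kilobytes and 0 disables the limit, so confirm this against the version shipped in the image. If so, the web server accepts request bodies of any size, and the only remaining bounds are whatever docker/php.ini sets (not shown) and the free disk space. Either set an explicit ceiling or document the choice, e.g. `# 0 = no request size limit in lighttpd; uploads are bounded by PHP settings only`.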
@@ -398,6 +398,7 @@ var async_global_ref = ''; var async_global_max_size = 0; var async_global_time; var async_global_transfering = 0; +var async_global_last_code; function async_upload_start (max_size, file, time, password, one_time, upload_password) { @@ -470,6 +471,7 @@ function async_upload_progress (e) function async_upload_push (code) { + async_global_last_code = code; if (async_global_transfered == async_global_file.size) { hide_upload_progression (); @@ -482,27 +484,35 @@ function async_upload_push (code) req.addEventListener ("abort", pop_failure, false); req.onreadystatechange = function () { - if (req.readyState == 4 && req.status == 200) + if (req.readyState == 4) { - var res = req.responseText; + if (req.status == 200) + { + var res = req.responseText; - if (/^Error/.test(res)) + if (/^Error/.test(res)) + { + pop_failure (res); + return; + } + + res = res.split ("\n"); + var code = res[0] + async_global_transfered = async_global_transfering; + async_upload_push (code); + } + else if (req.status == 413) // Request Entity Too Large { - pop_failure (res); - return; + // lower async_global_max_size and retry + async_global_max_size = parseInt (async_global_max_size * 0.8); + async_upload_push (async_global_last_code); } - - res = res.split ("\n"); - var code = res[0] - async_global_transfered = async_global_transfering; - async_upload_push (code); } } req.open ("POST", 'script.php?push_async' , true); - var chunk_size = parseInt (async_global_max_size * 0.50); var start = async_global_transfered; - var end = start + chunk_size; + var end = start + async_global_max_size; if (end >= async_global_file.size) end = async_global_file.size; var blob = async_global_file.slice (start, end); -- 2.34.1 From 196fff8e98e6615285ea2861755f870b1e135510 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 23:44:33 +0100 Subject: [PATCH 14/16] [BUGFIX] retry on communication error with server 
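Review bot: The new 413 branch in async_upload_push shrinks `async_global_max_size` by 20% and re-sends immediately, with no lower bound and no limit on the number of attempts. If the server keeps answering 413 (for instance because a proxy in front of it rejects the request regardless of size), the value decays to 0, `start + async_global_max_size` equals `start`, and the client appears to keep posting empty slices in a loop. A floor before the retry would stop that, e.g. `if (async_global_max_size < 1024) { pop_failure (""); return; }`. The same hunk also raises the chunk from 50% to 100% of `async_global_max_size`, which leaves no headroom for the multipart overhead if that value equals the server limit, so the first push may always cost one rejected request. The function body starts and ends outside the hunk.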
Signed-off-by: Jerome Jutteau --- lib/functions.js.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/functions.js.php b/lib/functions.js.php index 73e901f..5b4ad60 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -501,10 +501,13 @@ function async_upload_push (code) async_global_transfered = async_global_transfering; async_upload_push (code); } - else if (req.status == 413) // Request Entity Too Large + else { - // lower async_global_max_size and retry - async_global_max_size = parseInt (async_global_max_size * 0.8); + if (req.status == 413) // Request Entity Too Large + { + // lower async_global_max_size and retry + async_global_max_size = parseInt (async_global_max_size * 0.8); + } async_upload_push (async_global_last_code); } } -- 2.34.1 From 2cca8753a5d894f285a3dfbbac7bb7f76baf3cf9 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 15 Nov 2020 23:53:27 +0100 Subject: [PATCH 15/16] [BUGFIX] show proper error on classic upload failure Signed-off-by: Jerome Jutteau --- lib/functions.js.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/functions.js.php b/lib/functions.js.php index 5b4ad60..1527d01 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -370,6 +370,10 @@ function classic_upload (file, time, password, one_time, upload_password) show_link (res[0], res[1], res[2], expiryDate); } + else + { + pop_failure (""); + } } req.open ("POST", 'script.php' , true); -- 2.34.1 From 964faa704b2ed91aa5df77906cdb38909dff21b6 Mon Sep 17 00:00:00 2001 
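Review bot: The rewritten `else` in async_upload_push now re-sends the chunk on every non-200 status, immediately and without a retry limit. A permanent failure (403, 404, 500, or status 0 when the server is unreachable) therefore turns each open upload page into a tight request loop against the server. The "error" and "abort" listeners registered just above the hunk still call pop_failure, so a network error may both report failure and keep retrying. I would cap the attempts and space them out, with a new counter (here `async_global_retries`) declared next to the other `async_global_*` variables and reset to 0 in the 200 branch. The enclosing function starts outside the hunk.

```javascript
else
{
    // … unchanged: 413 branch that lowers async_global_max_size …
    async_global_retries++;
    if (async_global_retries > 5)
    {
        // give up instead of retrying forever
        pop_failure ("");
        return;
    }
    // back off a little longer after each failed attempt
    setTimeout (function () {
        async_upload_push (async_global_last_code);
    }, 1000 * async_global_retries);
}
```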
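Review bot: The `else` added to classic_upload pairs with an `if` that opens outside the hunk, so its condition is not visible here. If that test is the combined `req.readyState == 4 && req.status == 200` form that async_upload_push used before patch 13, the new branch also runs for the intermediate ready states and would report a failure while the upload is still in flight. Restricting it to completed requests avoids that: `else if (req.readyState == 4)`. Passing an empty string to pop_failure also leaves the user with no message; the status code or a translated error text would be more useful.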
From: Jerome Jutteau Date: Sun, 15 Nov 2020 23:54:31 +0100 Subject: [PATCH 16/16] [BUGFIX] always prefer using HTML5 features if available Classic uploads (one single post request) were used even if HTML5 features were available as an optimization to avoid more requests than needed. However, in case of badly configured server Jirafeau cannot try to resend a file with a lower size like async uploads. Now, the js client is always using async uploads if HTML5 feature is available. ref #234 Signed-off-by: Jerome Jutteau --- lib/functions.js.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/functions.js.php b/lib/functions.js.php index 1527d01..ebf8531 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -577,8 +577,7 @@ function upload (max_size) { var one_time_checkbox = document.getElementById('one_time_download'); var one_time = one_time_checkbox !== null ? one_time_checkbox.checked : false; - if (check_html5_file_api () - && document.getElementById('file_select').files[0].size >= max_size) + if (check_html5_file_api ()) { async_upload_start ( max_size, -- 2.34.1
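Review bot: The simplified condition `if (check_html5_file_api ())` in upload() drops the size test, but the reason is recorded only in the commit message. A one-line comment above it would keep the rationale next to the code, e.g. `// always use chunked upload when the File API exists, so a 413 can be retried with a smaller chunk (see #234)`. Small files now take the multi-request async path as well, so the retry behaviour of async_upload_push applies to every upload from an HTML5 browser. The body of upload() continues outside the hunk.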