From: Patrick Canterino Date: Fri, 5 Jun 2026 14:01:33 +0000 (+0200) Subject: Merge branch 'md5_to_sha256' into 'next-release' X-Git-Tag: 4.7.2~10 X-Git-Url: https://git.p6c8.net/jirafeau/jirafeau.git/commitdiff_plain/1733d88de2fe686cf95ef396eb1566e7db336b0a?hp=35b1450b75b61e0c19cc7b6ea98c7ec103475042 Merge branch 'md5_to_sha256' into 'next-release' Md5 to sha256 See merge request jirafeau/Jirafeau!33 --- diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 627ed17..613ab9b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,10 +3,12 @@ cache: paths: - vendor/ -# Run tests for php:8.2 -job_lint_app_82: - image: php:8.2 - before_script: &before_linter_script +# Aliases and Anchors for reuse + +.linter_script: &linter_script + - ./vendor/bin/parallel-lint --gitlab --exclude vendor . + - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12,-single_space_around_construct +.before_script: &before_linter_script # Install git, the docker php image doesn't have it installed by default - apt-get update -yqq - apt-get install git -yqq 
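Review bot: The new `.linter_script` / `.before_script` hidden keys with `&linter_script` / `&before_linter_script` anchors re-implement composition that GitLab CI already provides natively, and YAML anchors are not resolved across `include:`d files, so the shared steps would have to be duplicated if this pipeline is ever split up. A `default:` stanza with `before_script:` and a hidden `.lint:` job that the `job_lint_app_*` jobs pick up via `extends:` expresses the same thing without anchors, e.g. `default:` / `  before_script:` followed by the six install lines now under `.before_script`. If anchors are kept, a one-line comment on `.linter_script` stating that the two hidden keys are never run as jobs themselves, such as `# hidden keys (leading dot) only exist to be aliased below`, would save the next reader a trip to the GitLab docs. The hunk's context lines around `cache:` come from a stanza that starts above this hunk.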
@@ -17,24 +19,63 @@ job_lint_app_82: - curl -sS https://getcomposer.org/installer | php # Create composer.json file manually, since this is a project without any non-dev dependencies yet - php composer.phar require --dev php-parallel-lint/php-parallel-lint - - php composer.phar require --dev friendsofphp/php-cs-fixer:3.64.0 + - php composer.phar require --dev friendsofphp/php-cs-fixer:3.93.1 # Install all project dependencies - php composer.phar install - script: &linter_script - - ./vendor/bin/parallel-lint --exclude vendor . - - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12,-single_space_around_construct + +.enableWarningOnFailure: &linter_warning + allow_failure: + exit_codes: + - 1 + + +# Run tests for php:8.5 +job_lint_app_85: + image: php:8.5 + before_script: *before_linter_script + script: *linter_script + +# Run tests for php:8.4 +job_lint_app_84: + image: php:8.4 + before_script: *before_linter_script + script: *linter_script + +job_lint_app_83: + image: php:8.3 + before_script: *before_linter_script + script: *linter_script + +# Run tests for php:8.2 +job_lint_app_82: + image: php:8.2 + before_script: *before_linter_script + script: *linter_script + + +# ================= +# Deprecated ones START +# ================= # Run tests for php:8.1 job_lint_app_81: image: php:8.1 before_script: *before_linter_script script: *linter_script + <<: *linter_warning + + # Run tests for php:7.4 job_lint_app_74: image: php:7.4 before_script: *before_linter_script script: *linter_script + <<: *linter_warning + +# ================= +# Deprecated ones END +# ================= publish: image: docker:latest diff --git a/CHANGELOG.md b/CHANGELOG.md index ed7b741..5e614ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
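Review bot: `.enableWarningOnFailure` only tolerates exit code `1`, but parallel-lint and php-cs-fixer do not share one failure code — php-cs-fixer's exit status is, as far as I recall, a bit mask in which style violations are reported with a value other than 1 — so the deprecated 8.1 and 7.4 jobs may still fail hard on the very condition this anchor is meant to soften; please confirm against the php-cs-fixer docs and extend `exit_codes` accordingly. The hidden key is also named in camelCase while its siblings `.linter_script` and `.before_script` use snake_case; `.linter_warning` would match the anchor name and the file's convention. `job_lint_app_83` is the only job without the `# Run tests for php:8.3` comment its neighbours carry, and there are three consecutive blank lines before `job_lint_app_74` where yamllint's default allows two. Since the unchanged `curl -sS https://getcomposer.org/installer | php` context line now feeds six jobs through the shared anchor, it is worth noting that the downloaded installer is executed without any integrity check; Composer's own install instructions include a checksum verification step that could be added here.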
@@ -19,7 +19,7 @@ ## Version 4.7.1 -- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. +- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. This issue has subsequently been reported as [CVE-2026-1466](https://www.cve.org/CVERecord?id=CVE-2026-1466). - The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail. - Docker image: Updated PHP to 8.3 and removed `mime-types.conf` from `lighttpd.conf` - Upgrade from 4.7.0: in-place upgrade, you also should set `max_upload_chunk_size_bytes` to `5000000` in your `config.local.php`!