From: Patrick Canterino Date: Fri, 5 Jun 2026 14:16:41 +0000 (+0200) Subject: Merge branch 'patch-1' into 'show_password_box' X-Git-Tag: 4.7.2~8 X-Git-Url: https://git.p6c8.net/jirafeau/jirafeau.git/commitdiff_plain/9e0eb7719c3ce8dd8052b4c29da5c60033fc1389?hp=56aae3afa9286b92174f113fd39cfd0fb7b93b2e Merge branch 'patch-1' into 'show_password_box' Add a Show password checkbox See merge request jirafeau/Jirafeau!30 --- diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 627ed17..613ab9b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,10 +3,12 @@ cache: paths: - vendor/ -# Run tests for php:8.2 -job_lint_app_82: - image: php:8.2 - before_script: &before_linter_script +# Aliases and Anchors for reuse + +.linter_script: &linter_script + - ./vendor/bin/parallel-lint --gitlab --exclude vendor . + - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12,-single_space_around_construct +.before_script: &before_linter_script # Install git, the docker php image doesn't have it installed by default - apt-get update -yqq - apt-get install git -yqq 
@@ -17,24 +19,63 @@ job_lint_app_82: - curl -sS https://getcomposer.org/installer | php # Create composer.json file manually, since this is a project without any non-dev dependencies yet - php composer.phar require --dev php-parallel-lint/php-parallel-lint - - php composer.phar require --dev friendsofphp/php-cs-fixer:3.64.0 + - php composer.phar require --dev friendsofphp/php-cs-fixer:3.93.1 # Install all project dependencies - php composer.phar install - script: &linter_script - - ./vendor/bin/parallel-lint --exclude vendor . - - ./vendor/bin/php-cs-fixer -vvv check . --using-cache=no --rules=@PSR12,-single_space_around_construct + +.enableWarningOnFailure: &linter_warning + allow_failure: + exit_codes: + - 1 + + +# Run tests for php:8.5 +job_lint_app_85: + image: php:8.5 + before_script: *before_linter_script + script: *linter_script + +# Run tests for php:8.4 +job_lint_app_84: + image: php:8.4 + before_script: *before_linter_script + script: *linter_script + +job_lint_app_83: + image: php:8.3 + before_script: *before_linter_script + script: *linter_script + +# Run tests for php:8.2 +job_lint_app_82: + image: php:8.2 + before_script: *before_linter_script + script: *linter_script + + +# ================= +# Deprecated ones START +# ================= # Run tests for php:8.1 job_lint_app_81: image: php:8.1 before_script: *before_linter_script script: *linter_script + <<: *linter_warning + + # Run tests for php:7.4 job_lint_app_74: image: php:7.4 before_script: *before_linter_script script: *linter_script + <<: *linter_warning + +# ================= +# Deprecated ones END +# ================= publish: image: docker:latest diff --git a/CHANGELOG.md b/CHANGELOG.md index c687514..5e614ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
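Review bot: The shared `before_script` anchor that every lint job now inherits still installs Composer with `curl -sS https://getcomposer.org/installer | php`, so an unverified installer is executed in six jobs instead of one; the installer step itself is pre-existing context, but this hunk is where it becomes the single source for all of them. Composer publishes a SHA-384 signature for the installer, and the documented verification fits in four lines, so the anchor could verify before running it. Pinning `php-cs-fixer` to 3.93.1 in the same block is good; the `allow_failure` anchor only tolerates exit code 1, so any other non-zero exit from the deprecated jobs still fails the pipeline, which is presumably intended.
```yaml
  - php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
  - php -r "if (hash_file('sha384', 'composer-setup.php') !== trim(file_get_contents('https://composer.github.io/installer.sig'))) { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }"
  - php composer-setup.php
  - rm composer-setup.php
  # … unchanged: composer require / install steps …
```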
@@ -12,9 +12,14 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. +## Version 4.7.x (not yet released) + +- Favicon was missing in the `modern` theme +- ... + ## Version 4.7.1 -- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. +- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. This issue has subsequently been reported as [CVE-2026-1466](https://www.cve.org/CVERecord?id=CVE-2026-1466). - The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail. 
- Docker image: Updated PHP to 8.3 and removed `mime-types.conf` from `lighttpd.conf` - Upgrade from 4.7.0: in-place upgrade, you also should set `max_upload_chunk_size_bytes` to `5000000` in your `config.local.php`! diff --git a/f.php b/f.php index 269b10b..870b4bd 100644 --- a/f.php +++ b/f.php @@ -171,7 +171,9 @@ if (!empty($link['key'])) { require(JIRAFEAU_ROOT.'lib/template/footer.php'); exit; } else { - if (hash_equals($link['key'], md5($_POST['key']))) { + if (strpos($link['key'], '[SHA256]') == 0 && hash_equals(substr($link['key'], 8), hash('sha256', $_POST['key']))) { + $password_challenged = true; + } elseif (hash_equals($link['key'], md5($_POST['key']))) { $password_challenged = true; } else { sleep(2); diff --git a/lib/config.original.php b/lib/config.original.php index 6b7c342..37c87eb 100644 --- a/lib/config.original.php +++ b/lib/config.original.php @@ -235,6 +235,10 @@ $cfg['installation_done'] = false; */ $cfg['debug'] = false; +/* Enable this debug flag to enforce the classic (synchronous) file upload mechanism. + */ +$cfg['debug_enforce_classic_upload'] = false; + /* Set Jirafeau's maximal upload chunk * When Jirafeau upload a large file, Jirafeau sends several data chunks to fit server's capabilities. * Jirafeau tries to upload each data chunk with the maximal size allowed by PHP (post_max_size and upload_max_filesize). diff --git a/lib/functions.js.php b/lib/functions.js.php index 29d50c1..cafecaf 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -430,9 +430,9 @@ function classic_upload (file, time, password, one_time) req.upload.addEventListener ("progress", upload_progress, false); req.addEventListener ("error", XHRErrorHandler, false); req.addEventListener ("abort", XHRErrorHandler, false); - req.onreadystatechange = function () + req.onload = function () { - if (req.readyState == 4 && req.status == 200) + if (req.status === 200) { var res = req.responseText; 
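Review bot: `strpos($link['key'], '[SHA256]') == 0` is a loose comparison, and `strpos()` returns `false` for a legacy md5 key, so the SHA-256 branch is entered for every old link and only falls through because `hash_equals()` rejects the length mismatch between `substr($md5, 8)` and a 64-character digest; that is accidental rather than intended. The prefix test should be strict: `if (strpos($link['key'], '[SHA256]') === 0 && hash_equals(substr($link['key'], 8), hash('sha256', $_POST['key']))) {`. The magic `8` is `strlen('[SHA256]')` and deserves a named constant or a comment, and the same prefix logic is needed wherever else the stored key is checked. The enclosing `if (!empty($link['key']))` block starts outside the hunk.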
@@ -479,6 +479,13 @@ function classic_upload (file, time, password, one_time) function check_html5_file_api () { + + // Enforce classic upload is enabled through config! + return false; + return window.File && window.FileReader && window.FileList && window.Blob; } diff --git a/lib/functions.php b/lib/functions.php index 84bcea8..948a436 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -464,9 +464,9 @@ function jirafeau_handle_add_file_encryption($crypt_module_enabled, $file_path) error_log("PHP extension sodium not loaded, won't encrypt in Jirafeau"); } if ($crypt_module_enabled == true && extension_loaded('sodium') == true) { - $crypt_key = jirafeau_encrypt_file($file_path, $file_path.'crypt'); + $crypt_key = jirafeau_encrypt_file($file_path, $file_path.'.crypt'); if (strlen($crypt_key) > 0) { - if (rename($file_path.'crypt', $file_path) === true) { + if (rename($file_path.'.crypt', $file_path) === true) { $crypted = true; } } @@ -544,7 +544,7 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, /* hash password or empty. */ $password = ''; if (!empty($key)) { - $password = md5($key); + $password = '[SHA256]' . hash('sha256', $key); } /* create link file */ @@ -554,7 +554,7 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt, $handle, $name . NL. $mime_type . NL. $size . NL. $password . NL. $time . NL . $hash. NL . ($one_time_download ? 'O' : 'R') . NL . time() . - NL . $ip . NL. $delete_link_code . NL . ($crypted ? 'C' : 'O') + NL . $ip . NL. $delete_link_code . NL . ($crypted ? 'C2' : 'O') ); fclose($handle); $hash_link = substr(base_16_to_64(md5_file($link_tmp_name)), 0, $link_name_length); 
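Review bot: As rendered, `return false;` in `check_html5_file_api()` is unconditional and precedes the feature-detection return, which would force the synchronous upload path for every client rather than only when `debug_enforce_classic_upload` is set. The hunk header counts seven added lines but only four are visible, so the PHP conditional on that config flag was presumably wrapping it and got lost in rendering; worth confirming the guard is there and that the comment reads `// Classic upload enforced via $cfg['debug_enforce_classic_upload']; HTML5 API check skipped.` rather than the current wording.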
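Review bot: `'[SHA256]' . hash('sha256', $key)` is still an unsalted, fast hash of the link password, so a leaked link file remains amenable to offline guessing much as with md5; since this hunk introduces the algorithm tag, the same mechanism could carry a `password_hash()` output, e.g. `$password = '[PHPHASH]' . password_hash($key, PASSWORD_DEFAULT);`, verified with `password_verify()` wherever the key is checked. The `'C2'` marker written in place of `'C'` is read outside the hunk, and presumably distinguishes the sodium-based encryption from the earlier format, so a comment such as `/* 'C2' marks sodium-encrypted content; 'C' is the legacy marker */` next to the write would help the next reader. `jirafeau_add_file()` starts outside the hunk.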
@@ -1088,10 +1088,10 @@ function jirafeau_async_init($filename, $type, $one_time, $key, $time, $ip) $w_path = $p . $ref . '_data'; touch($w_path); - /* md5 password or empty */ + /* sha256 password or empty */ $password = ''; if (!empty($key)) { - $password = md5($key); + $password = '[SHA256]' . hash('sha256', $key); } /* Store information. */ @@ -1642,7 +1642,7 @@ function jirafeau_escape($string) function jirafeau_admin_session_start() { $_SESSION['admin_auth'] = true; - $_SESSION['admin_csrf'] = md5(uniqid(mt_rand(), true)); + $_SESSION['admin_csrf'] = hash('sha256', uniqid(mt_rand(), true)); } function jirafeau_session_end() diff --git a/lib/settings.php b/lib/settings.php index 5a8d3a7..e015067 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -43,7 +43,7 @@ if ($cfg['debug'] === true) { /* Jirafeau package */ define('JIRAFEAU_PACKAGE', 'Jirafeau'); -define('JIRAFEAU_VERSION', '4.7.1'); +define('JIRAFEAU_VERSION', '4.7.x-dev'); define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau'); diff --git a/media/modern/favicon.ico b/media/modern/favicon.ico new file mode 100644 index 0000000..c42c696 Binary files /dev/null and b/media/modern/favicon.ico differ diff --git a/script.php b/script.php index ae57449..301ebe8 100644 --- a/script.php +++ b/script.php @@ -183,7 +183,7 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES) echo 'Error 9'; exit; } - if (strlen($link['key']) > 0 && md5($key) != $link['key']) { + if (strlen($link['key']) > 0 && hash('sha256', $key) != $link['key']) { sleep(2); echo 'Error 10'; exit;
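Review bot: `hash('sha256', uniqid(mt_rand(), true))` does not make the admin CSRF token unpredictable: `mt_rand()` is not a CSPRNG and `uniqid()` is time-derived, and hashing adds no entropy, so swapping md5 for sha256 only changes the token length. Use the CSPRNG that PHP 7.4+ (the oldest version in CI) provides: `$_SESSION['admin_csrf'] = bin2hex(random_bytes(32));`. `jirafeau_admin_session_start()` is fully visible in the hunk.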
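Review bot: `hash('sha256', $key) != $link['key']` can never match a link created by the updated `jirafeau_add_file()`/`jirafeau_async_init()`, which store `'[SHA256]' . hash(...)`, and it no longer matches legacy md5 links either, so every password-protected link checked here would fail with Error 10 after the 2 second sleep. The check should mirror f.php's prefix handling, use `hash_equals()` instead of `!=`, and ideally both call sites should share one `jirafeau_check_link_password($stored, $given)` helper so the two cannot drift again. The enclosing block starts outside the hunk and the origin of `$key` is not visible.
```php
if (strlen($link['key']) > 0) {
    $ok = (strpos($link['key'], '[SHA256]') === 0)
        ? hash_equals(substr($link['key'], 8), hash('sha256', $key))
        : hash_equals($link['key'], md5($key));
    if (!$ok) {
        sleep(2);
        echo 'Error 10';
        exit;
    }
}
```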