From dcf7ec54255194932d15a8130a86f572ff9e21ee Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 8 Sep 2025 12:03:48 +0200 Subject: [PATCH 01/12] Jirafeau 4.7.0 is ready --- CHANGELOG.md | 3 +-- lib/settings.php | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1dcf19c..40a6241 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,14 +12,13 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. -## Version 4.7.0 (not yet released) +## Version 4.7.0 - Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`. - Added CSS class `tos` for addressing the link to the "Terms of Service" page - Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again. - Generated download passwords were not shown after the upload was completed - Uploading a file using `script.php` with an upload password set always ended up in an "Error 2". This is fixed now. -- ... - Upgrade from 4.6.3: in-place upgrade New configuration items: diff --git a/lib/settings.php b/lib/settings.php index cbdfaff..5e8a13e 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -43,7 +43,7 @@ if ($cfg['debug'] === true) { /* Jirafeau package */ define('JIRAFEAU_PACKAGE', 'Jirafeau'); -define('JIRAFEAU_VERSION', '4.6.x-dev'); +define('JIRAFEAU_VERSION', '4.7.0'); define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau'); -- 2.43.0 From 844933292f936d7b4bdeb8b2467080a356261dba Mon Sep 17 00:00:00 2001 
From: Patrick Canterino Date: Mon, 8 Sep 2025 12:09:50 +0200 Subject: [PATCH 02/12] Begin a new release cycle --- CHANGELOG.md | 4 ++++ lib/settings.php | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40a6241..9a4d6f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,10 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. +## Version 4.7.x (not yet released) + +- ... + ## Version 4.7.0 - Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`. diff --git a/lib/settings.php b/lib/settings.php index 5e8a13e..e015067 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -43,7 +43,7 @@ if ($cfg['debug'] === true) { /* Jirafeau package */ define('JIRAFEAU_PACKAGE', 'Jirafeau'); -define('JIRAFEAU_VERSION', '4.7.0'); +define('JIRAFEAU_VERSION', '4.7.x-dev'); define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau'); -- 2.43.0 From 9832ac10b3a5915e8dfe7672a83449b0bc1a76c4 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 4 Jan 2026 14:43:49 +0100 Subject: [PATCH 03/12] Mentioned issue #40 as a known issue in the README file --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index d2ac2b5..53c3af7 100644 --- a/README.md +++ b/README.md 
@@ -152,6 +152,10 @@ By activating this feature, you have to be aware of few things: In a next step, encryption will be made by the client (in JavaScript). +## Known issues + +- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be a bug in Chromium. Thanks to [slt](https://gitlab.com/sltrash) for [reporting](https://issues.chromium.org/issues/457463688) this to the Chromium developers. + ## License GNU Affero General Public License v3 (AGPL-3.0). -- 2.43.0 From 747afb20bfcff14bb67e40e7035d47a6311ba3e1 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 4 Jan 2026 14:54:55 +0100 Subject: [PATCH 04/12] Disable MIME sniffing to prevent preview of invalid (propably harmful) file types Reported by Yann CAM and Killian CHEVRIER --- f.php | 1 + 1 file changed, 1 insertion(+) diff --git a/f.php b/f.php index 922668f..269b10b 100644 --- a/f.php +++ b/f.php @@ -231,6 +231,7 @@ if (!jirafeau_is_viewable($link['mime_type']) || !$cfg['preview'] || $do_downloa header('Content-Disposition: attachment; filename="' . $link['file_name'] . '"'); } else { header('Content-Disposition: filename="' . $link['file_name'] . '"'); + header('X-Content-Type-Options: nosniff'); } header('Content-Type: ' . $link['mime_type']); if ($cfg['file_hash'] == "md5") { -- 2.43.0 From d2bf1e757a925c54ce3db40a8f26bb185d0e7d75 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 18 Jan 2026 14:14:05 +0100 Subject: [PATCH 05/12] Set default value of max_upload_chunk_size_bytes to 5000000 (5MB) Higher values can trigger a bug in Chromium based browsers with HTTP/3 on the web server enabled (see issue #40) --- lib/config.original.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/config.original.php b/lib/config.original.php index 876ddba..6b7c342 100644 --- a/lib/config.original.php +++ b/lib/config.original.php 
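Review bot: The added `nosniff` header hardens only the inline-preview branch and still trusts `$link['mime_type']` as stored, so the fix depends entirely on the browser honouring `X-Content-Type-Options`; the CHANGELOG entry later in this series says the stored value can be a bare token such as "image", which suggests `jirafeau_is_viewable()` (defined outside this hunk) matches on a prefix rather than a full type. A server-side check would close the gap independently of client behaviour: require a well-formed `type/subtype` before the preview branch is taken, e.g. `$inline = preg_match('#^[a-z0-9.+-]+/[a-z0-9.+-]+$#i', $link['mime_type']) === 1;` folded into the `if` condition shown in the hunk header (that `if` line itself is outside the hunk), or perform the same validation at upload time so a malformed type is never persisted. Sending `Content-Security-Policy: default-src 'none'` next to `nosniff` on the preview branch would additionally stop script execution if a non-image type ever slips through, though this should be tested against any preview type that needs a built-in viewer, since the viewable list is not visible here.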
@@ -235,16 +235,20 @@ $cfg['installation_done'] = false; */ $cfg['debug'] = false; -/** Set Jirafeau's maximal upload chunk +/* Set Jirafeau's maximal upload chunk * When Jirafeau upload a large file, Jirafeau sends several data chunks to fit server's capabilities. * Jirafeau tries to upload each data chunk with the maximal size allowed by PHP (post_max_size and upload_max_filesize). - * However, too large PHP configuration values are not needed and could induce unwanted side effects (see #303). + * However, too large PHP configuration values are not needed and could induce unwanted side effects + * (see https://gitlab.com/mojo42/Jirafeau/-/issues/303). + * This parameter should set to something less or equal to 5000000 (5MB), since high value can cause problems in + * Chromium based browsers with HTTP/3 on the web server enabled + * (see https://gitlab.com/jirafeau/Jirafeau/-/issues/40). * This parameter set Jirafeau's own maximal chunk size with a reasonable value. * Option is only used for async uploads and won't be used for browsers without html5 support. * You should not touch this parameter unless you have good reason to do so. Feel free to open an issue to ask questions. * Set to 0 to remove limitation. */ -$cfg['max_upload_chunk_size_bytes'] = 100000000; // 100MB +$cfg['max_upload_chunk_size_bytes'] = 5000000; // 100MB /* Set password requirement policy for downloading files * Possible values: -- 2.43.0 From 17ae6cc98f93c938b723f033de846d373e0c69a3 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 18 Jan 2026 14:20:21 +0100 Subject: [PATCH 06/12] Further description of issue #40 in README --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 53c3af7..b62f0a2 100644 --- a/README.md +++ b/README.md 
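Review bot: The trailing comment on the changed assignment still reads `// 100MB` although the value is now `5000000`; it should be `$cfg['max_upload_chunk_size_bytes'] = 5000000; // 5MB`. The added explanatory sentence also has a grammar slip, `This parameter should set to` should read `This parameter should be set to`. The `/**` to `/*` change is consistent with the neighbouring option comment (`/* Set password requirement policy`), so that part is fine.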
@@ -154,7 +154,9 @@ In a next step, encryption will be made by the client (in JavaScript). ## Known issues -- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be a bug in Chromium. Thanks to [slt](https://gitlab.com/sltrash) for [reporting](https://issues.chromium.org/issues/457463688) this to the Chromium developers. +- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be caused by a [bug in Chromium](https://issues.chromium.org/issues/457463688). +This bug can be worked around by setting `max_upload_chunk_size_bytes` to a value of around 3000000 to 5000000 (3 to 5MB) which is default since Jirafeau version 4.7.1. +Thanks to [slt](https://gitlab.com/sltrash) for reporting this and for finding a workaround. ## License -- 2.43.0 From 03ed2de1cf815fda85fd06eb823270a4b5d95297 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 18 Jan 2026 14:30:14 +0100 Subject: [PATCH 07/12] Updated CHANGELOG --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a4d6f3..20eea31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,9 +12,11 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. -## Version 4.7.x (not yet released) +## Version 4.7.1 (not yet released) -- ... +- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. +- The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail. +- Upgrade from 4.7.0: in-place upgrade, you also should set `max_upload_chunk_size_bytes` to `5000000` in your `config.local.php`! ## Version 4.7.0 -- 2.43.0 From d5079555c270e18a398c9575754e7e719bd1a72b Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 18 Jan 2026 14:58:01 +0100 Subject: [PATCH 08/12] Added slt to list of authors --- AUTHORS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/AUTHORS.md b/AUTHORS.md index e12f2c1..98e175b 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -95,6 +95,7 @@ This is a list of people who contributed to Jirafeau over the years. The list wa - scumjr - Sebastien Mennetrier - Slobodan Simić +- slt - Spanti Nicola (RyDroid) - Srikanth L - ssantos -- 2.43.0 
From 37bcb9abfc0066306a60fecd6ea89879f245fa3f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 19 Jan 2026 19:30:06 +0100 Subject: [PATCH 09/12] Docker image: Updated PHP to 8.3 and removed mime-types.conf from lighttpd.conf PHP 8.1 is end-of-life mime-types.conf is not available in recent versions of lighttpd Fixed issue #45 --- Dockerfile | 2 +- docker/lighttpd.conf | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6bf9788..fd437e6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM php:8.1-fpm-alpine +FROM php:8.3-fpm-alpine LABEL org.opencontainers.image.authors="jerome@jutteau.fr" ARG INI="php" diff --git a/docker/lighttpd.conf b/docker/lighttpd.conf index 680280f..5acb592 100644 --- a/docker/lighttpd.conf +++ b/docker/lighttpd.conf @@ -5,12 +5,10 @@ var.statedir = "/var/lib/lighttpd" server.port = 80 server.modules = ( "mod_access", -# "mod_usertrack", "mod_expire", "mod_accesslog" ) -include "mime-types.conf" include "mod_fastcgi_fpm.conf" server.username = "lighttpd" -- 2.43.0 From e12401c2e7e8554c24e4a4fd23aa2f124fb07f19 Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Mon, 19 Jan 2026 19:36:45 +0100 Subject: [PATCH 10/12] Updated CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 20eea31..7fb6eb5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
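Review bot: Dropping `include "mime-types.conf"` from lighttpd.conf leaves `mimetype.assign` to whatever the packaged lighttpd provides as built-in defaults; that presumably holds for the lighttpd shipped on the `php:8.3-fpm-alpine` base, but it is worth confirming in the built image that static assets (`.css`, `.js`) are still served with a proper `Content-Type` rather than `application/octet-stream`, since browsers may refuse stylesheets and scripts with a wrong type. If the defaults turn out to be missing, an explicit minimal `mimetype.assign = ( ".css" => "text/css", ".js" => "text/javascript", ".html" => "text/html" )` in this file would be a safer replacement than relying on the package. Removing the commented-out `mod_usertrack` line is fine.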
@@ -16,6 +16,7 @@ - Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. - The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail. +- Docker image: Updated PHP to 8.3 and removed `mime-types.conf` from `lighttpd.conf` - Upgrade from 4.7.0: in-place upgrade, you also should set `max_upload_chunk_size_bytes` to `5000000` in your `config.local.php`! ## Version 4.7.0 -- 2.43.0 From 1b3736d6c74261314976b2777e6e71e9c3e9392f Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 25 Jan 2026 14:33:36 +0100 Subject: [PATCH 11/12] Updated README - Notes about lack of end-to-end encryption - Notes about setting max_upload_chunk_size_bytes manually if updating from an older version --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b62f0a2..1d3de30 100644 --- a/README.md +++ b/README.md 
@@ -143,19 +143,21 @@ Encryption is configured to use [XChaCha20-Poly1305](https://en.wikipedia.org/wi In case of security troubles on the server, attacker won't be able to access files. By activating this feature, you have to be aware of few things: -- Data encryption has a cost (CPU) and it takes more time for downloads to complete once file sent. -- During the download, the server will decrypt on the fly (and use resource). -- This feature needs to have the [`Sodium`](https://www.php.net/manual/en/book.sodium.php) PHP module. -- File de-duplication will stop to work (as we can't compare two encrypted files). -- Be sure your server does not log client's requests. -- Don't forget to enable HTTPS. -In a next step, encryption will be made by the client (in JavaScript). +- This is **no** [end-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption)! Although the file should be sent to server using HTTPS, the file is unencrypted on the server for a very short time. To have end-to-end encryption, you need to encrypt the file yourself. +- Data encryption has a cost (CPU) and it takes more time for downloads to complete once file sent. +- During the download, the server will decrypt on the fly (and use resource). +- This feature needs to have the [`Sodium`](https://www.php.net/manual/en/book.sodium.php) PHP module. +- File de-duplication will stop to work (as we can't compare two encrypted files). +- Be sure your server does not log client's requests. +- Don't forget to enable HTTPS. + +In a next step, encryption will be made by the client (in JavaScript), which will also give us end-to-end encryption. ## Known issues - There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be caused by a [bug in Chromium](https://issues.chromium.org/issues/457463688). 
-This bug can be worked around by setting `max_upload_chunk_size_bytes` to a value of around 3000000 to 5000000 (3 to 5MB) which is default since Jirafeau version 4.7.1. +This bug can be worked around by setting `max_upload_chunk_size_bytes` to a value of around 3000000 to 5000000 (3 to 5MB) which is default since Jirafeau version 4.7.1. Please note that you have to change this value manually if you're upgrading from a version of Jirafeau older than 4.7.1! Thanks to [slt](https://gitlab.com/sltrash) for reporting this and for finding a workaround. ## License -- 2.43.0 From f1b3cb91458721a5c2a5a8779b35113688f8f0bd Mon Sep 17 00:00:00 2001 From: Patrick Canterino Date: Sun, 25 Jan 2026 14:35:16 +0100 Subject: [PATCH 12/12] Jirafeau 4.7.1 is ready --- CHANGELOG.md | 2 +- lib/settings.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7fb6eb5..c687514 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,7 +12,7 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. -## Version 4.7.1 (not yet released) +## Version 4.7.1 - Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. - The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail. diff --git a/lib/settings.php b/lib/settings.php index e015067..5a8d3a7 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -43,7 +43,7 @@ if ($cfg['debug'] === true) { /* Jirafeau package */ define('JIRAFEAU_PACKAGE', 'Jirafeau'); -define('JIRAFEAU_VERSION', '4.7.x-dev'); +define('JIRAFEAU_VERSION', '4.7.1'); define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau'); -- 2.43.0