From 97971a35ce678939f577c4fc44c054ef98c72f0b Mon Sep 17 00:00:00 2001
From: Florian <7305144-fm-sys@users.noreply.gitlab.com>
Date: Sat, 30 Aug 2025 12:13:45 +0000
Subject: [PATCH 01/16] add short link support
---
.gitignore | 3 ++-
.htaccess.sample | 7 +++++++
lib/config.original.php | 7 +++++++
lib/functions.js.php | 21 ++++++++++++++++-----
4 files changed, 32 insertions(+), 6 deletions(-)
create mode 100644 .htaccess.sample
diff --git a/.gitignore b/.gitignore
index 4c13bde..02ef59e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,5 @@ composer.phar
.*
!.gitlab-ci.yml
!.gitignore
-!.dockerignore
\ No newline at end of file
+!.dockerignore
+!.htaccess.sample
\ No newline at end of file
diff --git a/.htaccess.sample b/.htaccess.sample
new file mode 100644
index 0000000..98d1d80
--- /dev/null
+++ b/.htaccess.sample
@@ -0,0 +1,7 @@
+
+ RewriteEngine On
+
+ # Match URLs with an 8-character alphanumeric ID
+ RewriteRule ^([a-zA-Z0-9_-]{8})$ f.php?h=$1 [L,QSA]
+
+
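Review bot: The rule `RewriteRule ^([a-zA-Z0-9_-]{8})$ f.php?h=$1 [L,QSA]` also fires for any real top-level file or directory whose name is exactly eight characters from that class, which would then be handed to f.php instead of being served; the customary guard is to precede it with `RewriteCond %{REQUEST_FILENAME} !-f` and `RewriteCond %{REQUEST_FILENAME} !-d`. The comment above it says "alphanumeric" while the class also admits `_` and `-`, so `# Match URLs that are exactly 8 characters from [a-zA-Z0-9_-]` would describe it accurately. Whether f.php validates the `h` value independently of this pattern is not visible in this hunk.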
diff --git a/lib/config.original.php b/lib/config.original.php
index 8aec857..876ddba 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -34,6 +34,13 @@ $cfg['web_root'] = '';
*/
$cfg['var_root'] = '';
+/* Activating 'use_shortlinks' will allow you to use shortened download links
+ * This requires a web server that supports URL rewriting, like Apache with mod_rewrite.
+ * If you are using Apache, copy the provided '.htaccess.sample' file in the root directory of
+ * Jirafeau and store it as '.htaccess'. For other web servers, manual configuration is required.
+ */
+$cfg['use_shortlinks'] = false;
+
/* Language - choose between 'auto' or any language located in the /lib/locales/ folder.
* The mode »auto« will cause the script to detect the user's browser information
* and offer a matching language, or use »en« if it is not available.
diff --git a/lib/functions.js.php b/lib/functions.js.php
index b8888a6..29d50c1 100644
--- a/lib/functions.js.php
+++ b/lib/functions.js.php
@@ -25,7 +25,9 @@ function template_js_preview_link()
if (!!document.getElementById('preview_link'))
{
document.getElementById('upload_finished_preview').style.display = 'none';
- var preview_link_href = 'f.php?h=' + reference + '&p=1';
+ var preview_link_href = use_shortlinks ? '' : 'f.php?h=';
+ preview_link_href += reference;
+ preview_link_href += use_shortlinks ? '?p=1' : '&p=1';
if (crypt_key.length > 0)
{
preview_link_href += '&k=' + crypt_key;
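Review bot: The three-statement build of `preview_link_href` (empty-or-`f.php?h=` prefix, then the reference, then a `?`- or `&`-prefixed first parameter) is repeated almost verbatim for the download, delete and direct-download links in the next two hunks, so the shortlink decision now lives in four places. A single helper such as `function jirafeau_link(reference, query) { return (use_shortlinks ? reference + '?' : 'f.php?h=' + reference + '&') + query; }` would let each site stay a one-liner as before, e.g. `var preview_link_href = jirafeau_link(reference, 'p=1');`. The body of template_js_preview_link continues outside the hunk.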
@@ -50,10 +52,12 @@ function template_js_download_page()
{
?>
// Download page
- var download_link_href = 'f.php?h=' + reference;
+ var download_link_href = use_shortlinks ? '' : 'f.php?h=';
+ download_link_href += reference;
if (crypt_key.length > 0)
{
- download_link_href += '&k=' + crypt_key;
+ download_link_href += use_shortlinks ? '?k=' : '&k='
+ download_link_href += crypt_key;
}
if (!!document.getElementById('upload_finished_download_page'))
{
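Review bot: The statement `download_link_href += use_shortlinks ? '?k=' : '&k='` has no terminating semicolon, so the next line is attached only by automatic semicolon insertion; it happens to parse as intended here, but every other statement in the hunk is terminated, and a later edit that begins the following line with `(` or `[` would silently change the meaning. Write `download_link_href += use_shortlinks ? '?k=' : '&k=';`. The enclosing template_js_download_page continues outside the hunk.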
@@ -79,7 +83,10 @@ function template_js_delete_link()
{
?>
// Delete link
- var delete_link_href = 'f.php?h=' + reference + '&d=' + delete_code;
+ var delete_link_href = use_shortlinks ? '' : 'f.php?h=';
+ delete_link_href += reference;
+ delete_link_href += use_shortlinks ? '?d=' : '&d=';
+ delete_link_href += delete_code;
document.getElementById('delete_link').href = delete_link_href;
document.getElementById('delete_link_text').innerHTML = web_root + delete_link_href;
// Direct download link
- var direct_download_link_href = 'f.php?h=' + reference + '&d=1';
+ //var direct_download_link_href = 'f.php?h=' + reference + '&d=1';
+ var direct_download_link_href = use_shortlinks ? '' : 'f.php?h=';
+ direct_download_link_href += reference;
+ direct_download_link_href += use_shortlinks ? '?d=1' : '&d=1';
if (crypt_key.length > 0)
{
direct_download_link_href += '&k=' + crypt_key;
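Review bot: The line `//var direct_download_link_href = 'f.php?h=' + reference + '&d=1';` is the old implementation left behind as a comment beside its replacement; version control already keeps that history, and the line is otherwise shipped to every visitor as part of the page's JavaScript, so it should simply be deleted. The rest of the hunk follows the same prefix/reference/parameter shape as the preview and download links. template_js_delete_link continues outside the hunk.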
@@ -132,6 +142,7 @@ require(JIRAFEAU_ROOT . 'lib/lang.php');
?>
// @license magnet:?xt=urn:btih:0b31508aeb0634b347b8270c7bee4d411b5d4109&dn=agpl-3.0.txt AGPL-v3-or-Later
var web_root = "";
+var use_shortlinks = ;
var lang_array = ;
var lang_array_fallback = ;
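Review bot: `var use_shortlinks = ;` shows the new global with its PHP expression dropped in this rendering, so how the value is emitted cannot be checked here; if it is a plain `echo` of `$cfg['use_shortlinks']`, PHP prints `false` as an empty string and this line becomes a JavaScript syntax error that disables every script on the page, while `true` prints as `1`. Emitting it with `json_encode((bool) $cfg['use_shortlinks'])` yields a literal `true`/`false` and is safe in both cases. The neighbouring `lang_array` lines presumably already use an encoder of that kind, which would be the pattern to follow.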
--
2.43.0
From 8c25790dc330b1465c0d77167103a19ed2a8eea7 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sat, 30 Aug 2025 14:28:22 +0200
Subject: [PATCH 02/16] Updated CHANGELOG
---
CHANGELOG.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d06a0bc..13e53f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,16 @@
## Version 4.6.x (not yet released)
+- Shortlinks...
+- Added CSS class `tos` to the link to the "Terms of Service" page
+- Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again.
+- Generated download passwords were not shown after the upload was completed
+- Uploading a file using `script.php` with an upload password set always ended up in an "Error 2". This is fixed now.
- ...
+- Upgrade from 4.6.2: in-place upgrade
+
+New configuration items:
+- `use_shortlinks` for enabling shortlinks
## Version 4.6.3
--
2.43.0
From 978683b51e7c6c49377b5a9404f4717cfd2f5392 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 8 Sep 2025 11:50:56 +0200
Subject: [PATCH 03/16] Updated CHANGELOG
---
CHANGELOG.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13e53f9..1dcf19c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,15 +12,15 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
-## Version 4.6.x (not yet released)
+## Version 4.7.0 (not yet released)
-- Shortlinks...
-- Added CSS class `tos` to the link to the "Terms of Service" page
+- Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`.
+- Added CSS class `tos` for addressing the link to the "Terms of Service" page
- Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again.
- Generated download passwords were not shown after the upload was completed
- Uploading a file using `script.php` with an upload password set always ended up in an "Error 2". This is fixed now.
- ...
-- Upgrade from 4.6.2: in-place upgrade
+- Upgrade from 4.6.3: in-place upgrade
New configuration items:
- `use_shortlinks` for enabling shortlinks
--
2.43.0
From 10aaabd693a9eeccc85f7310f5070784fa9f5b4b Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 8 Sep 2025 11:54:03 +0200
Subject: [PATCH 04/16] Updated list of authors
---
AUTHORS.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/AUTHORS.md b/AUTHORS.md
index a8e247e..e12f2c1 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -38,6 +38,7 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
- fm-sys
- François Boulogne
- François L
+- Georges Taupin
- GoZ
- Guilherme Andrade
- gwunderlich
@@ -58,6 +59,7 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
- Julien Malik
- KajmaczeK
- Kidhoma Norman
+- Killian Chevrier
- Lari Oesch
- Laurentiu Dobrota
- Luna Jernberg
@@ -85,6 +87,7 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
- Poorchop
- Pyry
- Pyry Kujala
+- Ruixey
- R.W
- Sabri Ãnal
- sam lt
@@ -107,6 +110,8 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
- Victor Lamoine
- Viktar Vauchkevich
- Wim Livens
+- Yann Cam
+- Yannis Aribaud
- Yaron Shahrabani
- YFdyh000
- Your Name
--
2.43.0
From dcf7ec54255194932d15a8130a86f572ff9e21ee Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 8 Sep 2025 12:03:48 +0200
Subject: [PATCH 05/16] Jirafeau 4.7.0 is ready
---
CHANGELOG.md | 3 +--
lib/settings.php | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1dcf19c..40a6241 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,14 +12,13 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
-## Version 4.7.0 (not yet released)
+## Version 4.7.0
- Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`.
- Added CSS class `tos` for addressing the link to the "Terms of Service" page
- Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again.
- Generated download passwords were not shown after the upload was completed
- Uploading a file using `script.php` with an upload password set always ended up in an "Error 2". This is fixed now.
-- ...
- Upgrade from 4.6.3: in-place upgrade
New configuration items:
diff --git a/lib/settings.php b/lib/settings.php
index cbdfaff..5e8a13e 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -43,7 +43,7 @@ if ($cfg['debug'] === true) {
/* Jirafeau package */
define('JIRAFEAU_PACKAGE', 'Jirafeau');
-define('JIRAFEAU_VERSION', '4.6.x-dev');
+define('JIRAFEAU_VERSION', '4.7.0');
define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau');
--
2.43.0
From 844933292f936d7b4bdeb8b2467080a356261dba Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 8 Sep 2025 12:09:50 +0200
Subject: [PATCH 06/16] Begin a new release cycle
---
CHANGELOG.md | 4 ++++
lib/settings.php | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40a6241..9a4d6f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,10 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
+## Version 4.7.x (not yet released)
+
+- ...
+
## Version 4.7.0
- Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`.
diff --git a/lib/settings.php b/lib/settings.php
index 5e8a13e..e015067 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -43,7 +43,7 @@ if ($cfg['debug'] === true) {
/* Jirafeau package */
define('JIRAFEAU_PACKAGE', 'Jirafeau');
-define('JIRAFEAU_VERSION', '4.7.0');
+define('JIRAFEAU_VERSION', '4.7.x-dev');
define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau');
--
2.43.0
From 9832ac10b3a5915e8dfe7672a83449b0bc1a76c4 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 4 Jan 2026 14:43:49 +0100
Subject: [PATCH 07/16] Mentioned issue #40 as a known issue in the README file
---
README.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index d2ac2b5..53c3af7 100644
--- a/README.md
+++ b/README.md
@@ -152,6 +152,10 @@ By activating this feature, you have to be aware of few things:
In a next step, encryption will be made by the client (in JavaScript).
+## Known issues
+
+- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be a bug in Chromium. Thanks to [slt](https://gitlab.com/sltrash) for [reporting](https://issues.chromium.org/issues/457463688) this to the Chromium developers.
+
## License
GNU Affero General Public License v3 (AGPL-3.0).
--
2.43.0
From 747afb20bfcff14bb67e40e7035d47a6311ba3e1 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 4 Jan 2026 14:54:55 +0100
Subject: [PATCH 08/16] Disable MIME sniffing to prevent preview of invalid
(probably harmful) file types
Reported by Yann CAM and Killian CHEVRIER
---
f.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/f.php b/f.php
index 922668f..269b10b 100644
--- a/f.php
+++ b/f.php
@@ -231,6 +231,7 @@ if (!jirafeau_is_viewable($link['mime_type']) || !$cfg['preview'] || $do_downloa
header('Content-Disposition: attachment; filename="' . $link['file_name'] . '"');
} else {
header('Content-Disposition: filename="' . $link['file_name'] . '"');
+ header('X-Content-Type-Options: nosniff');
}
header('Content-Type: ' . $link['mime_type']);
if ($cfg['file_hash'] == "md5") {
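Review bot: `header('X-Content-Type-Options: nosniff');` is added only in the inline-preview branch, so attachment responses still go out without it; the header is harmless on a download, so setting it once before the `if`, or next to the `Content-Type` header that follows the branch, covers both paths and keeps the protection independent of future changes to the branch condition. As a second layer for the preview case, a `Content-Security-Policy: sandbox` (or `default-src 'none'`) header on the served file would stop script execution even if a client ignored nosniff. The enclosing `if` starts outside the hunk.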
--
2.43.0
From d2bf1e757a925c54ce3db40a8f26bb185d0e7d75 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 18 Jan 2026 14:14:05 +0100
Subject: [PATCH 09/16] Set default value of max_upload_chunk_size_bytes to
5000000 (5MB)
Higher values can trigger a bug in Chromium based browsers with HTTP/3 on the web server enabled (see issue #40)
---
lib/config.original.php | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/config.original.php b/lib/config.original.php
index 876ddba..6b7c342 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -235,16 +235,20 @@ $cfg['installation_done'] = false;
*/
$cfg['debug'] = false;
-/** Set Jirafeau's maximal upload chunk
+/* Set Jirafeau's maximal upload chunk
* When Jirafeau upload a large file, Jirafeau sends several data chunks to fit server's capabilities.
* Jirafeau tries to upload each data chunk with the maximal size allowed by PHP (post_max_size and upload_max_filesize).
- * However, too large PHP configuration values are not needed and could induce unwanted side effects (see #303).
+ * However, too large PHP configuration values are not needed and could induce unwanted side effects
+ * (see https://gitlab.com/mojo42/Jirafeau/-/issues/303).
+ * This parameter should set to something less or equal to 5000000 (5MB), since high value can cause problems in
+ * Chromium based browsers with HTTP/3 on the web server enabled
+ * (see https://gitlab.com/jirafeau/Jirafeau/-/issues/40).
* This parameter set Jirafeau's own maximal chunk size with a reasonable value.
* Option is only used for async uploads and won't be used for browsers without html5 support.
* You should not touch this parameter unless you have good reason to do so. Feel free to open an issue to ask questions.
* Set to 0 to remove limitation.
*/
-$cfg['max_upload_chunk_size_bytes'] = 100000000; // 100MB
+$cfg['max_upload_chunk_size_bytes'] = 5000000; // 100MB
/* Set password requirement policy for downloading files
* Possible values:
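Review bot: The trailing comment on `$cfg['max_upload_chunk_size_bytes'] = 5000000; // 100MB` is now wrong, since the value is 5 MB; it should read `$cfg['max_upload_chunk_size_bytes'] = 5000000; // 5MB`. In the description block, `This parameter should set to something less or equal to 5000000 (5MB)` reads better as `This parameter should be set to a value less than or equal to 5000000 (5MB)`, and `since high value can cause problems` as `since higher values can cause problems`.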
--
2.43.0
From 17ae6cc98f93c938b723f033de846d373e0c69a3 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 18 Jan 2026 14:20:21 +0100
Subject: [PATCH 10/16] Further description of issue #40 in README
---
README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 53c3af7..b62f0a2 100644
--- a/README.md
+++ b/README.md
@@ -154,7 +154,9 @@ In a next step, encryption will be made by the client (in JavaScript).
## Known issues
-- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be a bug in Chromium. Thanks to [slt](https://gitlab.com/sltrash) for [reporting](https://issues.chromium.org/issues/457463688) this to the Chromium developers.
+- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be caused by a [bug in Chromium](https://issues.chromium.org/issues/457463688).
+This bug can be worked around by setting `max_upload_chunk_size_bytes` to a value of around 3000000 to 5000000 (3 to 5MB) which is default since Jirafeau version 4.7.1.
+Thanks to [slt](https://gitlab.com/sltrash) for reporting this and for finding a workaround.
## License
--
2.43.0
From 03ed2de1cf815fda85fd06eb823270a4b5d95297 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 18 Jan 2026 14:30:14 +0100
Subject: [PATCH 11/16] Updated CHANGELOG
---
CHANGELOG.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a4d6f3..20eea31 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,9 +12,11 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
-## Version 4.7.x (not yet released)
+## Version 4.7.1 (not yet released)
-- ...
+- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled.
+- The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.
+- Upgrade from 4.7.0: in-place upgrade, you also should set `max_upload_chunk_size_bytes` to `5000000` in your `config.local.php`!
## Version 4.7.0
--
2.43.0
From d5079555c270e18a398c9575754e7e719bd1a72b Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 18 Jan 2026 14:58:01 +0100
Subject: [PATCH 12/16] Added slt to list of authors
---
AUTHORS.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/AUTHORS.md b/AUTHORS.md
index e12f2c1..98e175b 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -95,6 +95,7 @@ This is a list of people who contributed to Jirafeau over the years. The list wa
- scumjr
- Sebastien Mennetrier
- Slobodan SimiÄ
+- slt
- Spanti Nicola (RyDroid)
- Srikanth L
- ssantos
--
2.43.0
From 37bcb9abfc0066306a60fecd6ea89879f245fa3f Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 19 Jan 2026 19:30:06 +0100
Subject: [PATCH 13/16] Docker image: Updated PHP to 8.3 and removed
mime-types.conf from lighttpd.conf
PHP 8.1 is end-of-life
mime-types.conf is not available in recent versions of lighttpd
Fixed issue #45
---
Dockerfile | 2 +-
docker/lighttpd.conf | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6bf9788..fd437e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM php:8.1-fpm-alpine
+FROM php:8.3-fpm-alpine
LABEL org.opencontainers.image.authors="jerome@jutteau.fr"
ARG INI="php"
diff --git a/docker/lighttpd.conf b/docker/lighttpd.conf
index 680280f..5acb592 100644
--- a/docker/lighttpd.conf
+++ b/docker/lighttpd.conf
@@ -5,12 +5,10 @@ var.statedir = "/var/lib/lighttpd"
server.port = 80
server.modules = (
"mod_access",
-# "mod_usertrack",
"mod_expire",
"mod_accesslog"
)
-include "mime-types.conf"
include "mod_fastcgi_fpm.conf"
server.username = "lighttpd"
--
2.43.0
From e12401c2e7e8554c24e4a4fd23aa2f124fb07f19 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Mon, 19 Jan 2026 19:36:45 +0100
Subject: [PATCH 14/16] Updated CHANGELOG
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20eea31..7fb6eb5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@
- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled.
- The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.
+- Docker image: Updated PHP to 8.3 and removed `mime-types.conf` from `lighttpd.conf`
- Upgrade from 4.7.0: in-place upgrade, you also should set `max_upload_chunk_size_bytes` to `5000000` in your `config.local.php`!
## Version 4.7.0
--
2.43.0
From 1b3736d6c74261314976b2777e6e71e9c3e9392f Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 25 Jan 2026 14:33:36 +0100
Subject: [PATCH 15/16] Updated README
- Notes about lack of end-to-end encryption
- Notes about setting max_upload_chunk_size_bytes manually if updating from an older version
---
README.md | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index b62f0a2..1d3de30 100644
--- a/README.md
+++ b/README.md
@@ -143,19 +143,21 @@ Encryption is configured to use [XChaCha20-Poly1305](https://en.wikipedia.org/wi
In case of security troubles on the server, attacker won't be able to access files.
By activating this feature, you have to be aware of few things:
-- Data encryption has a cost (CPU) and it takes more time for downloads to complete once file sent.
-- During the download, the server will decrypt on the fly (and use resource).
-- This feature needs to have the [`Sodium`](https://www.php.net/manual/en/book.sodium.php) PHP module.
-- File de-duplication will stop to work (as we can't compare two encrypted files).
-- Be sure your server does not log client's requests.
-- Don't forget to enable HTTPS.
-In a next step, encryption will be made by the client (in JavaScript).
+- This is **no** [end-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption)! Although the file should be sent to server using HTTPS, the file is unencrypted on the server for a very short time. To have end-to-end encryption, you need to encrypt the file yourself.
+- Data encryption has a cost (CPU) and it takes more time for downloads to complete once file sent.
+- During the download, the server will decrypt on the fly (and use resource).
+- This feature needs to have the [`Sodium`](https://www.php.net/manual/en/book.sodium.php) PHP module.
+- File de-duplication will stop to work (as we can't compare two encrypted files).
+- Be sure your server does not log client's requests.
+- Don't forget to enable HTTPS.
+
+In a next step, encryption will be made by the client (in JavaScript), which will also give us end-to-end encryption.
## Known issues
- There is an [issue](https://gitlab.com/jirafeau/Jirafeau/-/issues/40) with asynchronous uploads not working in Chromium-based browsers on servers with HTTP/3 enabled. This seems to be caused by a [bug in Chromium](https://issues.chromium.org/issues/457463688).
-This bug can be worked around by setting `max_upload_chunk_size_bytes` to a value of around 3000000 to 5000000 (3 to 5MB) which is default since Jirafeau version 4.7.1.
+This bug can be worked around by setting `max_upload_chunk_size_bytes` to a value of around 3000000 to 5000000 (3 to 5MB) which is default since Jirafeau version 4.7.1. Please note that you have to change this value manually if you're upgrading from a version of Jirafeau older than 4.7.1!
Thanks to [slt](https://gitlab.com/sltrash) for reporting this and for finding a workaround.
## License
--
2.43.0
From f1b3cb91458721a5c2a5a8779b35113688f8f0bd Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 25 Jan 2026 14:35:16 +0100
Subject: [PATCH 16/16] Jirafeau 4.7.1 is ready
---
CHANGELOG.md | 2 +-
lib/settings.php | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7fb6eb5..c687514 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@
5. Follow the installation wizard, it should propose you the same data folder or even update automatically
6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them.
-## Version 4.7.1 (not yet released)
+## Version 4.7.1
- Fixed another possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110), [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) and [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled.
- The default value of `max_upload_chunk_size_bytes` was set to `5000000`. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.
diff --git a/lib/settings.php b/lib/settings.php
index e015067..5a8d3a7 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -43,7 +43,7 @@ if ($cfg['debug'] === true) {
/* Jirafeau package */
define('JIRAFEAU_PACKAGE', 'Jirafeau');
-define('JIRAFEAU_VERSION', '4.7.x-dev');
+define('JIRAFEAU_VERSION', '4.7.1');
define('JIRAFEAU_WEBSITE', 'https://gitlab.com/jirafeau/Jirafeau');
--
2.43.0