X-Git-Url: https://git.p6c8.net/jirafeau/pcanterino.git/blobdiff_plain/3d007ac30c40c8262fa259bcc8e8a1cabba1d9ef..978683b51e7c6c49377b5a9404f4717cfd2f5392:/CHANGELOG.md?ds=sidebyside diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a63821..1dcf19c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,15 +12,43 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. +## Version 4.7.0 (not yet released) + +- Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`. +- Added CSS class `tos` for addressing the link to the "Terms of Service" page +- Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again. +- Generated download passwords were not shown after the upload was completed +- Uploading a file using `script.php` with an upload password set always ended up in an "Error 2". This is fixed now. +- ... +- Upgrade from 4.6.3: in-place upgrade + +New configuration items: +- `use_shortlinks` for enabling shortlinks + +## Version 4.6.3 + +- Fixed the possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110) and [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image/png,text/html". When doing the preview, the MIME type "text/html" takes precedence and you can execute for example JavaScript code. This issue has subsequently been reported as [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066). +- Compare password hashes using `hash_equals()` +- Upgrade from 4.6.2: in-place upgrade + +## Version 4.6.2 + +- Allow to configure the language and the availabilities for files for a Docker container (issue [#20](https://gitlab.com/jirafeau/Jirafeau/-/issues/20)) +- Added an example `docker-compose.yaml` file for configuring the Docker container +- Fixed an error occuring on some systems while building the Docker image (issue [#24](https://gitlab.com/jirafeau/Jirafeau/-/issues/24)) +- Script upload was broken due to a missing `return` statement (issue [#23](https://gitlab.com/jirafeau/Jirafeau/-/issues/23)) +- Upgrade from 4.6.1: in-place upgrade + ## Version 4.6.1 - Removed the download button and the corresponding link for encrypted files from the admin interface - Fixed an issue with sending the wrong filesize after decrypting an encrypted file -- Fixed the possibility to bypass the check for CVE-2022-30110 (prevent preview of SVG images) by sending a manipulated HTTP request with a MIME type like "image/svg+XML". +- Fixed the possibility to bypass the check for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110) (prevent preview of SVG images) by sending a manipulated HTTP request with a MIME type like "image/svg+XML". This issue has subsequently been reported as [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326). - We now provide Docker images for AMD64 and ARM64 systems - Lots of code refactoring and cleanup - Few more little fixes - Typo and spelling mistakes +- Upgrade from 4.6.0: in-place upgrade New configuration items: - `one_time_download_preselected` for preselecting the checkbox for deleting the file after the first download @@ -35,6 +63,7 @@ New configuration items: - Removed usage of deprecated `strftime()` function - Few more little fixes - Typo and spelling mistakes +- Upgrade from 4.5.0: in-place upgrade New configuration items: - `download_password_requirement`, `download_password_gen_len`, `download_password_gen_chars`, `download_password_policy` and `download_password_policy_regex` for configuring file download passwords