X-Git-Url: https://git.p6c8.net/jirafeau/pcanterino.git/blobdiff_plain/b15d9743d761b176c8d522f3259017c093c5f382..978683b51e7c6c49377b5a9404f4717cfd2f5392:/CHANGELOG.md?ds=inline diff --git a/CHANGELOG.md b/CHANGELOG.md index 944d835..1dcf19c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,6 +12,25 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. +## Version 4.7.0 (not yet released) + +- Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with `mod_rewrite`. +- Added CSS class `tos` for addressing the link to the "Terms of Service" page +- Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again. +- Generated download passwords were not shown after the upload was completed +- Uploading a file using `script.php` with an upload password set always ended up in an "Error 2". This is fixed now. +- ... +- Upgrade from 4.6.3: in-place upgrade + +New configuration items: +- `use_shortlinks` for enabling shortlinks + +## Version 4.6.3 + +- Fixed the possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110) and [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image/png,text/html". When doing the preview, the MIME type "text/html" takes precedence and you can execute for example JavaScript code. This issue has subsequently been reported as [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066). +- Compare password hashes using `hash_equals()` +- Upgrade from 4.6.2: in-place upgrade + ## Version 4.6.2 - Allow to configure the language and the availabilities for files for a Docker container (issue [#20](https://gitlab.com/jirafeau/Jirafeau/-/issues/20))
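Review bot: In the added 4.7.0 section, the bullet "Generated download passwords were not shown after the upload was completed" describes the defect but never says it is fixed, unlike the `script.php` bullet after it, which ends with "This is fixed now."; reword it as a fix, for example "Fixed: generated download passwords were not shown after the upload was completed". The literal "- ..." placeholder bullet in the same section should be filled in or dropped before release. The `use_shortlinks` entry would be more useful with its default value stated, since the upgrade steps in the context lines tell operators to compare `config.local.php` against `config.original.php` for new items. In the 4.6.3 section, "Compare password hashes using `hash_equals()`" gives no reason for the change; adding that this makes the comparison timing-safe would tell operators it is a security hardening and not a refactor.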