git.p6c8.net - jirafeau/pcanterino.git/log
Patrick Canterino [Sat, 13 Jun 2026 13:44:42 +0000 (15:44 +0200)]
Updated CHANGELOG
Patrick Canterino [Sat, 13 Jun 2026 13:35:26 +0000 (15:35 +0200)]
Added "debug_enforce_classic_upload" to Docker options
Patrick Canterino [Fri, 5 Jun 2026 14:49:58 +0000 (16:49 +0200)]
Added TehPeGaSuS to the list of authors
Patrick Canterino [Fri, 5 Jun 2026 14:35:55 +0000 (16:35 +0200)]
Modified copyright header of all themes
Patrick Canterino [Fri, 5 Jun 2026 14:31:44 +0000 (16:31 +0200)]
Applied CSS for "show password box" to other themes
Patrick Canterino [Fri, 5 Jun 2026 14:23:42 +0000 (16:23 +0200)]
Applied patch by @Blackstareye from merge request !30
Now we have an eye button for toggling the password to clear text
Patrick Canterino [Fri, 5 Jun 2026 14:16:41 +0000 (16:16 +0200)]
Merge branch 'patch-1' into 'show_password_box'
Add a Show password checkbox
See merge request jirafeau/Jirafeau!30
Patrick Canterino [Fri, 5 Jun 2026 14:02:08 +0000 (16:02 +0200)]
Merge branch 'fix_legacy_upload' into 'next-release'
Fixed file encryption on classic upload
See merge request jirafeau/Jirafeau!34
Patrick Canterino [Fri, 5 Jun 2026 14:01:33 +0000 (16:01 +0200)]
Merge branch 'md5_to_sha256' into 'next-release'
Md5 to sha256
See merge request jirafeau/Jirafeau!33
Patrick Canterino [Sun, 31 May 2026 16:55:05 +0000 (18:55 +0200)]
Fixed error message occurring on classic upload
Changed handling of XHR responses
Patrick Canterino [Sun, 31 May 2026 13:49:28 +0000 (15:49 +0200)]
Fixed temporary filenames of encrypted files during classic upload
Patrick Canterino [Sun, 31 May 2026 13:30:50 +0000 (15:30 +0200)]
Renamed cfg option debug_enforce_legacy_upload to debug_enforce_classic_upload
Patrick Canterino [Sun, 31 May 2026 13:29:37 +0000 (15:29 +0200)]
Fixed file encryption in classic uploads
Encrypted files uploaded using classic (synchronous) uploads were marked using "C" identifying legacy mcrypt encryption
=> changed to "C2" identifying Sodium encryption
Patrick Canterino [Sun, 31 May 2026 13:07:50 +0000 (15:07 +0200)]
Small refactoring
Patrick Canterino [Fri, 29 May 2026 14:57:14 +0000 (16:57 +0200)]
Added config option to enforce legacy synchronous file upload
This is useful for debugging, we use it for issue #48
Patrick Canterino [Fri, 29 May 2026 13:48:02 +0000 (15:48 +0200)]
Fixed linter error
Patrick Canterino [Fri, 29 May 2026 13:35:41 +0000 (15:35 +0200)]
Prefixed SHA256 password hashes
This way we can identify them and still compare to legacy MD5 hashes
Patrick Canterino [Fri, 29 May 2026 13:13:29 +0000 (15:13 +0200)]
Here we actually NEED MD5. This one affects only legacy files encrypted using mcrypt.
Blackeye [Thu, 28 May 2026 18:21:13 +0000 (20:21 +0200)]
Merge branch 'proposal_ci_php_linting_with_warning' into 'next-release'
Proposal ci php linting with warning
See merge request jirafeau/Jirafeau!32
Patrick Canterino [Wed, 4 Feb 2026 11:36:38 +0000 (12:36 +0100)]
Mentioned CVE-2026-1466 in CHANGELOG
Blackeye [Wed, 4 Feb 2026 00:47:30 +0000 (01:47 +0100)]
pat pat - ci linting
Blackeye [Wed, 4 Feb 2026 00:39:18 +0000 (01:39 +0100)]
fixed script md5 -> sha256
Blackeye [Wed, 4 Feb 2026 00:33:51 +0000 (01:33 +0100)]
#34 - change md5 to sha256
Blackeye [Tue, 3 Feb 2026 22:31:42 +0000 (23:31 +0100)]
updated php-cs-fixer version to latest version
Blackeye [Tue, 3 Feb 2026 22:19:50 +0000 (23:19 +0100)]
rearranged anchors and added linting proposal
Patrick Canterino [Fri, 30 Jan 2026 12:22:47 +0000 (13:22 +0100)]
Updated CHANGELOG
Patrick Canterino [Fri, 30 Jan 2026 12:19:15 +0000 (13:19 +0100)]
Merge branch 'master' into 'next-release'
Missing favicon
See merge request jirafeau/Jirafeau!31
TehPeGaSuS [Mon, 26 Jan 2026 22:03:25 +0000 (23:03 +0100)]
Another attempt to fix linting
TehPeGaSuS [Mon, 26 Jan 2026 21:46:29 +0000 (22:46 +0100)]
Trying to make linting happy
TehPeGaSuS [Mon, 26 Jan 2026 21:25:20 +0000 (22:25 +0100)]
Upload New File
TehPeGaSuS [Mon, 26 Jan 2026 20:59:12 +0000 (21:59 +0100)]
Add a `Show password checkbox`
Patrick Canterino [Sun, 25 Jan 2026 13:39:52 +0000 (14:39 +0100)]
Begin a new release cycle
Patrick Canterino [Sun, 25 Jan 2026 13:35:16 +0000 (14:35 +0100)]
Jirafeau 4.7.1 is ready
Patrick Canterino [Sun, 25 Jan 2026 13:33:36 +0000 (14:33 +0100)]
Updated README
- Notes about lack of end-to-end encryption
- Notes about setting max_upload_chunk_size_bytes manually if updating from an older version
Patrick Canterino [Mon, 19 Jan 2026 18:36:45 +0000 (19:36 +0100)]
Updated CHANGELOG
Patrick Canterino [Mon, 19 Jan 2026 18:30:06 +0000 (19:30 +0100)]
Docker image: Updated PHP to 8.3 and removed mime-types.conf from lighttpd.conf
PHP 8.1 is end-of-life
mime-types.conf is not available in recent versions of lighttpd
Fixed issue #45
Patrick Canterino [Sun, 18 Jan 2026 13:58:01 +0000 (14:58 +0100)]
Added slt to list of authors
Patrick Canterino [Sun, 18 Jan 2026 13:30:14 +0000 (14:30 +0100)]
Updated CHANGELOG
Patrick Canterino [Sun, 18 Jan 2026 13:20:21 +0000 (14:20 +0100)]
Further description of issue #40 in README
Patrick Canterino [Sun, 18 Jan 2026 13:14:05 +0000 (14:14 +0100)]
Set default value of max_upload_chunk_size_bytes to 5000000 (5MB)
Higher values can trigger a bug in Chromium based browsers with HTTP/3 on the web server enabled (see issue #40)
Patrick Canterino [Sat, 10 Jan 2026 15:29:40 +0000 (16:29 +0100)]
Merge branch 'bug_mime_sniffing' into 'next-release'
Disable MIME sniffing to prevent preview of invalid (probably harmful) file types
See merge request jirafeau/Jirafeau!29
Patrick Canterino [Sun, 4 Jan 2026 13:54:55 +0000 (14:54 +0100)]
Disable MIME sniffing to prevent preview of invalid (probably harmful) file types
Reported by Yann CAM and Killian CHEVRIER
Patrick Canterino [Sun, 4 Jan 2026 13:43:49 +0000 (14:43 +0100)]
Mentioned issue #40 as a known issue in the README file
Patrick Canterino [Mon, 8 Sep 2025 10:09:50 +0000 (12:09 +0200)]
Begin a new release cycle
Patrick Canterino [Mon, 8 Sep 2025 10:03:48 +0000 (12:03 +0200)]
Jirafeau 4.7.0 is ready
Patrick Canterino [Mon, 8 Sep 2025 09:54:03 +0000 (11:54 +0200)]
Updated list of authors
Patrick Canterino [Mon, 8 Sep 2025 09:50:56 +0000 (11:50 +0200)]
Updated CHANGELOG
Patrick Canterino [Sat, 30 Aug 2025 12:28:22 +0000 (14:28 +0200)]
Updated CHANGELOG
Patrick Canterino [Sat, 30 Aug 2025 12:13:45 +0000 (14:13 +0200)]
Merge branch 'shortlinks' into 'next-release'
add short link support
See merge request jirafeau/Jirafeau!24
Florian [Sat, 30 Aug 2025 12:13:45 +0000 (12:13 +0000)]
add short link support
Patrick Canterino [Tue, 12 Aug 2025 13:04:20 +0000 (15:04 +0200)]
Fixed indentation
Patrick Canterino [Tue, 12 Aug 2025 12:46:59 +0000 (14:46 +0200)]
Merge branch 'f_issue_35-36' into 'next-release'
Fixes for issues 35 and 36
See merge request jirafeau/Jirafeau!26
Patrick Canterino [Tue, 12 Aug 2025 12:45:01 +0000 (14:45 +0200)]
Merge branch 'f_issue_37' into 'next-release'
Fix for issue 37
See merge request jirafeau/Jirafeau!27
Patrick Canterino [Sat, 9 Aug 2025 13:35:46 +0000 (15:35 +0200)]
Trying to upload a file using script.php with an upload password set always ends up in an "Error 2". Added "!isset($_POST['upload_password'])" to the test condition.
Patch by Yannis Aribaud
Patrick Canterino [Sat, 9 Aug 2025 13:13:44 +0000 (15:13 +0200)]
Download statistics were not shown in the admin interface
This feature got accidentally lost during refactoring
Patrick Canterino [Sat, 9 Aug 2025 13:06:13 +0000 (15:06 +0200)]
The generated download password was not shown in the "finished" page
This feature got accidentally lost during refactoring
Also made the form field readonly
Patrick Canterino [Sat, 9 Aug 2025 12:53:45 +0000 (14:53 +0200)]
Merge branch 'make-tos-identifiable' into 'next-release'
give tos notice a specific element id
See merge request jirafeau/Jirafeau!25
Florian [Sat, 9 Aug 2025 12:53:45 +0000 (12:53 +0000)]
give tos notice a specific element id
Patrick Canterino [Fri, 8 Aug 2025 13:00:52 +0000 (15:00 +0200)]
Mentioned CVE-2025-7066
Patrick Canterino [Sun, 22 Jun 2025 13:12:28 +0000 (15:12 +0200)]
Begin a new release cycle
Patrick Canterino [Sun, 22 Jun 2025 13:02:31 +0000 (15:02 +0200)]
Jirafeau 4.6.3 is ready
Patrick Canterino [Thu, 19 Jun 2025 12:17:35 +0000 (14:17 +0200)]
Updated CHANGELOG
Patrick Canterino [Thu, 19 Jun 2025 11:56:59 +0000 (13:56 +0200)]
Fixes for issues #31 and #32
See merge request jirafeau/Jirafeau!22
Patrick Canterino [Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)]
Compare stored hashes for admin and download password using hash_equals()
This prevents timing attacks and attacks using Type Juggling
Originally proposed by onosh
Patrick Canterino [Mon, 16 Jun 2025 09:58:15 +0000 (11:58 +0200)]
Check for commas in MIME type before generating preview
It was possible to bypass the preview check by sending a manipulated HTTP request with a MIME type like "image/png,text/html".
When parsing the Content-Type of an HTTP response, browsers see multiple MIME types, and the last one, text/html, takes precedence, allowing execution of potentially harmful JavaScript code.
This check was originally implemented to address CVE-2022-30110 then CVE-2024-12326.
Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Killian CHEVRIER (palmier) (https://killianchevrier.fr/)
Patrick Canterino [Sat, 22 Mar 2025 12:15:31 +0000 (13:15 +0100)]
Merge branch 'master' into 'next-release'
fix grammar mistake
See merge request jirafeau/Jirafeau!21
Ruixey [Fri, 21 Mar 2025 16:08:57 +0000 (16:08 +0000)]
fix grammar mistake
Patrick Canterino [Tue, 4 Mar 2025 14:39:23 +0000 (15:39 +0100)]
Begin a new release cycle
Patrick Canterino [Tue, 4 Mar 2025 14:34:07 +0000 (15:34 +0100)]
Merge branch 'next-release'
Patrick Canterino [Tue, 4 Mar 2025 14:31:23 +0000 (15:31 +0100)]
Jirafeau 4.6.2 is ready
Patrick Canterino [Fri, 28 Feb 2025 12:57:19 +0000 (13:57 +0100)]
Updated CHANGELOG
Blackeye [Wed, 19 Feb 2025 13:46:25 +0000 (13:46 +0000)]
Merge branch 'hotfix_issue_21' into 'master'
HOTFIX: fix for issue #21 and a docker_compose.yaml for testing | cherry https://gitlab.com/jirafeau/Jirafeau/-/commit/8e36d013510ddedf9bb830b547f2de7664815bd0
See merge request jirafeau/Jirafeau!20
Blackstareye [Sat, 18 Jan 2025 17:15:14 +0000 (18:15 +0100)]
fix for issue #21 and a docker_compose.yaml for testing
Blackeye [Tue, 18 Feb 2025 16:52:49 +0000 (16:52 +0000)]
Merge branch 'hotfix_cherrypick_issue_23' into 'master'
fixed script upload - missing return statement
See merge request jirafeau/Jirafeau!19
Blackstareye [Mon, 17 Feb 2025 17:13:46 +0000 (18:13 +0100)]
fixed script upload - missing return statement
Blackeye [Tue, 18 Feb 2025 14:26:37 +0000 (14:26 +0000)]
Merge branch 'fix_for_issue_23' into 'next-release'
fixed script upload - missing return statement
See merge request jirafeau/Jirafeau!18
Blackstareye [Mon, 17 Feb 2025 17:13:46 +0000 (18:13 +0100)]
fixed script upload - missing return statement
Blackeye [Mon, 17 Feb 2025 15:51:11 +0000 (15:51 +0000)]
Merge branch 'fix_for_issue_20' into 'next-release'
fix for #20, added also lang to env variables; added function for associative...
See merge request jirafeau/Jirafeau!14
Blackstareye [Mon, 17 Feb 2025 15:46:11 +0000 (16:46 +0100)]
fixed typo
Blackstareye [Mon, 17 Feb 2025 15:42:27 +0000 (16:42 +0100)]
added run container section
Blackstareye [Mon, 17 Feb 2025 15:39:00 +0000 (16:39 +0100)]
changed method name and added doc for docker compose
Blackstareye [Fri, 24 Jan 2025 19:38:58 +0000 (20:38 +0100)]
fixed format
Blackstareye [Fri, 24 Jan 2025 19:26:29 +0000 (20:26 +0100)]
fix for #20, added also lang to env variables; added function for associative arrays (e.g. json in env)
Blackstareye [Fri, 24 Jan 2025 19:25:15 +0000 (20:25 +0100)]
example docker compose with availabilities (defaulted according to config)
Blackeye [Tue, 21 Jan 2025 14:18:52 +0000 (14:18 +0000)]
Merge branch 'fix_for_issue_21' into 'next-release'
fix for issue #21 and a docker_compose.yaml for testing
See merge request jirafeau/Jirafeau!13
Blackstareye [Sat, 18 Jan 2025 17:15:14 +0000 (18:15 +0100)]
fix for issue #21 and a docker_compose.yaml for testing
Patrick Canterino [Sun, 1 Dec 2024 14:33:14 +0000 (15:33 +0100)]
Begin a new release cycle
Patrick Canterino [Sun, 1 Dec 2024 14:27:35 +0000 (15:27 +0100)]
Updated CHANGELOG
Patrick Canterino [Sun, 1 Dec 2024 14:25:51 +0000 (15:25 +0100)]
Jirafeau 4.6.1 is ready
Patrick Canterino [Sun, 1 Dec 2024 14:25:15 +0000 (15:25 +0100)]
Updated CHANGELOG
Patrick Canterino [Sun, 1 Dec 2024 14:05:34 +0000 (15:05 +0100)]
Made check for MIME type "image/svg+xml" case insensitive
It was possible to bypass this check by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
This check was originally implemented to address CVE-2022-30110.
Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Georges TAUPIN (jo) (https://www.georgestaupin.com/)
Patrick Canterino [Mon, 25 Nov 2024 16:24:07 +0000 (17:24 +0100)]
Fixed footer ("designed by")
Patrick Canterino [Fri, 22 Nov 2024 14:56:24 +0000 (15:56 +0100)]
Removed references to weblate
Patrick Canterino [Fri, 22 Nov 2024 13:47:04 +0000 (14:47 +0100)]
Updated CHANGELOG
Patrick Canterino [Fri, 22 Nov 2024 13:41:51 +0000 (14:41 +0100)]
Updated Docker README
Patrick Canterino [Sat, 16 Nov 2024 14:09:32 +0000 (14:09 +0000)]
Merge branch 'bug_content_length' into 'next-release'
Store filesize before encrypting the file
See merge request jirafeau/Jirafeau!11
Patrick Canterino [Sun, 10 Nov 2024 13:47:41 +0000 (14:47 +0100)]
Updated Docker README
Patrick Canterino [Sun, 10 Nov 2024 13:03:40 +0000 (14:03 +0100)]
Store filesize before encrypting the file
This currently applies only for async uploads.
Otherwise we would send the size of the encrypted file and the data of the unencrypted file.
The encrypted file is usually larger than the unencrypted one. So the browser expects more
data and aborts the download because it thinks it didn't receive all the data.
Patrick Canterino [Fri, 25 Oct 2024 18:50:18 +0000 (20:50 +0200)]
Added "one_time_download_preselected" to Docker options
Patrick Canterino [Thu, 24 Oct 2024 15:39:14 +0000 (15:39 +0000)]
Merge branch 'docker_arm' into 'next-release'
Build Docker images for linux/arm/v7, linux/arm64/v8 and linux/amd64
See merge request jirafeau/Jirafeau!10
patrick-canterino.de