git.p6c8.net - jirafeau/pcanterino.git/log
Patrick Canterino [Sun, 31 May 2026 13:30:50 +0000 (15:30 +0200)]
Renamed cfg option debug_enforce_legacy_upload to debug_enforce_classic_upload
Patrick Canterino [Sun, 31 May 2026 13:29:37 +0000 (15:29 +0200)]
Fixed file encryption in classic uploads
Encrypted files uploaded using classic (synchronous) uploads were marked using "C" identifying legacy mcrypt encryption
=> changed to "C2" identifying Sodium encryption
Patrick Canterino [Fri, 29 May 2026 14:57:14 +0000 (16:57 +0200)]
Added config option to enforce legacy synchronous file upload
This is useful for debugging, we use it for issue #48
Blackeye [Thu, 28 May 2026 18:21:13 +0000 (20:21 +0200)]
Merge branch 'proposal_ci_php_linting_with_warning' into 'next-release'
Proposal ci php linting with warning
See merge request jirafeau/Jirafeau!32
Patrick Canterino [Wed, 4 Feb 2026 11:36:38 +0000 (12:36 +0100)]
Mentioned CVE-2026-1466 in CHANGELOG
Blackeye [Tue, 3 Feb 2026 22:31:42 +0000 (23:31 +0100)]
updated php-cs-fixer version to latest version
Blackeye [Tue, 3 Feb 2026 22:19:50 +0000 (23:19 +0100)]
rearranged anchors and added linting proposal
Patrick Canterino [Fri, 30 Jan 2026 12:22:47 +0000 (13:22 +0100)]
Updated CHANGELOG
Patrick Canterino [Fri, 30 Jan 2026 12:19:15 +0000 (13:19 +0100)]
Merge branch 'master' into 'next-release'
Missing favicon
See merge request jirafeau/Jirafeau!31
TehPeGaSuS [Mon, 26 Jan 2026 21:25:20 +0000 (22:25 +0100)]
Upload New File
Patrick Canterino [Sun, 25 Jan 2026 13:39:52 +0000 (14:39 +0100)]
Begin a new release cycle
Patrick Canterino [Sun, 25 Jan 2026 13:35:16 +0000 (14:35 +0100)]
Jirafeau 4.7.1 is ready
Patrick Canterino [Sun, 25 Jan 2026 13:33:36 +0000 (14:33 +0100)]
Updated README
- Notes about lack of end-to-end encryption
- Notes about setting max_upload_chunk_size_bytes manually if updating from an older version
Patrick Canterino [Mon, 19 Jan 2026 18:36:45 +0000 (19:36 +0100)]
Updated CHANGELOG
Patrick Canterino [Mon, 19 Jan 2026 18:30:06 +0000 (19:30 +0100)]
Docker image: Updated PHP to 8.3 and removed mime-types.conf from lighttpd.conf
PHP 8.1 is end-of-life
mime-types.conf is not available in recent versions of lighttpd
Fixed issue #45
Patrick Canterino [Sun, 18 Jan 2026 13:58:01 +0000 (14:58 +0100)]
Added slt to list of authors
Patrick Canterino [Sun, 18 Jan 2026 13:30:14 +0000 (14:30 +0100)]
Updated CHANGELOG
Patrick Canterino [Sun, 18 Jan 2026 13:20:21 +0000 (14:20 +0100)]
Further description of issue #40 in README
Patrick Canterino [Sun, 18 Jan 2026 13:14:05 +0000 (14:14 +0100)]
Set default value of max_upload_chunk_size_bytes to 5000000 (5MB)
Higher values can trigger a bug in Chromium based browsers with HTTP/3 on the web server enabled (see issue #40)
Patrick Canterino [Sat, 10 Jan 2026 15:29:40 +0000 (16:29 +0100)]
Merge branch 'bug_mime_sniffing' into 'next-release'
Disable MIME sniffing to prevent preview of invalid (probably harmful) file types
See merge request jirafeau/Jirafeau!29
Patrick Canterino [Sun, 4 Jan 2026 13:54:55 +0000 (14:54 +0100)]
Disable MIME sniffing to prevent preview of invalid (probably harmful) file types
Reported by Yann CAM and Killian CHEVRIER
Patrick Canterino [Sun, 4 Jan 2026 13:43:49 +0000 (14:43 +0100)]
Mentioned issue #40 as a known issue in the README file
Patrick Canterino [Mon, 8 Sep 2025 10:09:50 +0000 (12:09 +0200)]
Begin a new release cycle
Patrick Canterino [Mon, 8 Sep 2025 10:03:48 +0000 (12:03 +0200)]
Jirafeau 4.7.0 is ready
Patrick Canterino [Mon, 8 Sep 2025 09:54:03 +0000 (11:54 +0200)]
Updated list of authors
Patrick Canterino [Mon, 8 Sep 2025 09:50:56 +0000 (11:50 +0200)]
Updated CHANGELOG
Patrick Canterino [Sat, 30 Aug 2025 12:28:22 +0000 (14:28 +0200)]
Updated CHANGELOG
Patrick Canterino [Sat, 30 Aug 2025 12:13:45 +0000 (14:13 +0200)]
Merge branch 'shortlinks' into 'next-release'
add short link support
See merge request jirafeau/Jirafeau!24
Florian [Sat, 30 Aug 2025 12:13:45 +0000 (12:13 +0000)]
add short link support
Patrick Canterino [Tue, 12 Aug 2025 13:04:20 +0000 (15:04 +0200)]
Fixed indentation
Patrick Canterino [Tue, 12 Aug 2025 12:46:59 +0000 (14:46 +0200)]
Merge branch 'f_issue_35-36' into 'next-release'
Fixes for issues 35 and 36
See merge request jirafeau/Jirafeau!26
Patrick Canterino [Tue, 12 Aug 2025 12:45:01 +0000 (14:45 +0200)]
Merge branch 'f_issue_37' into 'next-release'
Fix for issue 37
See merge request jirafeau/Jirafeau!27
Patrick Canterino [Sat, 9 Aug 2025 13:35:46 +0000 (15:35 +0200)]
Trying to upload a file using script.php with an upload password set always ends up in an "Error 2". Added "!isset($_POST['upload_password'])" to the test condition.
Patch by Yannis Aribaud
Patrick Canterino [Sat, 9 Aug 2025 13:13:44 +0000 (15:13 +0200)]
Download statistics were not shown in the admin interface
This feature got accidentally lost during refactoring
Patrick Canterino [Sat, 9 Aug 2025 13:06:13 +0000 (15:06 +0200)]
The generated download password was not shown in the "finished" page
This feature got accidentally lost during refactoring
Also made the form field readonly
Patrick Canterino [Sat, 9 Aug 2025 12:53:45 +0000 (14:53 +0200)]
Merge branch 'make-tos-identifiable' into 'next-release'
give tos notice a specific element id
See merge request jirafeau/Jirafeau!25
Florian [Sat, 9 Aug 2025 12:53:45 +0000 (12:53 +0000)]
give tos notice a specific element id
Patrick Canterino [Fri, 8 Aug 2025 13:00:52 +0000 (15:00 +0200)]
Mentioned CVE-2025-7066
Patrick Canterino [Sun, 22 Jun 2025 13:12:28 +0000 (15:12 +0200)]
Begin a new release cycle
Patrick Canterino [Sun, 22 Jun 2025 13:02:31 +0000 (15:02 +0200)]
Jirafeau 4.6.3 is ready
Patrick Canterino [Thu, 19 Jun 2025 12:17:35 +0000 (14:17 +0200)]
Updated CHANGELOG
Patrick Canterino [Thu, 19 Jun 2025 11:56:59 +0000 (13:56 +0200)]
Fixes for issues #31 and #32
See merge request jirafeau/Jirafeau!22
Patrick Canterino [Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)]
Compare stored hashes for admin and download password using hash_equals()
This prevents timing attacks and attacks using Type Juggling
Originally proposed by onosh
Patrick Canterino [Mon, 16 Jun 2025 09:58:15 +0000 (11:58 +0200)]
Check for commas in MIME type before generating preview
It was possible to bypass the preview check by sending a manipulated HTTP request with a MIME type like "image/png,text/html".
When parsing the Content-Type of an HTTP response, browsers see multiple MIME types, and the last one, text/html, takes precedence, allowing to execute potentially harmful JavaScript code.
This check was originally implemented to address CVE-2022-30110 then CVE-2024-12326.
Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Killian CHEVRIER (palmier) (https://killianchevrier.fr/)
Patrick Canterino [Sat, 22 Mar 2025 12:15:31 +0000 (13:15 +0100)]
Merge branch 'master' into 'next-release'
fix grammar mistake
See merge request jirafeau/Jirafeau!21
Ruixey [Fri, 21 Mar 2025 16:08:57 +0000 (16:08 +0000)]
fix grammar mistake
Patrick Canterino [Tue, 4 Mar 2025 14:39:23 +0000 (15:39 +0100)]
Begin a new release cycle
Patrick Canterino [Tue, 4 Mar 2025 14:34:07 +0000 (15:34 +0100)]
Merge branch 'next-release'
Patrick Canterino [Tue, 4 Mar 2025 14:31:23 +0000 (15:31 +0100)]
Jirafeau 4.6.2 is ready
Patrick Canterino [Fri, 28 Feb 2025 12:57:19 +0000 (13:57 +0100)]
Updated CHANGELOG
Blackeye [Wed, 19 Feb 2025 13:46:25 +0000 (13:46 +0000)]
Merge branch 'hotfix_issue_21' into 'master'
HOTFIX: fix for issue #21 and a docker_compose.yaml for testing | cherry https://gitlab.com/jirafeau/Jirafeau/-/commit/8e36d013510ddedf9bb830b547f2de7664815bd0
See merge request jirafeau/Jirafeau!20
Blackstareye [Sat, 18 Jan 2025 17:15:14 +0000 (18:15 +0100)]
fix for issue #21 and a docker_compose.yaml for testing
Blackeye [Tue, 18 Feb 2025 16:52:49 +0000 (16:52 +0000)]
Merge branch 'hotfix_cherrypick_issue_23' into 'master'
fixed script upload - missing return statement
See merge request jirafeau/Jirafeau!19
Blackstareye [Mon, 17 Feb 2025 17:13:46 +0000 (18:13 +0100)]
fixed script upload - missing return statement
Blackeye [Tue, 18 Feb 2025 14:26:37 +0000 (14:26 +0000)]
Merge branch 'fix_for_issue_23' into 'next-release'
fixed script upload - missing return statement
See merge request jirafeau/Jirafeau!18
Blackstareye [Mon, 17 Feb 2025 17:13:46 +0000 (18:13 +0100)]
fixed script upload - missing return statement
Blackeye [Mon, 17 Feb 2025 15:51:11 +0000 (15:51 +0000)]
Merge branch 'fix_for_issue_20' into 'next-release'
fix for #20, added also lang to env variables; added function for associative...
See merge request jirafeau/Jirafeau!14
Blackstareye [Mon, 17 Feb 2025 15:46:11 +0000 (16:46 +0100)]
fixed typo
Blackstareye [Mon, 17 Feb 2025 15:42:27 +0000 (16:42 +0100)]
added run container section
Blackstareye [Mon, 17 Feb 2025 15:39:00 +0000 (16:39 +0100)]
changed method name and added doc for docker compose
Blackstareye [Fri, 24 Jan 2025 19:38:58 +0000 (20:38 +0100)]
fixed format
Blackstareye [Fri, 24 Jan 2025 19:26:29 +0000 (20:26 +0100)]
fix for #20, added also lang to env variables; added function for associative arrays (e.g. json in env)
Blackstareye [Fri, 24 Jan 2025 19:25:15 +0000 (20:25 +0100)]
example docker compose with availabilities (defaulted according to config)
Blackeye [Tue, 21 Jan 2025 14:18:52 +0000 (14:18 +0000)]
Merge branch 'fix_for_issue_21' into 'next-release'
fix for issue #21 and a docker_compose.yaml for testing
See merge request jirafeau/Jirafeau!13
Blackstareye [Sat, 18 Jan 2025 17:15:14 +0000 (18:15 +0100)]
fix for issue #21 and a docker_compose.yaml for testing
Patrick Canterino [Sun, 1 Dec 2024 14:33:14 +0000 (15:33 +0100)]
Begin a new release cycle
Patrick Canterino [Sun, 1 Dec 2024 14:27:35 +0000 (15:27 +0100)]
Updated CHANGELOG
Patrick Canterino [Sun, 1 Dec 2024 14:25:51 +0000 (15:25 +0100)]
Jirafeau 4.6.1 is ready
Patrick Canterino [Sun, 1 Dec 2024 14:25:15 +0000 (15:25 +0100)]
Updated CHANGELOG
Patrick Canterino [Sun, 1 Dec 2024 14:05:34 +0000 (15:05 +0100)]
Made check for MIME type "image/svg+xml" case insensitive
It was possible to bypass this check by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
This check was originally implemented to address CVE-2022-30110.
Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Georges TAUPIN (jo) (https://www.georgestaupin.com/)
Patrick Canterino [Mon, 25 Nov 2024 16:24:07 +0000 (17:24 +0100)]
Fixed footer ("designed by")
Patrick Canterino [Fri, 22 Nov 2024 14:56:24 +0000 (15:56 +0100)]
Removed references to weblate
Patrick Canterino [Fri, 22 Nov 2024 13:47:04 +0000 (14:47 +0100)]
Updated CHANGELOG
Patrick Canterino [Fri, 22 Nov 2024 13:41:51 +0000 (14:41 +0100)]
Updated Docker README
Patrick Canterino [Sat, 16 Nov 2024 14:09:32 +0000 (14:09 +0000)]
Merge branch 'bug_content_length' into 'next-release'
Store filesize before encrypting the file
See merge request jirafeau/Jirafeau!11
Patrick Canterino [Sun, 10 Nov 2024 13:47:41 +0000 (14:47 +0100)]
Updated Docker README
Patrick Canterino [Sun, 10 Nov 2024 13:03:40 +0000 (14:03 +0100)]
Store filesize before encrypting the file
This currently applies only for async uploads.
Otherwise we would send the size of the encrypted file and the data of the unencrypted file.
The encrypted file is usually larger than the unencrypted one. So the browser expects more
data and aborts the download because it thinks it didn't receive all the data.
Patrick Canterino [Fri, 25 Oct 2024 18:50:18 +0000 (20:50 +0200)]
Added "one_time_download_preselected" to Docker options
Patrick Canterino [Thu, 24 Oct 2024 15:39:14 +0000 (15:39 +0000)]
Merge branch 'docker_arm' into 'next-release'
Build Docker images for linux/arm/v7, linux/arm64/v8 and linux/amd64
See merge request jirafeau/Jirafeau!10
Patrick Canterino [Tue, 22 Oct 2024 18:17:59 +0000 (20:17 +0200)]
Added some comments explaining the build job for the Docker image
Patrick Canterino [Sat, 19 Oct 2024 13:24:08 +0000 (15:24 +0200)]
Build Docker images for linux/arm/v7, linux/arm64/v8 and linux/amd64
Patrick Canterino [Sat, 19 Oct 2024 11:31:25 +0000 (11:31 +0000)]
Merge branch 'fix_cs' into 'next-release'
Switched to php-cs-fixer 3.64.0 and PSR12 in CI
Added pipeline for PHP 8.2
See merge request jirafeau/Jirafeau!7
Patrick Canterino [Mon, 14 Oct 2024 17:28:35 +0000 (19:28 +0200)]
Added pipeline for PHP 8.2
Patrick Canterino [Mon, 14 Oct 2024 17:23:13 +0000 (19:23 +0200)]
Skip single_space_around_construct check in CI
Patrick Canterino [Mon, 14 Oct 2024 14:26:16 +0000 (16:26 +0200)]
Fixed every error detected by php-cs-fixer (except the single_space_around_construct type)
Patrick Canterino [Wed, 16 Oct 2024 17:50:05 +0000 (19:50 +0200)]
Updated Docker README
- Mount local directory for data storage
- Syntax highlighting
Patrick Canterino [Mon, 14 Oct 2024 10:22:34 +0000 (12:22 +0200)]
Switched to php-cs-fixer 3.64.0 and PSR12 in CI
Also "fix --dry-run" does the same as "check"
Patrick Canterino [Mon, 14 Oct 2024 17:40:29 +0000 (19:40 +0200)]
Updated README and CHANGELOG
Patrick Canterino [Sat, 12 Oct 2024 14:48:50 +0000 (14:48 +0000)]
Merge branch 'bug_admin_download_encrypted' into 'next-release'
Removed the download button and the corresponding link for encrypted files from the admin interface
See merge request jirafeau/Jirafeau!6
Patrick Canterino [Sat, 12 Oct 2024 14:48:50 +0000 (14:48 +0000)]
Removed the download button and the corresponding link for encrypted files from the admin interface
Patrick Canterino [Sun, 8 Sep 2024 14:26:07 +0000 (14:26 +0000)]
Merge branch 'new-copyright-header' into 'next-release'
Updated copyright header, new list of authors in separate file
See merge request jirafeau/Jirafeau!5
Patrick Canterino [Sun, 8 Sep 2024 14:26:07 +0000 (14:26 +0000)]
Updated copyright header, new list of authors in separate file
Patrick Canterino [Tue, 3 Sep 2024 17:49:49 +0000 (19:49 +0200)]
Updated CHANGELOG
Patrick Canterino [Tue, 3 Sep 2024 17:34:19 +0000 (19:34 +0200)]
Added screenshots directory to .dockerignore
Patrick Canterino [Mon, 2 Sep 2024 17:14:13 +0000 (17:14 +0000)]
Merge branch 'new-screenshots' into 'next-release'
Update screenshots in README and store them in the repository
See merge request jirafeau/Jirafeau!4
Patrick Canterino [Mon, 2 Sep 2024 17:14:13 +0000 (17:14 +0000)]
Update screenshots in README and store them in the repository
Blackeye [Mon, 26 Aug 2024 11:58:02 +0000 (11:58 +0000)]
Merge branch 'f_modularization_wip_rebased' into 'next-release'
Code Modularization
See merge request jirafeau/Jirafeau!3
Blackeye [Mon, 26 Aug 2024 11:58:02 +0000 (11:58 +0000)]
Code Modularization
Patrick Canterino [Sun, 18 Aug 2024 15:53:20 +0000 (17:53 +0200)]
Merge branch 'master' into next-release
This will fix the history after commit 4efa531d in master
Patrick Canterino [Sun, 18 Aug 2024 15:52:31 +0000 (17:52 +0200)]
Copied information about Docker from README files from next-release to master
So our users will instantly get this new information when opening the GitLab page
patrick-canterino.de