Remove further form action targets, if these forms should be sent
to the same page anyway. In this case we may safely omit the
action attribute and save some path constructions.
Dan Untenzu [Fri, 27 Jan 2017 09:23:50 +0000 (10:23 +0100)]
[BUGFIX] Catch errors in upload form
The upload forms failed to catch errors due to a
never matching condition. Failing uploads (e.g. because of
filesize limit etc.) still tried to render non-existing
download links instead of showing the error.
Fix the condition by testing if the return string
starts with "Error" instead of equals "Error".
Dan Untenzu [Tue, 24 Jan 2017 15:57:32 +0000 (16:57 +0100)]
[TASK] Rename license short identifier
The official short identifier for
"GNU Affero General Public License v3.0" is "AGPL-3.0"
(see https://spdx.org/licenses/ → https://spdx.org/licenses/AGPL-3.0.html)
Dan Untenzu [Wed, 18 Jan 2017 18:32:37 +0000 (19:32 +0100)]
[FEATURE] Autogenerate prefix for absolute links
Add a helping variable to build absolute links to
the root of the domain without handling the URL scheme.
This way all links could get rid of the host & domain part,
and just build absolute links to the root instead.
(Replace "[https://example.com/foo/] + [functions.js]" with
"[/foo/] + [functions.js]")
Dan Untenzu [Wed, 18 Jan 2017 18:00:44 +0000 (19:00 +0100)]
[FEATURE] Installer: Remove (unknown) form target URL
The domain on which Jirafeau is running, is not yet
defined while installing the project. In order to build valid
action links for the form, the script generated a possible URL
using the request header. This method may fail for proxies
or while using HTTPS or due to spoofing or…
In HTML5 we can safely omit the action attribute (see
http://stackoverflow.com/a/9678030), which will cause the browser
to send the request to the exact same URL again.
This way we can avoid the URL guessing during the installation.
pixelbrackets [Tue, 17 Jan 2017 21:21:47 +0000 (22:21 +0100)]
[!!][FEATURE] Remove XHTML doctype
The project uses an HTML5 doctype, but switches
to XHTML if a condition says that the client's browser
can handle XHTML. As this is the case for nearly any
browser which also supports HTML5, the condition causes
the script to *always* render the XHTML doctype.
We remove the whole condition and the XHTML doctype
in favour of an HTML5 doctype only.
Note: This may be considered a breaking change,
since HTML5 may not be working in ancient versions of IE.
Dan Untenzu [Tue, 17 Jan 2017 15:36:54 +0000 (16:36 +0100)]
[FEATURE] Docs: Explain how to obey the AGPLv3 license
This project uses the AGPLv3 license. If an admin decides
to make some adaptations to the source code, and run a service with
these changes incorporated, the admin is required to offer
the server's users a download of the source code of his version.
Describe in the README how to do that conveniently with the ToS page.
Dan Untenzu [Tue, 17 Jan 2017 11:42:04 +0000 (12:42 +0100)]
[!!][FEATURE] Let admin overwrite the ToS page
Let the admin overwrite the content of the
"Terms of Service" page by copying the original ToS
template and creating a local file (same procedure as
for the configuration). This file is not versioned.
Note: This is a breaking change, since the existing
tos textfile is moved. This should be mentioned
in the update comments.
* ToS text file changed → move file from "/tos_text.php"
to "/lib/tos.local.txt" and remove all HTML and PHP tags,
leaving a regular text file.
Simplify the generation of the local configuration file
by replacing various loops with shorter PHP standard methods.
This will cause the local configuration to have a slightly
different style, but it is still an array therefore is
readable and changeable by PHP developers.
Dan Untenzu [Mon, 16 Jan 2017 16:54:01 +0000 (17:54 +0100)]
[FEATURE] Move config include into settings file
Move the include of the original and the local
configuration file into the settings file to reduce one
include from each file, have all settings in one place
and remove unnecessary code from the config file
(which makes it easier to copy and change it).
Dan Untenzu [Mon, 16 Jan 2017 14:31:13 +0000 (15:31 +0100)]
[FEATURE] Readme: Add link to contribution file
It's a common way to include a CONTRIBUTING.md file
(https://github.com/blog/1184-contributing-guidelines)
to explain developers things like code format, structures and
patch guidelines.
Rename the newcomers file to CONTRIBUTING.md and add
a link to it in the README.
Dan Untenzu [Mon, 16 Jan 2017 13:26:29 +0000 (14:26 +0100)]
[BUGFIX] Bash script: return download link to web view
The bash script uses the upload URL to build the download link.
So the user may share different links when using the bash script
or the webform. Besides that, the API page shows the same
result for "download links" and "direct links", so the current
list makes no sense to the uploader.
The script should however link to the web view and
offer API commands additionally.
Dan Untenzu [Mon, 16 Jan 2017 10:14:39 +0000 (11:14 +0100)]
[FEATURE] Bash script: Enhance help and add version
Enhance the help and show all available options in
a common structure.
Move description of available options to one place.
Also add the Jirafeau version which
generated the bash script. This way a user may
find out about changes (because his script was
generated with Jirafeau 1.1.2, but the current version
on the server may be 3.2.5 already).
Dan Untenzu [Fri, 13 Jan 2017 14:39:12 +0000 (15:39 +0100)]
[FEATURE] Set default expiration time in config
Enable the admin to set a default expiration time
in the configuration file. This way the upload form
may offer "hour", "day", "month" as available expiration
times and "day" is preselected.
Dan Untenzu [Thu, 12 Jan 2017 17:24:02 +0000 (18:24 +0100)]
[FEATURE] Streamline default expiration date
The bash script sets the expiration date to "none"
by default. The web form has "month" as default however.
Streamline the default expiration date and set the bash
to month as well.
This also avoids an error if the bash script is run
for the first time ever with default settings, since
the expiration time "none" is not allowed then.
Dan Untenzu [Thu, 12 Jan 2017 15:28:47 +0000 (16:28 +0100)]
[BUGFIX] Deliver JavaScript with correct MIME type
The JavaScript lib is generated by a PHP file. This
file will be blocked in browsers, if the server has the
security option "X-Content-Type-Options: nosniff" set.
Set the correct MIME type (text/javascript) in the header
to avoid this behaviour.
Jérôme [Wed, 18 May 2016 12:09:14 +0000 (12:09 +0000)]
Merge branch 'master' into 'master'
Adding the possibility to call admin.php from CLI to automatize (e.g. in cron) the cleaning of old/expired files and unfinished transfers
Hello,
I think this feature might be of interest for other administrators of Jirafeau. I have not found any way in the app to do it so I developed this small patch. What do you think?
Best
Pierre-Alain
An attacker can bypass the authentication form by passing an array instead of a string (https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Input_handling). The identity operator should fix the vulnerability.
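The defect class named in the commit above (a form field arriving as an array rather than a string and surviving a loose comparison), handled defensively, as an added example that is not Jirafeau's own code. The function name, the parameter names and the sample inputs are assumptions constructed for illustration; the two ingredients are a type check before any comparison and a strict, constant-time comparison afterwards.

```php
<?php
// Added example, not code from the Jirafeau project.
// check_admin_password() is a hypothetical name chosen for this demo.

/**
 * Return true only when $submitted is a plain string that is byte-for-byte
 * identical to $expected. Anything else (array, null, int, empty secret)
 * is rejected before a comparison operator or hash function ever sees it.
 */
function check_admin_password($submitted, $expected): bool
{
    // 1. Reject any value that is not a string. PHP builds nested arrays
    //    from form names like "admin_password[]", so $_POST values are
    //    not guaranteed to be strings.
    if (!is_string($submitted) || !is_string($expected)) {
        return false;
    }

    // 2. An empty configured secret means "no admin access", never a match.
    if ($expected === '') {
        return false;
    }

    // 3. hash_equals() is a strict string comparison (like ===) that also
    //    runs in constant time, so it avoids both type juggling and
    //    timing side channels.
    return hash_equals($expected, $submitted);
}

// Constructed sample inputs modelling what a form handler might receive.
$configured_secret = 'correct horse battery staple';   // constructed value

$samples = [
    'matching string'  => 'correct horse battery staple',
    'wrong string'     => 'guess',
    'array instead of string' => ['correct horse battery staple'],
    'null (field missing)'    => null,
];

foreach ($samples as $label => $input) {
    $ok = check_admin_password($input, $configured_secret);
    printf("%-26s -> %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first sample is accepted; the array and null cases are rejected by the `is_string()` guard rather than by the comparison itself, which is the point: the type check has to come first, because a loose operator or a hashing function given a non-string may return a value that compares equal to something unexpected.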