From 6d6c111b80ad13201b7acd7c2f5b8fd6d160e11b Mon Sep 17 00:00:00 2001 From: MrWouterNL Date: Mon, 21 Mar 2022 20:46:14 +0100 Subject: [PATCH 01/16] [BUGFIX] Disallow file preview for image/svg+xml files --- lib/functions.js.php | 15 ++++++++------- lib/functions.php | 2 +- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/lib/functions.js.php b/lib/functions.js.php index 7cf1da8..14fad1d 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -182,16 +182,17 @@ function show_link (reference, delete_code, crypt_key, date) } // Test if content can be previewed - type = document.getElementById('file_select').files[0].type; - if (type.startsWith('image/') || - type.startsWith('audio') || - type.startsWith('text/plain') || - type.startsWith('video/')) - { + type = document.getElementById('file_select').files[0].type; + if ((type.startsWith('image/') + || type.startsWith('audio') + || type.startsWith('text/plain') + || type.startsWith('video/')) + && !type.includes('image/svg+xml')) + { document.getElementById('preview_link').href = preview_link_href; document.getElementById('preview_link_text').innerHTML = web_root + preview_link_href; document.getElementById('upload_finished_preview').style.display = ''; - } + } } // Direct download link diff --git a/lib/functions.php b/lib/functions.php index c831b73..6e5c886 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -511,7 +511,7 @@ function jirafeau_is_viewable($mime) if (!empty($mime)) { $viewable = array('image', 'video', 'audio'); $decomposed = explode('/', $mime); - if (in_array($decomposed[0], $viewable)) { + if (in_array($decomposed[0], $viewable) && strpos($mime, 'image/svg+xml') === false) { return true; } $viewable = array('text/plain'); -- 2.34.1 From c7f776c8b948b033c200c8fd84ab5e8a8422d601 Mon Sep 17 00:00:00 2001 
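Review bot: The added `&& !type.includes('image/svg+xml')` test in show_link only decides whether the preview link is displayed, and `type` is the browser-reported `File.type`, so this condition cannot be what keeps an SVG from being rendered inline. A one-line comment above the condition would make that explicit, for example `// UI hint only: the server-side jirafeau_is_viewable() check is authoritative`. While the condition is being rewritten, `type.startsWith('audio')` could also gain the trailing slash the other three prefixes have (`'audio/'`). show_link starts and ends outside the hunk.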
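Review bot: The added `strpos($mime, 'image/svg+xml') === false` test in jirafeau_is_viewable is case-sensitive, while MIME type names are case-insensitive, so the same type written in a different case would still be reported as viewable. Normalising first closes that gap: `$mime = strtolower(trim($mime));` before the `explode`, or `stripos` in place of `strpos`. Elsewhere in this series jirafeau_upload is shown taking the type from `$file['type']`, which the uploading client supplies; if that is the value reaching this function (not visible here), the check is a deny rule on untrusted input. It would then be worth backing it with a restrictive `Content-Security-Policy` header on the preview response. The function body continues outside the hunk.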
From: Edwin Bos Date: Wed, 23 Jun 2021 15:42:47 +0200 Subject: [PATCH 02/16] Implement expiry after a fortnight (2 weeks). --- index.php | 4 ++++ lib/config.original.php | 4 +++- lib/functions.js.php | 5 +++++ lib/locales/ar.json | 1 + lib/locales/be.json | 1 + lib/locales/bn_IN.json | 1 + lib/locales/bo.json | 1 + lib/locales/ca.json | 1 + lib/locales/cs.json | 1 + lib/locales/da.json | 1 + lib/locales/de.json | 1 + lib/locales/el.json | 1 + lib/locales/en.json | 1 + lib/locales/es.json | 1 + lib/locales/et.json | 1 + lib/locales/fi.json | 1 + lib/locales/fr.json | 1 + lib/locales/he.json | 1 + lib/locales/hi.json | 1 + lib/locales/hr.json | 1 + lib/locales/hu.json | 1 + lib/locales/id.json | 1 + lib/locales/it.json | 1 + lib/locales/ja.json | 1 + lib/locales/ko.json | 1 + lib/locales/ku.json | 1 + lib/locales/la.json | 1 + lib/locales/mfe.json | 1 + lib/locales/ms.json | 1 + lib/locales/nb_NO.json | 1 + lib/locales/nl.json | 1 + lib/locales/pl.json | 1 + lib/locales/ps.json | 1 + lib/locales/pt.json | 1 + lib/locales/pt_BR.json | 1 + lib/locales/ro.json | 1 + lib/locales/ru.json | 1 + lib/locales/sh.json | 1 + lib/locales/sk.json | 1 + lib/locales/sl.json | 1 + lib/locales/sq.json | 1 + lib/locales/sr.json | 1 + lib/locales/sv.json | 1 + lib/locales/ta.json | 1 + lib/locales/template.json | 1 + lib/locales/th.json | 1 + lib/locales/tr.json | 3 ++- lib/locales/uk.json | 1 + lib/locales/vi.json | 1 + lib/locales/zh.json | 1 + lib/locales/zh_TW.json | 1 + lib/settings.php | 1 + script.php | 8 +++++++- 53 files changed, 69 insertions(+), 3 deletions(-) diff --git a/index.php b/index.php index fb5f1e5..9edb3af 100644 --- a/index.php +++ b/index.php @@ -208,6 +208,10 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) { 'value' => 'week', 'label' => '1_W' ), + array( + 'value' => 'fortnight', + 'label' => '2_W' + ), array( 'value' => 'month', 'label' => '1_M' 
diff --git a/lib/config.original.php b/lib/config.original.php index d8722ac..59bad4e 100644 --- a/lib/config.original.php +++ b/lib/config.original.php @@ -112,8 +112,9 @@ $cfg['admin_http_auth_user'] = ''; * 'hour': file available for one hour * 'day': file available for one day * 'week': file available for one week + * 'fortnight': file is available for two weeks * 'month': file is available for one month - * 'quarter': file is available for three month + * 'quarter': file is available for three months * 'year': file available for one year * 'none': unlimited availability */ @@ -122,6 +123,7 @@ $cfg['availabilities'] = array( 'hour' => true, 'day' => true, 'week' => true, + 'fortnight' => true, 'month' => true, 'quarter' => false, 'year' => false, diff --git a/lib/functions.js.php b/lib/functions.js.php index 14fad1d..2127dbb 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -321,6 +321,11 @@ function add_time_string_to_date(d, time) d.setSeconds (d.getSeconds() + 604800); return true; } + if (time == 'fortnight') + { + d.setSeconds (d.getSeconds() + 1209600); + return true; + } if (time == 'month') { d.setSeconds (d.getSeconds() + 2592000); diff --git a/lib/locales/ar.json b/lib/locales/ar.json index 1c0cbac..2e68b08 100644 --- a/lib/locales/ar.json +++ b/lib/locales/ar.json @@ -1,4 +1,5 @@ { + "2_W": "", "REPORTING_AN_ISSUE": "", "SIZE_DATA": "حجم البيانات", "INCOMPATIBLE_OPTIONS_W": "", diff --git a/lib/locales/be.json b/lib/locales/be.json index 201128d..2893d8a 100644 --- a/lib/locales/be.json +++ b/lib/locales/be.json @@ -1,4 +1,5 @@ { + "2_W": "", "REPORTING_AN_ISSUE": "", "SIZE_DATA": "", "INCOMPATIBLE_OPTIONS_W": "", diff --git a/lib/locales/bn_IN.json b/lib/locales/bn_IN.json index ac7b8e8..4c4d1dd 100644 --- a/lib/locales/bn_IN.json +++ b/lib/locales/bn_IN.json @@ -1,4 +1,5 @@ { + "2_W": "", "REPORTING_AN_ISSUE": "", "SIZE_DATA": "", "INCOMPATIBLE_OPTIONS_W": "", 
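Review bot: The new `fortnight` branch in add_time_string_to_date repeats the duration as the bare literal `1209600`, which has to stay equal to `JIRAFEAU_FORTNIGHT` in lib/settings.php. A short comment such as `// 14 days in seconds, keep in sync with JIRAFEAU_FORTNIGHT` would document both the unit and the coupling. `time === 'fortnight'` would also avoid the coercing comparison. The sibling branches visible in the hunk are written the same way, and the function continues outside the hunk.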
diff --git a/lib/locales/bo.json b/lib/locales/bo.json
index aaf4850..772777a 100644
--- a/lib/locales/bo.json
+++ b/lib/locales/bo.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/ca.json b/lib/locales/ca.json
index 8caea3b..1f70ecb 100644
--- a/lib/locales/ca.json
+++ b/lib/locales/ca.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Una quincena",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/cs.json b/lib/locales/cs.json
index 3babc97..737980b 100644
--- a/lib/locales/cs.json
+++ b/lib/locales/cs.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/da.json b/lib/locales/da.json
index b7f1cdf..c420396 100644
--- a/lib/locales/da.json
+++ b/lib/locales/da.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/de.json b/lib/locales/de.json
index 66970f3..1db7f7b 100644
--- a/lib/locales/de.json
+++ b/lib/locales/de.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Zwei Wochen",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Datengröße",
 "INCOMPATIBLE_OPTIONS_W": "Die folgenden Konfigurationsoptionen sind nicht kompatibel:",
diff --git a/lib/locales/el.json b/lib/locales/el.json
index 49c4168..84937c3 100644
--- a/lib/locales/el.json
+++ b/lib/locales/el.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/en.json b/lib/locales/en.json
index fdf4a65..817c1f4 100644
--- a/lib/locales/en.json
+++ b/lib/locales/en.json
@@ -19,6 +19,7 @@
 "1_H": "One hour",
 "1_D": "One day",
 "1_W": "One week",
+ "2_W": "One fortnight",
 "1_M": "One month",
 "1_Q": "One quarter",
 "1_Y": "One year",
diff --git a/lib/locales/es.json b/lib/locales/es.json
index a8255df..b7cff2f 100644
--- a/lib/locales/es.json
+++ b/lib/locales/es.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Una quincena",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/et.json b/lib/locales/et.json
index 4196693..b62d93f 100644
--- a/lib/locales/et.json
+++ b/lib/locales/et.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/fi.json b/lib/locales/fi.json
index 0c427d7..960c417 100644
--- a/lib/locales/fi.json
+++ b/lib/locales/fi.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/fr.json b/lib/locales/fr.json
index 2450de5..73aab89 100644
--- a/lib/locales/fr.json
+++ b/lib/locales/fr.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Deux semaines",
 "REPORTING_AN_ISSUE": "Rapporter un bogue",
 "SIZE_DATA": "Volume de données",
 "INCOMPATIBLE_OPTIONS_W": "Les options de configuration suivantes sont incompatibles :",
diff --git a/lib/locales/he.json b/lib/locales/he.json
index edc6376..8f711a9 100644
--- a/lib/locales/he.json
+++ b/lib/locales/he.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "גודל הנתונים",
 "INCOMPATIBLE_OPTIONS_W": "אפשרויות ההגדרה הבאות אינן תואמות:",
diff --git a/lib/locales/hi.json b/lib/locales/hi.json
index 5c8e5ff..0831b20 100644
--- a/lib/locales/hi.json
+++ b/lib/locales/hi.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/hr.json b/lib/locales/hr.json
index 9b07fc4..bf4a83b 100644
--- a/lib/locales/hr.json
+++ b/lib/locales/hr.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Veličina podataka",
 "INCOMPATIBLE_OPTIONS_W": "Sljedeće opcije konfiguracije su nekompatibilne:",
diff --git a/lib/locales/hu.json b/lib/locales/hu.json
index 6e649fd..d45f078 100644
--- a/lib/locales/hu.json
+++ b/lib/locales/hu.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/id.json b/lib/locales/id.json
index aaf4850..772777a 100644
--- a/lib/locales/id.json
+++ b/lib/locales/id.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/it.json b/lib/locales/it.json
index 01e5723..81e662b 100644
--- a/lib/locales/it.json
+++ b/lib/locales/it.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Due settimane",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Dimensione dei dati",
 "INCOMPATIBLE_OPTIONS_W": "Le seguenti opzioni di configurazione sono incompatibili:",
diff --git a/lib/locales/ja.json b/lib/locales/ja.json
index c44738a..3f0cd79 100644
--- a/lib/locales/ja.json
+++ b/lib/locales/ja.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/ko.json b/lib/locales/ko.json
index 5c8e5ff..0831b20 100644
--- a/lib/locales/ko.json
+++ b/lib/locales/ko.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/ku.json b/lib/locales/ku.json
index 4196693..b62d93f 100644
--- a/lib/locales/ku.json
+++ b/lib/locales/ku.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/la.json b/lib/locales/la.json
index ca1d56a..95e226b 100644
--- a/lib/locales/la.json
+++ b/lib/locales/la.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/mfe.json b/lib/locales/mfe.json
index 4196693..b62d93f 100644
--- a/lib/locales/mfe.json
+++ b/lib/locales/mfe.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/ms.json b/lib/locales/ms.json
index aaf4850..772777a 100644
--- a/lib/locales/ms.json
+++ b/lib/locales/ms.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/nb_NO.json b/lib/locales/nb_NO.json
index 41fb695..d05dd01 100644
--- a/lib/locales/nb_NO.json
+++ b/lib/locales/nb_NO.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "To uker",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Datastørrelse",
 "INCOMPATIBLE_OPTIONS_W": "Følgende oppsettsvalg er ikke kompatible:",
diff --git a/lib/locales/nl.json b/lib/locales/nl.json
index 8e5a4a0..21aaf26 100644
--- a/lib/locales/nl.json
+++ b/lib/locales/nl.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Twee weken",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/pl.json b/lib/locales/pl.json
index cc24eda..d5a2742 100644
--- a/lib/locales/pl.json
+++ b/lib/locales/pl.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Rozmiar danych",
 "INCOMPATIBLE_OPTIONS_W": "Następujące opcje konfiguracji są niezgodne:",
diff --git a/lib/locales/ps.json b/lib/locales/ps.json
index 4196693..b62d93f 100644
--- a/lib/locales/ps.json
+++ b/lib/locales/ps.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/pt.json b/lib/locales/pt.json
index 6ecd828..bcb7a49 100644
--- a/lib/locales/pt.json
+++ b/lib/locales/pt.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Uma quinzena",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Tamanho dos dados",
 "NO_BROWSER_SUPPORT": "O seu navegador pode não suportar HTML5, então o tamanho máximo do ficheiro é ",
diff --git a/lib/locales/pt_BR.json b/lib/locales/pt_BR.json
index 032a7dc..fabff5a 100644
--- a/lib/locales/pt_BR.json
+++ b/lib/locales/pt_BR.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Uma quinzena",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/ro.json b/lib/locales/ro.json
index 2c63ef7..3edb71c 100644
--- a/lib/locales/ro.json
+++ b/lib/locales/ro.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Mărime date",
 "INCOMPATIBLE_OPTIONS_W": "Următoarele opţiuni de configurare sunt incompatibile:",
diff --git a/lib/locales/ru.json b/lib/locales/ru.json
index ebc13f3..8087478 100644
--- a/lib/locales/ru.json
+++ b/lib/locales/ru.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/sh.json b/lib/locales/sh.json
index 4196693..b62d93f 100644
--- a/lib/locales/sh.json
+++ b/lib/locales/sh.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/sk.json b/lib/locales/sk.json
index e942ba6..c38d159 100644
--- a/lib/locales/sk.json
+++ b/lib/locales/sk.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/sl.json b/lib/locales/sl.json
index 4196693..b62d93f 100644
--- a/lib/locales/sl.json
+++ b/lib/locales/sl.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/sq.json b/lib/locales/sq.json
index 4196693..b62d93f 100644
--- a/lib/locales/sq.json
+++ b/lib/locales/sq.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/sr.json b/lib/locales/sr.json
index 09781a9..b22674a 100644
--- a/lib/locales/sr.json
+++ b/lib/locales/sr.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/sv.json b/lib/locales/sv.json
index 7dbea8c..6d842da 100644
--- a/lib/locales/sv.json
+++ b/lib/locales/sv.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "Två veckor",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Data storlek",
 "INCOMPATIBLE_OPTIONS_W": "Följande inställningar är inkompatibla:",
diff --git a/lib/locales/ta.json b/lib/locales/ta.json
index 2d8fdfb..74f3a49 100644
--- a/lib/locales/ta.json
+++ b/lib/locales/ta.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/template.json b/lib/locales/template.json
index 283ba93..4ceb498 100644
--- a/lib/locales/template.json
+++ b/lib/locales/template.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/th.json b/lib/locales/th.json
index 4196693..b62d93f 100644
--- a/lib/locales/th.json
+++ b/lib/locales/th.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/tr.json b/lib/locales/tr.json
index 77168b2..ef253a2 100644
--- a/lib/locales/tr.json
+++ b/lib/locales/tr.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "İki hafta",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Veri boyutu",
 "INCOMPATIBLE_OPTIONS_W": "Aşağıdaki yapılandırma seçenekleri uyumsuz:",
@@ -20,7 +21,7 @@
 "1_D": "Bir gün",
 "1_W": "Bir hafta",
 "1_M": "Bir ay",
- "1_Q": "15 dakika",
+ "1_Q": "Üç ay",
 "1_Y": "Bir yıl",
 "NONE": "Hiçbiri",
 "UP_PSW": "Yükleme şifresi",
diff --git a/lib/locales/uk.json b/lib/locales/uk.json
index 8dad8a1..c90655e 100644
--- a/lib/locales/uk.json
+++ b/lib/locales/uk.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "Розмір даних",
 "NO_BROWSER_SUPPORT": "Ваш веб-переглядач може не підтримує HTML5, тому найбільший розмір файлу - це ",
diff --git a/lib/locales/vi.json b/lib/locales/vi.json
index c44738a..3f0cd79 100644
--- a/lib/locales/vi.json
+++ b/lib/locales/vi.json
@@ -1,4 +1,5 @@
 {
+ "2_W": "",
 "REPORTING_AN_ISSUE": "",
 "SIZE_DATA": "",
 "INCOMPATIBLE_OPTIONS_W": "",
diff --git a/lib/locales/zh.json b/lib/locales/zh.json
index 5b7373a..abb9ee6 100644
--- a/lib/locales/zh.json
+++ b/lib/locales/zh.json
@@ -1,4 +1,5 @@ { + "2_W": "", "REPORTING_AN_ISSUE": "", "SIZE_DATA": "", "INCOMPATIBLE_OPTIONS_W": "", diff --git a/lib/locales/zh_TW.json b/lib/locales/zh_TW.json index a73ab7c..20b3ab4 100644 --- a/lib/locales/zh_TW.json +++ b/lib/locales/zh_TW.json @@ -1,4 +1,5 @@ { + "2_W": "", "REPORTING_AN_ISSUE": "", "SIZE_DATA": "", "INCOMPATIBLE_OPTIONS_W": "", diff --git a/lib/settings.php b/lib/settings.php index ecdcf5d..6efc8b7 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -70,6 +70,7 @@ define('JIRAFEAU_MINUTE', 60); // 60 define('JIRAFEAU_HOUR', 3600); // JIRAFEAU_MINUTE * 60 define('JIRAFEAU_DAY', 86400); // JIRAFEAU_HOUR * 24 define('JIRAFEAU_WEEK', 604800); // JIRAFEAU_DAY * 7 +define('JIRAFEAU_FORTNIGHT', 1209600); // JIRAFEAU_WEEK * 2 define('JIRAFEAU_MONTH', 2592000); // JIRAFEAU_DAY * 30 define('JIRAFEAU_QUARTER', 7776000); // JIRAFEAU_DAY * 90 define('JIRAFEAU_YEAR', 31536000); // JIRAFEAU_DAY * 365 diff --git a/script.php b/script.php index d31ce78..4926a1c 100644 --- a/script.php +++ b/script.php @@ -99,6 +99,9 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES) case 'week': $time += JIRAFEAU_WEEK; break; + case 'fortnight': + $time += JIRAFEAU_FORTNIGHT; + break; case 'month': $time += JIRAFEAU_MONTH; break; @@ -292,7 +295,7 @@ if [ -z "$2" ]; then echo "Global variables to export:" echo " JIRAFEAU_PROXY: Domain and port of proxy server, eg. »proxysever.example.com:3128«" echo " JIRAFEAU_URL : URI to Jirafeau installation with trailing slash, eg. »https://example.com/jirafeau/«" - echo " JIRAFEAU_TIME : expiration time, eg. »minute«, »hour«, »day«, »week«, »month«, »quarter«, »year« or »none«" + echo " JIRAFEAU_TIME : expiration time, eg. »minute«, »hour«, »day«, »week«, fortnight, »month«, »quarter«, »year« or »none«" echo " JIRAFEAU_ONE_TIME : self-destroy after first download, eg. »1« to enable or »« (empty) to disable" echo " JIRAFEAU_CURL : alternative path to curl binary" echo " JIRAFEAU_UPLOAD_PASSWD : upload password" 
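Review bot: Neither this hunk nor the matching `init_async` hunk (`@@ -453,6 +456,9 @@`) shows whether the submitted time value is checked against `$cfg['availabilities']` before the switch that gains `case 'fortnight':`. If it is not, an instance configured with `'fortnight' => false` would still accept that expiry through the script API, so the check is worth confirming before merge. The same three-line arm is added verbatim to both switches, which means each new expiry value has to be kept in step in two places. Both switch statements start and end outside their hunks.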
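Review bot: In the `JIRAFEAU_TIME` help line the new value is printed as bare `fortnight` while every other value is wrapped in guillemets. For consistency the list should read `»week«, »fortnight«, »month«`. The surrounding help text starts and ends outside the hunk.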
@@ -453,6 +456,9 @@ elseif (isset($_GET['init_async'])) { case 'week': $time += JIRAFEAU_WEEK; break; + case 'fortnight': + $time += JIRAFEAU_FORTNIGHT; + break; case 'month': $time += JIRAFEAU_MONTH; break; -- 2.34.1 From 507be5f97be283db761fdf28f0e403e582fa1186 Mon Sep 17 00:00:00 2001 From: sam lt Date: Fri, 4 Jun 2021 12:37:30 +0000 Subject: [PATCH 03/16] fix 2 minor typos --- script.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/script.php b/script.php index 4926a1c..d3d5868 100644 --- a/script.php +++ b/script.php @@ -381,9 +381,9 @@ if [ "$1" == "send" ]; then echo echo "Download via API:" if [[ $key_code ]]; then - echo " ${0} get ${url}${apipage}?h=$code&k=$key_code [PASSWORD}" + echo " ${0} get ${url}${apipage}?h=$code&k=$key_code [PASSWORD]" else - echo " ${0} get ${url}${apipage}?h=$code [PASSWORD}" + echo " ${0} get ${url}${apipage}?h=$code [PASSWORD]" fi echo "Delete via API:" echo " ${0} delete \"${url}${downloadpage}?h=$code&d=$del_code\"" -- 2.34.1 From 3e84a5debe0984bea841016ba587b109031a7816 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Oskar=20Fagerfj=C3=A4ll?= Date: Tue, 19 Jan 2021 14:54:35 +0900 Subject: [PATCH 04/16] fix spelling mistakes --- CHANGELOG.md | 12 ++++++------ CONTRIBUTING.md | 22 +++++++++++----------- admin.php | 6 +++--- docker/README.md | 12 ++++++------ lib/config.original.php | 12 ++++++------ lib/functions.php | 32 ++++++++++++++++---------------- lib/settings.php | 2 +- lib/template/footer.php | 2 +- script.php | 2 +- 9 files changed, 51 insertions(+), 51 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b292cd..1892fef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
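Review bot: The two corrected `get` examples still print their URL unquoted, and the first one contains `&k=$key_code`. Pasted into a shell as printed, the `&` ends the command at that point and the key parameter is never passed. The `delete` example two lines below already wraps its URL in escaped quotes, and the same form fits here: `echo " ${0} get \"${url}${apipage}?h=$code&k=$key_code\" [PASSWORD]"`, with the second `get` line quoted the same way. The enclosing `send` branch starts outside the hunk.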
@@ -26,7 +26,7 @@ - Litespeed workaround for large files - Admin interface can compute data folder size - REUSE compliance test -- multiple docker features: mcrypt support, daily cleanup, unprivilidged user +- multiple docker features: mcrypt support, daily cleanup, unprivileged user - Add upload password capability in script options - Various bugfixes around retries and error management - Automatically lower chunk size sent to server refusing large chunks @@ -81,7 +81,7 @@ find links -type f | while read link; do bn="$(basename "$link")"; mkdir "links/ - Security fixes, thanks [Bishopfox Team](https://www.bishopfox.com/) - Translation fixes - Docker fix -- Advertise javascript license for LibreJS compatibility +- Advertise JavaScript license for LibreJS compatibility - other minor fixes - Upgrade from 3.4.0: in-place upgrade @@ -157,14 +157,14 @@ To reuse a custom version of your ToS, move your ```/tos_text.php``` file to ``` - Link on API page to generate bash script - More informative error codes for API - Security Fix: Prevent authentication bypass for admin interface -- CLI script to remove expired files automatically with a cronjob +- CLI script to remove expired files automatically with a cron job - SHA-256 hash the admin password - New theme "elegantish" - Fix for JavaScript MIME-Type, prevents blocking the resource on some servers - Show download link for a file in admin interface - Default time for expiration (set to 'month' by default) - New expiration time: 'quarter' -- A lof of translation contributions +- A lot of translation contributions - Code cleanups - Upgrade from 1.1: in-place upgrade 
@@ -175,7 +175,7 @@ To reuse a custom version of your ToS, move your ```/tos_text.php``` file to ``` - Unlimited file size upload using HTML5 file API - Show speed and estimated time during upload - A lot of fixes -- A lot of new langages +- A lot of new languages - Small API to upload files - Limit access to Jirafeau using IP, mask, passwords - Manage (some) proxy headers @@ -197,7 +197,7 @@ The very first version of Jirafeau after the fork of Jyraphe. - Keep uploader's ip - Delete link for each upload - No more clear text password storage -- Simple langage support +- Simple language support - Add an admin interface - New Design - Add term of use diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e7ee9c3..e032590 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -14,12 +14,12 @@ It is meant to be a simple filehosting service, simple to use, simple to install This project won't evolve to a file manager and will focus to keep a very few dependencies. -So things like a markdown parser for the ToS or E-Mail tasks would be usefull for sure, but may be [rejected](https://gitlab.com/mojo42/Jirafeau/issues/37#note_1191566) since they would a lot of dependencies and makes the project more complex. +So things like a markdown parser for the ToS or E-Mail tasks would be useful for sure, but may be [rejected](https://gitlab.com/mojo42/Jirafeau/issues/37#note_1191566) since they would a lot of dependencies and makes the project more complex. ## Structure -Here is a little explaination of Jirafeau's arboresence in a simplified -view only to show the most importants files and their role. +Here is a little explanation of Jirafeau's structure in a simplified +view only to show the most important files and their role. ``` . 
@@ -32,29 +32,29 @@ view only to show the most importants files and their role. ├── tos.php : "Terms of Service" page ├── lib │   ├── config.original.php : default parameters -│   ├── config.local.php : the users parameters (auto generated, not versionized) +│   ├── config.local.php : the users parameters (auto generated, not versioned) │   ├── functions_*.js : JavaScript functions for index.php (AJAX etc) │   ├── functions.php : core functions and tools of Jirafeau │   ├── tos.original.txt : default text show on the ToS page -│   ├── tos.local.txt : a users alternative text show on the ToS page (not versionized) +│   ├── tos.local.txt : a users alternative text show on the ToS page (not versioned) │   ├── settings.php : core settings of Jirafeau, includes the configuration params automatically │   ├── locales : language folder, contains all language files │   └── template │   ├── footer.php : footer with links to source and ToS for all HTML views │   └── header.php : header with logo and title for all HTML views ├── media : folder containing all skins -└── var-xxxxxxx : the users folder containing all data (auto generated, not versionized) - ├── async : chunks of uploaded files (not succressfull yet) +└── var-xxxxxxx : the users folder containing all data (auto generated, not versioned) + ├── async : chunks of uploaded files (not successful yet) ├── files : all files that have been uploaded successfully │ ├── [hashed file name] : the original file │ └── [hashed file name]_count : count many links to this file exist - └── links : all links, including meta-informations, pointing to files + └── links : all links, including metadata, pointing to files └── [link] : the link file, includes which original file should be used and some meta data like creation date, expiration time ``` ## Translations -Translation may be add via [Jirafeau's Weblate](https://hosted.weblate.org/projects/jirafeau/master/). 
+Translation may be added via [Jirafeau's Weblate](https://hosted.weblate.org/projects/jirafeau/master/). ## Coding style @@ -71,11 +71,11 @@ Translation may be add via [Jirafeau's Weblate](https://hosted.weblate.org/proje Please create one branch for each feature and send one merge request for each branch. -Dont squash several changes or commits into one merge request as this is hard to review. +Don't squash several changes or commits into one merge request as this is hard to review. Please use ```next-release``` as base branch and send your merge request to this branch (not ```master```). -Quick walktrough: +Quick walkthrough: * Create ticket for new feature * Fork the original repository, clone the own repository, add the original repository as upstream diff --git a/admin.php b/admin.php index 180b4f7..d05ce35 100644 --- a/admin.php +++ b/admin.php @@ -55,18 +55,18 @@ if (php_sapi_name() == "cli") { exit; } - /* Unlog if asked. */ + /* Logout if requested. */ if (jirafeau_admin_session_logged() && isset($_POST['action']) && (strcmp($_POST['action'], 'logout') == 0)) { jirafeau_admin_session_end(); } if (!jirafeau_admin_session_logged()) { - /* Test HTTP authentification. */ + /* Test HTTP authentication. */ if (!empty($cfg['admin_http_auth_user']) && $cfg['admin_http_auth_user'] == $_SERVER['PHP_AUTH_USER']) { jirafeau_admin_session_start(); } - /* Test web password authentification. */ + /* Test web password authentication. */ elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password'])) { if ($cfg['admin_password'] === hash('sha256', $_POST['admin_password'])) { jirafeau_admin_session_start(); diff --git a/docker/README.md b/docker/README.md index be2b85a..b1ed8a7 100644 --- a/docker/README.md +++ b/docker/README.md 
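Review bot: The password branch under the reworded "Test web password authentication" comment compares digests with `===`, which is not a constant-time comparison. `hash_equals($cfg['admin_password'], hash('sha256', $_POST['admin_password']))` is a drop-in replacement. The HTTP-auth branch above it reads `$_SERVER['PHP_AUTH_USER']` without an `isset`, so a request without that header raises an undefined-index notice whenever `admin_http_auth_user` is configured. The stored value is an unsalted SHA-256 of the password; `password_hash`/`password_verify` would be stronger but changes the config format, so it belongs in a separate change. The enclosing block starts and ends outside the hunk.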
@@ -1,13 +1,13 @@ # Run Jirafeau through a pre-made Docker image -Jirafeau is a small PHP application so running it inside a docker is pretty straightforward. +Jirafeau is a small PHP application so running it inside a docker container is pretty straightforward. ``` docker pull mojo42/jirafeau:latest docker run -it --rm -p 8080:80 mojo42/jirafeau:latest ``` -Then connect on [locahost:8080](http://localhost:8080/). +Then connect on [localhost:8080](http://localhost:8080/). The admin console is located on `/admin.php`, check console output to get auto-generated admin password. # Build your own Jirafeau docker image @@ -20,16 +20,16 @@ docker build -t your/jirafeau:latest . # Security -You may be interested to run Jirafeau on port 80: +You may be interested in running Jirafeau on port 80: ``` docker run -d -p 80:80 --sysctl net.ipv4.ip_unprivileged_port_start=80 mojo42/jirafeau ``` -Note that Jirafeau image does not provide any SSL/TLS. You may be interrested in using [docker compose](https://docs.docker.com/compose/) combined with [Let's Encrypt](https://letsencrypt.org/). +Note that Jirafeau image does not provide any SSL/TLS. You may be interested in using [docker compose](https://docs.docker.com/compose/) combined with [Let's Encrypt](https://letsencrypt.org/). # Options -Jirafeau docker image accept some options through environment variables to ease its configuration. +Jirafeau's docker image accepts some options through environment variables to ease its configuration. More details about options in `lib/config.original.php`. Available options: 
@@ -63,7 +63,7 @@ docker run -it -p 8080:80 --rm -e ADMIN_PASSWORD='p4ssw0rd' -e WEB_ROOT='jirafea Files and links are stored in `/data` by default. Sub folders are automatically created with needed permissions at creation if needed. Note that configuration is not stored in /data. -Example of using a dedicated volume to store Jirafeau data separatly from containter: +Example of using a dedicated volume to store Jirafeau data separately from the container: ``` docker volume create jirafeau_data docker run -it --rm -p 8080:80 --mount source=jirafeau_data,target=/data mojo42/jirafeau:latest diff --git a/lib/config.original.php b/lib/config.original.php index 59bad4e..365b5aa 100644 --- a/lib/config.original.php +++ b/lib/config.original.php @@ -25,7 +25,7 @@ * rename it to »config.local.php« and adapt the parameters. **/ -/* URL of installation, with traling slash (eg. »https://exmaple.com/jirafeau/«) +/* URL of installation, with trailing slash (eg. »https://example.com/jirafeau/«) */ $cfg['web_root'] = ''; @@ -33,10 +33,10 @@ $cfg['web_root'] = ''; */ $cfg['var_root'] = ''; -/* Language - choice between 'auto' or any language located in the /lib/locales/ folder. +/* Language - choose between 'auto' or any language located in the /lib/locales/ folder. * The mode »auto« will cause the script to detect the user's browser information - * and offer a matching language, and use »en« if it is not available. - * Forcing to a specific lang lightly reduce lang computation. + * and offer a matching language, or use »en« if it is not available. + * Forcing a specific lang will slightly reduce computation time. */ $cfg['lang'] = 'auto'; 
@@ -70,7 +70,7 @@ $cfg['enable_crypt'] = false; $cfg['link_name_length'] = 8; /* Upload password(s). - * An empty array will disable the password authentification. + * An empty array will disable password authentication. * $cfg['upload_password'] = array(); // No password * $cfg['upload_password'] = array('psw1'); // One password * $cfg['upload_password'] = array('psw1', 'psw2'); // Two passwords @@ -93,7 +93,7 @@ $cfg['upload_ip'] = array(); $cfg['upload_ip_nopassword'] = array(); /* Password for the admin interface. - * An empty password will disable the password authentification. + * An empty password will disable password authentication. * The password is a sha256 hash of the original version. */ $cfg['admin_password'] = ''; diff --git a/lib/functions.php b/lib/functions.php index 6e5c886..27265bd 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -20,7 +20,7 @@ */ /** - * Transform a string in a path by seperating each letters by a '/'. + * Transform a string in a path by separating each letters by a '/'. * @return path finishing with a '/' */ function s2p($s) @@ -418,7 +418,7 @@ function jirafeau_upload($file, $one_time_download, $key, $time, $ip, $crypt, $l } } - /* file informations */ + /* file information */ $hash = jirafeau_hash_file($file_hash_method, $file['tmp_name']); $name = str_replace(NL, '', trim($file['name'])); $mime_type = $file['type']; @@ -593,8 +593,8 @@ function check_errors($cfg) } /** - * Read link informations - * @return array containing informations. + * Read link information + * @return array containing information. */ function jirafeau_get_link($hash) { @@ -659,7 +659,7 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) /* Push new found directory. */ $stack[] = $d . $node . '/'; } elseif (is_file($d . $node)) { - /* Read link informations. */ + /* Read link information. */ $l = jirafeau_get_link($node); if (!count($l)) { continue; 
@@ -675,7 +675,7 @@ function jirafeau_admin_list($name, $file_hash, $link_hash) if (!empty($link_hash) && $link_hash != $node) { continue; } - /* Print link informations. */ + /* Print link information. */ echo ''; echo '' . '' . t('JI_PROJECT') . '' . ' (AGPL-3.0)'; ?> - + | '; diff --git a/script.php b/script.php index d3d5868..de105ba 100644 --- a/script.php +++ b/script.php @@ -293,7 +293,7 @@ if [ -z "$2" ]; then echo " $0 delete URL" echo echo "Global variables to export:" - echo " JIRAFEAU_PROXY: Domain and port of proxy server, eg. »proxysever.example.com:3128«" + echo " JIRAFEAU_PROXY: Domain and port of proxy server, eg. »proxyserver.example.com:3128«" echo " JIRAFEAU_URL : URI to Jirafeau installation with trailing slash, eg. »https://example.com/jirafeau/«" echo " JIRAFEAU_TIME : expiration time, eg. »minute«, »hour«, »day«, »week«, fortnight, »month«, »quarter«, »year« or »none«" echo " JIRAFEAU_ONE_TIME : self-destroy after first download, eg. »1« to enable or »« (empty) to disable" -- 2.34.1 From 5058cbd048a108666d4078c692cb12ce96e521db Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sat, 30 Apr 2022 20:53:54 +0200 Subject: [PATCH 05/16] Jirafeau version 4.4.0 closes #292 Signed-off-by: Jerome Jutteau --- CHANGELOG.md | 15 ++++++++++++++- lib/settings.php | 2 +- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1892fef..4b0d917 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,7 +8,20 @@ * If you have installed Jirafeau just by uploading files on your server, you can download the desired version, overwrite/remove all files and chown/chmod files if needed. Keep a backup of your local configuration file tough. 4. With you browser, go to your Jirafeau root page 5. Follow the installation wizard, it should propose you the same data folder or even update automatically -6. Check your ```/lib/config.local.php``` and compare it with the ```/lib/config.original.php``` to see if new configuration items are available +6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available + + +# version 4.4.0 + +- Add docker options +- Admin pannel can output informations for bug opening +- Fixes for PHP 8 +- Fix autocomplete field for passwords +- Fix file previewing +- Disallow file preview for image/svg+xml files +- Expiry after a fortnight (2 weeks) +- Typo and spelling mistakes +- Upgrade from 4.3.0: in-place upgrade # version 4.3.0 diff --git a/lib/settings.php b/lib/settings.php index bf562dd..2efc66a 100644 --- a/lib/settings.php +++ b/lib/settings.php @@ -41,7 +41,7 @@ if ($cfg['debug'] === true) { /* Jirafeau package */ define('JIRAFEAU_PACKAGE', 'Jirafeau'); -define('JIRAFEAU_VERSION', '4.3.0'); +define('JIRAFEAU_VERSION', '4.4.0'); /* Directories. */ define('VAR_FILES', $cfg['var_root'] . 'files/'); -- 2.34.1 From d00ef4f1b8e503e29e10967f921c247a08670f61 Mon Sep 17 00:00:00 2001 
From: Hunter Fuller Date: Wed, 16 Mar 2022 23:17:42 -0500 Subject: [PATCH 06/16] Add support for the X-Sendfile header/module to offload downloads. With the appropriate config option enabled, Jirafeau will send the X-Sendfile header instead of sending the file itself. As a result, Apache/lighttpd will send the file without the intervention of Jirafeau, and download resumes/seeking will also be enabled for this download. If the user requested an encrypted file then this will not work, but it should work in all other cases. --- f.php | 13 +++++++++---- lib/config.original.php | 10 ++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/f.php b/f.php index e2547d7..f7f3786 100644 --- a/f.php +++ b/f.php @@ -272,11 +272,16 @@ elseif ($link['crypted']) { } /* Read file. */ else { - $r = fopen(VAR_FILES . $p . $link['hash'], 'r'); - while (!feof($r)) { - print fread($r, 1024); + if ($cfg['use_xsendfile']) { + $file_web_path = preg_replace('#^' . $_SERVER['DOCUMENT_ROOT'] . '#', '', VAR_FILES); + header('X-Sendfile: ' . $file_web_path . $p . $link['hash']); + } else { + $r = fopen(VAR_FILES . $p . $link['hash'], 'r'); + while (!feof($r)) { + print fread($r, 1024); + } + fclose($r); } - fclose($r); } if ($link['onetime'] == 'O') { diff --git a/lib/config.original.php b/lib/config.original.php index 365b5aa..ecca24f 100644 --- a/lib/config.original.php +++ b/lib/config.original.php 
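Review bot: In the f.php hunk, `$_SERVER['DOCUMENT_ROOT']` is concatenated into the regular expression without quoting, so a document root containing `#`, `.`, `+` or other metacharacters either breaks the pattern or strips the wrong prefix from `VAR_FILES`. Quote it with the delimiter: `$file_web_path = preg_replace('#^' . preg_quote($_SERVER['DOCUMENT_ROOT'], '#') . '#', '', VAR_FILES);`. It would also help to add a comment stating which form of path (absolute or document-root relative) the configured web server expects in `X-Sendfile`. The `onetime` branch starts on the hunk's last line and its body is outside the hunk; if it removes the file right after the header is emitted, the web server may have nothing left to send, which is worth confirming.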
@@ -183,6 +183,16 @@ $cfg['file_hash'] = 'md5'; */ $cfg['litespeed_workaround'] = false; +/* Use the X-Sendfile header which should cause your webserver to handle + * the sending of the file. The webserver must be configured to do this + * using the mod_xsendfile module in Apache or the appropriate config in + * lighttpd. The offload will not happen in the case of server-side encrypted + * files, but all other cases should work. Benefits include being able + * to resume downloads and seek instantly in media players like VLC or + * the Firefox/Discord/Chrome embedded player. + */ +$cfg['use_xsendfile'] = false; + /* Store uploader's IP along with 'link' file. * Depending of your legislation, you may have to adjust this parameter. */ -- 2.34.1 From c2127a10a2623c1be83a66b17e1c5a5b38ed5c62 Mon Sep 17 00:00:00 2001 From: bendia Date: Tue, 21 Dec 2021 22:21:19 +0100 Subject: [PATCH 07/16] [BUGFIX] use i18n string_id to avoid "FIXME" errors in install.php This fix has been backported from #101 merge request in next-release Thanks @bendia Signed-off-by: Jerome Jutteau --- install.php | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/install.php b/install.php index 705f3d6..6dbefb5 100644 --- a/install.php +++ b/install.php 
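Review bot: The new comment for `use_xsendfile` explains the benefit but not the server-side restriction an administrator should set alongside it. With mod_xsendfile the allowed directory is controlled by `XSendFilePath`, and limiting it to the `files/` folder under `var_root` keeps the header from ever being honoured for other paths. I would add a line such as `* Restrict the web server's X-Sendfile path to the files/ folder of var_root only.` and, if the one-time download case is not supported (not verifiable from this hunk), list it next to the encrypted-file exception.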
@@ -47,23 +47,13 @@ require(JIRAFEAU_ROOT . 'lib/template/header.php'); if (!file_exists(JIRAFEAU_CFG)) { // show an error if it is not possible to create the file if (!@touch(JIRAFEAU_CFG)) { - jirafeau_fatal_error( - t('The local configuration file could not be created. Create a ' . - 'lib/config.local.php file and give the write ' . - 'permission to the web server (preferred solution), or give the ' . - 'write permission to the web server on the lib ' . - 'directory.') - ); + jirafeau_fatal_error(t('CONF_SOLUTION')); } } // is the local configuration writable? if (!is_writable(JIRAFEAU_CFG) && !@chmod(JIRAFEAU_CFG, '0666')) { - jirafeau_fatal_error( - t('The local configuration is not writable by the web server. ' . - 'Give the write permission to the web server on the ' . - 'lib/config.local.php file.') - ); + jirafeau_fatal_error(t('CONF_SOLUTION_2')); } /** -- 2.34.1 From 803190432fb705b53c37c403dba36d2c5a01f8c3 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sat, 30 Apr 2022 21:15:36 +0200 Subject: [PATCH 08/16] [FEATURE] IRC channel is now open on libera.chat closes #294 Signed-off-by: Jerome Jutteau --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 4a243a2..dff22cb 100644 --- a/README.md +++ b/README.md @@ -294,6 +294,8 @@ So: Feel free to create an issue if you found a bug. +Also, you can come have a chat on [libera.chat](https://web.libera.chat/) in `#jirafeau` channel. + ### Can I buy you a coffee? You can [drop few bucks](https://www.paypal.com/paypalme/jeromejutteau) to help the [demo web site](https://jirafeau.net) to stay alive. -- 2.34.1 From 8d598fa5dd872010dbe2ea0179cd98a745db3dd0 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Tue, 17 May 2022 18:32:13 +0200 Subject: [PATCH 09/16] [TASK] Add example of admin password generation ref #297 Signed-off-by: Jerome Jutteau --- lib/config.original.php | 1 + 1 file changed, 1 insertion(+) 
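Review bot: The context line `@chmod(JIRAFEAU_CFG, '0666')` in the install.php hunk passes the mode as a string, which PHP converts to decimal 666 (octal 1232) rather than `rw-rw-rw-`, so the fallback does not set the permissions it appears to. An octal literal is needed, and since this file holds the admin password hash a narrower mode is preferable: `if (!is_writable(JIRAFEAU_CFG) && !@chmod(JIRAFEAU_CFG, 0660)) {`. The switch to `t('CONF_SOLUTION')` and `t('CONF_SOLUTION_2')` itself looks fine, provided both ids exist in the locale files, which are not part of this hunk.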
diff --git a/lib/config.original.php b/lib/config.original.php index ecca24f..51364d0 100644 --- a/lib/config.original.php +++ b/lib/config.original.php @@ -95,6 +95,7 @@ $cfg['upload_ip_nopassword'] = array(); /* Password for the admin interface. * An empty password will disable password authentication. * The password is a sha256 hash of the original version. + * Example: echo -n "myVerySecretAdminPassword" | sha256sum */ $cfg['admin_password'] = ''; -- 2.34.1 From 9493cba088d6a0554687ecba4091f72c19300f1d Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sat, 2 Jul 2022 16:35:50 +0200 Subject: [PATCH 10/16] Detail more errors A user which just have "Error" is hard to help. This should help understanding what is happening. ref #303 Signed-off-by: Jerome Jutteau --- lib/functions.php | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/lib/functions.php b/lib/functions.php index 27265bd..1444c1f 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -946,12 +946,10 @@ function jirafeau_async_delete($ref) * @param $key eventual password (or blank) * @param $time time limit * @param $ip ip address of the client - * @return a string containing a temporary reference followed by a code or the string 'Error' + * @return a string containing a temporary reference followed by a code or a string starting with 'Error' */ function jirafeau_async_init($filename, $type, $one_time, $key, $time, $ip) { - $res = 'Error'; - /* Create temporary folder. */ $ref; $p; @@ -962,8 +960,7 @@ function jirafeau_async_init($filename, $type, $one_time, $key, $time, $ip) } while (file_exists($p)); @mkdir($p, 0755, true); if (!file_exists($p)) { - echo 'Error'; - return; + return 'Error: cannot create async folder.'; } /* touch empty data file */ 
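Review bot: The example added to the `admin_password` comment puts the clear-text password on the command line, where it is kept in the shell history of whoever copies it. A variant that reads the password without echoing it is safer to document, for instance (bash) `* Example: read -rs p && printf '%s' "$p" | sha256sum`. The comment could also state that only the hex digest, without the trailing ` -` printed by sha256sum, goes into the setting.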
@@ -997,7 +994,7 @@ function jirafeau_async_init($filename, $type, $one_time, $key, $time, $ip) * @param $file piece of data * @param $code client code for this operation * @param $max_file_size maximum allowed file size - * @return a string containing a next code to use or the string "Error" + * @return a string containing a next code to use or a string starting with 'Error' */ function jirafeau_async_push($ref, $data, $code, $max_file_size) { @@ -1005,11 +1002,17 @@ function jirafeau_async_push($ref, $data, $code, $max_file_size) $a = jirafeau_get_async_ref($ref); /* Check some errors. */ - if (count($a) == 0 - || $a['next_code'] != "$code" - || empty($data['tmp_name']) - || !is_uploaded_file($data['tmp_name'])) { - return 'Error'; + if (count($a) == 0) { + return "Error: cannot find transfer"; + } + if ($a['next_code'] != "$code") { + return "Error: bad transfer code"; + } + if (empty($data['tmp_name'])) { + return "Error: missing tmp_name"; + } + if (!is_uploaded_file($data['tmp_name'])) { + return "Error: tmp_name may not be uploaded"; } $p = s2p($ref); @@ -1022,7 +1025,7 @@ function jirafeau_async_push($ref, $data, $code, $max_file_size) if ($max_file_size > 0 && filesize($r_path) + filesize($w_path) > $max_file_size * 1024 * 1024) { jirafeau_async_delete($ref); - return 'Error'; + return "Error: file size is above upload limit"; } /* Concatenate data. */ @@ -1033,7 +1036,7 @@ function jirafeau_async_push($ref, $data, $code, $max_file_size) fclose($r); fclose($w); jirafeau_async_delete($ref); - return 'Error'; + return "Error: cannot write file"; } } fclose($r); 
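Review bot: The transfer-code check `$a['next_code'] != "$code"` in the jirafeau_async_push hunk keeps a loose comparison after being split out into its own branch. Under `!=` PHP compares two numeric-looking strings by value, and the comparison is not constant-time; `if (!hash_equals((string)$a['next_code'], (string)$code)) {` avoids both. The same comparison is kept in the jirafeau_async_end hunk further down (`count($a) == 0 || $a['next_code'] != "$code"`). A short comment saying that `next_code` is the per-chunk secret authorising the next request would make the intent clear; the function body continues outside the hunk.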
@@ -1059,7 +1062,7 @@ function jirafeau_async_push($ref, $data, $code, $max_file_size) * @param $code client code for this operation * @param $crypt boolean asking to crypt or not * @param $link_name_length link name length - * @return a string containing the download reference followed by a delete code or the string 'Error' + * @return a string containing the download reference followed by a delete code or a string starting with 'Error' */ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_method) { @@ -1067,13 +1070,13 @@ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_m $a = jirafeau_get_async_ref($ref); if (count($a) == 0 || $a['next_code'] != "$code") { - return "Error"; + return "Error: bad code for ending transfer"; } /* Generate link infos. */ $p = VAR_ASYNC . s2p($ref) . $ref . "_data"; if (!file_exists($p)) { - return 'Error'; + return "Error: referenced file does not exist"; } $crypted = false; @@ -1121,9 +1124,11 @@ function jirafeau_async_end($ref, $code, $crypt, $link_name_length, $file_hash_m fclose($handle); $hash_link = substr(base_16_to_64(md5_file($link_tmp_name)), 0, $link_name_length); $l = s2p("$hash_link"); - if (!@mkdir(VAR_LINKS . $l, 0755, true) || - !rename($link_tmp_name, VAR_LINKS . $l . $hash_link)) { - return 'Error'; + if (!@mkdir(VAR_LINKS . $l, 0755, true)) { + return "Error: cannot create folder in LINKS"; + } + if (!rename($link_tmp_name, VAR_LINKS . $l . $hash_link)) { + return "Error: cannot rename file in LINKS"; } /* Clean async upload. */ -- 2.34.1 From 689557880514b74d0e21a56b40fe16a78f3b1a65 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sat, 2 Jul 2022 17:00:52 +0200 Subject: [PATCH 11/16] Update CHANGELOG regarding new options ref #303 Signed-off-by: Jerome Jutteau --- CHANGELOG.md | 8 +++++++- CONTRIBUTING.md | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b0d917..c7cb37f 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -8,7 +8,7 @@ * If you have installed Jirafeau just by uploading files on your server, you can download the desired version, overwrite/remove all files and chown/chmod files if needed. Keep a backup of your local configuration file tough. 4. With you browser, go to your Jirafeau root page 5. Follow the installation wizard, it should propose you the same data folder or even update automatically -6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available +6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. # version 4.4.0 @@ -23,6 +23,9 @@ - Typo and spelling mistakes - Upgrade from 4.3.0: in-place upgrade +New configuration items: +- `fortnight` value in `availabilities` array (default to `true`) + # version 4.3.0 - Fix various docker errors @@ -32,6 +35,9 @@ - Add option 'store_uploader_ip' to avoid uploaders ip logging - Upgrade from 4.2.0: in-place upgrade +New configuration items: +- `store_uploader_ip` (default to `true`) + # version 4.2.0 - New file_hash option to eventually speed-up file identification process diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e032590..71c5b88 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -93,7 +93,7 @@ Quick walkthrough: * If the release is not done for security purposes: create a new issue and freeze next-release branch for at least week. * Compare the [»next-release« branch to »master«](https://gitlab.com/mojo42/Jirafeau/compare/master...next-release) * Add a list of noteworthy features and bugfixes to `CHANGELOG.md` -* Add eventual upgrade procedure to `CHANGELOG.md` +* Add eventual upgrade procedure to `CHANGELOG.md`. Make sure to list all new configuration items. * Build and test docker image * Change the version, using [semantic versioning](http://semver.org/), in ```settings.php``` * Merge »next-release« branch to »master« -- 2.34.1 From 6f6cfb13fc72f4baac6f6bd53e5c1c20f9715c9e Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 3 Jul 2022 10:42:33 +0200 Subject: [PATCH 12/16] Add more details about upload error ref #303 Signed-off-by: Jerome Jutteau --- lib/functions.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/functions.php b/lib/functions.php index 1444c1f..46c004a 100644 --- a/lib/functions.php +++ b/lib/functions.php @@ -1008,6 +1008,11 @@ function jirafeau_async_push($ref, $data, $code, $max_file_size) if ($a['next_code'] != "$code") { return "Error: bad transfer code"; } + if ($data['error'] != UPLOAD_ERR_OK) { + // Check error code in https://www.php.net/manual/en/features.file-upload.errors.php + $data_details = print_r($data, true); + return "Error: upload error: {$data_details}"; + } if (empty($data['tmp_name'])) { return "Error: missing tmp_name"; } -- 2.34.1 From 6eca3aa915782488ab0d688d7397c42e3fdf30b4 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 3 Jul 2022 13:38:23 +0200 Subject: [PATCH 13/16] [BUGFIX] Limit upload chunk size to a reasonable value Not really a bug but avoid users to fall in php configuration traps. ref #303 
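Review bot: In the jirafeau_async_push hunk the new branch returns `print_r($data, true)` to the client, which echoes the whole upload entry, including client-supplied fields such as the file name and, when present, the server's temporary path. The numeric code is enough for support and keeps the response predictable: `return "Error: upload error: " . intval($data['error']);`, with the full array written to the server log if needed. Using `!==` against `UPLOAD_ERR_OK` after an `isset($data['error'])` check would also avoid a notice when the key is missing. The rest of the function is outside the hunk.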
Signed-off-by: Jerome Jutteau --- CHANGELOG.md | 6 ++++++ index.php | 2 +- lib/config.original.php | 11 +++++++++++ lib/functions.js.php | 4 ++-- lib/functions.php | 18 +++++++++++++++++- 5 files changed, 37 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7cb37f..d2598a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,12 @@ 5. Follow the installation wizard, it should propose you the same data folder or even update automatically 6. Check your `/lib/config.local.php` and compare it with the `/lib/config.original.php` to see if new configuration items are available. If a new item is missing in your `config.local.php`, this may trigger some errors as Jirafeau may expect to have them. +# version 4.5 + +- Fix side effects of setting too high values in php configuration. + +New configuration items: +- `max_upload_chunk_size_bytes` option # version 4.4.0 diff --git a/index.php b/index.php index 9edb3af..9f1b0c7 100644 --- a/index.php +++ b/index.php @@ -269,7 +269,7 @@ elseif (true === jirafeau_challenge_upload_ip($cfg, get_ip_address($cfg))) { onclick=" document.getElementById('upload').style.display = 'none'; document.getElementById('uploading').style.display = ''; - upload (); + upload (); "/>

diff --git a/lib/config.original.php b/lib/config.original.php index 51364d0..ffff3ce 100644 --- a/lib/config.original.php +++ b/lib/config.original.php @@ -210,3 +210,14 @@ $cfg['installation_done'] = false; * var- folder should kept secret and accessing it may lead to data leak if unprotected. */ $cfg['debug'] = false; + +/** Set Jirafeau's maximal upload chunk + * When Jirafeau upload a large file, Jirafeau sends several data chunks to fit server's capabilities. + * Jirafeau tries to upload each data chunk with the maximal size allowed by PHP (post_max_size and upload_max_filesize). + * However, too large PHP configuration values are not needed and could induce unwanted side effects (see #303). + * This parameter set Jirafeau's own maximal chunk size with a reasonable value. + * Option is only used for async uploads and won't be used for browsers without html5 support. + * You should not touch this parameter unless you have good reason to do so. Feel free to open an issue to ask questions. + * Set to 0 to remove limitation. + */ +$cfg['max_upload_chunk_size_bytes'] = 100000000; // 100MB diff --git a/lib/functions.js.php b/lib/functions.js.php index 2127dbb..c1a81d8 100644 --- a/lib/functions.js.php +++ b/lib/functions.js.php @@ -596,14 +596,14 @@ function async_upload_end (code) req.send (form); } -function upload (max_size) +function upload (max_chunk_size) { var one_time_checkbox = document.getElementById('one_time_download'); var one_time = one_time_checkbox !== null ? one_time_checkbox.checked : false; if (check_html5_file_api ()) { async_upload_start ( - max_size, + max_chunk_size, document.getElementById('file_select').files[0], document.getElementById('select_time').value, document.getElementById('input_key').value, diff --git a/lib/functions.php b/lib/functions.php index 46c004a..4dcf5de 100644 --- a/lib/functions.php +++ b/lib/functions.php 
@@ -229,6 +229,21 @@ function jirafeau_get_max_upload_size() return jirafeau_human_size(jirafeau_get_max_upload_size_bytes()); } +/** + * get the maximal upload size for a data chunk in async uploads + * @param max_upload_chunk_size_bytes + */ +function jirafeau_get_max_upload_chunk_size_bytes($max_upload_chunk_size_bytes = 0) +{ + if ($max_upload_chunk_size_bytes > 0) { + return min( + jirafeau_get_max_upload_size_bytes(), + $max_upload_chunk_size_bytes + ); + } + return jirafeau_get_max_upload_size_bytes(); +} + /** * gets a string explaining the error * @param $code the error code @@ -835,7 +850,8 @@ function jirafeau_admin_bug_report($cfg) 'enable_crypt', 'preview', 'maximal_upload_size', - 'store_uploader_ip' + 'store_uploader_ip', + 'max_upload_chunk_size_bytes' ]; foreach ($jirafeau_options as &$o) { $v = $cfg[$o]; -- 2.34.1 From 7846b6b73a7b4cc2f66249ed5ab995121e493b65 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 3 Jul 2022 14:16:22 +0200 Subject: [PATCH 14/16] [BUGFIX] fix and simplify delete confirmation form Signed-off-by: Jerome Jutteau --- f.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/f.php b/f.php index f7f3786..5555523 100644 --- a/f.php +++ b/f.php @@ -89,8 +89,8 @@ if (!empty($delete_code) && $delete_code == $link['link_code']) { '

'; } else { ?>
-
Date: Sun, 3 Jul 2022 16:14:43 +0200 Subject: [PATCH 15/16] [TASK] update docker image with PHP 8.1 Signed-off-by: Jerome Jutteau --- Dockerfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4256ea8..58c813d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ -FROM php:7.3-fpm-alpine -MAINTAINER "Jérôme Jutteau " +FROM php:8.1-fpm-alpine +LABEL org.opencontainers.image.authors="jerome@jutteau.fr" # lighttpd user ARG USER_ID=100 @@ -29,8 +29,7 @@ RUN chmod o=,ug=rx /cleanup.sh /run.sh COPY docker/docker_config.php /docker_config.php # install lighttpd -RUN apk add lighttpd php7-mcrypt && \ - echo "extension=/usr/lib/php7/modules/mcrypt.so" > /usr/local/etc/php/conf.d/mcrypt.ini && \ +RUN apk add lighttpd && \ chown -R $USER_ID /var/log/lighttpd && \ mkdir -p /usr/local/etc/php COPY docker/php.ini /usr/local/etc/php/php.ini -- 2.34.1 From e7ca00035309ca757f2be9dddf37b0f66d66c2b6 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Sun, 3 Jul 2022 16:27:15 +0200 Subject: [PATCH 16/16] [BUGFIX] Fix user/group id in Dockerfile fixes #304 Signed-off-by: Jerome Jutteau --- Dockerfile | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 58c813d..e0b81bf 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,41 +1,34 @@ FROM php:8.1-fpm-alpine LABEL org.opencontainers.image.authors="jerome@jutteau.fr" -# lighttpd user -ARG USER_ID=100 -# www-data group -ARG GROUP_ID=82 - # install base RUN apk update && \ ln -snf /usr/share/zoneinfo/Etc/UTC /etc/localtime && \ echo "UTC" > /etc/timezone +# install lighttpd +RUN apk add lighttpd git # install jirafeau RUN mkdir /www WORKDIR /www COPY .git .git -RUN apk add git && \ - git reset --hard && rm -rf docker install.php .git .gitignore .gitlab-ci.yml CONTRIBUTING.md Dockerfile README.md && \ - apk del git && \ - touch /www/lib/config.local.php && \ - chown -R $USER_ID.$GROUP_ID /www && \ - chmod o=,ug=rwX -R /www +RUN git reset --hard && rm -rf docker install.php .git .gitignore .gitlab-ci.yml CONTRIBUTING.md Dockerfile README.md +RUN touch /www/lib/config.local.php +RUN chown -R $(id -u lighttpd).$(id -g www-data) /www +RUN chmod o=,ug=rwX -R /www COPY docker/cleanup.sh /cleanup.sh COPY docker/run.sh /run.sh RUN chmod o=,ug=rx /cleanup.sh /run.sh COPY docker/docker_config.php /docker_config.php -# install lighttpd -RUN apk add lighttpd && \ - chown -R $USER_ID /var/log/lighttpd && \ - mkdir -p /usr/local/etc/php +RUN mkdir -p /usr/local/etc/php COPY docker/php.ini /usr/local/etc/php/php.ini COPY docker/lighttpd.conf /etc/lighttpd/lighttpd.conf # cleanup +RUN apk del git RUN rm -rf /var/cache/apk/* CMD /run.sh -- 2.34.1
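Review bot: The `chmod o=,ug=rwX -R /www` line, together with the new `chown -R $(id -u lighttpd).$(id -g www-data) /www`, leaves the whole application tree writable by the web server user, so any file-write flaw in the application could modify its own PHP code. If only `lib/config.local.php` needs to be written at runtime (it is the file touched just before; to be confirmed against run.sh), tighten it with `RUN chmod -R o=,ug=rX /www && chmod ug+w /www/lib/config.local.php`. The `user.group` separator is a deprecated form; `chown -R lighttpd:www-data /www` is the portable spelling. Splitting the steps into separate `RUN` lines also means `apk del git` and the removal of `.git` no longer shrink the image, since the earlier layers keep that content.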