Jirafeau - Package Updates
-
[1.8.0]
- Update Jirafeau to 4.6.0
- Full changelog
- New configuration options for allowing to require, check or generate file download passwords
- Re-implemented server side encryption using PHP's Sodium extension (the formerly used mcrypt extension is deprecated)
- Keep and show basic download stats
- Removed Lighttpd's mod_usertrack from Docker config
- Added
<meta name="viewport"to template header to support responsive themes
-
[1.8.1]
- Update Jirafeau to 4.6.1
- Full Changelog
- Removed the download button and the corresponding link for encrypted files from the admin interface
- Fixed an issue with sending the wrong filesize after decrypting an encrypted file
- Fixed the possibility to bypass the check for CVE-2022-30110 (prevent preview of SVG images) by sending a manipulated HTTP request with a MIME type like "image/svg+XML".
- We now provide Docker images for AMD64 and ARM64 systems
- Lots of code refactoring and cleanup
- Few more little fixes
- Typo and spelling mistakes
-
[1.9.0]
- symlink custom tos to
/app/data/tos.local.txt
- symlink custom tos to
-
[1.9.1]
- Update Jirafeau to 4.6.2
- Full Changelog
- Allow to configure the language and the availabilities for files for a Docker container (issue #20)
- Added an example
docker-compose.yamlfile for configuring the Docker container - Fixed an error occuring on some systems while building the Docker image (issue #24)
- Script upload was broken due to a missing
returnstatement (issue #23) - Upgrade from 4.6.1: in-place upgrade
-
[1.10.0]
- Update base image to 5.0.0
-
[1.11.0]
- add checklist
-
[1.11.1]
- Update Jirafeau to 4.6.3
- Full Changelog
- Fixed the possibility to bypass the checks for CVE-2022-30110 and CVE-2024-12326 (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image/png,text/html". When doing the preview, the MIME type "text/html" takes precedence and you can execute for example JavaScript code.
- Compare password hashes using
hash_equals()
-
[1.12.0]
- Update Jirafeau to 4.7.0
- Full Changelog
- Added feature for using shortened download links. This requires a web server that supports URL rewriting, like Apache with
mod_rewrite. - Added CSS class
tosfor addressing the link to the "Terms of Service" page - Download stats introduced in version 4.6.0 were accidentally removed in version 4.6.1. This feature is now available again.
- Generated download passwords were not shown after the upload was completed
- Uploading a file using
script.phpwith an upload password set always ended up in an "Error 2". This is fixed now.
-
[1.12.1]
- Update Jirafeau to 4.7.1
- Full Changelog
- Fixed another possibility to bypass the checks for CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066 (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled.
- The default value of
max_upload_chunk_size_byteswas set to5000000. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.
