Commit Graph

127 Commits

Author SHA1 Message Date
Bobby 2d147e748b
feat: usergroup-based file retention periods
this supersedes the old temporaryUploadAges, while maintaining full
backwards-compatibility.

please consult config.sample.js if you want to start using this
2022-05-07 02:17:31 +07:00
Bobby 595dd81455
feat: apply access-control-allow-origin globally
instead of only on some arbitrary routes

configurable via config, please check sample, disabled by default

i still recommend configuring from your own http server (nginx, etc.),
if you want to have more complex per-route headers
2022-05-02 13:58:04 +07:00
Bobby 86c26cb50c
feat: some bypass support to passthrough scanning
only usergroup and file extension bypass

real file size can't be determined before passthrough scan,
so there's no bypass by max file size
please read the comments in sample config file

refactored utils.clamscan into utils.scan
2022-04-23 04:44:01 +07:00
Bobby f6a86226a2
fix: re-disable new default helmet modules
this is to align with original behavior pre-Helmet v5 update

this only changes sample config file, and fallback values when helmet
option is missing from config file

otherwise decide at your own discretion (refer to the comments)
2022-04-20 18:37:10 +07:00
Bobby 9af52e068d
docs: config and uploadController 2022-04-16 23:06:25 +07:00
Bobby 99a6fc82ca
fix: passthrough scan should default to off
i'll consider changing the default value once it has feature parity
with the old sequential scan
2022-04-16 13:34:43 +07:00
Bobby db254c602b
feat: experimental clamscan passthrough support
when enabled, passthrough scanning will be used for non-chunked uploads

upload processing will be significantly faster if scanning is required
2022-04-15 16:41:05 +07:00
Bobby 2081245a79
docs: versioned ref links in config.sample.js 2022-04-15 15:41:16 +07:00
Bobby 6788dc2094
fix: align with clamscan v2 2022-04-15 15:36:50 +07:00
Bobby be345e3d34
fix: align with express-rate-limit v6 2022-04-15 14:15:32 +07:00
Bobby 2ddd97541e
refactor: config.hsts -> config.helmet
this allows full config to the helmet library

it will fallback to old behavior if helmet entry is not found in
config file, but hsts entry is
2022-03-04 02:04:16 +07:00
Bobby 1cca4e5f69
fix: update duckduckgo proxy url in sample config 2022-03-03 19:46:25 +07:00
Bobby a4f353ddcf
fix: private upload custom response config option 2021-06-08 07:59:25 +07:00
Bobby Wibowo 48488667c8
feat: limit upload to specific usergroups 2021-05-22 20:59:00 +07:00
Bobby Wibowo ae6d7936c7
feat: blacklist extensions for strip tags
GIFs are known to not work without custom globally-installed libvips
with ImageMagick or GraphicsMagick support.
https://sharp.pixelplumbing.com/api-output#gif
https://sharp.pixelplumbing.com/install#custom-libvips

It's highly recommended to update your config following the changes to
the sample config file.

This also addressed a bug where images would still get recorded to DB
despite them not existing physically due to strip tags errors.
2021-02-01 06:13:37 +07:00
Bobby Wibowo 664c994855
scanner should NOT be enabled by default
Closes #341
2020-12-26 15:21:49 +07:00
Bobby Wibowo 346d9864f3
improved code for statistics
much more expandable, and should be easier to understand overall.

make more statistics operations run concurrently to speed them up.

make linuxDiskStats config key obsolete by using systeminformation
package to also query for any mounted file systems.
2020-12-25 21:06:21 +07:00
Bobby Wibowo 896f74e0ca
allow overriding location of chunks
Closes #302
2020-11-10 01:07:10 +07:00
Bobby Wibowo c16dac81ea
Updated config.sample.js
Didn't mean to have it enabled by default
2020-11-03 23:56:04 +07:00
Bobby Wibowo b63836c89d
Added Content-Type override when serving with node
Closes #274
2020-11-03 23:53:56 +07:00
Bobby Wibowo 21fae10306
Updated config.sample.js 2020-11-01 07:38:36 +07:00
Bobby Wibowo 88f852584c
!! REPLACED ClamAV BACKEND: clamdjs -> clamscan !!
Update your config file!
2020-11-01 06:35:56 +07:00
Bobby Wibowo 57207493a2
Fixed setContentDisposition throwing errors 2020-10-02 04:58:35 +07:00
Bobby Wibowo ce599aea19
Updated config.sample.js
It was weird to have both cacheFileIdentifiers and
queryDbForFileCollisions enabled by default.
2020-09-27 05:24:48 +07:00
Bobby Wibowo ea15b145b1
Added alt stricter file name collision checks 2020-09-27 05:18:42 +07:00
Bobby Wibowo c8a5f7be16
Added setContentDisposition option
Resolves #192

This added 2 new dependencies:
content-disposition
BobbyWibowo/serve-static

content-disposition:
This has fallback generation for file names that are outside ISO-8859-1.
Plus it was already a sub-dependency due to express to begin with.

BobbyWibowo/serve-static:
A fork of express/serve-static to allow specifying an async setHeaders
function by the name preSetHeaders, that will be awaited before
creating the send stream to clients.
2020-09-27 04:33:42 +07:00
Bobby Wibowo 69664b05c2
Clean ups 2020-07-03 22:55:43 +07:00
evanmn 603c9f54e2
Update config.sample.js 2020-07-03 22:50:24 +07:00
Evan McCarthy 8ea0e491cd
add docker-compose stack 2020-07-03 22:50:24 +07:00
Bobby Wibowo bd3c86c1bb
Fix typos in config.sample.js 2020-06-26 13:58:23 +07:00
Bobby Wibowo a93e34bf87
Init cf-api-token 2020-06-26 13:48:15 +07:00
Bobby Wibowo 585331c6e5
Added timeout on chunked uploads
The service will now automatically clean up any leftover data from any
inactive & unfinished chunked upload attempts.

Updated config.sample.js for updated description and new sub-option
for chunkSize option.
2020-06-15 23:48:43 +07:00
camjac251 776414814d
add user config option for thumbnail size 2020-06-01 04:17:23 -05:00
Bobby Wibowo 62a977542e
Switched to BLAKE3 for file hashing [MORE]
UPDATE YOUR CONFIG FILE IF YOU USE CHUNKED UPLOADS!
Read more about this at the end.

Added new dependency: blake3

Hashes will be created as the uploads are being written to disk.
With exception for chunked uploads!
For them specifically, their hashes will be created as they're being
rebuilt into a single file.
Should still be a lot better than the previous case where it had to
re-read the already written files.

To support that feature, added a new file
controllers/multerStorageController.js.
It's just a custom storage engine for Multer.

chunkSize option now allows setting max chunk size from config file.
Previously it was hardcoded to 95MB, but assuming you have paid
Cloudflare plans, you can actually have up to 500MB.

Also moved the option to be after maxSize and before urlMaxSize.
Made a lot more sense to me this way, as chunked uploads only work on
regular uploads.

Updated v1 version string and rebuilt client assets.
2020-05-29 02:52:58 +07:00
Bobby Wibowo 86b51fe5f5
Added Cookie Consent, among other things
This adds Cookie Consent library at public/libs/cookieconsent.

Added views/cookiepolicy.njk.

Added a new config option cookiePolicy. Disabled by default.

Updated views/faq.njk to use variables wherever applicable.
The variables are initiated at views/_globals.njk.
The said file also contains variables used at views/cookiepolicy.njk.

Restored messages about Cloudflare to FAQ.
They will be shown only if config.cloudflare.purgeCache is enabled.

Statistics will now capitalize first letters of the keys instead.

Updated background color of SweetAlert modals.

Moved table styling from dashboard.css to style.css (global),
since table will also be used in Cookie Policy page.

Bumped v1 version string and rebuilt client assets.
2020-05-17 03:35:54 +07:00
Bobby Wibowo 19b4a5e217
Updated Linux-only disk stats
Restore disk usage stats even when config.linuxDiskStats is off

The said config will now only toggle the 'extended' stats which are
disk usage of each directory within the uploads directory
2020-05-02 19:28:13 +07:00
Bobby Wibowo 325ccfac81
Added config option to enable linux disk stats
The option is disabled by default.
Meaning you need to explicitly set it to true to restore
the old behavior.

The one that uses both "df" and "du" binaries.
I found them to be very slow with 100k+ uploads
on my ancient potato server.
2020-04-08 07:08:18 +07:00
Bobby Wibowo 46fa9677ff
Extended configuration for virus scanning
Added whitelist extensions
Added max size limit
2020-04-04 21:20:01 +07:00
Bobby Wibowo 609753f1e9
Make Helmet's HSTS configurable from config file
Closed #115
2020-02-13 15:03:31 +07:00
Bobby Wibowo edce59243b
Better cache control when not using CDN 2020-02-11 17:18:04 +07:00
Bobby Wibowo 806acecdbb
Updated explanation of stripTags option in config 2019-12-02 01:02:03 +07:00
Bobby Wibowo d9ddfe8e9a
Implemented stripping tags from images
... and optionally videos using ffmpeg (still experimental).

Users can choose whether to strip tags of their uploads or not from
the home uploader's Config tab (safe.fiery.me will have it disabled
by default).

The behavior will also be applied to the downloadable ShareX config.

Server owners can choose to force either behavior.

Make sure to add the new config from config.sample.js.

---

Fixed all instances of "e.i." to "e.g.".
My English sucks, okay.

Bumped v1 version string.
2019-11-29 20:42:53 +07:00
Bobby Wibowo a28d862c14
Added group bypass to virus scanning
Also better-ish scan results handling again, I guess

Updated dependency knex: 0.20.0 -> 0.20.1
2019-11-06 03:35:04 +07:00
Bobby Wibowo fbd8037c35
Updated config.sample.js
Updated sample API rate limits.
This will pretty much be the same ones used live in safe.fiery.me.

This rate limits ALL API calls to 10 requests per second,
but applies stricter limits to login & register endpoints, which are
2 requests per 5 seconds.
Also applies a stricter limit to the album ZIP download endpoint of
4 requests in 30 seconds.

Also removed forcing 200 HTTP status code from the error responses,
cause front-end will now handle any HTTP status codes properly.
It was previously set to 200 cause frontend couldn't handle
errors properly.

On a side note, rate limiting all API calls is important due to the fact
that any token-based endpoints can be used for brute-forcing tokens.
Some server firewalls can also be used to ban possible brute force
attacks through actively monitoring the HTTP server's access logs,
so you may also want to consider that kind of solution for your site
instead.
2019-10-12 13:55:38 +07:00
Bobby Wibowo 386787c6ce
Updated
Description in album public pages will no longer use h2 tag.
Descriptions that can go up to 4000 chars kinda made no sense to use
that tag.

Use Nunjucks' built-in nl2br tag to replace newlines with <br> tag.

Removed unused macro from faq.njk.

Better extensions filter list in URL uploads tab.

Updated config.sample.js with sample usage of the URL uploads extensions
filter.
2019-09-19 15:30:00 +07:00
Bobby Wibowo 19dcd4fd02
Updated 2019-09-09 01:27:14 +07:00
Bobby Wibowo 1a0d85cc6c
Updated 2019-09-09 01:21:01 +07:00
Bobby Wibowo 4bad86003c
Updated
I forgot to update sample config file in the previous commit.
config.uploads.fileLength -> config.uploads.fileIdentifierLength.

Updated README.md.
2019-09-08 09:28:13 +07:00
Bobby Wibowo 02e2e402c3
!!! MASSIVE OVERHAUL !!!
As the title says, this commit is a massive overhaul.
I've rewritten/restructured almost everything in the controller scripts.
Because of that, there's a considerable possibility that I've broken
something somewhere.

Notable changes:

Added temporary uploads.

Removed file name length changer from dashboard,
in favor of an equivalent in homepage config tab.
This allows non-registered users to also set file name length.

A bunch of other undocumented stuff.
I don't know, I'm too tired to remember them all.
2019-09-08 08:56:29 +07:00
Bobby Wibowo e45d854c09
Updated
* Updated path resolving for upload folder option.
This SHOULD now allow using an absolute path, even those outside of
the lolisafe installation.

* Added a config option at uploads -> generateThumbs, named placeholder.
It's a string option that lets you set path of the placeholder image
for files whose thumbnail could not be generated.
It defaults to the old hard-coded path when set to falsy value.

* Fixed thumbs script not using upload folder from config file.

* Added filters for thumb generation error handling.
This is used to ignore some common error messages,
such as file formats not being supported.
2019-08-23 16:49:53 +07:00