Releases: Xenthys/ShareXen
Fix array_map calls (info endpoint as an admin)
The info endpoint uses array_map to list users and admins, but the function was not passed as a string.
This worked with PHP <8.0 thanks to the language's leniency, but raises errors in more recent versions.
ShareXen now respects the array_map documentation and passes function names as strings.
Add DEFAULT_PROTOCOL constant and error_msg field
The DEFAULT_PROTOCOL constant (default value: auto) allows administrators to override the default API protocol in case the automated check does not work. This can help, for example, where a reverse-proxy configuration is causing issues with the automated detection, or if you want a specific protocol used no matter how the API is called.
The error_msg field has been added right after the error one in replies; it provides a human-readable error message.
Check the ShareXen.sxcu file to update your custom uploader configuration, allowing ShareX to display it if needed.
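As an added illustration of the two changes above (not ShareXen's own code), the following PHP builds an info-style reply that lists users and admins through array_map with the callback passed as a string, and a reply helper that places error_msg right after error. The USERS and ADMINS layouts, the error table and the helper names are assumptions made for the example.

```php
<?php
// Added example (not ShareXen's own code). USERS/ADMINS layouts and helper
// names are assumptions; the sample data is constructed.

const USERS  = ['alice' => 'tok-a', 'bob' => 'tok-b']; // constructed sample
const ADMINS = ['alice'];                               // constructed sample

// Human-readable text for each machine-readable error code.
const ERROR_MESSAGES = [
    'unauthorized'                    => 'Authentication failed.',
    'cannot_generate_unique_filename' => 'No unique filename could be generated.',
];

// Build a reply; when $error is set, error_msg follows it immediately.
function build_reply(string $status, ?string $error = null, array $extra = []): array
{
    $reply = ['status' => $status];
    if ($error !== null) {
        $reply['error']     = $error;
        $reply['error_msg'] = ERROR_MESSAGES[$error] ?? 'Unknown error.';
    }
    return $reply + $extra;
}

// Callback used with array_map below.
function describe_user(string $username): array
{
    return ['username' => $username, 'admin' => in_array($username, ADMINS, true)];
}

function info_reply(bool $is_admin): array
{
    $extra = ['php_version' => PHP_VERSION];
    if ($is_admin) {
        // The callback must be the string 'describe_user'. A bare describe_user
        // is an undefined constant: PHP < 8 fell back to the string (with a
        // notice or warning), PHP 8 throws an Error instead.
        $extra['users']  = array_map('describe_user', array_keys(USERS));
        $extra['admins'] = ADMINS;
    }
    return build_reply('success', null, $extra);
}

header('Content-Type: application/json');
echo json_encode(info_reply(true), JSON_PRETTY_PRINT), "\n";
echo json_encode(build_reply('error', 'unauthorized'), JSON_PRETTY_PRINT), "\n";
```

Keeping the human-readable text in a lookup table next to the error codes means clients that parse only the error field are unaffected, while ShareX can show error_msg directly.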
Fix broken log messages
The $endpoint variable in the log function was undefined, which omitted the endpoint from log messages entirely and threw warnings.
Add URL_STRIP_EXTENSION constant
This small update allows users to remove the file extension from the resulting URL, as requested in issue #2. This is useful for using a rewrite rule in order to automatically find the corresponding file.
Be careful, as the filename generator only checks against existing files of the same extension. It is therefore possible to have two files with the exact same name, as long as they have a different extension.
Fix flawed MAX_ITERATIONS check
The name-generating loop now errors properly when reaching the configured MAX_ITERATIONS value.
Before the patch, the error condition was hardcoded to 10.
If you kept the MAX_ITERATIONS constant set to 10, you are fine.
Setting the MAX_ITERATIONS constant under 10 (then reaching it) would validate the name and overwrite the file, instead of rejecting the request with a "cannot_generate_unique_filename" error.
Setting the MAX_ITERATIONS constant above 10 had no effect.
Drop curl dependency, enhance info endpoint
String concatenation is no longer used where in-line variables can improve code readability and ease of use.
Constants are now all checked and given default values in case they're unset. Old checks have been removed.
An optional MAX_ITERATIONS constant has been added.
Calling the Discord webhook now relies on native PHP functions (fopen, specifically file_get_contents) instead of a plethora of curl functions. This might be disabled on some cheap web hosts, but those usually don't have libcurl installed anyway.
The info endpoint now reports the configured maximum number of iterations (to everyone), the list of configured usernames along with the list of admins (to admins), and whether a Discord webhook is configured and usable, determined by checking if "allow_url_fopen" is enabled (to admins).
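An added example (not ShareXen's own code) of the curl-free approach described above: a webhook call made with file_get_contents and a stream context, guarded by the same allow_url_fopen check the info endpoint can report to admins. The webhook URL is a placeholder, the payload is the standard Discord "content" field, and the helper names are assumptions.

```php
<?php
// Added example (not ShareXen's own code). DISCORD_WEBHOOK_URL is a placeholder;
// helper names are assumptions.

const DISCORD_WEBHOOK_URL = 'https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN';

// True when http(s):// URLs can be opened with fopen/file_get_contents.
// This is what the info endpoint can expose to admins.
function webhook_available(): bool
{
    return DISCORD_WEBHOOK_URL !== ''
        && filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// POST a JSON payload to the webhook. Returns the response body (empty for
// Discord's 204) on a 2xx status, null otherwise.
function call_webhook(string $message): ?string
{
    if (!webhook_available()) {
        return null;
    }
    $payload = json_encode(['content' => $message]); // json_encode escapes the text
    $context = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/json\r\n"
                         . 'Content-Length: ' . strlen($payload) . "\r\n",
        'content'       => $payload,
        'timeout'       => 5,
        'ignore_errors' => true, // keep the body of 4xx/5xx answers for logging
    ]]);
    $body = @file_get_contents(DISCORD_WEBHOOK_URL, false, $context);
    if ($body === false) {
        return null; // DNS/connection failure or allow_url_fopen disabled at runtime
    }
    // The http wrapper fills $http_response_header after the call.
    $status = 0;
    if (isset($http_response_header[0])
        && preg_match('#\s(\d{3})\s#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return ($status >= 200 && $status < 300) ? $body : null;
}

$result = call_webhook('New upload: example.png');
echo $result === null ? "webhook call failed or unavailable\n" : "webhook accepted\n";
```

With ignore_errors set, a 4xx or 5xx answer still returns the body rather than false, so the status line has to be inspected explicitly; the short timeout keeps a slow or unreachable webhook from stalling the upload reply.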
Security patch: empty salt was usable
A configured salt is necessary for generating security keys. That wasn't true before this commit.
According to the comment above the SALT definition, keeping it empty was supposed to disable the feature. Instead, it kept the feature insecurely enabled and used the empty salt, producing entirely predictable security keys that were accepted as valid instead of none being returned. Note that commenting out the define properly disabled this feature.
If you do not update and have an empty salt, either remove/comment the define, or set a proper one immediately.
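An added example (not ShareXen's own code) of the check the patch introduces, with the old presence-only test beside it. The key derivation (an HMAC over the filename) is an assumption made for illustration; the SALT constant name mirrors the release notes.

```php
<?php
// Added example (not ShareXen's own code). The HMAC-based derivation is an
// assumption for illustration only.

// Vulnerable configuration: the salt is defined but empty.
define('SALT', '');

// Before the patch: only the presence of the define was tested, so an empty
// string still enabled the feature.
function salt_usable_before(): bool
{
    return defined('SALT');
}

// After the patch: the salt must be defined AND non-empty.
function salt_usable_after(): bool
{
    return defined('SALT') && is_string(SALT) && SALT !== '';
}

// Derive a per-file key, or refuse to issue one when the salt is unusable.
function file_key(string $filename, callable $salt_ok): ?string
{
    if (!$salt_ok()) {
        return null;
    }
    // With an empty key the HMAC depends only on the public filename, so
    // anyone who knows the filename can compute the same "secret" key.
    return hash_hmac('sha256', $filename, SALT);
}

$old = file_key('image.png', 'salt_usable_before');
$new = file_key('image.png', 'salt_usable_after');
echo 'old check: ', $old === null ? 'no key issued' : 'key issued from empty salt', "\n";
echo 'new check: ', $new === null ? 'no key issued' : 'key issued', "\n";
```

With the empty salt, the old check still issues a key, and that key is a pure function of the filename; the new check issues none, which is the behaviour the comment above SALT promised.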
Default allowed file extensions have also been edited to show that regexes are supported (which they have been since the beginning), making sure users are aware of that possibility, as it wasn't documented.
Random name generator safeguarding
The random name generator is now protected against infinite loops.
The iteration_count JSON field has therefore been added to indicate how many loop iterations were necessary to generate a unique name. If no unique name is found after 10 iterations, the script returns an HTTP 500 cannot_generate_unique_filename error, as it really shouldn't take more than one or two iterations.
The PHP version check has been removed since the script errors immediately anyway: PHP 5 cannot parse it at all before execution. The hard fail is caused by the special syntax at line 723, but that is definitely not the only point requiring PHP 7, which provides e.g. the random_int function, a CSPRNG, as wanted here.
The random_str function doesn't require mbstring anymore as the keyspace only contains ASCII characters.
Unicode keyspaces are therefore not (and have never been) supported at all.
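An added example (not ShareXen's own code) that ties together the name-generator changes described in this release and in "Fix flawed MAX_ITERATIONS check" and "Add URL_STRIP_EXTENSION constant" above: random_int over an ASCII-only keyspace (no mbstring), a loop bounded by the configured MAX_ITERATIONS rather than a literal 10, an iteration_count in the reply, and the same-extension-only existence check with an optional stricter variant. The directory, defaults and helper names are assumptions.

```php
<?php
// Added example (not ShareXen's own code). Defaults, directory and helper
// names are assumptions.

if (!defined('MAX_ITERATIONS')) {
    define('MAX_ITERATIONS', 10);
}
const KEYSPACE = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Pick $length characters with random_int (a CSPRNG). Byte indexing is
// enough because the keyspace is pure ASCII, so mbstring is not needed.
function random_str(int $length): string
{
    $max = strlen(KEYSPACE) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= KEYSPACE[random_int(0, $max)];
    }
    return $out;
}

// True when $name.* already exists with any extension. Useful when
// URL_STRIP_EXTENSION is on and a rewrite rule must never be ambiguous.
function name_taken_any_extension(string $dir, string $name): bool
{
    return count(glob("$dir/$name.*")) > 0; // $name is alphanumeric only
}

// Returns ['name' => ..., 'iteration_count' => n] or throws once the
// configured MAX_ITERATIONS is reached. The flawed version compared $i
// against a literal 10 here instead of the constant.
function generate_unique_name(string $dir, string $ext, int $length = 8, bool $any_ext = false): array
{
    for ($i = 1; $i <= MAX_ITERATIONS; $i++) {
        $name  = random_str($length);
        // Default behaviour: only a file with the same extension counts as
        // a clash, so abc.png and abc.gif can coexist.
        $taken = $any_ext
            ? name_taken_any_extension($dir, $name)
            : file_exists("$dir/$name.$ext");
        if (!$taken) {
            return ['name' => $name, 'iteration_count' => $i];
        }
    }
    throw new RuntimeException('cannot_generate_unique_filename');
}

try {
    $result = generate_unique_name(sys_get_temp_dir(), 'png', 8, true);
    echo json_encode($result + ['status' => 'success']), "\n";
} catch (RuntimeException $e) {
    http_response_code(500);
    echo json_encode(['status' => 'error', 'error' => $e->getMessage()]), "\n";
}
```

Passing $any_ext = true removes the cross-extension collision the "Add URL_STRIP_EXTENSION constant" note warns about; with the default, behaviour matches the page's description, where a clash is only detected for the same extension.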
Authentication rewrite
This release introduces breaking changes, be careful when updating.
Users now have usernames, and adding admins no longer depends on positions.
This is much easier and more convenient to use, but requires a client and server configuration update.
Configuration has been updated:
- USER_TOKENS has been removed in favor of USERS (new format)
- MAX_ADMIN_ID has been removed in favor of ADMINS (new format)
- DELETION_SALT has been renamed to SALT (same format)
Some parameters have been changed:
- auth_token has been renamed to token
- deletion_hash has been renamed to key
- user_id has been removed in favor of username, which now only exists when a user is authenticated
Please follow https://github.com/Xenthys/ShareXen/blob/master/UPDATING.md for more information.
User-defined protocol
You can now use the protocol parameter to specify which protocol should be used for the image URL. This can be useful if you call the script from a local tool over HTTP but serve images over HTTPS, or if you call the API over HTTPS but don't have HTTP support on another domain name you want to use for displaying the images.
This completes the domain parameter from v1.3.0 f364218 and has the same behavior when unspecified: the protocol is assumed to be the same as the one used to call the API itself.