Releases: Neztore/save-server
v1.3.0: Make file names adjustable
File name length can now be altered using the `nameLength` environment variable. This is useful for bigger servers with lots of images, as the default 11 million possible combinations is not enough for all cases. (Though this is not a worry for most...)
v1.2.0: Add Log out, Fix URL shortening, eslint
- Adds a log out button (and the server side code, to boot)
- Makes the authorization cookie sameSite = lax
- Updates dependencies (Important for security!)
- Hides the x-powered-by header properly
- Enables eslint under `npm test` and makes all of the code conform to it.
- Fixes URL shortening from the ShareX client. Old config files should work: The web API url has changed.
v1.1.0 Improve and fix URL Shortenings
Bugs fixed
- Fixed issue where non-root users could not delete their shortened URLs
Improvements
- Adds the ability for you to specify the URI (DOMAIN/XXXX) for a given URL shortening.
Given some people may give (less) trusted people access, this has some safeguards:
- Must be between 2 and 20 characters
- Must be alphanumeric
- You cannot overwrite existing URL shortenings
If any of these requirements is not met, a generated URI is returned (as if no custom URI was specified).
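The safeguards above, sketched as an added example (this is not save-server's own code). `createShortening`, `generateUri`, the `Map` standing in for the database and the 6-character generated length are all assumptions.

```javascript
const crypto = require("crypto");

// Anchored, ASCII-only pattern: 2 to 20 alphanumeric characters.
// Without ^ and $ a value such as "ab/../x" would pass on its "ab" prefix.
const CUSTOM_URI = /^[A-Za-z0-9]{2,20}$/;
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Hypothetical generator; the default length is an assumed value.
function generateUri(length = 6) {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += ALPHABET[crypto.randomInt(ALPHABET.length)]; // unbiased index
  }
  return out;
}

// `store` is a Map of uri -> target URL (assumption, stands in for the DB).
function createShortening(store, target, requested) {
  const usable =
    // A JSON body can carry ["ab"]; RegExp.test would coerce it to "ab".
    typeof requested === "string" &&
    CUSTOM_URI.test(requested) &&
    !store.has(requested); // never overwrite an existing shortening

  // Any failed safeguard falls back to a generated URI instead of an error.
  let uri = usable ? requested : generateUri();
  while (store.has(uri)) uri = generateUri(); // retry on a generated collision

  store.set(uri, target);
  return { uri, custom: usable };
}
```
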
v1.0.9: Update Bcrypt
A Bcrypt security issue was recently published.
I do not think this package is vulnerable due to length validation but better safe than sorry.
v.1.0.8: Improve code highlighting and display
- Added GitHub repo to package.json
- Added NPM badge to GitHub repo
The actual improvements:
- Made highlightjs preserve tabs
- Moved from `pre` to `code`, allowing whitespace to be preserved & proper highlighting
Uploaded code now looks bearable.
v1.0.7: Fix broken code
Sorry folks. Really dropped the ball here.
The previous CSRF implementation broke file uploading. I've now fixed everything.
File uploading now only accepts authentication by header. This means it does not need CSRF protection, as attackers could not get the secret from the cookie.
This release resolves a CSRF vulnerability present within the server.
This means that if you are logged into a Save-Server instance and you browse to a malicious site, that site could perform some actions, such as creating redirects, deleting files, and creating or updating users (if root).
They cannot GET files with this vulnerability, so they could not view your gallery - only modify it.
Fix releases
Fixes releases. Please see v.1.0.5 for details of the security vulnerability.
v1.0.5: Resolve CSRF vulnerability
This release resolves a CSRF vulnerability present within the server.
This means that if you are logged into a Save-Server instance and you browse to a malicious site, that site could perform some actions, such as creating redirects, deleting files, and creating or updating users (if root).
They cannot GET files with this vulnerability, so they could not view your gallery - only modify it.
v1.0.4: User deletion fix
Solves the "Ghost file" problem.
This is actually v.1.0.3 but I had npm issues so ended up incrementing.. again :)
v1.02: Bug fixes
Includes the removal of an erroneous message on the URL shortener page and improvements surrounding passwords:
- Increased limit to 100 characters
- Added a bcrypt notice to readme
- Added bcrypt notice to > 100 warning message