Chevereto v4.0.3 announcement

[Rodolfo]

Hey there,

I'm confirming the third revision for Macanudo (4.0), this one is (again) about fixing bugs and incremental improvements.

👉 If you are experiencing bugs check hot-fixes and don't hesitate to use Bug Tracking.

 

[Rodolfo]

✅ Removed limit on upload threads

Via an RFC opened by @Barry we are now removing the limitation on configurable upload threads. This affects the streams allowed to send uploads at the same time which you can now freely configure.

Keep in mind that these are real-world limited by the HTTP protocol you may be using (6 on HTTP 1.1, N on H2) and by your server hardware.

🤔 Using huge values could melt your machines? There's just one way to find out!

 

[Rodolfo]

🐞 Fixed bug with empty string on table prefix

Thanks to @gioh I was able to spot a tricky bug. When using CHEVERETO_DB_TABLE_PREFIX with empty string the system was failing to detect the database connection. This release fixes this issue.



I also got rid of the connection printed values on install. You never know who could be sniffing or sapeando your installations!

 

[Rodolfo]

🐞 Fixed bug with B2 Storage (legacy)

B2 Legacy API SDK wasn't working so I spawned our own maintained version of it at chevereto/backblaze-b2-legacy with support for PHP 8. You should be migrating to B2's S3 compatible asap, but for all those under pressure this will keep your systems working.

You may want to go to /app to alter composer.json and then run composer update to push the fixed package in your setups.

chevereto/backblaze-b2-legacy

 

[Rodolfo]

🐞 Fixed bug affecting Amazon S3

Amazon S3 storage wasn't working after the addition of CloudFlare R2. This revision fixes this bug.

 

[Rodolfo]

🦄 Updated XR Debug to 0.5 (Flagg)

My XR Debug software now supports end-to-end encryption! With this the debugger now cipher the communication so there's no chance to get the debug messages compromised as it uses AES-GCM AE (Authenticated Encryption).



Why it is important? XR Debug is a remote on-the-fly debugger, the problem is when you use it for a production website the communication was open to anybody. With this nifty addition only those with the encryption key will be able to see the dump messages.

I really doubt that anybody else but me ends up using this on your machines, but I think it worth mention that I took care of your security.

 

[Rodolfo]

🐊 Added CHEVERETO_HEADER_CLIENT_IP environment variable

When running using a proxy you may find out that Chevereto fails to detect the real visitor IP. This is because Chevereto uses REMOTE_ADDR, which in proxy setup points to the proxy TCP IP (and not the client IP) which drives a lot of issues. To fix this, I'm introducing the variable CHEVERETO_HEADER_CLIENT_IP which will allow you to configure the header for client IP.

So if your proxy uses the header X-Real-IP you only need to set CHEVERETO_HEADER_CLIENT_IP=X-Real-IP to instruct Chevereto to trust in that header for client IP detection.

 

[Rodolfo]

🐞 Fixed wrong IP detection for Akismet

Askimet was doing a check for $_SERVER['HTTP_X_FORWARDED_FOR'] which can be spoofed at client layer when not using a proxy. In other words, unless using a proxy Akismet was vulnerable to fake IPs due to this unsafe header handling. This revision fixes this bug.

 

[Rodolfo]

🐬 Improved compatibility with MySQL 5

The database schema for MySQL 5.6 has been improved with the addition of ROW_FORMAT=DYNAMIC. TL;DR: It provides better index support for longer keys. At 2022 you should be already running MySQL 8 (or MariaDB 10) but you know how it goes, in some systems it may not be available so this release improves the situation.

 

[Rodolfo]

🤖 Added support for hCaptcha

This revision adds support for hCaptcha as per this RFC (thanks @Picxly). This will enable us to use a privacy-first captcha alternative. This captcha is way better than reCaptcha which honestly? Looks abandoned by Google compared with hCaptcha.

 

[Rodolfo]

🐞 Fixed bug with missing delete links on uploader

The delete link was not being shown after upload. This revision fixes this bug.