MAINHACK

Viewing / Editing File: changelog.txt

File is not writable. Editing disabled.
v6.6.14

Released on Jun 27, 2025
Minor cosmetic hotfix

This is a small patch which fixes a cosmetic issue on the gallery page.

    fix ♯3499 : fix header always showing up by @ildyria.
	
v6.6.13

Released on Jun 27, 2025
Security release: Server-Side Request Forgery (SSRF) vulnerability fix (3.5)

All versions of Lychee below 6.6.12 are vulnerable to a Server-Side Request Forgery (SSRF) vulnerability. This leads the attacker to be able to execute any GET request on your local network.
The vulnerability

The attack makes use of an unsanitized input on an fopen call during a photo import. This vulnerability would allow an attacker to effectively read any file on your internal network, including localhost.

In itself Lychee is not impacted. As in the attack will not compromise your photos, albums, etc. Furthermore, the attacker needs to have access to an account with upload rights.

However, this still allows the attacker to use Lychee as a proxy and interact within your internal network/localhost. For example, if you have a notification forwarding service with a GET webhook, that could be exploited to send a notification and start a phishing attack.
The Fix

We added multiple optional checks on the urls provided:

    validate that the url formatting
    validate that the scheme is http/https
    validate that the port if given is 80 or 443
    validate that if an ip is used it is not a local ip
    validate that localhost is not used.

All of them are enabled by default and can be disabled in the expert admin settings.
Other changes

    fix ♯3498 : Fix SSRF + bump version by @ildyria.

    new ♯3491 : Add optional gallery header image by @ildyria.

        We added the option to have a header image on top of the gallery page. You will find the configuration in the Landing page settings.

    fix ♯3497 : add some missing RTL support on timeline photo display by @ildyria.

        Improvement of the RTL support on timeline photo display.

v6.6.12

Released on Jun 26, 2025
Persian, Right to Left (RTL) support, and invite links!

This is a small release that brings a few new features. A few weeks ago we added support for Arabic, but that was without the proper reading direction support. By adding support for Persian, we also took the time to add a full Right to Left (RTL) integration. There might still be some light display issues, but we are confident our middle eastern users will appreciate this.

A bug that has been plaguing lychee for a while was that on mobile, the album header bar was disappearing when switching to the photo view. We completely rewrote the way the header bar is displayed and this is now fixed.

In version 6.6.6 we added a new registration page. This was either on or off, but there was no way to filter who could register. This release adds the ability to create invite links. As a result, you can keep the registration page disabled and create invite links that you can share with your friends.

    new ♯3419 : Add Persian language and fix LTR and RTL display by @ildyria.
    new ♯3435 : Do not log queries which are faster than 100ms by default by @ildyria.

        We added the .env variable DB_LOG_SQL_MIN_TIME which allows to you set the minimum time in ms for a query to be logged. Any SQL queries faster than this will be ignored. This is not something that is visible to the user, and more of a debugging/profiling feature.

    fixes ♯3494 : fix disappearing header bar on mobile by @ildyria.
    new ♯3433 : Add backend and frontend for simple invitation links by @ildyria.
    new ♯3458 : Add quick setup to run pgsql locally with tests by @ildyria.

        We added a small pgsql docker compose file with a postgresql database setup. This is not meant to be used in production, but it will allow us to easily run our test suite locally with a postgresql database.

v6.6.11

Released on Jun 23, 2025
Minor fix on photo edit.

Editing photos was no longer possible since version 6.6.6, this was due to the change of the photo-album relationship. This is now fixed and you can edit your photos again. Sorry for the inconvenience.

    fixes ♯3471 : Photo edit by @ildyria.

v6.6.10
Released on Jun 18, 2025

    Fix path traversal attack + bump version.
Cancel / Back
[ MAINHACK ]

Viewing / Editing File: changelog.txt

Server Info

System Features

User Info
