diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 000000000..048b1cf2c
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [blueimp]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..0153ebdf5
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,80 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ node-version: [14, 16]
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-node@v2
+ with:
+ node-version: ${{ matrix.node-version }}
+ - run: npm install
+ - run: npm run lint
+
+ mocha:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: chmod
+ run: chmod -R 777 server/php/files
+ - name: docker-compose build
+ run: docker-compose build example mocha
+ - name: mocha
+ run: docker-compose run --rm mocha
+ - name: docker-compose logs
+ if: always()
+ run: docker-compose logs example
+ - name: docker-compose down
+ if: always()
+ run: docker-compose down -v
+
+ wdio-chrome:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: chmod
+ run: chmod -R 777 server/php/files wdio/reports
+ - name: docker-compose build
+ run: docker-compose build example
+ - name: wdio chrome
+ run: docker-compose run --rm wdio
+ - name: docker-compose logs
+ if: always()
+ run: docker-compose logs example
+ - name: docker-compose down
+ if: always()
+ run: docker-compose down -v
+ - name: Upload reports
+ if: always()
+ uses: actions/upload-artifact@v2
+ with:
+ name: reports
+ path: wdio/reports
+
+ wdio-firefox:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: chmod
+ run: chmod -R 777 server/php/files wdio/reports
+ - name: docker-compose build
+ run: docker-compose build example
+ - name: wdio firefox
+ run: docker-compose run --rm wdio conf/firefox.js
+ - name: docker-compose logs
+ if: always()
+ run: docker-compose logs example
+ - name: docker-compose down
+ if: always()
+ run: docker-compose down -v
+ - name: Upload reports
+ if: always()
+ uses: actions/upload-artifact@v2
+ with:
+ name: reports
+ path: wdio/reports
diff --git a/.gitignore b/.gitignore
index 29a41a8c4..84901da00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-.DS_Store
*.pyc
+.env
node_modules
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 000000000..ca9e708c6
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,20 @@
+MIT License
+
+Copyright © 2010 Sebastian Tschan, https://blueimp.net
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
index 4efb4c412..9a093c6af 100644
--- a/README.md
+++ b/README.md
@@ -1,86 +1,224 @@
-# jQuery File Upload Plugin
+# jQuery File Upload
-## Demo
-[Demo File Upload](http://blueimp.github.com/jQuery-File-Upload/)
+## Contents
-## Setup
-* [How to setup the plugin on your website](https://github.com/blueimp/jQuery-File-Upload/wiki/Setup)
-* [How to use only the basic plugin (minimal setup guide).](https://github.com/blueimp/jQuery-File-Upload/wiki/Basic-plugin)
+- [Description](#description)
+- [Demo](#demo)
+- [Features](#features)
+- [Security](#security)
+- [Setup](#setup)
+- [Requirements](#requirements)
+ - [Mandatory requirements](#mandatory-requirements)
+ - [Optional requirements](#optional-requirements)
+ - [Cross-domain requirements](#cross-domain-requirements)
+- [Browsers](#browsers)
+ - [Desktop browsers](#desktop-browsers)
+ - [Mobile browsers](#mobile-browsers)
+ - [Extended browser support information](#extended-browser-support-information)
+- [Testing](#testing)
+- [Support](#support)
+- [License](#license)
-## Support
-* **Support requests** and **general discussions** about the File Upload plugin can be posted to the official [support forum](https://groups.google.com/d/forum/jquery-fileupload).
-If your question is not directly related to the File Upload plugin, you might have a better chance to get a reply by posting to [Stack Overflow](http://stackoverflow.com/questions/tagged/blueimp+jquery+file-upload).
-* **Bugs** in the File Upload plugin can be reported using the [issues tracker](https://github.com/blueimp/jQuery-File-Upload/issues).
-Please try to reproduce the problem with the [Demo](http://blueimp.github.com/jQuery-File-Upload/) or with an unmodified setup. Problems with customizations should be posted to the [support forum](https://groups.google.com/d/forum/jquery-fileupload), especially for server-side problems.
-Provide as much details about your test setup as possible (server information, browser and operating system versions).
-Please also provide a [JSFiddle](http://jsfiddle.net/) to allow to reproduce the problem, if possible.
-* **Feature requests** can also be posted to the [issues tracker](https://github.com/blueimp/jQuery-File-Upload/issues) if the implementation would benefit a broader use case or the plugin could be considered incomplete without that feature. Else, please post your ideas to the [support forum](https://groups.google.com/d/forum/jquery-fileupload).
+## Description
+
+> File Upload widget with multiple file selection, drag&drop support, progress
+> bars, validation and preview images, audio and video for jQuery.
+> Supports cross-domain, chunked and resumable file uploads and client-side
+> image resizing.
+> Works with any server-side platform (PHP, Python, Ruby on Rails, Java,
+> Node.js, Go etc.) that supports standard HTML form file uploads.
+
+## Demo
+
+[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/)
## Features
-* **Multiple file upload:**
+
+- **Multiple file upload:**
Allows to select multiple files at once and upload them simultaneously.
-* **Drag & Drop support:**
- Allows to upload files by dragging them from your desktop or filemanager and dropping them on your browser window.
-* **Upload progress bar:**
- Shows a progress bar indicating the upload progress for individual files and for all uploads combined.
-* **Cancelable uploads:**
+- **Drag & Drop support:**
+ Allows to upload files by dragging them from your desktop or file manager and
+ dropping them on your browser window.
+- **Upload progress bar:**
+ Shows a progress bar indicating the upload progress for individual files and
+ for all uploads combined.
+- **Cancelable uploads:**
Individual file uploads can be canceled to stop the upload progress.
-* **Resumable uploads:**
+- **Resumable uploads:**
Aborted uploads can be resumed with browsers supporting the Blob API.
-* **Chunked uploads:**
- Large files can be uploaded in smaller chunks with browsers supporting the Blob API.
-* **Client-side image resizing:**
- Images can be automatically resized on client-side with browsers supporting the required JS APIs.
-* **Preview images:**
- A preview of image files can be displayed before uploading with browsers supporting the required JS APIs.
-* **No browser plugins (e.g. Adobe Flash) required:**
- The implementation is based on open standards like HTML5 and JavaScript and requires no additional browser plugins.
-* **Graceful fallback for legacy browsers:**
- Uploads files via XMLHttpRequests if supported and uses iframes as fallback for legacy browsers.
-* **HTML file upload form fallback:**
- Shows a standard HTML file upload form if JavaScript is disabled.
-* **Cross-site file uploads:**
- Supports uploading files to a different domain with Cross-site XMLHttpRequests.
-* **Multiple plugin instances:**
+- **Chunked uploads:**
+ Large files can be uploaded in smaller chunks with browsers supporting the
+ Blob API.
+- **Client-side image resizing:**
+ Images can be automatically resized on client-side with browsers supporting
+ the required JS APIs.
+- **Preview images, audio and video:**
+ A preview of image, audio and video files can be displayed before uploading
+ with browsers supporting the required APIs.
+- **No browser plugins (e.g. Adobe Flash) required:**
+ The implementation is based on open standards like HTML5 and JavaScript and
+ requires no additional browser plugins.
+- **Graceful fallback for legacy browsers:**
+ Uploads files via XMLHttpRequests if supported and uses iframes as fallback
+ for legacy browsers.
+- **HTML file upload form fallback:**
+ Allows progressive enhancement by using a standard HTML file upload form as
+ widget element.
+- **Cross-site file uploads:**
+ Supports uploading files to a different domain with cross-site XMLHttpRequests
+ or iframe redirects.
+- **Multiple plugin instances:**
Allows to use multiple plugin instances on the same webpage.
-* **Customizable and extensible:**
- Provides an API to set individual options and define callBack methods for various upload events.
-* **Multipart and file contents stream uploads:**
- Files can be uploaded as standard "multipart/form-data" or file contents stream (HTTP PUT file upload).
-* **Compatible with any server-side application platform:**
- Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.
+- **Customizable and extensible:**
+ Provides an API to set individual options and define callback methods for
+ various upload events.
+- **Multipart and file contents stream uploads:**
+ Files can be uploaded as standard "multipart/form-data" or file contents
+ stream (HTTP PUT file upload).
+- **Compatible with any server-side application platform:**
+ Works with any server-side platform (PHP, Python, Ruby on Rails, Java,
+ Node.js, Go etc.) that supports standard HTML form file uploads.
+
+## Security
+
+⚠️ Please read the [VULNERABILITIES](VULNERABILITIES.md) document for a list of
+fixed vulnerabilities
+
+Please also read the [SECURITY](SECURITY.md) document for instructions on how to
+securely configure your Web server for file uploads.
+
+## Setup
+
+jQuery File Upload can be installed via [NPM](https://www.npmjs.com/):
+
+```sh
+npm install blueimp-file-upload
+```
+
+This allows you to include [jquery.fileupload.js](js/jquery.fileupload.js) and
+its extensions via `node_modules`, e.g:
+
+```html
+
+```
+
+The widget can then be initialized on a file upload form the following way:
+
+```js
+$('#fileupload').fileupload();
+```
+
+For further information, please refer to the following guides:
+
+- [Main documentation page](https://github.com/blueimp/jQuery-File-Upload/wiki)
+- [List of all available Options](https://github.com/blueimp/jQuery-File-Upload/wiki/Options)
+- [The plugin API](https://github.com/blueimp/jQuery-File-Upload/wiki/API)
+- [How to setup the plugin on your website](https://github.com/blueimp/jQuery-File-Upload/wiki/Setup)
+- [How to use only the basic plugin.](https://github.com/blueimp/jQuery-File-Upload/wiki/Basic-plugin)
## Requirements
-* [jQuery](http://jquery.com/) v. 1.6+
-* [jQuery UI widget factory](http://wiki.jqueryui.com/w/page/12138135/Widget%20factory) v. 1.8+
-* [jQuery Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/jquery.iframe-transport.js) (included)
-* [JavaScript Templates engine](https://github.com/blueimp/JavaScript-Templates) v. 2.1.0+ (optional)
-* [JavaScript Load Image function](https://github.com/blueimp/JavaScript-Load-Image) v. 1.1.6+ (optional)
-* [JavaScript Canvas to Blob function](https://github.com/blueimp/JavaScript-Canvas-to-Blob) v. 2.0.0+ (optional)
-* [Bootstrap CSS Toolkit](https://github.com/twitter/bootstrap/) v. 2.0+ (optional)
-The jQuery UI widget factory is a requirement for the basic File Upload plugin, but very lightweight without any other dependencies.
-The jQuery Iframe Transport is required for [browsers without XHR file upload support](https://github.com/blueimp/jQuery-File-Upload/wiki/Browser-support).
-The UI version of the File Upload plugin also requires the JavaScript Templates engine as well as the JavaScript Load Image and JavaScript Canvas to Blob functions (for the image previews and resizing functionality). These dependencies are marked as optional, as the basic File Upload plugin can be used without them and the UI version of the plugin can be extended to override these dependencies with alternative solutions.
+### Mandatory requirements
+
+- [jQuery](https://jquery.com/) v1.7+
+- [jQuery UI widget factory](https://api.jqueryui.com/jQuery.widget/) v1.9+
+ (included): Required for the basic File Upload plugin, but very lightweight
+ without any other dependencies from the jQuery UI suite.
+- [jQuery Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/jquery.iframe-transport.js)
+ (included): Required for
+ [browsers without XHR file upload support](https://github.com/blueimp/jQuery-File-Upload/wiki/Browser-support).
+
+### Optional requirements
-The User Interface is built with Twitter's [Bootstrap](https://github.com/twitter/bootstrap/) Toolkit. This enables a CSS based, responsive layout and fancy transition effects on modern browsers. The demo also includes the [Bootstrap Image Gallery Plugin](https://github.com/blueimp/Bootstrap-Image-Gallery). Both of these components are optional and not required.
+- [JavaScript Templates engine](https://github.com/blueimp/JavaScript-Templates)
+ v3+: Used to render the selected and uploaded files.
+- [JavaScript Load Image library](https://github.com/blueimp/JavaScript-Load-Image)
+ v2+: Required for the image previews and resizing functionality.
+- [JavaScript Canvas to Blob polyfill](https://github.com/blueimp/JavaScript-Canvas-to-Blob)
+ v3+:Required for the resizing functionality.
+- [blueimp Gallery](https://github.com/blueimp/Gallery) v2+: Used to display the
+ uploaded images in a lightbox.
+- [Bootstrap](https://getbootstrap.com/) v3+: Used for the demo design.
+- [Glyphicons](https://glyphicons.com/) Icon set used by Bootstrap.
-The repository also includes the [jQuery XDomainRequest Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/cors/jquery.xdr-transport.js), which enables Cross-domain AJAX requests (GET and POST only) in Microsoft Internet Explorer >= 8. However, the XDomainRequest object doesn't support file uploads and the plugin is only used by the [Demo](http://blueimp.github.com/jQuery-File-Upload/) for Cross-domain requests to delete uploaded files from the demo file upload service.
+### Cross-domain requirements
-[Cross-domain File Uploads](https://github.com/blueimp/jQuery-File-Upload/wiki/Cross-domain-uploads) using the [Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/jquery.iframe-transport.js) require a redirect back to the origin server to retrieve the upload results. The [example implementation](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/main.js) makes use of [result.html](https://github.com/blueimp/jQuery-File-Upload/blob/master/cors/result.html) as a static redirect page for the origin server.
+[Cross-domain File Uploads](https://github.com/blueimp/jQuery-File-Upload/wiki/Cross-domain-uploads)
+using the
+[Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/jquery.iframe-transport.js)
+require a redirect back to the origin server to retrieve the upload results. The
+[example implementation](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/main.js)
+makes use of
+[result.html](https://github.com/blueimp/jQuery-File-Upload/blob/master/cors/result.html)
+as a static redirect page for the origin server.
+
+The repository also includes the
+[jQuery XDomainRequest Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/cors/jquery.xdr-transport.js),
+which enables limited cross-domain AJAX requests in Microsoft Internet Explorer
+8 and 9 (IE 10 supports cross-domain XHR requests).
+The XDomainRequest object allows GET and POST requests only and doesn't support
+file uploads. It is used on the
+[Demo](https://blueimp.github.io/jQuery-File-Upload/) to delete uploaded files
+from the cross-domain demo file upload service.
## Browsers
-The File Upload plugin is regularly tested with the latest browser versions and supports the following minimal versions:
-* Google Chrome - 7.0+
-* Apple Safari - 4.0+
-* Mozilla Firefox - 3.0+
-* Opera - 10.0+
-* Microsoft Internet Explorer 6.0+
+### Desktop browsers
+
+The File Upload plugin is regularly tested with the latest browser versions and
+supports the following minimal versions:
+
+- Google Chrome
+- Apple Safari 4.0+
+- Mozilla Firefox 3.0+
+- Opera 11.0+
+- Microsoft Internet Explorer 6.0+
+
+### Mobile browsers
+
+The File Upload plugin has been tested with and supports the following mobile
+browsers:
+
+- Apple Safari on iOS 6.0+
+- Google Chrome on iOS 6.0+
+- Google Chrome on Android 4.0+
+- Default Browser on Android 2.3+
+- Opera Mobile 12.0+
+
+### Extended browser support information
-Drag & Drop is only supported on Google Chrome, Firefox 4.0+, Safari 5.0+ and Opera 12.0+.
-Microsoft Internet Explorer has no support for multiple file selection or upload progress.
+For a detailed overview of the features supported by each browser version and
+known operating system / browser bugs, please have a look at the
[Extended browser support information](https://github.com/blueimp/jQuery-File-Upload/wiki/Browser-support).
+## Testing
+
+The project comes with three sets of tests:
+
+1. Code linting using [ESLint](https://eslint.org/).
+2. Unit tests using [Mocha](https://mochajs.org/).
+3. End-to-end tests using [blueimp/wdio](https://github.com/blueimp/wdio).
+
+To run the tests, follow these steps:
+
+1. Start [Docker](https://docs.docker.com/).
+2. Install development dependencies:
+ ```sh
+ npm install
+ ```
+3. Run the tests:
+ ```sh
+ npm test
+ ```
+
+## Support
+
+This project is actively maintained, but there is no official support channel.
+If you have a question that another developer might help you with, please post
+to
+[Stack Overflow](https://stackoverflow.com/questions/tagged/blueimp+jquery+file-upload)
+and tag your question with `blueimp jquery file upload`.
+
## License
-Released under the [MIT license](http://www.opensource.org/licenses/MIT).
+
+Released under the [MIT license](https://opensource.org/licenses/MIT).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..433a6853c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,227 @@
+# File Upload Security
+
+## Contents
+
+- [Introduction](#introduction)
+- [Purpose of this project](#purpose-of-this-project)
+- [Mitigations against file upload risks](#mitigations-against-file-upload-risks)
+ - [Prevent code execution on the server](#prevent-code-execution-on-the-server)
+ - [Prevent code execution in the browser](#prevent-code-execution-in-the-browser)
+ - [Prevent distribution of malware](#prevent-distribution-of-malware)
+- [Secure file upload serving configurations](#secure-file-upload-serving-configurations)
+ - [Apache config](#apache-config)
+ - [NGINX config](#nginx-config)
+- [Secure image processing configurations](#secure-image-processing-configurations)
+- [ImageMagick config](#imagemagick-config)
+
+## Introduction
+
+For an in-depth understanding of the potential security risks of providing file
+uploads and possible mitigations, please refer to the
+[OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+documentation.
+
+To securely setup the project to serve uploaded files, please refer to the
+sample
+[Secure file upload serving configurations](#secure-file-upload-serving-configurations).
+
+To mitigate potential vulnerabilities in image processing libraries, please
+refer to the
+[Secure image processing configurations](#secure-image-processing-configurations).
+
+By default, all sample upload handlers allow only upload of image files, which
+mitigates some attack vectors, but should not be relied on as the only
+protection.
+
+Please also have a look at the
+[list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which
+relates mostly to the sample server-side upload handlers and how they have been
+configured.
+
+## Purpose of this project
+
+Please note that this project is not a complete file management product, but
+foremost a client-side file upload library for [jQuery](https://jquery.com/).
+The server-side sample upload handlers are just examples to demonstrate the
+client-side file upload functionality.
+
+To make this very clear, there is **no user authentication** by default:
+
+- **everyone can upload files**
+- **everyone can delete uploaded files**
+
+In some cases this can be acceptable, but for most projects you will want to
+extend the sample upload handlers to integrate user authentication, or implement
+your own.
+
+It is also up to you to configure your web server to securely serve the uploaded
+files, e.g. using the
+[sample server configurations](#secure-file-upload-serving-configurations).
+
+## Mitigations against file upload risks
+
+### Prevent code execution on the server
+
+To prevent execution of scripts or binaries on server-side, the upload directory
+must be configured to not execute files in the upload directory (e.g.
+`server/php/files` as the default for the PHP upload handler) and only treat
+uploaded files as static content.
+
+The recommended way to do this is to configure the upload directory path to
+point outside of the web application root.
+Then the web server can be configured to serve files from the upload directory
+with their default static files handler only.
+
+Limiting file uploads to a whitelist of safe file types (e.g. image files) also
+mitigates this issue, but should not be the only protection.
+
+### Prevent code execution in the browser
+
+To prevent execution of scripts on client-side, the following headers must be
+sent when delivering generic uploaded files to the client:
+
+```
+Content-Type: application/octet-stream
+X-Content-Type-Options: nosniff
+```
+
+The `Content-Type: application/octet-stream` header instructs browsers to
+display a download dialog instead of parsing it and possibly executing script
+content e.g. in HTML files.
+
+The `X-Content-Type-Options: nosniff` header prevents browsers to try to detect
+the file mime type despite the given content-type header.
+
+For known safe files, the content-type header can be adjusted using a
+**whitelist**, e.g. sending `Content-Type: image/png` for PNG files.
+
+### Prevent distribution of malware
+
+To prevent attackers from uploading and distributing malware (e.g. computer
+viruses), it is recommended to limit file uploads only to a whitelist of safe
+file types.
+
+Please note that the detection of file types in the sample file upload handlers
+is based on the file extension and not the actual file content. This makes it
+still possible for attackers to upload malware by giving their files an image
+file extension, but should prevent automatic execution on client computers when
+opening those files.
+
+It does not protect at all from exploiting vulnerabilities in image display
+programs, nor from users renaming file extensions to inadvertently execute the
+contained malicious code.
+
+## Secure file upload serving configurations
+
+The following configurations serve uploaded files as static files with the
+proper headers as
+[mitigation against file upload risks](#mitigations-against-file-upload-risks).
+Please do not simply copy&paste these configurations, but make sure you
+understand what they are doing and that you have implemented them correctly.
+
+> Always test your own setup and make sure that it is secure!
+
+e.g. try uploading PHP scripts (as "example.php", "example.php.png" and
+"example.png") to see if they get executed by your web server, e.g. the content
+of the following sample:
+
+```php
+GIF89ad
+ # Some of the directives require the Apache Headers module. If it is not
+ # already enabled, please execute the following command and reload Apache:
+ # sudo a2enmod headers
+ #
+ # Please note that the order of directives across configuration files matters,
+ # see also:
+ # https://httpd.apache.org/docs/current/sections.html#merging
+
+ # The following directive matches all files and forces them to be handled as
+ # static content, which prevents the server from parsing and executing files
+ # that are associated with a dynamic runtime, e.g. PHP files.
+ # It also forces their Content-Type header to "application/octet-stream" and
+ # adds a "Content-Disposition: attachment" header to force a download dialog,
+ # which prevents browsers from interpreting files in the context of the
+ # web server, e.g. HTML files containing JavaScript.
+ # Lastly it also prevents browsers from MIME-sniffing the Content-Type,
+ # preventing them from interpreting a file as a different Content-Type than
+ # the one sent by the webserver.
+
+ SetHandler default-handler
+ ForceType application/octet-stream
+ Header set Content-Disposition attachment
+ Header set X-Content-Type-Options nosniff
+
+
+ # The following directive matches known image files and unsets the forced
+ # Content-Type so they can be served with their original mime type.
+ # It also unsets the Content-Disposition header to allow displaying them
+ # inline in the browser.
+
+ ForceType none
+ Header unset Content-Disposition
+
+
+```
+
+### NGINX config
+
+Add the following directive to the NGINX config, replacing the directory path
+with the absolute path to the upload directory:
+
+```Nginx
+location ^~ /path/to/project/server/php/files {
+ root html;
+ default_type application/octet-stream;
+ types {
+ image/gif gif;
+ image/jpeg jpg;
+ image/png png;
+ }
+ add_header X-Content-Type-Options 'nosniff';
+ if ($request_filename ~ /(((?!\.(jpg)|(png)|(gif)$)[^/])+$)) {
+ add_header Content-Disposition 'attachment; filename="$1"';
+ # Add X-Content-Type-Options again, as using add_header in a new context
+ # dismisses all previous add_header calls:
+ add_header X-Content-Type-Options 'nosniff';
+ }
+}
+```
+
+## Secure image processing configurations
+
+The following configuration mitigates
+[potential image processing vulnerabilities with ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php-imagemagick)
+by limiting the attack vectors to a small subset of image types
+(`GIF/JPEG/PNG`).
+
+Please also consider using alternative, safer image processing libraries like
+[libvips](https://github.com/libvips/libvips) or
+[imageflow](https://github.com/imazen/imageflow).
+
+## ImageMagick config
+
+It is recommended to disable all non-required ImageMagick coders via
+[policy.xml](https://wiki.debian.org/imagemagick/security).
+To do so, locate the ImageMagick `policy.xml` configuration file and add the
+following policies:
+
+```xml
+
+
+
+
+
+
+
+
+```
diff --git a/VULNERABILITIES.md b/VULNERABILITIES.md
new file mode 100644
index 000000000..14f70b81d
--- /dev/null
+++ b/VULNERABILITIES.md
@@ -0,0 +1,118 @@
+# List of fixed vulnerabilities
+
+## Contents
+
+- [Potential vulnerabilities with PHP+ImageMagick](#potential-vulnerabilities-with-phpimagemagick)
+- [Remote code execution vulnerability in the PHP component](#remote-code-execution-vulnerability-in-the-php-component)
+- [Open redirect vulnerability in the GAE components](#open-redirect-vulnerability-in-the-gae-components)
+- [Cross-site scripting vulnerability in the Iframe Transport](#cross-site-scripting-vulnerability-in-the-iframe-transport)
+
+## Potential vulnerabilities with PHP+ImageMagick
+
+> Mitigated: 2018-10-25 (GMT)
+
+The sample [PHP upload handler](server/php/UploadHandler.php) before
+[v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1)
+did not validate file signatures before invoking
+[ImageMagick](https://www.imagemagick.org/) (via
+[Imagick](https://php.net/manual/en/book.imagick.php)).
+Verifying those
+[magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates
+potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.
+
+Please also configure ImageMagick to only enable the coders required for
+`GIF/JPEG/PNG` processing, e.g. with the sample
+[ImageMagick config](SECURITY.md#imagemagick-config).
+
+**Further information:**
+
+- Commit containing the mitigation:
+ [fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
+- [ImageTragick](https://imagetragick.com/)
+- [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
+- [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)
+
+## Remote code execution vulnerability in the PHP component
+
+> Fixed: 2018-10-23 (GMT)
+
+The sample [PHP upload handler](server/php/UploadHandler.php) before
+[v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1)
+allowed to upload all file types by default.
+This opens up a remote code execution vulnerability, unless the server is
+configured to not execute (PHP) files in the upload directory
+(`server/php/files`).
+
+The provided [.htaccess](server/php/files/.htaccess) file includes instructions
+for Apache to disable script execution, however
+[.htaccess support](https://httpd.apache.org/docs/current/howto/htaccess.html)
+is disabled by default since Apache `v2.3.9` via
+[AllowOverride Directive](https://httpd.apache.org/docs/current/mod/core.html#allowoverride).
+
+**You are affected if you:**
+
+1. A) Uploaded jQuery File Upload < `v9.24.1` on a Webserver that executes files
+ with `.php` as part of the file extension (e.g. "example.php.png"), e.g.
+ Apache with `mod_php` enabled and the following directive (_not a recommended
+ configuration_):
+ ```ApacheConf
+ AddHandler php5-script .php
+ ```
+ B) Uploaded jQuery File Upload < `v9.22.1` on a Webserver that executes files
+ with the file extension `.php`, e.g. Apache with `mod_php` enabled and the
+ following directive:
+ ```ApacheConf
+
+ SetHandler application/x-httpd-php
+
+ ```
+2. Did not actively configure your Webserver to not execute files in the upload
+ directory (`server/php/files`).
+3. Are running Apache `v2.3.9+` with the default `AllowOverride` Directive set
+ to `None` or another Webserver with no `.htaccess` support.
+
+**How to fix it:**
+
+1. Upgrade to the latest version of jQuery File Upload.
+2. Configure your Webserver to not execute files in the upload directory, e.g.
+ with the [sample Apache configuration](SECURITY.md#apache-config)
+
+**Further information:**
+
+- Commits containing the security fix:
+ [aeb47e5](https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f),
+ [ad4aefd](https://github.com/blueimp/jQuery-File-Upload/commit/ad4aefd96e4056deab6fea2690f0d8cf56bb2d7d)
+- [Full disclosure post on Hacker News](https://news.ycombinator.com/item?id=18267309).
+- [CVE-2018-9206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206)
+- [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+
+## Open redirect vulnerability in the GAE components
+
+> Fixed: 2015-06-12 (GMT)
+
+The sample Google App Engine upload handlers before
+v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1)
+accepted any URL as redirect target, making it possible to use the Webserver's
+domain for phishing attacks.
+
+**Further information:**
+
+- Commit containing the security fix:
+ [f74d2a8](https://github.com/blueimp/jQuery-File-Upload/commit/f74d2a8c3e3b1e8e336678d2899facd5bcdb589f)
+- [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
+
+## Cross-site scripting vulnerability in the Iframe Transport
+
+> Fixed: 2012-08-09 (GMT)
+
+The [redirect page](cors/result.html) for the
+[Iframe Transport](js/jquery.iframe-transport.js) before commit
+[4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
+(_fixed in all tagged releases_) allowed executing arbitrary JavaScript in the
+context of the Webserver.
+
+**Further information:**
+
+- Commit containing the security fix:
+ [4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
+- [OWASP - Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
diff --git a/cors/postmessage.html b/cors/postmessage.html
index 34e73c80b..3f37e4067 100644
--- a/cors/postmessage.html
+++ b/cors/postmessage.html
@@ -1,75 +1,85 @@
-
+
-
-
-jQuery File Upload Plugin postMessage API
-
-
-
-
+
+
+
-
-
\ No newline at end of file
+ }
+ e.source.postMessage(
+ {
+ id: s.id,
+ status: jqXHR.status,
+ statusText: statusText,
+ result: result,
+ headers: jqXHR.getAllResponseHeaders()
+ },
+ e.origin
+ );
+ });
+ });
+
+
+