Skip to content

Release v2.7.4 - 2026-06-12

Latest

Choose a tag to compare

@MarSeventh MarSeventh released this 12 Jun 11:30

CloudFlare-ImgBed v2.7.4 🥳

Add Features:

  • Added /upload/huggingface/completeMultipart to proxy HuggingFace LFS multipart completion for large direct uploads
  • HuggingFace direct upload URL generation now rewrites multipart completion URLs to an internal endpoint, enabling multipart completion in Cloudflare Workers deployments
  • Added publicUrl to successful Upload API responses. When a default URL prefix is set, basic uploads and chunked-upload merge return this public access link

Optimization:

  • Unified WebDAV credential resolution into the shared channel credential flow, so read, delete, move, and rename operations use the same configuration source
  • Reduced persisted file metadata for S3, Telegram, Discord, HuggingFace, WebDAV, and related channels by no longer storing fields that can be read from the current channel configuration
  • Management file details now dynamically enrich S3Location, S3CdnFileUrl, HfFileUrl, WebDAVPublicUrl, and similar display fields from the current channel configuration, so displayed links refresh after config changes
  • File read, delete, move, and rename operations now resolve credentials through the current channel configuration; legacy Telegram/TelegramNew records without ChannelName fall back to Telegram_env
  • Added fallback channel matching based on unique identity fields stored in legacy metadata, allowing files to keep resolving to the current Telegram, S3/R2, Discord, HuggingFace, or WebDAV channel configuration after a channel is renamed
  • Added channel-name immutability hints in channel settings and disabled channel-name editing to prevent breaking the association between uploaded files and their channel configuration
  • Added frontend validation for user and admin session max age in System Settings > Security Settings, restricting values to 1-3650 days

Security:

  • Management file list, batch list, custom file list, and metadata APIs now filter sensitive S3, Telegram, Discord, HuggingFace, and WebDAV credentials from returned metadata
  • File read, delete, move, and rename operations now prefer current channel configuration for credentials, reducing the need to store or expose credentials in file metadata
  • WebDAVBaseUrl in metadata now strips URL userinfo to avoid leaking usernames or passwords through management API responses
  • Management metadata, tag, allow/block list, move, rename, and backup restore write paths now consistently remove sensitive and config-derived fields, preventing old backups or legacy records from writing credentials back
  • Admin login, user login, and session checks now return 503 when security settings cannot be loaded, preventing fallback to an empty default authentication config
  • Session max-age settings are now normalized on the backend; timestamp-like or out-of-range values fall back to 14 days to avoid Cloudflare KV expirationTtl range errors

Fix Bugs:

  • Fixed HuggingFace file HEAD responses returning Content-Length: 0; the handler now uses uploaded metadata (FileSizeBytes) to report the actual file size, improving browser and player media probing
  • Fixed HuggingFace direct upload URL requests requiring fileType; files without a MIME type now fall back to application/octet-stream
  • Improved HuggingFace multipart completion target and parts validation so invalid requests return 400 instead of 500
  • Fixed WebDAV public URL reads changing the original 404/403 status into 500 when the WebDAV API fallback also failed
  • Fixed file details still showing stale S3Location or CDN links after changing S3 endpoint/CDN configuration
  • Fixed S3 move or rename failures potentially moving the database record even when the remote S3 operation failed
  • Fixed large admin file lists stopping before all pages were appended even when later load-more requests succeeded
  • Changed channel deletion confirmation into a risk warning that clearly states files associated with the deleted channel may become inaccessible
  • Fixed chunked uploads failing when some browsers cannot detect a file MIME type and the frontend sends an empty originalFileType; the upload form now falls back to application/octet-stream
  • Fixed admin login returning HTTP 500 when an abnormal millisecond timestamp was used as the Cloudflare KV expirationTtl

Add Features:

  • 新增 HuggingFace 大文件分片直传完成接口 /upload/huggingface/completeMultipart,用于代理完成 LFS multipart 上传
  • HuggingFace 直传获取上传地址时会自动将 multipart 完成地址改写为站点内接口,支持 Cloudflare Workers 部署下完成分片上传
  • 上传 API 成功响应新增 publicUrl 字段;设置默认 URL 前缀后,普通上传和分块合并会返回该公开访问链接

Optimization:

  • WebDAV 凭据解析统一到通用渠道凭据链路,读取、删除、移动、重命名等操作使用同一套配置来源
  • 精简文件 metadata 持久化内容,S3、Telegram、Discord、HuggingFace、WebDAV 等渠道不再保存可从当前渠道配置读取的配置字段
  • 管理端文件详情会按当前渠道配置动态补齐 S3Location、S3CdnFileUrl、HfFileUrl、WebDAVPublicUrl 等展示字段,配置修改后展示链接会随之刷新
  • 文件读取、删除、移动、重命名统一通过当前渠道配置解析凭据;旧版缺少 ChannelName 的 Telegram/TelegramNew 记录会自动匹配 Telegram_env
  • 读取旧文件 metadata 时新增基于渠道唯一标识字段的兜底匹配策略,渠道改名后仍可通过历史 metadata 中的 Telegram、S3/R2、Discord、HuggingFace、WebDAV 等标识字段匹配到当前配置
  • 渠道设置中新增渠道名称不可修改提示,编辑渠道时禁用渠道名称输入,避免已上传文件与渠道配置的关联被误改
  • 系统设置的会话安全策略中,用户端和管理端会话有效期新增 1-3650 天的前端表单校验

Security:

  • 管理端文件列表、批量列表、自定义文件列表和元数据接口返回 metadata 时会过滤 S3、Telegram、Discord、HuggingFace、WebDAV 等渠道敏感凭据
  • 文件读取、删除、移动、重命名等操作优先从当前渠道配置解析凭据,减少凭据写入或暴露在文件 metadata 中的风险
  • WebDAV metadata 中的 WebDAVBaseUrl 会清理 URL userinfo,避免用户名或密码随管理端接口响应泄露
  • 管理端元数据、标签、黑白名单、移动、重命名、备份恢复等写回路径会统一清理敏感字段和配置派生字段,避免旧版备份或旧记录再次写入凭据
  • 管理端、用户端登录和会话检查在安全配置读取失败时改为返回 503,避免异常情况下使用默认空认证配置放行
  • 会话有效期配置新增后端规范化,异常时间戳或超出范围的值会回退为 14 天,避免写入 Cloudflare KV 时触发 expirationTtl 越界

Fix Bugs:

  • 修复 HuggingFace 渠道文件 HEAD 请求返回 Content-Length: 0 的问题,现在会优先使用上传元数据中的 FileSizeBytes 返回真实文件大小,改善浏览器和播放器对媒体文件的预检与进度识别
  • 修复 HuggingFace 直传接口将 fileType 作为必填项导致部分无 MIME 类型文件无法获取上传地址的问题,现在默认使用 application/octet-stream
  • 改进 HuggingFace multipart 完成接口的目标地址和分片参数校验,非法请求会返回 400 而不是 500
  • 修复 WebDAV 使用公开地址读取失败后,API 回退读取也失败时可能把原始 404/403 状态改写为 500 的问题
  • 修复修改 S3 endpoint/CDN 等配置后,前端文件详情仍可能显示旧 S3Location 或旧 CDN 链接的问题
  • 修复 S3 文件移动或重命名远端操作失败时,数据库记录仍可能被移动到新路径的问题
  • 修复管理面板大批量文件分页加载时,后续接口成功返回但前端不再追加页面,导致无法继续加载完整列表的问题
  • 删除渠道确认弹窗改为风险提醒,明确提示删除后关联该渠道的文件可能无法访问
  • 修复分块上传部分浏览器无法识别文件 MIME Type 时,前端未传递 originalFileType 导致上传失败的问题;现在会默认使用 application/octet-stream 兜底
  • 修复管理员登录时异常毫秒时间戳被当作 KV expirationTtl 使用,导致 Cloudflare Worker 返回 500 的问题