CloudFlare-ImgBed v2.7.4 🥳
Add Features:
- Added
/upload/huggingface/completeMultipartto proxy HuggingFace LFS multipart completion for large direct uploads - HuggingFace direct upload URL generation now rewrites multipart completion URLs to an internal endpoint, enabling multipart completion in Cloudflare Workers deployments
- Added
publicUrlto successful Upload API responses. When a default URL prefix is set, basic uploads and chunked-upload merge return this public access link
Optimization:
- Unified WebDAV credential resolution into the shared channel credential flow, so read, delete, move, and rename operations use the same configuration source
- Reduced persisted file metadata for S3, Telegram, Discord, HuggingFace, WebDAV, and related channels by no longer storing fields that can be read from the current channel configuration
- Management file details now dynamically enrich S3Location, S3CdnFileUrl, HfFileUrl, WebDAVPublicUrl, and similar display fields from the current channel configuration, so displayed links refresh after config changes
- File read, delete, move, and rename operations now resolve credentials through the current channel configuration; legacy Telegram/TelegramNew records without
ChannelNamefall back toTelegram_env - Added fallback channel matching based on unique identity fields stored in legacy metadata, allowing files to keep resolving to the current Telegram, S3/R2, Discord, HuggingFace, or WebDAV channel configuration after a channel is renamed
- Added channel-name immutability hints in channel settings and disabled channel-name editing to prevent breaking the association between uploaded files and their channel configuration
- Added frontend validation for user and admin session max age in System Settings > Security Settings, restricting values to 1-3650 days
Security:
- Management file list, batch list, custom file list, and metadata APIs now filter sensitive S3, Telegram, Discord, HuggingFace, and WebDAV credentials from returned metadata
- File read, delete, move, and rename operations now prefer current channel configuration for credentials, reducing the need to store or expose credentials in file metadata
WebDAVBaseUrlin metadata now strips URL userinfo to avoid leaking usernames or passwords through management API responses- Management metadata, tag, allow/block list, move, rename, and backup restore write paths now consistently remove sensitive and config-derived fields, preventing old backups or legacy records from writing credentials back
- Admin login, user login, and session checks now return 503 when security settings cannot be loaded, preventing fallback to an empty default authentication config
- Session max-age settings are now normalized on the backend; timestamp-like or out-of-range values fall back to 14 days to avoid Cloudflare KV
expirationTtlrange errors
Fix Bugs:
- Fixed HuggingFace file
HEADresponses returningContent-Length: 0; the handler now uses uploaded metadata (FileSizeBytes) to report the actual file size, improving browser and player media probing - Fixed HuggingFace direct upload URL requests requiring
fileType; files without a MIME type now fall back toapplication/octet-stream - Improved HuggingFace multipart completion target and parts validation so invalid requests return 400 instead of 500
- Fixed WebDAV public URL reads changing the original 404/403 status into 500 when the WebDAV API fallback also failed
- Fixed file details still showing stale S3Location or CDN links after changing S3 endpoint/CDN configuration
- Fixed S3 move or rename failures potentially moving the database record even when the remote S3 operation failed
- Fixed large admin file lists stopping before all pages were appended even when later load-more requests succeeded
- Changed channel deletion confirmation into a risk warning that clearly states files associated with the deleted channel may become inaccessible
- Fixed chunked uploads failing when some browsers cannot detect a file MIME type and the frontend sends an empty
originalFileType; the upload form now falls back toapplication/octet-stream - Fixed admin login returning HTTP 500 when an abnormal millisecond timestamp was used as the Cloudflare KV
expirationTtl
Add Features:
- 新增 HuggingFace 大文件分片直传完成接口
/upload/huggingface/completeMultipart,用于代理完成 LFS multipart 上传 - HuggingFace 直传获取上传地址时会自动将 multipart 完成地址改写为站点内接口,支持 Cloudflare Workers 部署下完成分片上传
- 上传 API 成功响应新增
publicUrl字段;设置默认 URL 前缀后,普通上传和分块合并会返回该公开访问链接
Optimization:
- WebDAV 凭据解析统一到通用渠道凭据链路,读取、删除、移动、重命名等操作使用同一套配置来源
- 精简文件 metadata 持久化内容,S3、Telegram、Discord、HuggingFace、WebDAV 等渠道不再保存可从当前渠道配置读取的配置字段
- 管理端文件详情会按当前渠道配置动态补齐 S3Location、S3CdnFileUrl、HfFileUrl、WebDAVPublicUrl 等展示字段,配置修改后展示链接会随之刷新
- 文件读取、删除、移动、重命名统一通过当前渠道配置解析凭据;旧版缺少
ChannelName的 Telegram/TelegramNew 记录会自动匹配Telegram_env - 读取旧文件 metadata 时新增基于渠道唯一标识字段的兜底匹配策略,渠道改名后仍可通过历史 metadata 中的 Telegram、S3/R2、Discord、HuggingFace、WebDAV 等标识字段匹配到当前配置
- 渠道设置中新增渠道名称不可修改提示,编辑渠道时禁用渠道名称输入,避免已上传文件与渠道配置的关联被误改
- 系统设置的会话安全策略中,用户端和管理端会话有效期新增 1-3650 天的前端表单校验
Security:
- 管理端文件列表、批量列表、自定义文件列表和元数据接口返回 metadata 时会过滤 S3、Telegram、Discord、HuggingFace、WebDAV 等渠道敏感凭据
- 文件读取、删除、移动、重命名等操作优先从当前渠道配置解析凭据,减少凭据写入或暴露在文件 metadata 中的风险
- WebDAV metadata 中的
WebDAVBaseUrl会清理 URL userinfo,避免用户名或密码随管理端接口响应泄露 - 管理端元数据、标签、黑白名单、移动、重命名、备份恢复等写回路径会统一清理敏感字段和配置派生字段,避免旧版备份或旧记录再次写入凭据
- 管理端、用户端登录和会话检查在安全配置读取失败时改为返回 503,避免异常情况下使用默认空认证配置放行
- 会话有效期配置新增后端规范化,异常时间戳或超出范围的值会回退为 14 天,避免写入 Cloudflare KV 时触发
expirationTtl越界
Fix Bugs:
- 修复 HuggingFace 渠道文件
HEAD请求返回Content-Length: 0的问题,现在会优先使用上传元数据中的FileSizeBytes返回真实文件大小,改善浏览器和播放器对媒体文件的预检与进度识别 - 修复 HuggingFace 直传接口将
fileType作为必填项导致部分无 MIME 类型文件无法获取上传地址的问题,现在默认使用application/octet-stream - 改进 HuggingFace multipart 完成接口的目标地址和分片参数校验,非法请求会返回 400 而不是 500
- 修复 WebDAV 使用公开地址读取失败后,API 回退读取也失败时可能把原始 404/403 状态改写为 500 的问题
- 修复修改 S3 endpoint/CDN 等配置后,前端文件详情仍可能显示旧 S3Location 或旧 CDN 链接的问题
- 修复 S3 文件移动或重命名远端操作失败时,数据库记录仍可能被移动到新路径的问题
- 修复管理面板大批量文件分页加载时,后续接口成功返回但前端不再追加页面,导致无法继续加载完整列表的问题
- 删除渠道确认弹窗改为风险提醒,明确提示删除后关联该渠道的文件可能无法访问
- 修复分块上传部分浏览器无法识别文件 MIME Type 时,前端未传递
originalFileType导致上传失败的问题;现在会默认使用application/octet-stream兜底 - 修复管理员登录时异常毫秒时间戳被当作 KV
expirationTtl使用,导致 Cloudflare Worker 返回 500 的问题