Gallery Server 4.0.1 released

Gallery Server 4.0.1 released

By | 2016-12-01T16:37:37+00:00 June 29th, 2016|Announcements|0 Comments

Today we pushed out Gallery Server 4.0.1. It contains several bug fixes but no new features. Applying it to your 4.0.0 installation is easy — just copy the files from the upgrade package over your existing installation. There are no web.config changes to merge and you don’t have to worry about the version_key.txt file or your license information. Get the upgrade package from your downloads page. If you are upgrading from earlier versions, follow the instructions in the QuickStart Guide.

You can read the full list of bug fixes on the release history page. Here I’ll mention the most important ones.

Sort not updated when title is changed

If an album is sorted by title and you change the title, the album was not resorted based on the new title. This has been fixed.

HTML may be removed from properties and extracted metadata

In 4.0.0 and earlier, only administrators were allowed to specify HTML in the titles and captions of albums and media assets. This setting was exposed on the User Settings page:

The 'allow HTML' option is disabled by default in 4.0.0 and earlier

If you were a less privileged user with edit permission, you could modify a property but any HTML (and JavaScript) was automatically stripped. This was intended behavior and implemented this way as a robust security precaution.

In 4.0.0, we introduced an HTML editor but left the default setting of disallowing HTML entry for non-admins. This caused the confusing scenario where the HTML editor let non-admins create rich text but the server would strip it all away, leaving only the plain text.

We reviewed the security risks of allowing user-entered HTML and have concluded it can be done safely. So, 4.0.1 enables the ‘allow HTML’ setting on the User Settings page, in both new and upgraded galleries:

The 'allow HTML' option is enabled in 4.0.1 and higher galleries

Notice that the HTML is limited to a white-listed set of tags and attributes. Feel free to edit this if you want to allow values that aren’t listed.

We still prohibit JavaScript by default, and we strongly recommend you leave it disabled. Read more about potential security risks with HTML and Javascript in our blog post Update for 2.3 includes fix for security vulnerability (it’s old but still relevant).

With this setting change, Gallery Server now allows all users that have edit permission to include HTML in titles, captions, and other properties. It also allows users to upload media files with embedded HTML metadata and have that HTML be shown properly formatted in the gallery.

If you prefer the original behavior, feel free to turn the setting off.

Order of encoder settings reversed on Video & Audio settings page

In our efforts to improve multi-threading support in 4.0.0, we replaced several collection classes with thread-safe ones. One of these was the collection that stores the list of FFmpeg encoder settings you see on the Video & Audio settings page. Unfortunately, the new collection class we chose had the unfortunate effect of reversing its contents when we saved the values to the database.

This meant that each time you clicked the save button on the Video & Audio page, the order of the encoder settings was reversed. This order is very important to how video and audio files are processed, and if you ended up reversing the default settings, Gallery Server would suddenly start creating Flash videos instead of H.264 MP4 videos.

You are only affected if you have FFmpeg from the Gallery Server Binary Pack installed and you saved settings on the Video & Audio page an odd number of times (1, 3, 5, etc) while running 4.0.0. Version 4.0.1 fixes the underlying collection class and also attempts to fix any reversed settings. It you left the settings at default values and they were reversed, the upgrade script puts them back in the correct order. However, if you customized the encoder settings, Gallery Server can’t differentiate between changes you intended and ones caused by the bug, so it plays it safe and leaves leaves them alone.

To confirm your settings are in the correct order, upgrade to 4.0.1 and check the Video & Audio settings page. By default the encoder settings look like the following screenshot. If any are out of order, drag the up/down arrow to correctly position them, then save.

Default FFmpeg encoder settings

If you ended up with some Flash video files instead of the desired MP4 ones, synchronize the containing albums with the ‘rebuild optimized versions’ option selected and Gallery Server will create new videos based on the fixed set of encoder settings.

About the Author:

Founder and Lead Developer of Gallery Server

Leave A Comment