We are happy to announce the latest release of our file manager, CKFinder 2.2. This is a security release that contains a fix for a known vulnerability in IIS 6.0 web servers, so an upgrade is highly recommended.
In addition to the security fix, this release contains a few exciting new features, including HTML5 multiple file uploads, read-only mode, and the lightbox plugin, as well as numerous bug fixes.
Read-only Mode and Lightbox Plugin
We have just introduced the possibility to put CKFinder in the read-only mode thanks to the config.readOnly setting. Once this option is set, your users will be able to browse and view your files, but will be unable to modify them.
Please note that this setting only disables some UI elements, so if you want to completely block user operations such as upload or file editing, you will need to adjust your ACL settings accordingly in the server-side configuration file.
This new feature will let you use CKFinder as an online gallery aimed at presenting your photos, movies, or other files to your users without letting them modify your collection.
Another new feature that can make using CKFinder as an online gallery even more attractive is the new Gallery plugin that lets you display your images by using a lightbox effect instead of showing them in a new browser window or tab.
This way you can quickly view all your image files, using either the lightbox buttons or the arrow keys on your keyboard to display the next/previous image in a slideshow. CKFinder is extremely flexible in this regard and supports multiple lightbox libraries, so you can choose the one that you fancy most or use Colorbox, which is enabled by default.
HTML5 Multiple File Uploads and Drag&Drop
We have decided to base our multiple file upload feature on HTML5 capabilities. Since version 2.2 multiple file uploads will use HTML5 technology in all browsers that support this feature, including Firefox, Chrome, Internet Explorer 10 and Opera 12. Flash upload will now be used in older versions of Internet Explorer or Opera browsers only.
In addition to that we have also introduced the possibility to upload files by using the drag and drop feature. You can now select one or more photos on your local computer, drag them to the CKFinder Files Panel, and drop in order to send them to the server.
Please note that the drag and drop feature works exclusively in Firefox, Chrome, Safari, Internet Explorer 10, and Opera 12.
Security Patch for IIS6
The security fix provided in this CKFinder release is related to a vulnerability discovered in Microsoft Internet Information Services 6 (IIS6): the web server incorrectly executes code (e.g. ASP) contained in a file that has multiple extensions separated by ";" (e.g. "file.asp;.jpg"), or in a file with an arbitrary extension located in a directory whose name ends with ".asp". You can read more about it here or here. If you follow the IIS best practices, this bug will not affect you, as the upload folder should never have "Execute" permissions (for any server and environment). This was stated, among others, by Microsoft itself, read more.
CKFinder now contains an additional disallowUnsafeCharacters configuration option that lets you decide whether or not you want to allow unsafe characters in file and folder names.
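As an added illustration (this is not CKFinder's code and does not describe how disallowUnsafeCharacters is implemented), here is a server-side name check covering the two IIS6 cases described above. The function names are hypothetical, and the rule that folder names may not contain any dot is an assumption that is stricter than the ".asp" case.

```javascript
// Added example, not CKFinder code. The rules are assumptions derived from
// the two IIS6 cases described in the text above.

// Returns null if the file name is acceptable, otherwise a reason string.
function checkFileName(name) {
  if (typeof name !== 'string' || name.length === 0) return 'empty file name';
  // First case from the text: extensions separated by ";" ("file.asp;.jpg").
  if (name.includes(';')) return 'semicolon in file name';
  return null;
}

// Returns null if the folder name is acceptable, otherwise a reason string.
function checkFolderName(name) {
  if (name.includes(';')) return 'semicolon in folder name';
  // Assumption: forbid every dot. This covers folders ending in ".asp"
  // and also rejects "." and ".." path segments.
  if (name.includes('.')) return 'dot in folder name';
  return null;
}

// Validates a relative upload target such as "photos/2012/cat.jpg".
// Every folder segment and the final file name must pass its check.
function checkUploadPath(relPath) {
  if (typeof relPath !== 'string') return 'path is not a string';
  const parts = relPath.split(/[\\/]+/).filter((p) => p.length > 0);
  if (parts.length === 0) return 'empty path';
  const fileName = parts.pop();
  for (const folder of parts) {
    const reason = checkFolderName(folder);
    if (reason) return `${reason}: ${folder}`;
  }
  const reason = checkFileName(fileName);
  return reason ? `${reason}: ${fileName}` : null;
}

// Constructed sample inputs (not taken from any real system).
const samples = [
  'photos/2012/cat.jpg',
  'file.asp;.jpg',
  'gallery.asp/cat.jpg',
  '../cat.jpg',
];
for (const s of samples) {
  console.log(s, '->', checkUploadPath(s) || 'ok');
}
```

A check like this complements, and does not replace, keeping "Execute" permissions off the upload folder.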
The CKFinder team would like to thank Soroush Dalili who discovered and reported this issue!
More New Features and Fixes
This release also contains plenty of minor new features and fixes. Improved detection and support for Android and iOS tablets were introduced. File sizes are now formatted and displayed in a more convenient fashion and the Upload feature works more intuitively now. Last but not least, issues with closing the browser tab in Internet Explorer and Opera should now be gone.
See the What's New? page for the full list of changes.
CKFinder 2.2.1 with Chrome 18 Fix
Chrome 18 contains a bug that makes it impossible to display the CKFinder popup window. A minor update to CKFinder 2.2 (numbered 2.2.1) was released on 2012-04-04 to address this issue. Please note that this problem does not occur in earlier or later Chrome versions nor in any other browser. You can get CKFinder 2.2.1 from the official CKFinder download site.
A new version of CKEditor fixing the same Chrome 18 bug (which blocks showing the CKFinder popup in this browser after you click the "Browse Server" button) will be released next week.