jetforce/CHANGELOG.md

311 lines
13 KiB
Markdown
Raw Normal View History

2019-08-12 17:39:14 +02:00
# Jetforce Changelog
2021-01-06 05:59:48 +01:00
### v0.9.0 (unreleased)
2021-03-22 03:37:25 +01:00
N/A
### v0.8.2 (2021-03-21)
#### Fixes
2021-01-06 05:59:48 +01:00
2021-03-22 03:37:25 +01:00
- Fix trailing ``]`` at the end of auto-generated directory names.
2021-01-06 05:59:48 +01:00
2021-01-06 06:23:06 +01:00
### v0.8.1 (2021-01-06)
### Changes
- Remove new type hint syntax that was causing an error in python 3.7.
2021-01-06 05:59:48 +01:00
### v0.8.0 (2021-01-06)
#### Changes
2020-12-10 17:32:34 +01:00
- Added support for international domain names using IDN encoding.
- Several improvements to internal python type hinting coverage.
- Added a ``py.typed`` file to indicate project support for type hints.
- Optimized TCP packets when streaming directory listings.
- Optimized TCP packets when streaming large CGI responses.
- Improved error handling to catch invalid responses from CGI scripts.
- Fixed a bug where TLS_CLIENT_AUTHORISED would sometimes be set to
``True``/``False`` instead of ``1``/``0``.
- Fixed error handling edge case when the client killed the connection
before all data has been sent. A `CancelledError` exception will now
be raised internally instead of a ``ConnectionClosed`` exception.
2020-12-06 06:29:16 +01:00
### v0.7.0 (2020-12-06)
#### Spec Changes
- Requests containing URLs without a scheme are no longer accepted.
- The server will stop redirecting the root URL "gemini://example.com" to
"gemini://example.com/". These URLs are canonically the same per the url RFC
definition and should both return successful responses.
2020-11-30 06:09:46 +01:00
- The CGI variable TLS_CLIENT_HASH now formats the certificate hash as
"SHA256:\<HASH\>" where \<HASH\> is uppercase hexidecimal. The old base64
fingerprint will still be available as TLS_CLIENT_HASH_B64 to help migrate
existing CGI scripts, but it's recommended that you support the new hash
format moving forward.
2020-07-31 03:24:07 +02:00
### v0.6.0 (2020-07-30)
2020-07-27 06:02:51 +02:00
#### Bugfixes
2020-07-14 06:46:22 +02:00
- The default mimetype for unknown file extensions will now be sent as
"application/octet-stream" instead of "text/plain". The expectation is that
it would be safer for a client to download an unknown file rather than
attempting to display it inline as text.
2020-07-31 03:24:07 +02:00
- Fixed a bug that prevented loading the default mimetype definitions from
/etc/mime.types and other system-level files.
2020-07-14 06:46:22 +02:00
2020-07-27 06:02:51 +02:00
#### Features
- The static file server now has a ``--rate-limit`` flag that can be used
to define per-IP address rate limiting for requests. Requests that exceed
the specified rate will receive a 44 SLOW DOWN error response.
2020-07-31 03:24:07 +02:00
- Server access logs are now directed to ``stdout`` instead of ``stderr``.
Error traceback and other messages will still be directed to ``stderr``.
- File chunking size has been optimized for streaming large static files.
2020-07-27 06:02:51 +02:00
#### Examples
2020-07-27 06:09:00 +02:00
- Added an example that demonstrates how to use the new ``RateLimiter`` class
(examples/rate_limit.py).
2020-07-27 06:02:51 +02:00
2020-07-14 06:01:58 +02:00
### v0.5.0 (2020-07-14)
#### Spec Changes
2020-06-20 07:42:17 +02:00
- URLs with a userinfo component will now be rejected with a status of 59.
- The status code definitions have been updated to match the recent changes
to the gemini spec:
- 21 ``SUCCESS_END_OF_SESSION`` -> (removed)
- 61 ``TRANSIENT_CERTIFICATE_REQUESTED`` -> ``CERTIFICATE_NOT_AUTHORISED``
- 62 ``AUTHORISED_CERTIFICATE_REQUIRED`` -> ``CERTIFICATE_NOT_VALID``
- 63 ``CERTIFICATE_NOT_ACCEPTED`` -> (removed)
- 64 ``FUTURE_CERTIFICATE_REJECTED`` -> (removed)
- 65 ``EXPIRED_CERTIFICATE_REJECTED`` -> (removed)
2020-07-14 06:01:58 +02:00
#### Bugfixes
- Jetforce will now always terminate the TCP connection without waiting for a
TLS close_notify alert response from the client. This fixes a bug where some
clients would appear to hang after receiving the content from the server.
2020-07-14 06:01:58 +02:00
#### Features
- The jetforce-client tool now supports writing TLS keys to a logfile to
facilitate debugging TLS connections using tools like Wireshark.
- If an application response handler returns a twisted.Deferred object, the
errback will now be invoked when the TCP connection is closed.
- Error stack traces are no longer shown when the client prematurely closes
the connection.
#### Examples
- Added a new example that demonstrates streaming data to client connections
(examples/chatroom.py).
- Added a new example that demonstrates extending the static file server with
common patterns like redirects and authenticated directories
(examples/redirect.py).
2020-06-09 06:27:49 +02:00
### v0.4.0 (2020-06-09)
#### Features
- Added a ``--default-lang`` command line argument to the static file server.
This setting will define a language parameter that will be attached to the
meta for all text/gemini responses. For example, ``--default-lang=en`` will
set the response meta to ``"text/gemini; lang=en"``.
- Added support for the "11 SENSITIVE INPUT" status code.
- The response header now uses a <space> instead of a <tab> to separate the
status code from the meta text.
2020-06-09 06:27:49 +02:00
### v0.3.2 (2020-06-02)
#### Bugfixes
- The static file server will now URL-encode spaces (%20) and other reserved
characters in filenames.
- The ``Request`` class will now apply URL decoding to the following components
of the request, in addition to the query params:
- ``request.path``
- ``request.params``
- ``request.fragment``
2020-06-09 06:27:49 +02:00
### v0.3.1 (2020-06-01)
#### Bugfixes
- The client certificate fingerprint hash is now encoded using a URL-safe
2020-06-01 20:59:26 +02:00
version of the base64 algorithm [urlsafe_b64encode()](https://docs.python.org/3/library/base64.html#base64.urlsafe_b64encode).
This is intended to make it simpler for applications and CGI scripts to
use the certificate fingerprint in URL paths.
2020-06-09 06:27:49 +02:00
### v0.3.0 (2020-05-21)
2020-01-13 01:31:48 +01:00
This release brings some major improvements and necessary refactoring of the
jetforce package. Please read the release notes carefully and exercise caution
when upgrading from previous versions of jetforce.
#### For users of the static file server
If you are running jetforce only as a static file & CGI server (i.e. you
are using the command-line and haven't written any custom python applications),
you should not need to make any changes.
There have been some minor updates to the CGI variables, and new CGI variables
2020-05-31 06:19:29 +02:00
have been added with additional TLS information. Check out the README for more
information on CGI variables.
This package now has third-party python dependencies. If you installed jetforce
2020-05-31 06:19:29 +02:00
through pip, you should already be fine. If you were running the ``jetforce.py``
script directly from the git repository, you will likely either want to switch
to installing from pip (recommended), or setup a virtual environment and run
``python setup.py install``. This will install the dependencies and stick a
``jetforce`` executable into your system path.
#### jetforce-diagnostics
The ``jetforce-diagnostics`` script is no longer included as part of jetforce.
It has been moved to its own repository at
[gemini-diagnostics](https://github.com/michael-lazar/gemini-diagnostics).
#### Code Structure
The underlying TCP server framework has been switched from asyncio+ssl to
twisted+PyOpenSSL. This change was necessary to allow support for self-signed
client certificates. The new framework provides more access to hook into the
OpenSSL library and implement non-standard TLS behavior.
I tried to isolate the framework changes to the ``GeminiServer`` layer. This
means that if you subclassed from the ``JetforceApplication``, you will likely
not need to change anything in your application code. Launching a jetforce
server from inside of python code has been simplified (no more setting up the
asyncio event loop!).
```
server = GeminiServer(app)
server.run()
```
Check out the updated examples in the *examples/* directory for more details.
#### TLS Client Certificates
Jetforce will now accept self-signed and unvalidated client certificates. The
``capath`` and ``cafile`` arguments can still be provided, and will attempt to
validate the certificate using of the underlying OpenSSL library. The result
of this validation will be saved in the ``TLS_CLIENT_AUTHORISED`` environment
variable so that each application can decide how it wants to accept/reject the
connection.
In order to facilitate TOFU verification schemes, a fingerprint of the client
certificate is now computed and saved in the ``TLS_CLIENT_HASH`` environment
variable.
#### Other Changes
- A client certificate can now have an empty ``commonName`` field.
2020-05-26 06:25:48 +02:00
- ``JetforceApplication.route()`` - named capture groups in regex patterns will
now be passed as keyword arguments to the wrapped function. See
examples/pagination.py for an example of how to use this feature.
2020-05-26 06:25:48 +02:00
- ``CompositeApplication`` - A class is now included to support composing
2020-05-31 06:19:29 +02:00
multiple applications behind the same jetforce server. See examples/vhost.py
for an example of how to use this feature.
2020-05-26 06:25:48 +02:00
- CGI variables - ``SCRIPT_NAME`` and ``PATH_INFO`` have been changed to match
their intended usage as defined in RFC 3875.
- CGI variables - ``TLS_CIPHER`` and ``TLS_VERSION`` have been added and
contain information about the established TLS connection.
2020-05-26 06:25:48 +02:00
- Applications can now optionally return ``Deferred`` objects instead of bytes,
2020-05-31 06:19:29 +02:00
in order to support applications built on top of asynchronous coroutines.
### v0.2.3 (2020-05-24)
- Fix a security vulnerability that allowed maliciously crafted URLs to break
out of the root server directory.
### v0.2.2 (2020-03-31)
- Fix a regression in path matching for the static directory application.
### v0.2.1 (2020-03-31)
2020-03-31 06:40:10 +02:00
- A hostname can now be specified in the route pattern, to facilitate running
multiple vhosts on a single jetforce server.
2020-03-26 20:48:44 +01:00
- Route patterns now use ``re.fullmatch()`` and will no longer trigger on
partial matches.
2020-03-11 05:06:22 +01:00
- Jetforce will no longer raise an exception when attempting to log dropped
connections or other malformed requests.
- Added the following CGI variables for client certificates:
2020-03-26 20:48:44 +01:00
TLS_CLIENT_NOT_BEFORE, TLS_CLIENT_NOT_AFTER, TLS_CLIENT_SERIAL_NUMBER
2020-01-22 00:17:33 +01:00
### v0.2.0 (2020-01-21)
2020-01-22 00:17:33 +01:00
2020-01-13 01:31:48 +01:00
#### Features
- Added support for python 3.8.
2020-01-13 02:36:00 +01:00
- Added a new server diagnostics tool, ``jetforce-diagnostics``.
2020-01-13 01:31:48 +01:00
- Added ability to binding to IPv6 addresses (if supported by your OS):
2020-01-13 02:36:00 +01:00
- For IPv4 : ``--host "0.0.0.0"``
- For IPv6 : ``--host "::"``
- For IPv4 + IPv6 : ``--host ""``
2020-01-13 01:31:48 +01:00
- Various improvements have been made to the project documentation.
#### Bugfixes
- A URL missing a scheme will now be interpreted as "gemini://".
2020-01-13 02:36:00 +01:00
- A request to the root URL without a trailing slash will now return a
``31 PERMANENT REDIRECT``.
2020-01-13 01:31:48 +01:00
- Requests containing an invalid or unparsable URL format will now return a
2020-01-13 02:36:00 +01:00
status of ``59 BAD REQUEST`` instead of ``50 PERMANENT FAILURE``.
2020-01-13 01:31:48 +01:00
- Files starting with ``~`` will now be included in directory listings.
- Requests containing an incorrect scheme, hostname, or port will now return a
2020-01-13 02:36:00 +01:00
``53 PROXY REFUSED`` instead of a ``50 PERMANENT FAILURE``.
2020-01-13 01:31:48 +01:00
- The port number in the URL (if provided) is now validated against the
server's port number.
2020-01-13 02:36:00 +01:00
- OS errors when attempting to read a file will return a ``51 NOT FOUND``
status instead of a ``42 CGI Error``. This is a precaution to prevent leaking
sensitive information about the server's filesystem.
- For security, unhandled exceptions will now display a generic error message
instead of the plain exception string.
2020-01-13 01:31:48 +01:00
2019-09-23 04:13:00 +02:00
### v0.1.0 (2019-09-22)
2019-09-23 03:59:20 +02:00
- The server will now return a redirect if a directory is requested but the URL
2019-09-23 04:13:00 +02:00
does not end in a trailing slash. This is intended to reduce duplicate
selectors and make it easier for clients to resolve relative links.
2019-09-23 03:59:20 +02:00
- Added a ``-V`` / ``--version`` argument to display the version and exit.
2019-09-23 04:13:00 +02:00
- The server now returns an error code of ``50 PERMENANT FAILURE`` by default
if the URL does not match the server's scheme or hostname.
- Timestamps in log messages are now displayed in the server's local timezone.
As before, the UTC offset is included as "+HHMM" to avoid ambiguity.
2019-09-23 03:59:20 +02:00
2019-08-30 05:51:25 +02:00
### v0.0.7 (2019-08-30)
2019-08-23 15:45:24 +02:00
2019-08-30 05:51:25 +02:00
- Added support for a primitive version of CGI scripting.
- Added support for TLS client certificate verification.
- The directory index file has been changed from ".gemini" to "index.gmi".
- Files with the ".gemini" extension are now recognized as *text/gemini*.
- Several minor improvements to the internal codebase and API.
2019-08-23 15:45:24 +02:00
2019-08-23 01:34:04 +02:00
### v0.0.6 (2019-08-22)
- Significant refactoring of the base application interface.
- Added built-in support for URL routing based on the request path.
- Added support for accepting input using query strings.
2019-08-30 05:51:25 +02:00
- Files with the ".gmi" extension are now recognized as *text/gemini*.
2019-08-23 01:34:04 +02:00
- Added a new examples/ directory with the following applications
- A bare bones echo server
- A guestbook application
- An HTTP/HTTPS proxy server
2019-08-12 17:39:14 +02:00
### v0.0.5 (2019-08-12)
Updates to conform to the v0.9.1 Gemini specification
- The request line is now expected to be a full URL instead of a PATH.
- Response status codes have been updated to match the new specification.
- The server now requires a "hostname" be specified via a command line argument.
- Request URLs that contain other protocols / hosts are disallowed.
- A simple gemini client, ``jetforce-client``, is now included.