Releases: sternenseemann/spacecookie

1.0.0.3

03 May 14:02

Security fix:
Resolve sanitizePath not eliminating .. from paths. This affects users
of sanitizePath and sanitizePathIfNotUrl from Network.Gopher.Util.

This issue only affects the spacecookie library, not the spacecookie server
daemon since a separate check would prevent it from handling such malicious
requests (which delayed the discovery of this bug). It is probably wise to
upgrade either way.

Note that gophermap parsing behavior is unchanged, i.e. it just normalises
paths, even though makeGophermapFilePath used to call sanitizePath in
previous versions. This is due to the assumption that gophermaps come from a
trusted source and/or paths produced from gophermap parsing aren't used to
access files directly, i.e. those paths are only served to clients (whose later
requests are subject to selector sanitization) as selectors in menus. If those
assumptions don't hold for your code, you will need to further sanitize the
paths returned from gophermapToDirectoryResponse.
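
For code where those assumptions do not hold, the following added example (not part of spacecookie or its release notes) shows one way to vet a path before it is used for file access. The names checkedPath and underRoot and the content root /srv/gopher are hypothetical, and POSIX-style / separators are assumed.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import           Data.ByteString.Char8 (ByteString)
import qualified Data.ByteString.Char8 as B

-- | Hypothetical helper, not spacecookie's sanitizePath: normalise a path
-- and refuse it outright if any segment is "..", rather than resolving it.
-- Empty segments ("//") and "." are dropped; NUL bytes are refused.
checkedPath :: ByteString -> Maybe ByteString
checkedPath raw
  | B.elem '\0' raw      = Nothing
  | ".." `elem` segments = Nothing
  | otherwise            = Just (B.cons '/' (B.intercalate "/" segments))
  where
    segments = filter keep (B.split '/' raw)
    keep s   = not (B.null s) && s /= "."

-- | Hypothetical helper: join an accepted path onto a content root.
-- The root is trusted configuration and has no trailing slash.
underRoot :: ByteString -> ByteString -> Maybe ByteString
underRoot root raw = (root <>) <$> checkedPath raw

main :: IO ()
main = mapM_ report samples
  where
    -- Constructed sample paths, as they might come out of gophermap parsing.
    samples :: [ByteString]
    samples =
      [ "/docs/./about.txt"      -- "." segment is dropped
      , "//docs//index"          -- empty segments are dropped
      , "/docs/a..b/notes"       -- ".." inside a name is not a traversal
      , "/docs/../../etc/passwd" -- ".." segment: refused
      , ".."                     -- bare "..": refused
      ]
    report p =
      putStrLn (show p ++ " -> " ++ show (underRoot "/srv/gopher" p))
```

The check is made per path segment, so file names that merely contain two dots are still accepted. It does not follow symlinks, so a link inside the content root that points elsewhere needs a separate check.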

1.0.0.2

03 Oct 18:47

1.0.0.1

29 Nov 12:36

This release fixes compilation with aeson >= 2.0.

1.0.0.0

16 Mar 21:56

Read the full CHANGELOG.

TL;DR:

  • Server daemon: Configurable logging, full compatibility with Bucktooth gophermaps, fix networking bug related to curl, DoS mitigations, …
  • Library: Rework request representation, use more efficient and flexible ByteString over String, user-implementable logging, …

0.2.1.2

13 May 20:38

Fix build by adjusting dependency constraints.

0.2.1.1: Fixed Privilege Dropping

10 Dec 14:40

  • Server
    • Make user parameter in config optional. If it is not given or set to null, spacecookie won't attempt to change its UID and GID. This is especially useful if socket activation is used. In that case it is not necessary to start spacecookie as root since systemd sets up the socket, so spacecookie can already be started by the right user and doesn't need to change UID.
    • Example Systemd config files
      • SocketMode is now 660 instead of default 666.
      • Set User and Group for spacecookie.service as well.
      • Set "user": null in spacecookie.json
  • Library
    • Fixed issue that led to runGopher* trying to change UID even if it wasn't possible (not running as root). This especially affected the spacecookie server, since cRunUserName would always be Just.
    • Made logging related to dropPrivileges clearer.

0.2.1.0: systemd Support

20 Oct 12:34

  • Improved systemd support.
    • Support for the notify service type
    • Support for socket activation and socket (fd) storage
    • To make use of these new features you'll have to update your service files
  • Added defaultConfig value to prevent future breakage in software using the
    library when the GopherConfig type is extended.
  • Pretty print IPv6 addresses in logging

0.2.0.1: Hackage Release

23 May 08:30

Added version constraints for base to please hackage.

0.2.0.0: Initial Release

23 May 08:19

Release the project properly in its state of 2 years ago, since it has got some attention without me noticing.