Commit graph

19677 commits

Author SHA1 Message Date
adam
85bf303621 curl: updated to 7.69.0
This release includes the following changes:

 o polarssl: removed
 o smtp: add CURLOPT_MAIL_RCPT_ALLLOWFAILS and --mail-rcpt-allowfails
 o wolfSSH: new SSH backend

This release includes the following bugfixes:

 o altsvc: improved header parser
 o altsvc: keep a copy of the file name to survive handle reset
 o altsvc: make saving the cache an atomic operation
 o altsvc: use h3-27
 o azure: disable brotli on the macos debug-builds
 o build: remove all HAVE_OPENSSL_ENGINE_H defines
 o checksrc.bat: Fix not being able to run script from the main curl dir
 o cleanup: fix several comment typos
 o cleanup: fix typos and wording in docs and comments
 o cmake: add support for CMAKE_LTO option
 o cmake: clean up and improve build procedures
 o cmake: enable SMB for Windows builds
 o cmake: improve libssh2 check on Windows
 o cmake: Show HTTPS-proxy in the features output
 o cmake: support specifying the target Windows version
 o cmake: use check_symbol_exists also for inet_pton
 o configure.ac: fix comments about --with-quiche
 o configure: disable metalink if mbedTLS is specified
 o configure: disable metalink support for incompatible SSL/TLS
 o conn: do not reuse connection if SOCKS proxy credentials differ
 o conncache: removed unused Curl_conncache_bundle_size()
 o connect: remove some spurious infof() calls
 o connection reuse: respect the max_concurrent_streams limits
 o contributors: also include people who contributed to curl-www
 o contrithanks: use the most recent tag by default
 o cookie: check __Secure- and __Host- case sensitively
 o cookies: make saving atomic with a rename
 o create-dirs.d: mention the mode
 o curl: avoid using strlen for testing if a string is empty
 o curl: error on --alt-svc use w/o support
 o curl: let -D merge headers in one file again
 o curl: make #0 not output the full URL
 o curl: make the -# spaceship bar not wrap the line
 o curl: remove 'config' field from OutStruct
 o curl:progressbarinit: ignore column width from terminals < 20
 o curl_escape.3: add a link to curl_free
 o curl_getenv.3: fix the memory handling description
 o curl_global_init: assume the EINTR bit by default
 o curl_global_init: move the IPv6 works status bool to multi handle
 o CURLINFO_COOKIELIST.3: Fix example
 o CURLOPT_ALTSVC_CTRL.3: fix the DEFAULT wording
 o CURLOPT_PROXY_SSL_OPTIONS.3: Sync with CURLOPT_SSL_OPTIONS.3
 o CURLOPT_REDIR_PROTOCOLS.3: update the DEFAULT section
 o data.d: remove "Multiple files can also be specified"
 o digest: do not quote algorithm in HTTP authorisation
 o docs/HTTP3: add --enable-alt-svc to curl's configure
 o docs/HTTP3: update the OpenSSL branch to use for ngtcp2
 o docs: fix typo on CURLINFO_RETRY_AFTER
 o easy: remove dead code
 o form.d: fix two minor typos
 o ftp: convert 'sock_accepted' to a plain boolean
 o ftp: remove superfluous checking for crlf in user or pwd
 o ftp: shrink temp buffers used for PORT
 o github action: add CIFuzz
 o github: Instructions to post "uname -a" on Unix systems in issues
 o GnuTLS: always send client cert
 o gtls: fixed compilation when using GnuTLS < 3.5.0
 o hostip: move code to resolve IP address literals to `Curl_resolv`
 o HTTP-COOKIES: describe the cookie file format
 o HTTP-COOKIES: mention that a trailing newline is required
 o http2: make pausing/unpausing set/clear local stream window
 o http2: now requires nghttp2 >= 1.12.0
 o http: added 417 response treatment
 o http: increase EXPECT_100_THRESHOLD to 1Mb
 o http: mark POSTs with no body as "upload done" from the start
 o http: move "oauth_bearer" from connectdata to Curl_easy
 o include: remove non-curl prefixed defines
 o KNOWN_BUGS: Multiple methods in a single WWW-Authenticate: header
 o libssh2: add support for forcing a hostkey type
 o libssh2: fix variable type
 o libssh: improve known hosts handling
 o llist: removed unused Curl_llist_move()
 o location.d: the method change is from POST to GET only
 o md4: fixed compilation issues when using GNU TLS gcrypt
 o md4: use init/update/final functions in Secure Transport
 o md5: added implementation for mbedTLS
 o mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
 o multi: change curl_multi_wait/poll to error on negative timeout
 o multi: fix outdated comment
 o multi: if Curl_readwrite sets 'comeback' use expire, not loop
 o multi_done: if multiplexed, make conn->data point to another transfer
 o multi_wait: stop loop when sread() returns zero
 o ngtcp2: add error code for QUIC connection errors
 o ngtcp2: fixed to only use AF_INET6 when ENABLE_IPV6
 o ngtcp2: update to git master and its draft-25 support
 o ntlm: move the winbind data into the NTLM data structure
 o ntlm: pass the Curl_easy structure to the private winbind functions
 o ntlm: removed the dependency on the TLS libraries when using MD5
 o ntlm_wb: use Curl_socketpair() for greater portability
 o oauth2-bearer.d: works for HTTP too
 o openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
 o openssl: remove redundant assignment
 o os400: fixed the build
 o pause: force-drain the transfer on unpause
 o quiche: update to draft-25
 o README: mention that the docs is in docs/
 o RELEASE-PROCEDURE: feature win is closed post-release a few days
 o runtests: make random seed fixed for a month
 o runtests: restore the command log
 o schannel: make CURLOPT_CAINFO work better on Windows 7
 o schannel_verify: Fix alt names manual verify for UNICODE builds
 o sha256: use crypto implementations when available
 o singleuse.pl: support new API functions, fix curl_dbg_ handling
 o smtp: support the SMTPUTF8 extension
 o smtp: support UTF-8 based host names in MAIL FROM
 o SOCKS: make the connect phase non-blocking
 o strcase: turn Curl_raw_tolower into static
 o strerror: increase STRERROR_LEN 128 -> 256
 o test1323: added missing 'unit test' feature requirement
 o tests: add a unit test for MD4 digest generation
 o tests: add a unit test for SHA256 digest generation
 o tests: add a unit test for the HMAC hash generation
 o tests: deduce the tool name from the test case for unit tests
 o tests: fix Python 3 compatibility of smbserver.py
 o tool_dirhie: allow directory traversal during creation
 o tool_homedir: change GetEnv() to use libcurl's curl_getenv()
 o tool_util: improve Windows version of tvnow()
 o travis: update non-OpenSSL Linux jobs to Bionic
 o url: include the failure reason when curl_win32_idn_to_ascii() fails
 o urlapi: guess scheme properly with credentials given
 o urldata: do string enums without #ifdefs for build scripts
 o vtls: refactor Curl_multissl_version to make the code clearer
 o win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256
2020-03-04 18:19:26 +00:00
adam
66c5822ea4 py-meld3: removed; included in latest py-supervisor 2020-03-02 20:35:10 +00:00
nia
b7c61375bf litmus: Disable SSL support, broken with OpenSSL 1.1
Also fails to build with current gnutls...

Bump PKGREVISION
2020-03-01 18:07:51 +00:00
taca
28d4d1f03f www/ruby-puma: update to 4.3.3
Update ruby-puma to 4.3.3.

## 4.3.3 and 3.12.4 / 2020-02-28
  * Bugfixes
    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
  * Security
    * Fix: Prevent HTTP Response splitting via CR in early hints.
2020-03-01 02:52:25 +00:00
adam
c96f5d9c48 py-flask-admin: updated to 1.5.5
v1.5.5
Werkzeug 1.0 compatibility fix
Use fa-circle-o icon for unchecked booleans
A few SQLAlchemy-related bug fixes
2020-02-29 19:49:29 +00:00
adam
5897aeb3e4 py-MechanicalSoup: updated to 0.12.0
Version 0.12

Main changes:
* Changes in official python version support: added 3.7 and dropped 3.4.
* Added ability to submit a form without updating ``StatefulBrowser`` internal
  state: ``submit_selected(..., update_state=False)``. This means you get a
  response from the form submission, but your browser stays on the same page.
  Useful for handling forms that result in a file download or open a new tab.

Bug fixes
* Improve handling of form enctype to behave like a real browser.
* HTML ``type`` attributes are no longer required to be lowercase.
* Form controls with the ``disabled`` attribute will no longer be submitted
  to improve compliance with the HTML standard. If you were relying on this
  bug to submit disabled elements, you can still achieve this by deleting the
  ``disabled`` attribute from the element in the :class:`~mechanicalsoup.Form`
  object directly.
* When a form containing a file input field is submitted without choosing a
  file, an empty filename & content will be sent just like in a real browser.
* ``<option>`` tags without a ``value`` attribute will now use their text as
  the value.
* The optional ``url_regex`` argument to ``follow_link`` and ``download_link``
  was fixed so that it is no longer ignored.
* Allow duplicate submit elements instead of raising a LinkNotFoundError.
2020-02-29 19:43:52 +00:00
nia
4f97b13ad3 Recursive revbump for libgit2-0.99.0 2020-02-29 11:47:09 +00:00
taca
957fb08943 www/ruby-puma: update to 4.3.2
Update ruby-puma to 4.3.2.

## 4.3.2 and 3.12.3 / 2020-02-27

* Security
  * Fix: Prevent HTTP Response splitting via CR/LF in header
    values. CVE-2020-5247.
2020-02-29 02:19:55 +00:00
bsiegert
b2d5ffb748 Update py-moin to 1.9.10, the last 1.x release.
Patch from Patrick TJ McPhee via pkgsrc-users.

Changes are documented at

https://github.com/moinwiki/moin-1.9/blob/1.9.10/docs/CHANGES#L13

There are too many to list here, but the summary is
 - upgrades to included third-party-packages,
 - wide array of security fixes
 - improvements in user management
2020-02-27 16:42:05 +00:00
nia
0d4fa753df firefox: Remove gnome plist var, no longer used 2020-02-27 15:53:33 +00:00
nia
d8c1d5afce firefox68: Fix some pkglint warnings 2020-02-27 11:06:30 +00:00
maya
c611a6e03f firefox: fix PLIST on linux.
A bunch of files that are mysteriously not on linux, and a bunch of files
that are mysteriously OS-specific (probably missing "else").

And a sandboxing library.
2020-02-26 20:55:43 +00:00
maya
e70f8a873e firefox: limit what is noted as being a hack for NetBSD to NetBSD.
This is causing problems on fedora 31 which gets a function prototype
mismatch from this somehow.
2020-02-26 17:48:58 +00:00
adam
15d958fa57 py-hstspreload: updated to 2020.2.25
2020.2.25:
Pull changes from Chromium repository.
2020-02-25 09:32:28 +00:00
adam
37b0316df4 libpsl: updated to 0.21.0
Release V0.21.0
* Add -b/--batch to 'psl' to suppress printing the domain
* Add support for Meson build system
* Improve build system
* Improve Windows compatibility
* Remove NLS / gettext
* Several cleanups and cosmetics
2020-02-24 19:46:23 +00:00
adam
e6137c430e py-django-admin-sortable2: updated to 0.7.5
0.7.5
Add support for Django-3.0.

0.7.4
Correctly apply custom css classes from the InlineModelAdmin.classes attribute when using StackedInline.
2020-02-24 16:16:00 +00:00
adam
0095b6459d py-django-admin-rangefilter: updated to 0.5.4
0.5.4:
Added
- Added Simplified Chinese translation

0.5.3:
Added
- Added Brazilian Portuguese translation
- Use proper Template comment tag

0.5.2:
Added
- Compatibility Django 3.0

0.5.1:
Changed
- Fix inline CSS that overrided base a admin CSS
2020-02-24 16:14:19 +00:00
joerg
d411367ca2 Ignore requirements when they just break things. 2020-02-23 23:59:04 +00:00
fcambus
8611071444 stagit: update to 0.9.3.
ChangeLog:

- Makefile improvements
- some README tweaks and rewording, reordering
- add OpenBSD unveil support
- small code-style white-space/newline
- style.css: highlight anchor ids, useful for linking highlighting lines
  in a diff
- improve includes, stagit-index does not need compat.h
- atom.xml: improve output format a bit
2020-02-23 21:38:49 +00:00
leot
13357c3d06 tscrape: Update to 0.4
Changes:
0.4
---
 - Minor bug fixes and improvements
2020-02-23 20:39:53 +00:00
morr
9af5aa4917 Update to version 5.3.2.
Changes:

Version 5.3.2:
Maintenance updates
- Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
- Uploads: Fix file name collision in wp_unique_filename() when uploading a file with upper case extension on non case-sensitive file systems.
- Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
- Administration: Fix the colors in all color schemes for buttons with the .active class.
- Tests/build tools: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.

Version 5.3.1:
Security fixes
- Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
- Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
- Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
- Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

Maintenance updates
- Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
- Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
- Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
- Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
- Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
- External libraries: update sodium_compat.
- Site health: allow the remind interval for the admin email verification to be filtered.
- Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
- Users: ensure administration email verification uses the user’s locale instead of the site locale.
2020-02-23 09:59:42 +00:00
fox
957505adcc www/cliqz: Updates to 1.33.0
* Bumps version dependencies.

Changes (since 1.32.1):

Cliqz Browser release 1.33.0 includes the improvements of Firefox’s latest
version 73.0.1 with additional Cliqz improvements and bug fixes.

Improvements

   * Cliqz got updated to Firefox 73.0.1 with various improvements and fixes.
   * In the browser settings you’ll find the new section "Labs". Here you can
     activate the latest browser features that we’re currently testing. The
     first one is support for the Dat Protocol that enables the loading of
     certain web pages via a peer-to-peer network.

Fixes

   * Users of Kaspersky Antivirus could no longer open HTTPS pages in the Cliqz
     Browser and got the error message "Your Connection is not secure". This
     problem should not occur again in the future.
   * When updating from an older browser version it could happen that instead of
     Cliqz Tab only an empty page was displayed. This issue has been fixed.

Miscellaneous

   * The Connect feature has been removed due to performance issues. But we are
     already working on a better and more stable solution. Please let us know
     what features you would like to see.
2020-02-23 00:10:40 +00:00
adam
413fad5cad py-djangocms-text-ckeditor: updated to 3.9.0
3.9.0:
Added support for Django 3.0
Added support for Python 3.8
Removed Aldryn Boilerplate support
2020-02-22 06:56:04 +00:00
adam
eaac54625d py-django-filer: updated to 1.7.0
1.7.0:
Added Django 3.0 support
Added support for Python 3.8
Add attribute download to the download link in order to offer the file under its original name.
2020-02-22 06:55:01 +00:00
ryoon
c441d69acd firefox-l10n: Update to 73.0.1
* Sync with www/firefox-73.0.1.
2020-02-21 15:14:31 +00:00
ryoon
9c893b85bb firefox: Update to 73.0.1
* Do not define USE_LANGUAGES+=gnu++17. Passing -std=gnu++17 to all clang
  invocations causes build failure.

Changelog:
Fixed
    Fixed crashes on Windows systems running third-party security software such as 0patch or G DATA (bug 1610790)

    Fixed loss of browser functionality in certain circumstances such as running in Windows compatibility mode or having custom anti-exploit settings (bug 1614885)

    Resolved problems connecting to the RBC Royal Bank website (bug 1613943)

    Fixed Firefox unexpectedly exiting when leaving Print Preview mode (bug 1611133)

    Fixed crashes when playing encrypted content on some Linux systems (bug 1614535)
2020-02-21 15:13:12 +00:00
abs
173976497b Add stream-ssl-preread option to nginx
Allows nginx to be used as a proxy to share a port between https and
ssh/openvpn or similar

Not enabled by default
2020-02-20 23:34:38 +00:00
ryoon
96f549e6b5 php-nextcloud: Update to 18.0.1
Changelog:
Changes

    [stable18] Fix cursor on disabled contenteditable divs (server#18961)
    Bump style-loader from 1.1.2 to 1.1.3 (server#18982)
    [stable18] Increase the timeout for app downloads (server#19025)
    [stable18] Fix loaded controller check (server#19060)
    [stable18] Allow to await the sidebar (server#19089)
    [stable18] expose Argon2 options (as we did for bcrypt) (server#19094)
    [stable18] fix multiselect actions for files (server#19108)
    [stable18] Adjust filelist color handling to new dark theme value (server#19117)
    [stable18] Reduce legacy event log level to debug (server#19118)
    [stable18] New file menu needs to be above the filelist header (server#19119)
    [stable18] Do not invert avatar colors when dark theme is enabled (server#19121)
    [stable18] Use the target for file notifications (server#19149)
    [stable18] Use correct appid for talk (server#19150)
    [stable18] add hub bundle for easy installation on upgraded instances (server#19153)
    [stable18] apps can have polyamorous relationships with bundles (server#19166)
    [stable18] Use themed favicon-fb (server#19189)
    [stable18] Fix "Call to undefined method OCA\\WorkflowEngine\\Entity\\File::t()" (server#19190)
    [stable18] Fix query selector for inverted icons (server#19206)
    [stable18] Do not encode contacts menu mailto links (server#19207)
    [stable18] Give the sharing tab a unique id so it also opens properly on other languages (server#19212)
    [stable18] WebcalRefreshJob: Fix reading refresh rate (server#19228)
    [stable18] Make sure to catch php errors during job execution (server#19269)
    [stable18] Center Buttons (server#19271)
    [stable18] Use the l10n from settings (server#19277)
    [stable18] Use proper andwhere clause (server#19278)
    [stable18] Add move (and firstlogin) option to transferownership service (server#19279)
    [stable18] for the DB to pick an index specify the object_type (server#19283)
    [stable18] owner transfer multiselect fixes (server#19291)
    [stable18] Allow respecting PASSWORD_DEFAULT (server#19292)
    [stable18] Keep the modification time during decryptFile (server#19297)
    [stable18] Fix data Apache2 .htaccess typo (server#19302)
    [stable18] Fix display of DTEND for multi-day all-day event (server#19308)
    [stable18] do not overwrite global user auth credentials with empty values (server#19315)
    [stable18] Fix occ maintenance:install database connect failure (server#19326)
    [stable18] Fix event type (server#19330)
    [stable18] Array access on int will fail on php7.4 (server#19332)
    [stable18] Make sure the default share provider does not execute for other things (server#19334)
    [stable18] Disable link shares of disabled users (server#19340)
    [stable18] Prevent archived download on secure view (server#19360)
    [stable18] Log Flow activity (server#19396)
    [stable18] Allow to serve static webm directly (server#19420)
    18.0.1 final (server#19422)
    [stable18] Allow to serve static mp4 directly (server#19428)
    [stable18] Update master php testing versions (activity#417)
    Update stable18 target versions (activity#418)
    [stable18] Update master php testing versions (files_pdfviewer#164)
    Update stable18 target versions (files_pdfviewer#165)
    Update stable18 target versions (files_texteditor#194)
    Update stable18 target versions (firstrunwizard#274)
    Update stable18 target versions (logreader#313)
    [stable18] Update master php testing versions (nextcloud_announcements#64)
    Update stable18 target versions (nextcloud_announcements#65)
    Update stable18 target versions (notifications#547)
    [stable18] Add linting via github actions (notifications#555)
    [stable18] Support Strict VoIP push notifications for iOS 13 SDK (notifications#565)
    [stable18] Update master php testing versions (password_policy#93)
    Update stable18 target versions (password_policy#94)
    [stable18] Lint with github actions (photos#153)
    [stable18] No more drone. Do it all on github actions (photos#158)
    [stable18] Respect .noimage and .nomedia files (photos#160)
    [stable18] added headers for your photos and favs (photos#172)
    [stable18] Fix/actions (photos#174)
    [stable18] Fix url escaping (photos#175)
    [stable18] Use actions from tutorial (photos#181)
    Update stable18 target versions (privacy#323)
    Update stable18 target versions (recommendations#182)
    Update stable18 target versions (serverinfo#170)
    [stable18] Update master php testing versions (survey_client#104)
    Update stable18 target versions (survey_client#105)
    [stable18] GitHub actions/lint (viewer#368)
    Fix url escaping (viewer#370)
    [stable18] Adjust tests syntax & formatting (viewer#379)
    [stable18] Use actions from tutorial (viewer#385)
    [stable18] Revert "Fix url escaping" (viewer#396)
2020-02-20 11:53:28 +00:00
adam
f531359c95 py-django-filer: updated to 1.6.0
1.6.0:
Removed support for Django <= 1.10
Removed outdated files
Code alignments with other addons
Replace deprecated templatetag staticfiles against static.
Added management command filer_check to check the integrity of the database against the file system, and vice versa.
Add jQuery as AdminFileWidget Media dependency
Add rel="noopener noreferrer" for tab nabbing
Fixed an issue where a value error is raised when no folder is selected
Fixed search field overflow

1.5.0:
Added support for Django 2.2
Adapted test matrix
Adapted test structure and added fixes
2020-02-20 06:23:20 +00:00
adam
855a06429e py-webcolors: updated to 1.11.1
Version 1.11.1:

Bugs fixed
* Corrected an error regarding supported Python versions in the
  README file.


Version 1.11:
No bug fixes or new features.

Other changes
* Python 2 has reached the end of its support cycle from the Python
  core team; accordingly, Python 2 support is dropped. Supported
  Python versions are now 3.5, 3.6, 3.7, and 3.8.
2020-02-19 17:49:24 +00:00
adam
bcf2387e92 py-djangocms-video: updated to 2.3.0
2.3.0:
Added support for Django 3.0
Added further tests to raise coverage
Fixed smaller issues found during testing

2.2.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
2020-02-19 12:01:20 +00:00
adam
0228b2a198 py-djangocms-text-ckeditor: updated to 3.8.0
3.8.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
Updated translations
2020-02-19 12:00:03 +00:00
adam
c55c2c056f py-djangocms-style: updated to 2.3.0
2.3.0:
Added support for Django 3.0
Deprecated old CMS_STYLE_NAMES setting
Deprecated old CMS_STYLE_TAG_TYPES setting
Added further tests to raise coverage
Fixed smaller issues found during testing

2.2.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
Exclude tests folder from release build
2020-02-19 11:58:24 +00:00
adam
9e34712465 Fix typos in DEPENDS 2020-02-19 11:30:17 +00:00
adam
f35676d8e2 py-djangocms-audio: fix typo 2020-02-19 11:27:59 +00:00
adam
82daf06315 py-djangocms-link: updated to 2.5.0
2.5.0:
Added file link support
Allow link requirement to be changed when another CMS plugin inherits from AbstractLink
Fixed a bug preventing HOSTNAME_PATTERN to work
Updated translations

2.4.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
2020-02-19 11:27:41 +00:00
adam
d4eb5a6f71 py-djangocms-icon: updated to 1.5.0
1.5.0:
Added support for Django 3.0

1.4.2:
Added further tests to raise coverage
Fixed smaller issues found during testing
Fixes an issue with older installations
Fixes double save issue, where icon is lost

1.4.1:
Fixes an issue where the icon widget throws a Javascript error

1.4.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Fixes an issue when using multiple icons on different models #20

1.3.0:
Added support for Font Awesome 5
Added support for custom data iconset
Added isort and adapted imports
Fixed an issue where Font Awesome is not rendered on a clean install
Extended test matrix
Adapted code base to align with other supported addons
2020-02-19 11:25:05 +00:00
adam
e115af41d9 py-djangocms-googlemap: updated to 1.4.0
1.4.0:
Added support for Django 3.0
Add rendering on plugin first insert capability

1.3.1 (unreleased)
Added further tests to raise coverage
Fixed smaller issues found during testing
Changed DecimalField field to FloatField for Marker plugin

1.3.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Exclude tests folder from release build
Added installation instructions for django-filer
2020-02-19 11:23:08 +00:00
adam
4a877702be py-djangocms-file: updated to 2.4.0
2.4.0:
Added support for Django 3.0
Added further tests to raise coverage
Fixed smaller issues found during testing

2.3.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
2020-02-19 11:20:54 +00:00
adam
63a9b1363f py-djangocms-audio: updated to 1.3.0
1.3.0:
Added support for Django 3.0
Added further tests to raise coverage
Fixed smaller issues found during testing

1.2.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Fixed typo in MANIFEST.in
Added isort and adapted imports
Adapted code base to align with other supported addons
2020-02-19 11:19:15 +00:00
adam
6a9dad307d py-djangocms-picture: updated to 2.4.0
2.4.0:
Added support for Django 3.0
Pinned django-filer to 1.5.0
Added further tests to raise coverage
Fixed smaller issues found during testing
Dropped support for django-filer <= 1.4
Fixed alt attribute not rendering correctly

2.3.0:
Fixes an issue where get_link doesn't return external picture
Fixes img_srcset_data being processed on an external picture
Added tests for the plugin itself
Updated translations

2.2.1:
Fixed a regression where external images are not shown anymore

2.2.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Fixed an issue when the image reference is lost
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
2020-02-19 11:13:05 +00:00
adam
b1591571e6 py-django-cmsplugin_gallery: updated to 1.1.7
1.1.7:
Unknown changes

1.1.4:
Add filer support and migration for existing plugins to filer based ecosystem.
Add better support for Python3
Fix all tests for the plugins
2020-02-19 11:09:52 +00:00
adam
4ed20a590a py-django-filer: depend on py-easy-thumbnails 2020-02-19 11:03:03 +00:00
adam
b6a4041691 py-easy-thumbnails: updated to 2.7
2.7.0:
* Add support for Django 3.0
* Drop support for Python 2
* Drop support for Django < 1.11
* Drop support for Django 2.0, 2.1

2.6.0:
* Added testing for Django 2.2 (no code changes required).
2020-02-19 11:00:55 +00:00
adam
fe5954966c py-django-mptt: updated to 0.11.0
0.11.0:
Unknown changes
2020-02-19 09:56:48 +00:00
adam
a46d3f3327 py-djangocms-attributes-field: updated to 1.2.0
1.2.0:
Added support for Django 3.0
Added support for Python 3.8
Added further tests to raise coverage
Fixed smaller issues found during testing

1.1.0:
Added support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
Added translations
2020-02-19 09:52:38 +00:00
nia
9785d3c453 gitea: Update to 1.11.1
## [1.11.1](https://github.com/go-gitea/gitea/releases/tag/v1.11.1) - 2020-02-15

* BUGFIXES
  * Repo name added to automatically generated commit message when merging (#9997) (#10285)
  * Fix Workerpool deadlock (#10283) (#10284)
  * Divide GetIssueStats query in smaller chunks (#10176) (#10282)
  * Fix reply on code review (#10257)
  * Stop hanging issue indexer initialisation from preventing shutdown (#10243) (#10249)
  * Fix filter label emoji width (#10241) (#10244)
  * Fix issue sidebar menus having an infinite height (#10239) (#10240)
  * Fix commit between two commits calculation if there is only last commit (#10225) (#10226)
  * Only check for conflicts/merging if the PR has not been merged in the interim (#10132) (#10206)
  * Blacklist manifest.json & milestones user (#10292) (#10293)
2020-02-18 13:35:07 +00:00
adam
2999613b42 py-django-tastypie: updated to 0.14.3
Tastypie v0.14.3 (Django 3.0)

Python 2.7+ or Python 3.4+ (Whatever is supported by your version of Django)
Django 1.11, 2.2 (LTS releases) or Django 3.0 (latest release)
This is the last version that will explicitly support Python 2.x, which has reached EOL.
2020-02-18 11:26:52 +00:00
adam
9eb22f7824 py-uvicorn: updated to 0.11.3
0.11.3:
Update dependencies.
2020-02-18 10:13:17 +00:00
adam
d438701161 py-httptools: updated to 0.1.1
v0.1.1:
Restore Python 3.5 support

v0.1.0:
No functional changes from 0.0.13, except the new release flow and
binary wheels.
2020-02-18 10:12:20 +00:00
adam
be9fa67b2c py-django3: added version 3.0.3
What’s new in Django 3.0

MariaDB support
ASGI support
Exclusion constraints on PostgreSQL
Filter expressions
Enumerations for model field choices
2020-02-17 20:23:21 +00:00
adam
213344cc0a py-h2: updated to 3.2.0
3.2.0:
Bugfixes
- Receiving DATA frames on closed (or reset) streams now properly emit a
  WINDOW_UPDATE to keep the connection flow window topped up.

API Changes (Backward-Incompatible)
- ``h2.config.logger`` now uses a `trace(...)` function, in addition
  to `debug(...)`. If you defined a custom logger object, you need to handle
  these new function calls.
2020-02-17 12:12:37 +00:00
adam
b66f9d4d7f py-idna: updated to 2.9
2.9:
- Update to Unicode 12.1.0.
- Prohibit A-labels ending with a hyphen.
- Future-proofing: Test on Python 3.7 and 3.8, don't immediately
  fail should Python 4 come along.
- Made BSD 3-clause license clearer
2020-02-17 11:56:44 +00:00
adam
36704b478e py-hstspreload: mark as Python 3.x only 2020-02-16 20:47:40 +00:00
adam
e64e58d84f py-hstspreload: updated to 2020.2.15
2020.2.15:
Updated HSTS Preload list.
2020-02-16 14:13:33 +00:00
schmonz
22e55709e1 Fix WRKSRC (no WikiCase needed with this tarball). 2020-02-15 15:22:21 +00:00
tnn
90b78de3c5 firefox: now needs gnu++17, for <type_traits> std::is_void_v and friends 2020-02-15 13:39:32 +00:00
nia
958dab54c7 firefox68-l10n: Update to 68.5.0
Sync with firefox68.
2020-02-15 12:55:12 +00:00
nia
baabbdbb22 firefox68: Update to 68.5.0
Security Vulnerabilities fixed in Firefox ESR68.5

# CVE-2020-6796: Missing bounds check on shared memory read in the parent process
# CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
# CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection
# CVE-2020-6799: Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
	Note: This issue only affects Windows operating systems and when Firefox is configured as the default handler for non-default filetypes. Other operating systems are unaffected.
# CVE-2020-6800: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
2020-02-15 12:48:22 +00:00
leot
7598cd0706 webkit-gtk: Update to 2.26.4
Changes:
2.26.4
======
 - Always use a light theme for rendering form controls.
 - Fix the build with WPE renderer disabled.
 - Fix the build with OpenGL disabled.
 - Fix the build with GCC 10.
 - Fix several crashes and rendering issues.
2020-02-14 19:15:54 +00:00
nia
3d77b7a46c gitea: Update to 1.11.0
## [1.11.0](https://github.com/go-gitea/gitea/releases/tag/v1.11.0) - 2020-02-10
* BREAKING
  * Fix followers and following tabs in profile (#10202) (#10203)
  * Make CertFile and KeyFile relative to CustomPath (#9868) (#9874)
  * Remove unused endpoints (#9538)
  * Prefix all user-generated IDs in markup (#9477)
  * Enforce Gitea environment for pushes (#8982)
  * Hide some user information via API if user have not enough permissions (#8655)
  * Move startpage/homepage translation to crowdin (#8596)
* SECURITY
  * Never allow an empty password to validate (#9682) (#9683)
  * Prevent redirect to Host (#9678) (#9679)
  * Swagger hide search field (#9554)
  * Add "search" to reserved usernames (#9063)
  * Switch to fomantic-ui (#9374)
  * Only serve attachments when linked to issue/release and if accessible by user (#9340)
* FEATURES
  * Webhooks should only show sender if it makes sense (#9601)
  * Provide Default messages for merges (#9393)
  * Add description to labels on create issue (#9392)
  * Graceful Queues: Issue Indexing and Tasks (#9363)
  * Default NO_REPLY_ADDRESS to DOMAIN (#9325)
  * Allow FCGI over unix sockets (#9298)
  * Graceful: Xorm, RepoIndexer, Cron and Others (#9282)
  * Add API for Reactions (#9220)
  * Graceful: Cancel Process on monitor pages & HammerTime (#9213)
  * Graceful: Allow graceful restart for unix sockets (#9113)
  * Graceful: Allow graceful restart for fcgi (#9112)
  * Sign protected branches (#8993)
  * Add Graceful shutdown for Windows and hooks for shutdown of goroutines (#8964)
  * Add Gitea icon to Emojis (#8950)
  * Expand/Collapse Files and Blob Excerpt while Reviewing/Comparing code (#8924)
  * Allow Custom Reactions (#8886)
  * Close/reopen issues by keywords in titles and comments (#8866)
  * Allow incompletely specified Time Formats (#8816)
  * Prevent upload (overwrite) of lfs locked file (#8769)
  * Template Repositories (#8768)
  * Add /milestones endpoint (#8733)
  * Make repository management section handle lfs locks (#8726)
  * Respect LFS File Lock on UI (#8719)
  * Add team option to grant rights for all organization repositories (#8688)
  * Enabling and disabling the commit button to prevent empty commits (web editor) (#8590)
  * Add setting to disable BASIC authentication (#8586)
  * Expose db.SetMaxOpenConns and allow non MySQL dbs to set conn pool params (#8528)
  * Allow Protected Branches to Whitelist Deploy Keys (#8483)
  * Push to create repo (#8419)
  * Sign merges, CRUD, Wiki and Repository initialisation with gpg key (#7631)
  * Add basic repository lfs management (#7199)
* BUGFIXES
  * Fix code-expansion arc-green theme bug (#10180) (#10185)
  * Prevent double wait-group decrement (#10170) (#10175)
  * Allow emoji on review head comments (#10159) (#10174)
  * Fix issue/pull link (#10158) (#10173)
  * Fix push-create SSH bugs (#10145) (#10151)
  * Prevent DeleteUser API abuse (#10125) (#10128)
  * Fix issues/pulls dashboard paging error (#10114) (#10115)
  * Add button to revert SimpleMDE to plain textarea (#10099) (#10102)
  * Fix branch page pull request title and link error (#10092) (#10097)
  * Fix PR API: Only try to get HeadBranch if HeadRepo exist (#10029) (#10088)
  * Update topics repo count when deleting repository (#10051) (#10081)
  * Show pull icon on pull requests (#10061) (#10062)
  * Fix milestone API state parameter unhandled (#10049) (#10052)
  * Move to using a temporary repo for pushing new PRs (#10009) (#10042)
  * Fix wiki raw view on sub path (#10002) (#10040)
  * Ensure that feeds are appropriately restricted (#10018) (#10019)
  * Sanitize credentials in mirror form (#9975) (#9991)
  * Close related pull requests when deleting head repository or head branch (#9927) (#9974)
  * Switch to use -f instead of -F for sendmail (#9961) (#9970)
  * Fix file rename/copy not supported by indexer (#9965) (#9967)
  * Fix repo indexer not updating upon push (#9957) (#9963)
  * Don't convert ellipsis in markdown (#9905) (#9937)
  * Fixed repo link in generated comment for cross repository dependency (#9863) (#9935)
  * Check if diff actually contains sections when rendering (#9926) (#9933)
  * Fix wrong hint when status checking is running on pull request view (#9886) (#9928)
  * Fix RocketChat (#9908) (#9921)
  * Do not try to recreate ldap user if they are already created (#9900) (#9919)
  * Create terminated channel in queue_redis (#9910) (#9911)
  * Prevent empty LDAP search result from deactivating all users (#9879) (#9896)
  * Fix wrong permissions check when issues/prs shared operations (#9885) (#9889)
  * Check user != nil before checking values (#9881) (#9883)
  * Allow hyphen in language name (#9873) (#9880)
  * Ensure that 2fa is checked on reset-password (#9857) (#9876)
  * Fix issues/pulls dependencies problems (#9842) (#9864)
  * Fix markdown anchor links (#9673) (#9840)
  * Allow assignee on Pull Creation when Issue Unit is deactivated (#9836) (#9837)
  * Fix download file wrong content-type (#9825) (#9834)
  * Fix wrong poster identity on a migrated pull request when submit review (#9827) (#9830)
  * Fix database dump when log directory is missing (#9818) (#9819)
  * Fix compare (#9808) (#9814)
  * Fix push-to-create (#9772) (#9797)
  * Fix missing msteam webhook on organization (#9781) (#9794)
  * Fix missing unlock in uniquequeue (#9790) (#9791)
  * Fix add team on collaborator page when same name as organization (#9778)
  * DeleteRepoFile incorrectly handles Delete to new branch (#9769) (#9775)
  * Fix milestones page (#9771)
  * Fix SimpleMDE quote reply (#9757) (#9768)
  * Fix missing updated time on migrated issues and comments (#9744) (#9764)
  * Move Errored PRs out of StatusChecking (#9675) (#9726)
  * Make hook status printing configurable with delay (#9641) (#9725)
  * Fix /repos/issues/search (#9698) (#9724)
  * Silence fomantic error regarding tabs (#9713) (#9718)
  * Remove unused lock (#9709) (#9710)
  * Remove q.lock.Unlock() in setInternal to prevent panic (#9705) (#9706)
  * Load milestone in API PR list (#9671) (#9700)
  * Don't attempt to close issue if already closed (#9696) (#9699)
  * Remove google font call (#9668) (#9681)
  * Eliminate horizontal scroll caused by footer (#9674)
  * Fix nil reference in repo generation (#9660) (#9666)
  * Add HTML URL to API Issues (#9654) (#9661)
  * Add PR review webhook to Telegram (#9653) (#9655)
  * Use filepath.IsAbs instead of path.IsAbs (#9651) (#9652)
  * Disable remove button on repository teams when have access to all (#9640)
  * Clean up old references on branch delete (#9614)
  * Hide public repos owned by private orgs (#9609)
  * Fix access issues on milestone and issue overview pages. (#9603)
  * Fix error logged when repos qs is empty (#9591)
  * Don't trigger notification twice on issue assignee change (#9582)
  * Fix mirror pushed commit actions (#9572)
  * Allow only specific columns to be updated on issue via API (#9189) (#9539)
  * Fix default avatar for ghost user (#9536)
  * Fix download of release attachments with same name (#9529)
  * Resolve deprecated INI conversion (#9525)
  * Ignore empty avatars during database migration (#9520)
  * Fix deleted branch isn't removed when push the branch again (#9516)
  * Fix repository issues pagination bug when there are more than one label filter (#9512)
  * Fix SetExpr failed (#9506)
  * Remove obsolete file private/push_update.go (#9503)
  * When recreating hooks, delete them first so they are recreated with the umask (#9502)
  * Properly enforce gitea environment for pushes (#9501)
  * Fix datarace on repo indexer queue (#9490)
  * Add call to load repo prior to redirect in add/remove dependency code (#9484)
  * Wrap the code indexer (#9476)
  * Use Req.URL.RequestURI() to cope with FCGI urls (#9473)
  * Set default ssh.minimum_key_sizes (#9466)
  * Fixed issue with paging in /repos/{owner}/{repo}/git/trees/{sha} api (#9459)
  * Fix wrong notification on merge (#9450)
  * Issue with Migration rule v111 (#9449)
  * Trigger webhook when deleting a branch after merging a PR (#9424)
  * Add migration to sanitize repository original_url (#9423)
  * Use OriginalURL instead of CloneAddr in migration logging (#9418)
  * Push update after branch is restored (#9416)
  * Fix wrong migration (#9381)
  * Fix show repositories filter (#9234) (#9379)
  * Fix Slack webhook payload title generation to work with Mattermost (#9378)
  * Fix double webhook for new PR (#9375)
  * AuthorizedKeysCommand should not query db directly (#9371)
  * Fix missed change to GetManager() (#9361)
  * Fix cache problem on dashboard (#9358)
  * RepoIndexer: DefaultBranch needs to be prefixed by BranchPrefix (#9356)
  * Fix protected branch using IssueID (#9348)
  * Fix nondeterministic behavior (#9341)
  * Fix PR/issue redirects when having external tracker (#9339)
  * Remove release attachments which repository has been deleted (#9334)
  * Fix issue indexer not triggered when migrating a repository (#9332)
  * Add SyncTags to uploader interface (#9326)
  * Fix bug that release attachment files not deleted when deleting repository (#9322)
  * Only sync tags after all migration release batches are completed (#9319)
  * File Edit: Author/Committer interchanged (#9297)
  * prebuild CSS/JS before xgo release binaries (#9293)
  * Log: Ensure FLAGS=none shows no flags (#9287)
  * Make Diff Detail on Pull Request Changed File UI always on Top (#9280)
  * Switch CSS minifier to cssnano (#9260)
  * Fix latest docker image haven't include static files. (#9252)
  * Don't link wiki revision to commit (#9244)
  * Change review content column to type text in db (#9229)
  * Fixed topic regex pattern and added search by topic links after save (#9219)
  * Add language to user API response (#9215)
  * Correct tooltip message blocked by dependencies (#9211)
  * Add SimpleMDE and Fix Image Paste for Issue/Comment Editor (#9197)
  * Fix panic when diff (#9187)
  * Fix #9151 - smtp logger configuration sendTos should be an array (#9154)
  * Fix max length check and limit in multiple repo forms (#9148)
  * Always Show Password Field on Link Account Sign-in Page (#9147)
  * Properly fix displaying virtual session provider in admin panel (#9137)
  * Fix race condition on indexer (#9136)
  * Fix team links in HTML rendering (#9127)
  * Fix race condition in ReplaceSanitizer (#9123)
  * Fix what information is shown about user in API (#9115)
  * Fix nil context user for template repositories (#9099)
  * Hide given credentials for migrated repos. (#9097)
  * Fix reCAPTCHA API URL (#9083)
  * Fix password checks on admin create/edit user (#9076)
  * Update golang.org/x/crypto vendor to use acme v2 (#9056)
  * Ensure Written is set in GZIP ProxyResponseWriter (#9018)
  * Fix wrong system notice when repository is empty (#9010)
  * Fix broken link to branch from issue list (#9003)
  * Fix bug when pack js (#8992)
  * New review approvals shouldn't require a message (#8991)
  * Shadow password correctly for session config (#8984)
  * Don't send notification on pending reviews (#8943)
  * Fix Notify Create Ref Error on tag creation (#8936)
  * Convert EOL to UNIX-style to render MD properly (#8925)
  * Migrate temp_repo.go to use git.NewCommand  (#8918)
  * Fix issue with user.fullname (#8902)
  * Add Close() method to gogitRepository (#8901)
  * Enable punctuations ending mentions (#8889)
  * Fix password complexity check on registration (#8887)
  * Fix require external registration password (#8885)
  * Fix edit content button on migrated issue content (#8877)
  * Fix permission checks for close/reopen from commit (#8875)
  * Fix API Bug (fail on empty assignees) (#8873)
  * Stop using git count-objects and use raw directory size for repository (#8848)
  * Fix count for commit graph last page (#8843)
  * Fix to close opened io resources as soon as not needed (#8839)
  * Improve notification (#8835)
  * Fix new user form for non-local users (#8826)
  * Fix: remove duplicated signed commit icons (#8820)
  * Fix (open/closed) issue count when label excluded (#8815)
  * Fix SSH2 conditional in key parsing code (#8806)
  * Fix 500 when edit hook (#8782)
  * On windows set core.longpaths true (#8776)
  * Fix commit expand button to not go to commit link (#8745)
  * Avoid re-issuing redundant cross-references. (#8734)
  * Fix milestone close timestamp function (#8728)
  * Move webhook codes from service to webhook notification (#8712)
  * Show zero lines on the line counter if the file empty (#8700)
  * Fix deadline on update issue or PR via API (#8696)
  * make call createMilestoneComment on newIssue func (#8678)
  * Send tag create and push webhook when release created on UI (#8671)
  * Prevent chrome download page as html with alt + click (#8669)
  * Fix 500 when getting user as unauthenticated user (#8653)
  * Graceful fixes (#8645)
  * Add SubURL to redirect path (#8632) (#8634)
  * Fix extra columns from `label` table (#8633)
  * Add SubURL to redirect path for transferred/renamed repos (#8632)
  * Fix bug when migrate from API (#8631)
  * Allow to merge if file path contains " or \ (#8629)
  * Prevent removal of non-empty emoji panel following selection of duplicate (#8609)
  * Ensure default gpg settings not nil and found commits have reference to repo (#8604)
  * Set webhook Content-Type for application/x-www-form-urlencoded (#8599)
  * Fix #8582 by handling empty repos (#8587)
  * Fix of the diff statistics view on pull request's (#8581)
  * Fix bug on pull requests when transfer head repository (#8564)
  * Fix template error on account page (#8562)
  * Allow externalID to be UUID (#8551)
  * Fix ignored error on editorconfig api (#8550)
  * Fix user avatar name (#8547)
  * Ensure that GitRepo is set on Empty repositories (#8539)
  * Add missed close in ServeBlobLFS (#8527)
  * Fix migrate mirror 500 bug (#8526)
  * Fix password complexity regex for special characters (on master) (#8525)
* ENHANCEMENTS
  * Explicitly refer to PR in squash-merge commit message in case of external tracker (#9844) (#9855)
  * Add a /user/login landing page option (#9622)
  * Some more e-mail notification fixes (#9596)
  * Add branch protection option to block merge on requested changes. (#9592)
  * Add footer extra links template (#9576)
  * Fix for a wrong URL in activity page of repository.  (#9571)
  * Update default issue template (#9568)
  * Change markdown rendering from blackfriday to goldmark  (#9533)
  * Extend file create api with dates (#9464)
  * Add ActionCommentPull action (#9456)
  * Response for context on retry database connection (#9444)
  * Refactor webhooks to reduce code duplication (#9422)
  * update couchbase deps for new license (#9419)
  * Add .ignore file for search tools (#9417)
  * Remove unused struct (#9405)
  * Hide not allowed Reactions (#9387)
  * Remove text from action-only webhooks (#9377)
  * Move PushToBaseRepo from models to services/pull (#9352)
  * Site admin could view org's members (#9346)
  * Sleep longer if request speed is over github limitation (#9335)
  * Refactor comment (#9330)
  * Refactor code indexer (#9313)
  * Remove SavePatch and generate patches on the fly (#9302)
  * Move some pull request functions from models to services (#9266)
  * Update JS dependencies (#9255)
  * Show label list on label set (#9251)
  * Redirect issue if repo has configured external tracker. (#9247)
  * Allow kbd tags (#9245)
  * Remove unused comment actions (#9222)
  * Fixed errors logging in dump.go (#9218)
  * Expose release counter to repo API response (#9214)
  * Make consistent links to repository in the Slack/Mattermost notifications (#9205)
  * Expose pull request counter to repo API response (#9202)
  * Extend TrackedTimes API (#9200)
  * Extend StopWatch API (#9196)
  * Move code indexer related code to a new package (#9191)
  * Docker: ask s6 to stop all service when gitea stop (#9171)
  * Variable expansion in repository templates (#9163)
  * Add avatar and issue labels to template repositories (#9149)
  * Show single review comments in the PR conversation tab (#9143)
  * Extract createComment (#9125)
  * Move PushUpdateOptions from models to repofiles (#9124)
  * Alternate syntax for cross references (#9116)
  * Add USE_SERVICE_WORKER setting (#9110)
  * Only show part of members on organization dashboard and add paging for organization members page (#9092)
  * Explore page: Add topic param to pagination (#9077) (#9078)
  * Markdown: Sanitizier Configuration (#9075)
  * Add password requirement info on error (#9074)
  * Allow authors to use act keywords in PR content (#9059)
  * Move modules/gzip to gitea.com/macaron/gzip (#9058)
  * Branch protection: Possibility to not use whitelist but allow anyone with write access (#9055)
  * Context menus for comments, add quote reply (#9043)
  * Update branch API endpoint to show effective branch protection. (#9031)
  * Move git graph from models to modules/graph (#9027)
  * Move merge actions to notification (#9024)
  * Move mirror sync actions to notification (#9022)
  * Add retry for migration http/https requests (#9019)
  * Rewrite delivery of issue and comment mails (#9009)
  * Add review comments to mail notifications (#8996)
  * Refactor pull request review (#8954)
  * Githook highlighter (#8932)
  * Add git hooks and webhooks to template repositories; move to services (#8926)
  * Only view branch or tag if it match refType requested. (#8899)
  * Drop Admin attribute based on LDAP when login (continue #1743) (#8849)
  * Add additional periods to activity page (#8829)
  * Update go-org to optimize code (#8824)
  * Move some actions to notification/action (#8779)
  * Webhook support custom proxy (#8760)
  * Fix API deadline removal (#8759)
  * Mark review comment as invalidated when file is deleted (#8751)
  * Move pull list code to a separate file (#8748)
  * Move webhook to a standalone package under modules (#8747)
  * Multi repo select on issue page (#8741)
  * apply exclude label on milestone issue list (#8739)
  * Move issue notifications and assignee man (#8713)
  * Move issue change content from models to service (#8711)
  * Move issue change status from models to service (#8691)
  * Move more issue assignee code from models to issue service (#8690)
  * Create PR on Current Repository by Default (#8670)
  * Improve Open Graph Protocol (#8637)
  * Batch hook pre- and post-receive calls (#8602)
  * Improve webhooks (#8583)
  * Move transfer repository and rename repository on a service package and start action notification (#8573)
  * Implement/Fix PR review webhooks (#8570)
  * Rewrite markdown rendering to blackfriday v2 and rewrite orgmode rendering to go-org (#8560)
  * Move some repositories' operations to a standalone service package (#8557)
  * Allow more than 255 characters for tokens in external_login_user table (#8554)
  * Move issue label operations to issue service package (#8553)
  * Adjust error reporting from merge failures and use LC_ALL=C for git (#8548)
  * Mail assignee when issue/pull request is assigned (#8546)
  * Allow committing / adding empty files using the web ui (#8420) (#8532)
  * Move sync mirror actions to mirror service package (#8518)
  * Remove arrows on numeric inputs (#8516)
  * Support inline rendering of CUSTOM_URL_SCHEMES (#8496)
  * Recalculate repository access only for specific user (#8481)
  * Add download button for pull request diff- and patch-file (#8470)
  * Add single sign-on support via SSPI on Windows (#8463)
  * Move change issue title from models to issue service package (#8456)
  * Add included tag on  branch view (#8449)
  * Make static resources web browser cache time customized on app.ini (#8442)
  * Enable Uploading/Removing Attachments When Editing an Issue/Comment (#8426)
  * Add pagination to commit graph page (#8360)
  * Use templates for issue e-mail subject and body (#8329)
  * Move clearlabels from models to issue service (#8326)
  * Move AddTestPullRequestTask to pull service package from models (#8324)
  * Team permission to create repository in organization (#8312)
  * Allows external rendering of other filetypes (#8300)
  * Add 'Alt + click' feature to exclude labels (#8199)
  * Configurable close and reopen keywords for PRs (#8120)
  * Configurable URL for static resources (#7911)
  * Unifies commit list in repository commit table and wiki revision page (#7907)
  * Allow cross-repository dependencies on issues (#7901)
  * Auto-subscribe user to repository when they commit/tag to it (#7657)
  * Restore Graceful Restarting & Socket Activation (#7274)
  * wiki - add 'write' 'preview' buttons to wiki edit like in issues (#7241)
  * Change target branch for pull request (#6488)
  * Display PR commits and diffs using base repo rather than forked (#3648)
* TESTING
  * Add debug option to serv to help debug problems (#9492)
  * Fix the intermittent TestGPGGit failures (#9360)
  * Testing: Update postgres sequences (#9304)
  * Missed defer prepareTestEnv (#9285)
  * Fix "data race" in testlogger (#9159)
  * Yet another attempt to fix the intermittent failure of gpg git test (#9146)
  * integrations: Fix Dropped Test Errors (#9040)
  * services/mirror: fix dropped test errors (#9007)
  * Fix intermittent GPG Git test failure (#8968)
  * Update Github Migration Tests (#8893) (#8938)
  * Update heatmap fixtures to restore tests (#8615)
* TRANSLATION
  * Fix Korean locales (#9761) (#9780)
  * Fix placeholders in the error message (#9060)
  * Fix spelling of admin.users.max_repo_creation (#8934)
  * Improve german translation of homepage (#8549)
* BUILD
  * Fix webpack polyfills (#9735) (#9738)
  * Update gitea.com/macaron to 1.4.0 (#9608)
  * Upgrade lato fonts to v16. (#9498)
  * Update alpine to 3.11 (#9440)
  * Upgrade blevesearch (#9177)
  * Remove built js/css files from git (#9114)
  * Move semantic.dropdown.custom.js to webpack (#9064)
  * Check compiled files during build (#9042)
  * Enable lazy-loading of gitgraph.js (#9036)
  * Pack web_src/js/draw.js to public/js/index.js (#8975)
  * Modernize js and use babel (#8973)
  * Move index.js to web_src and use webpack to pack them (#8598)
  * Restrict modules/graceful to non-windows build and shim IsChild (#8537)
  * Upgrade gopkg.in/editorconfig/editorconfig-core-go.v1 (#8501)
* DOCS
  * Swagger info corrections (#9441) (#9558)
  * Add ALLOW_ONLY_EXTERNAL_REGISTRATION to config cheat sheet (#8986)
  * Rephrase comment about RuntimeDirectory option in systemd config (#8912)
  * Explicitly indicate the socket unit to use the service unit "gitea.service" (#8804)
  * Adjust the must-change-password help (#8755)
  * Add notice to docs for migrating from more recent versions of Gogs (#8724)
  * Add explicit info about customization of homepage (#8694)
  * Change external asciidoctor tool to embedded mode (#8677)
  * Add Docker fail2ban configuration (#8642)
  * Correct some outdated statements in the contributing guidelines (#8612)
  * Basic Design guidelines (describing different parts of the code) (#8601)
  * Display Gitea logo in Readme (#8592)
  * Fix building from source docs to ref AppWorkPath (#8567)
  * Update the provided gitea.service to mention socket activation (#8531)
  * Doc added how to setup email (#8520)
* MISC
  * Backport Locales [2020-01-14] (#9773)
  * Add translatable Powered by Gitea text in footer (#9600)
  * Add contrib/environment-to-ini (#9519)
  * Remove unnecessary loading of settings in update hook (#9496)
  * Update gitignore list (#9437)
  * Update license list (#9436)
  * Fix background reactions in the arc-green theme (#9421)
  * Update and fix chardet import (#9351)
  * Ensure LF on checkouts and in editors (#9259)
  * Fixed topics margin (#9248)
  * Add comment to exported function WindowsServiceName (make revive) (#9241)
  * Remove empty lines on issues/pulls page (#9232)
  * Fix Add Comment Button's "+" Position (#9140)
  * Add first issue comment hashtag (#9052)
  * Change some label colors (#9051)
  * Fix double scroll in branch dropdown (#9048)
  * Add comment highlight when target from url (#9047)
  * Update display of reactions to issues and comments (#9038)
  * Button tooltip formatting under Branches (#9034)
  * Allow setting default branch via API (#9030)
  * Update dashboard context for PR reviews (#8995)
  * Show repository size in repo home page and settings (#8940)
  * Allow to add and remove all repositories to/from team. (#8867)
  * Show due date in dashboard issues list (#8860)
  * Theme arc-green: reverse heatmap colors (#8840)
  * Project files table style update (#8757)
  * gitignore debugging file from vscode (#8740)
  * Add API for Issue set Subscription (#8729)
  * Make 100% width search bar (#8710)
  * Update color theme for heatmap (#8709)
  * Add margin to title_wip_desc (#8705)
  * Improve visibility of "Pending" indicator (#8685)
  * Improve accessibility of dropdown menus (#8638)
  * Make /users/{username}/repos list private repos the current user has access to (#8621)
  * Prevent .code-view from overriding font on icon fonts (#8614)
  * Add id references on all issue events to allow internal linking (#8608)
  * Upgrade xorm to v0.8.0 (#8536)
  * Upgrade gopkg.in/ini.v1 (#8500)
  * Update CodeMirror to version 5.49.0 (#8381)
  * Wiki editor: enable side-by-side button (#7242)
2020-02-13 22:23:19 +00:00
adam
101d1542df py-curl: updated to 7.43.0.5
PycURL 7.43.0.5:
This release fixes a build issue on recent Pythons on CentOS/RHEL distributions.

PycURL 7.43.0.4:
This release improves compatibility with Python 3.8 and removes support for Python 2 and Python 3.4. It also adds wolfSSL support and thread safety of the multi interface.
2020-02-13 19:07:04 +00:00
schmonz
6a66e46f5e Update to 3.20200202.3. From the changelog:
* highlight: Adapt to API change in highlight >= 3.51
* mdwn: Fix inverted footnote configuration when MultiMarkdown is
  enabled. Thanks, Giuseppe Bilotta
* Updated German basewiki and directives translation from Sebastian Kuhnert.
* Updated German program translation from Sebastian Kuhnert.

pkgsrc changes:

- Add 'ikiwiki-sudo' option for portable ikiwiki-mass-rebuild, on by default
2020-02-13 19:03:57 +00:00
gutteridge
222a21e580 firefox: as of version 73, cbindgen >= 0.12.0 is required 2020-02-13 04:36:02 +00:00
gutteridge
ea67cb83b4 firefox: as of version 73, Rust >= 1.39 is required 2020-02-13 04:07:20 +00:00
ryoon
6a3ab7ed38 firefox-l10n: Update to 73.0
* Sync with www/firefox-73.0
2020-02-12 16:38:06 +00:00
ryoon
35c8b2339d firefox: Update to 73.0
Changelog:
New
    Today's Firefox release includes two features that help users
    view and read website content more easily, quickly. Like all
    accessibility improvements, these features improve browsing
    for everyone.

	Firefox has offered a page zoom feature for more than a
	decade that allows users to set the zoom level on a per-site
	basis. For users who need to zoom most websites, having to
	adjust zoom for each new site can be an annoyance. To
	address this, we have implemented a new global default zoom
	level setting. This option is available in about:preferences
	under "Language and Appearance" and can be scaled up or
	down from 100% as needed and sets the default zoom level
	for all sites. Per-site zoom is still available to make
	adjustments to individual sites as needed.

	Many users with low vision rely on Windows' High Contrast
	Mode to make websites more readable. Traditionally, to
	increase the readability of text, Firefox has disabled
	background images when High Contrast Mode is enabled. With
	today's release of Firefox 73, we introduce a "readability
	backplate" solution which places a block of background
	color between the text and background image. Now, websites
	in High Contrast Mode are more readable without disabling
	background images.

Fixed
    Various security fixes.

    Improved audio quality when playing back audio at a faster or
    slower speed.

    Firefox will now only prompt you to save logins if a field in
    a login form was modified.

Changed
    WebRender will roll out to laptops with Nvidia graphics cards
    with drivers newer than 432.00, and screen sizes smaller than
    1920x1200

Security fixes:
#CVE-2020-6796: Missing bounds check on shared memory read in the parent process
#CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
#CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection
#CVE-2020-6799: Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
#CVE-2020-6800: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
#CVE-2020-6801: Memory safety bugs fixed in Firefox 73
2020-02-12 16:36:50 +00:00
fcambus
86e026afdd ruby-rouge: update to 3.16.0.
ChangeLog:

This release includes one new lexer: the Varnish lexer! We also have fixes
for the D, Java, Lua, NASM, Objective-C, PowerShell, Rust, Shell, TOML and
TypeScript lexers.
2020-02-12 14:04:02 +00:00
jperkin
1624a0d966 nginx: Add support for the slice module.
Patch provided by Brian Ewell in joyent/pkgsrc#240.
2020-02-12 11:32:53 +00:00
adam
3542cf9bcb py-bottle: updated to 0.12.18
0.12.18:
Unknown changes
2020-02-11 17:26:04 +00:00
adam
3c95f743a3 py-django-extensions: updated to 2.2.8
2.2.8
Changes:
 - Locale: zh_Hans, removed as it generated UnicodeDecodeError errors
2020-02-11 17:15:35 +00:00
adam
86eecb96a1 py-django-extensions: updated to 2.2.7
2.2.7
Changes:
- Improvement: shell_plus, always add manage.py basedir to path for notebook kernel
- Improvement: docs, add zh-Hans locale
- Improvement: runserver_plus, fix broken import for werkzeug v1.0.0
- Improvement: runserver_plus, fix always trying to load StaticFilesHandler
- Improvement: pipchecker, fix import of PipSession
2020-02-10 08:37:19 +00:00
mef
36f884f330 (www/R-crosstalk) Deleting, sorry, already exists at textproc 2020-02-09 01:27:07 +00:00
mef
c4debf4790 www/R-crosstalk: import R-crosstalk-1.0.0
Provides building blocks for allowing HTML widgets to communicate with
each other, with Shiny or without (i.e. static .html files). Currently
supports linked brushing and filtering.
2020-02-09 01:24:48 +00:00
kamil
ed5758f10b seamonkey: Workaround broken pthread_equal() usage
Switch to an internal version of pthread_equal() without sanity checks.

Problems detected on NetBSD 9.99.46.
2020-02-08 22:59:55 +00:00
kamil
413c45d780 Import patches/patch-nsprpub_pr_src_pthreads_ptsynch.c 2020-02-08 22:12:22 +00:00
kamil
b12d171a4d firefox: Workaround broken pthread_equal() usage
Switch to an internal version of pthread_equal() without sanity checks.

Problems detected on NetBSD 9.99.46.
2020-02-08 22:11:53 +00:00
kamil
fbf48b008c firefox68: Workaround broken pthread_equal() usage
Switch to an internal version of pthread_equal() without sanity checks.

Problems detected on NetBSD 9.99.46.
2020-02-08 22:06:38 +00:00
kamil
eebb3799db Remove leftover file from distinfo 2020-02-08 22:01:36 +00:00
kamil
cc60aab7de firefox60: Workaround broken pthread_equal() usage
Switch to an internal version of pthread_equal() without sanity checks.

Problems detected on NetBSD 9.99.46.
2020-02-08 21:54:30 +00:00
kamil
cfc5bd2013 Include patch-nsprpub_pr_src_pthreads_ptsynch.c 2020-02-08 21:47:42 +00:00
kamil
86f9c705f7 firefox52: Workaround broken pthread_equal() usage
Switch to an internal version of pthread_equal() without sanity checks.

Problems detected on NetBSD 9.99.46.
2020-02-08 21:44:59 +00:00
adam
86f45c1e6c py-wsproto: updated to 0.15.0
0.15.0:
* Drop support for Python 2. Please pin to ~= 0.14.0 if you support
  Python 2.
* Drop support for Python 3.5, meaning the minimum supported version
  is Python 3.6.1.
* Switch events to be dataclass based, otherwise the API is
  consistent.
* Add type hints throughout and support PEP 561 via a py.typed
  file. This should allow projects that use wsproto to type check their
  usage of wsproto.
* Bugfix prevent the test folder being installed as a package called
  test.
* Explicitly require Host header in handshake.
* Drop wsaccel support and utilise the aiohttp/@willmcgugan masking
  method. wsaccel is unmaintained and this new masking method is
  almost as quick.
2020-02-06 20:41:42 +00:00
adam
fb695df5a0 py-notebook: updated to 6.0.3
6.0.3
- Dependency updates to fix startup issues on Windows platform
- Add support for nbconvert 6.x
- Creation of recent tab
2020-02-06 15:47:32 +00:00
adam
ebbf5177f5 py-django2: updated to 2.2.10
Django 2.2.10 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
2020-02-04 17:25:05 +00:00
adam
13fb86956a py-django: updated to 1.11.28
Django 1.11.28 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
2020-02-04 17:23:11 +00:00
taca
765e06107d www/squid4: update to 4.10
pkgsrc changes: clean up PKG_OPTIONS and enable several backends default.

Quote from release announce:

This release is a security release resolving several issues found in
the prior Squid releases.

The major changes to be aware of:

 * SQUID-2020:1 Improper Input Validation issues in HTTP Request
   processing
   (CVE-2020-8449, CVE-2020-8450)

This issue allows attackers to perform denial of service on the
proxy and all clients using it.

This issue potentially allows attackers to bypass security access
controls in systems between client and proxy.

This issue potentially allows remote code execution under the
proxy low-privilege level. While restricted, it does have access
to a wide range of information about the network structure and
other clients using the proxy.

This issue is limited to Squid acting as a reverse-proxy. Some
effects also require allow_direct permissions.

See the advisory for updated patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>

Please note that NTLM is a deprecated authentication mechanism.
All users of this tool are advised to plan migration to
Negotiate/Kerberos authentication.

 * SQUID-2020:2 Information Disclosure issue in FTP Gateway.
   (CVE-2019-12528)

Certain FTP server responses can result in Squid revealing
random amounts of memory content from heap.

When Squid mempools feature is enabled the leak is limited to
lines in FTP directory listings, possibly from other clients.

When mempools is disabled the information may be anything from
the heap area including information from other processes on the
machine.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>

 * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
   (CVE-2020-8517)

This problem is limited to installations using the ext_lm_group_acl
binary (previously shipped as mswin_check_lm_group).

Due to incorrect input validation the NTLM authentication
credentials parser in ext_lm_group_acl may write to memory
outside the credentials buffer.

On systems with memory access protections this can result in
the helper process being terminated unexpectedly. Resulting
in Squid process also terminating and a denial of service for
all clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>

 * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size

This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
issue was incorrect memory alignment with certain cache sizes. This
Squid release now forces alignment of the critical rock page details.

 * Bug 4735: Truncated chunked responses cached as whole

This bug shows up as clients getting the cached truncated response
objects until the cache object expires or is force removed.

In absence of partial-object caching this Squid release treats
incomplete responses as non-cacheable and prevents the chunked encoding
terminator chunk being delivered to the active client(s).

 * Fix server_cert_fingerprint on cert validator-reported errors

This bug shows up as a server_cert_fingerprint ACL mismatch when
sslproxy_cert_error directive was applied to validation errors reported
by the certificate validator, because the ACL could not find the server
certificate.

  All users of Squid are urged to upgrade as soon as possible.
2020-02-04 03:03:48 +00:00
minskim
8ac172ac18 www/py-feedgen: Update to 0.9.0
This version fixes a DoS vulnerability (CVE-2020-5227).
2020-02-04 00:18:02 +00:00
adam
508f3e2c5b py-django-cms: updated to 3.7.1
3.7.1:
Added code of conduct reference file to the root directory
Moved contributing file to the root directory
Added better templates for new issue requests
Fixed a bug where creating a page via the cms.api.create_page ignores left/right positions.
Fixed documentation example for urls.py when using multiple languages.
Mark public static placeholder dirty when published.
Fixed a bug where request.current_page would always be the public page, regardless of the toolbar status (draft / live). This only affected custom urls from an apphook.
Fixed a bug where the menu would render draft pages even if the page on the request was a public page. This happens when a user without change permissions requests edit mode.
Fixed the 'urls.W001' warning with custom apphook urls
Prevent non-staff users from logging in with the django CMS toolbar
Added missing {% trans %} to toolbar shortcuts.
Fixed branch and release policy.
Improved and simplified permissions documentation.
Improved apphooks documentation.
Improved CMSPluginBase documentation.
Improved documentation related to nested plugins.
Updated installation tutorial.
Fixed a simple typo in the docstring for cms.utils.helpers.normalize_name.

3.7.0:
Introduced Django 2.2 support.
Introduced Python 3.7 support.
Fixed test suite.
Fixed override urlconf_module so that Django system checks don't crash.

3.6.0:
Removed the cms moderator command.
Dropped Django < 1.11 support.
Removed the translatable content get / set methods from CMSPlugin model.
Removed signal handlers for Page, Title, Placeholder and CMSPlugin models.
Moved Title.meta_description length restriction from model to form and increased its max length to 320 characters.
Added page_title parameter for cms.api.create_page() and cms.api.create_title().
Introduced Django 2.0 support.
Introduced Django 2.1 support.
2020-02-03 20:36:17 +00:00
adam
820eb6a68c py-djangocms-admin-style: updated to 1.5.0
1.5.0:
Added support for Django 3.0
Added support for Python 3.8

1.4.0:
Introduced support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Fixed screenshot tests for Django 2.1 and higher
Added new classifiers
2020-02-03 20:35:09 +00:00
adam
e2da930f72 reset revision 2020-02-03 20:04:57 +00:00
kleink
94c7dafb74 py-werkzeug (and py-werkzeug-docs): Update to 0.16.1.
Version 0.16.1
--------------

Released 2020-01-27

-   Fix import location in deprecation messages for subpackages.
    :issue:`1663`
-   Fix an SSL error on Python 3.5 when the dev server responds with no
    content. :issue:`1659`
2020-02-03 12:02:18 +00:00
nros
61b3b482b3 Update lighttpd to version 1.4.55
patch-src_fdevent__solaris__port.c was removed since what it solves is fixed
in this version.

Changes from 1.4.54

    [core] fix compile error on Solaris
    [core] attribute_pure
    [core] array-specialized buffer_caseless_compare()
    [core] specialized buffer_eq_*() for short strings
    [core] mark some more funcs w/ attribute_pure
    [core] use buffer_eq_icase* funcs
    [multiple] replace strcasecmp() on short strings
    [core] mark some more funcs w/ attribute_pure
    [mod_webdav] fix startup crash w/ multiple conds
    [core] cold func http_response_omit_header()
    [core] use buffer_eq_icase_ssn func
    [core] use buffer_eq_icase_ssn func
    [core] correct attribute_pure syntax
    [core] allocate unix socket paths with SUN_LEN()+1
    Use explicit_memset from NetBSD if available for safe_memclear
    Also use explicit_memset (NetBSD) with cmake, scons and meson
    [cmake]: enable CMAKE_POSITION_INDEPENDENT_CODE by default
    [core] improve http_headers[] data struct packing
    [core] fdevent_poll() is effective periodic timer
    [core] move con state handling to connections*.c
    [core] issue config error for invalid ‘:’
    [mod_deflate] fix choose encoding parse error
    [core] retry on some fdevent set/del temporary err
    [core] disable stat_cache FAM if FAM conn closed
    [mod_auth] http_auth_const_time_memeq improvement
    [build] prefer pkg-config for postgres
    [mod_authn_gssapi] 500 if fail to delegate creds
    [mod_authn_gssapi] option to store delegated creds
    [mod_webdav] fix file uploads > 128M
    [mod_auth] do not use quoted-string for algorithm
    [mod_auth] require digest uri= match original URI
    [mod_auth] Authentication-Info: nextnonce=…
    [mod_auth] http_auth_const_time_memeq_pad()
    [mod_auth] http_auth_const_time_memeq()
    [build] PGSQL_CFLAGS with pkg-config for postgres
    [core] avoid freeaddrinfo() on NULL ptr
    [core] reject WS following header field-name
    [core] reject Transfer-Encoding + Content-Length
    [mod_openssl] reject invalid ALPN
    [mod_accesslog] parse multiple cookies
    [core] Oracle Solaris does not have POLLRDHUP
    [multiple] address coverity warnings
    [core] preserve %2b and %2B in query string
    [core] fall back to accept() if accept4() EPERM
    [mod_auth] close connection after bad password
    [core] do not accept() > server.max-connections
    [core] save errno before logging if execve() fails
    [config] update /var/run → /run for systemd
    [core] Solaris has getloadavg in sys/loadavg.h
    [build] Fix build when using nested CMake
    [core] fix one-byte OOB read (underflow)
2020-02-03 11:08:06 +00:00
wiz
56835cb7e4 py-django*: mark as not for python 2.7 due to py-django-cms 2020-02-03 08:26:17 +00:00
wiz
62ee75ec45 py-django-cms: mark as not for python 2.7 due to py-django-formtools 2020-02-03 08:21:38 +00:00
bsiegert
f6baaa9181 Revbump all Go packages after go113 update. 2020-02-02 14:18:56 +00:00
markd
eb5d885910 khtml: autogen now uses json files 2020-02-02 11:00:05 +00:00
adam
cda7fc69ff py-django-sekizai: updated to 1.1.0
1.1.0:
Added support for Django 3.0
Added support for Python 3.8
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
Adapted README.rst instructions

1.0.0:
Added support for Django 1.11, 2.0, 2.1, and 2.2
Removed support for Django < 1.11
2020-02-02 06:47:17 +00:00
adam
7a3f762c34 py-django-formtools: updated to 2.2
2.2:
- Dropped testing for Django 1.8, 1.9, 1.10.
- Dropped support for Python 2.
- Added support for Django 2.1, 2.2, 3.0, and Python 3.7.
- Updated translations from Transifex.
2020-02-02 06:37:33 +00:00
adam
58baf4ade2 py-django-classy-tags: updated to 1.0.0
1.0.0:
Extended test matrix
Added isort and adapted imports
Adapted code base to align with other supported addons
Adapted README.rst instructions
Added support for Django 3.0
Added support for Python 3.8

0.9.0:
Added testing for Django 1.11, 2.0, and 2.1; and dropped testing for older versions.
Added support for Python 3.6
2020-02-02 06:33:09 +00:00
markd
07c0973cae kimagemapeditor: stay at version 19.08.3
newer versions need qt5-qtwebengine.
2020-02-02 03:09:00 +00:00
adam
b0bb4b99bc py-channels: updated to 2.4.0
2.4.0:
* Wraps session save calls in ``database_sync_to_async()``, for compatibility
  with Django 3.0's ``async_unsafe()`` checks.
* Drops compatibility with all Django versions lower than 2.2.
2020-02-01 20:41:42 +00:00
adam
6b86de7662 py-daphne: updated to 2.4.1
2.4.1:
* Avoids Twisted using the default event loop, for compatibility with Django
  3.0's ``async_unsafe()`` decorator in threaded contexts, such as using the
  auto-reloader.
2020-02-01 20:39:42 +00:00
adam
80efdfda0c py-WebOb: updated to 1.8.6
1.8.6:

Experimental Features

- The SameSite value now includes a new option named "None", this is a new
  change that was introduced in
  https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

  Please be aware that older clients are incompatible with this change:
  https://www.chromium.org/updates/same-site/incompatible-clients, WebOb does
  not enable SameSite on cookies by default, so there is no backwards
  incompatible change here.

- Validation of SameSite values can be disabled by toggling a module flag. This
  is in anticipation of future changes in evolving cookie standards.
  The discussion in https://github.com/Pylons/webob/pull/407 (which initially
  expanded the allowed options) notes the sudden change to browser cookie
  implementation details may happen again.

  In May 2019, Google announced a new model for privacy controls in their
  browsers, which affected the list of valid options for the SameSite attribute
  of cookies. In late 2019, the company began to roll out these changes to their
  browsers to force developer adoption of the new specification.
  See https://www.chromium.org/updates/same-site and
  https://blog.chromium.org/2019/10/developers-get-ready-for-new.html for more
  details on this change.
2020-01-29 22:47:02 +00:00
adam
9cc23be607 py-scrapy: updated to 1.8.0
Scrapy 1.8.0:

Highlights:
* Dropped Python 3.4 support and updated minimum requirements; made Python 3.8
  support official
* New :meth:`Request.from_curl <scrapy.http.Request.from_curl>` class method
* New :setting:`ROBOTSTXT_PARSER` and :setting:`ROBOTSTXT_USER_AGENT` settings
* New :setting:`DOWNLOADER_CLIENT_TLS_CIPHERS` and
  :setting:`DOWNLOADER_CLIENT_TLS_VERBOSE_LOGGING` settings
2020-01-29 22:06:30 +00:00
adam
0cd9298504 py-protego: added version 0.1.16
Protego is a pure-Python robots.txt parser with support for modern conventions.
2020-01-29 21:52:26 +00:00
adam
50edc16ee2 py-selenium: updated to 3.141.0
Selenium 3.141.0
* Bump version to a better approximation of Π
* Improved Test build targets
* fix os path in test for Windows
* use 'NUL' for /dev/null on Windows
* Update ctor docstrings to explain that a directory passed in is cloned.
* Allow passing of service_args to Safari.
* Remove element equals url
* Improved WebExtension support
2020-01-29 13:10:39 +00:00
markd
bcc5c0aea3 kf5: update to frameworks 5.66
build with qt5 5.14

All frameworks
  Port from QRegExp to QRegularExpression
  Port from qrand to QRandomGenerator
  Fix compilation with Qt 5.15 (e.g. endl is now Qt::endl,
   QHash insertMulti now requires using QMultiHash...)

Attica
  Don't use a verified nullptr as a data source
  Support multiple children elements in comment elements
  Set a proper agent string for Attica requests

Baloo
  Correctly report if baloo_file is unavailable
  Check cursor_open return value
  Initialise QML monitor values
  Move URL parsing methods from kioslave to query object

Breeze Icons
  Change XHTML icon to be a purple HTML icon
  Merge headphones and zigzag in the center
  Add application/x-audacity-project icon
  Add 32px preferences-system
  Add application/vnd.apple.pkpass icon
  icon for ktimetracker using the PNG in the app repo, to be replaced
  with real breeze SVG
  add kipi icon, needs redone as a breeze theme svg [or just kill off kipi]

Extra CMake Modules
  [android] Fix apk install target
  Support PyQt5 compiled with SIP 5

Framework Integration
  Remove ColorSchemeFilter from KStyle

KDE Doxygen Tools
  Display fully qualified class/namespace name as page header

KCalendarCore
  Improve README.md to have an Introduction section
  Make incidence geographic coordinate also accessible as a property
  Fix RRULE generation for timezones

KCMUtils
  Deprecate KCModuleContainer

KCodecs
  Fix invalid cast to enum by changing the type to int rather than enum

KCompletion
  Deprecate KPixmapProvider
  [KHistoryComboBox] Add method to set an icon provider

KConfig
  kconfig EBN transport protocol cleanup
  Expose getter to KConfigWatcher's config
  Fix writeFlags with KConfigCompilerSignallingItem
  Add a comment pointing to the history of Cut and Delete sharing a shortcut

KConfigWidgets
  Rename "Configure Shortcuts" to "Configure Keyboard Shortcuts"

KContacts
  Align ECM and Qt setup with Frameworks conventions
  Specify ECM dependency version as in any other framework

KCoreAddons
  Add KPluginMetaData::supportsMimeType
  [KAutoSaveFile] Use QUrl::path() instead of toLocalFile()
  Unbreak build w/ PROCSTAT: add missing impl. of KProcessList::processInfo
  [KProcessList] Optimize KProcessList::processInfo
  [KAutoSaveFile] Improve the comment in tempFileName()
  Fix KAutoSaveFile broken on long path

KDeclarative
  [KeySequenceHelper] Grab actual window when embedded
  Add optional subtitle to grid delegate
  [QImageItem/QPixmapItem] Don't lose precision during calculation

KFileMetaData
  Partial fix for accentuated characters in file name on Windows
  Remove unrequired private declarations for taglibextractor
  Partial solution to accept accentuated characters on windows
  xattr: fix crash on dangling symlinks

KIconThemes
  Set breeze as default theme when reading from configuration file
  Deprecate the top-level IconSize() function
  Fix centering scaled icons on high dpi pixmaps

KImageFormats
  pic: Fix Invalid-enum-value undefined behaviour

KIO
  [KFilePlacesModel] Fix supported scheme check for devices
  Embed protocol data also for Windows version of trash ioslave
  Adding support for mounting KIOFuse URLs for applications that don't use KIO
  Add truncation support to FileJob
  Deprecate KUrlPixmapProvider
  Deprecate KFileWidget::toolBar
  [KUrlNavigator] Add RPM support to krarc:
  KFilePlaceEditDialog: fix crash when editing the Trash place
  Add button to open the folder in filelight to view more details
  Show more details in warning dialog shown before starting a
  privileged operation
  KDirOperator: Use a fixed line height for scroll speed
  Additional fields such as deletion time and original path are now
  shown in the file properties dialog
  KFilePlacesModel: properly parent tagsLister to avoid memleak.
  HTTP ioslave: call correct base class in virtual_hook(). The
  base of HTTP ioslave is TCPSlaveBase, not SlaveBase
  Ftp ioslave: fix 4 character time interpreted as year
  Re-add KDirOperator::keyPressEvent to preserve BC
  Use QStyle for determining icon sizes

Kirigami
  ActionToolBar: Only show the overflow button if there are visible
  items in the menu
  Don't build and install app templates on android
  Don't hardcode the margin of the CardsListView
  Add support for custom display components to Action
  Let the other components grow if there's more things on the header
  Remove dynamic item creation in DefaultListItemBackground
  reintroduce the collapse button
  Show application window icon on AboutPage

KItemModels
  Add KColumnHeadersModel

KJS
  Added tests for Math.exp()
  Added tests for various assignment operators
  Test special cases of multiplicative operators (*, / and %)

KNewStuff
  Ensure the dialog title is correct with an uninitialised engine
  Don't show the info icon on the big preview delegate
  Support archive installs with adoption commands
  Send along the config name with requests

KPeople
  Expose enum to the metaobject compiler

KQuickCharts
  Also correct the shader header files
  Correct license headers for shaders

KService
  Deprecate KServiceTypeProfile

KTextEditor
  Add "line-count" property to the ConfigInterface
  Avoid unwanted horizontal scrolling

KWayland
  [plasmashell] Update docs for panelTakesFocus to make it generic
  [plasmashell] Add signal for panelTakesFocus changing

KXMLGUI
  KActionCollection: provide a changed() signal as a replacement for removed()
  Adjust keyboard shortcut configuration window's title

NetworkManagerQt
  Manager: add support for AddAndActivateConnection2
  cmake: Consider NM headers as system includes
  Sync Utils::securityIsValid with NetworkManager

Plasma Framework
  [ToolTip] Round position
  Enable wheel events on Slider {}
  Sync QWindow flag WindowDoesNotAcceptFocus to wayland plasmashell interface
  [calendar] Check out of bounds array access in QLocale lookup
  [Plasma Dialog] Use QXcbWindowFunctions for setting window types Qt
  WindowFlags doesn't know
  [PC3] Complete plasma progress bar animation
  [PC3] Only show progress bar indicator when the ends won't overlap
  [RFC] Fix Display Configuration icon margins
  [ColorScope] Work with plain QObjects again
  [Breeze Desktop Theme] Add monochrome user-desktop icon
  Remove default width from PlasmaComponents3.Button
  [PC3 ToolButton] Have the label take into account complementary color schemes
  Added background colors to active and inactive icon view

QQC2StyleBridge
  [ToolTip] Round position
  Update size hint when font changes

Solid
  Display first / in mounted storage access description
  Ensure mounted nfs filesystems matches their fstab declared counterpart

Sonnet
  The signal done is deprecated in favour of spellCheckDone, now correctly emitted

Syntax Highlighting
  LaTeX: fix brackets in some commands
  TypeScript: add "bigint" primitive type
  Python: improve numbers, add octals, binaries and "breakpoint" keyword
  SELinux: add "glblub" keyword and update permissions list
  Several enhancements to gitolite syntax definition
2020-01-29 11:49:22 +00:00
rillig
9637f7852e all: migrate homepages from http to https
pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
2020-01-26 17:30:40 +00:00
fox
17b19a0f0b www/cliqz: Adds support for wayland.
Should fix packaging issues due to missing wayland library.

Thanks to nia@
2020-01-25 17:12:17 +00:00
adam
0c62ccfc63 py-httplib2: updated to 0.17.0
0.17.0
feature: Http().redirect_codes set, works after follow(_all)_redirects check
This allows one line workaround for old gcloud library that uses 308
response without redirect semantics.
2020-01-25 12:45:47 +00:00
jperkin
982c63fe94 *: Remove obsolete BUILDLINK_API_DEPENDS.openssl. 2020-01-25 10:45:10 +00:00
jperkin
029d5cf9f7 squid4: Remove -Werror, violates at least -Wwrite-strings. 2020-01-23 14:49:09 +00:00
jperkin
4d20f59ec3 squid4: Don't unconditionally enable the ldap helper.
There is a package option for it, use it so that openldap is correctly
pulled in when enabled.
2020-01-23 14:47:56 +00:00
adam
a358a4e822 py-autobahn: updated to 20.1.2
20.1.2
fix: add python_requires>=3.5 to prevent installation on python 2

20.1.1
IMPORTANT: beginning release v20.1.1, Autobahn|Python only supports Python 3.5 or later.
fix: first part of cleaning up code, dropping Python 2 support
2020-01-23 14:33:18 +00:00
fox
f813fff767 www/cliqz: Updates to 1.32.1
Changes since 1.32.0:

Merge with Firefox 72.0.2
2020-01-23 08:47:26 +00:00
adam
5edf928eb6 py-django-extensions: updated to 2.2.6
2.2.6
Changes:
- Improvement: travis, update pypy and pypy3 versions
- Improvement: shell_plus, ability to print location/traceback besides sql
- Improvement: runserver_plus, ability to print location/traceback besides sql
- Improvement: UniqueFieldMixin, Support Django 2.2 UniqueConstraint.condition
- Improvement: DEFAULT_MYSQL_ENGINES, add mysql.connector.django
- Improvement: shell_plus, allow setting SHELL_PLUS="notebook"
- Improvement: shell_plus, add -c/--command to shell_plus mirroring django's shell command
- Fix: shell_plus, fix postgresql debug wrapper on django 3.0 or higher
- Fix: runserver_plus, fix postgresql debug wrapper on django 3.0 or higher
2020-01-22 21:20:28 +00:00
leot
9c06fb7595 webkit-gtk: Update to 2.26.3
pkgsrc changes:
 - Remove no longer needed
   patch-Source_WebKit_WebProcess_WebPage_CoordinatedGraphics_LayerTreeHost.h,

Changes:
2.26.3
======
  - Fix issues while trying to play a video on NextCloud.
  - Make sure the GL video sink uses a valid WebKit shared GL context.
  - Fix vertical alignment of text containing arabic diacritics.
  - Fix build with icu 65.1.
  - Fix page loading errors with websites using HSTS.
  - Fix web process crash when displaying a KaTeX formula.
  - Fix several crashes and rendering issues.
2020-01-22 20:04:30 +00:00
adam
4ad58a2fbd py-httplib2: updated to 0.16.0
0.16.0
IMPORTANT cache invalidation change, fix 307 keep method, add 308 Redirects
proxy: username/password as str compatible with pysocks
2020-01-22 19:34:52 +00:00
adam
80a26b9536 py-uvicorn: updated to 0.11.2
0.11.2
Don't open socket until after application startup.
Support --backlog.
2020-01-22 19:07:53 +00:00
ryoon
4c681b844d firefox68-l10n: Update to 68.4.2
* Sync with www/firefox68-68.4.2
2020-01-22 13:37:19 +00:00
ryoon
186e283185 firefox68: Update to 68.4.2
Changelog:
Fixed
    Fixed various issues opening files with spaces in their path (bug 1601905, bug 1602726)
2020-01-22 13:36:27 +00:00
ryoon
0a077f1a18 firefox-l10n: Update to 72.0.2
* Sync with www/firefox-72.0.2
2020-01-22 13:35:21 +00:00
ryoon
30bb4656b8 firefox: Update to 72.0.2
Changelog:
Fixed
    Various stability fixes

    Fixed issues opening files with spaces in their path (bug 1601905)

    Fixed a hang opening about:logins when a master password is set (bug 1606992)

    Fixed a web compatibility issue with CSS Shadow Parts which shipped in Firefox 72 (bug 1604989)

    Fixed inconsistent playback performance for fullscreen 1080p videos on some systems (bug 1608485)
2020-01-22 13:34:26 +00:00
fox
ad50f03ab6 www/cliqz: Updates to 1.32.0
- Bumps versions of dependencies.

Changes (since 1.32.0):

Cliqz Browser release 1.32.0 includes the improvements of Firefox’s latest
versions 71.0 and 72.0.1 with additional Cliqz improvements and bug fixes.

Improvements

    * Cliqz got updated to Firefox 71.0 and 72.0.1 with various improvements and
      fixes.
    * The built-in security add-on HTTPS Everywhere got updated to the latest
      version 2019.11.7.

Fixes

    * For some users, YouTube stopped working in Cliqz Browser until they
      cleared their cookies and cache. These cookie related issues have been
      fixed.
    * Sometimes the onboarding was shown again and again. Now you’ll only see it
      after the first start of the browser.
    * Recommended add-ons like Ghostery or LastPass could not be installed
      anymore. These add-ons can now be installed again.
    * We made sure that Cliqz Tab doesn’t show up in the history item list
      anymore.
    * If you right-clicked on the Cliqz icon in the Windows taskbar and selected
      the task "Open new tab" in the Jump List, it could happen that instead of
      Cliqz Tab only a blank page appeared. This has been fixed.
2020-01-22 10:36:24 +00:00
adam
30832601ee py-urllib3: updated to 1.25.8
1.25.8:
* Drop support for EOL Python 3.4
* Optimize _encode_invalid_chars
2020-01-22 08:54:30 +00:00
nia
95f5d18884 epiphany: Downgrade to 3.34.3.1
leot correctly points out that 3.35 is a development branch.
2020-01-21 15:44:32 +00:00
nia
850fe127da epiphany: Update to 3.35.2
Updated to gtk 3 / GNOME 3 version / recentish webkit.

This is one minor version away from the latest version, but nevertheless
a large improvement - we need a small webkit-gtk bump (ping leot :)).
2020-01-21 15:02:07 +00:00
nia
fd29c4da35 firefox: Remove dropped patch properly. 2020-01-20 21:40:57 +00:00
ryoon
860f97f78d php-nextcloud: Update to 18.0.0
Changelog:
Nextcloud Hub is the first completely integrated on-premises content
collaboration platform on the market, ready for a new generation
of users who expect seamless online collaboration capabilities out
of the box.

With this release, we made a change to what we ship. Nextcloud 17
is now Nextcloud Hub 18. Nextcloud Hub comes with a number of new
apps which get installed by default on installation (but not shipped
as part of the tarball/zip). Nextcloud 17 users can just upgrade
as usual to 18, we encourage you to install the new and improved
apps like Talk, Calendar, Mail, ONLYOFFICE and more. You will get
notified of this recommendation on upgrade!

As this is a major release, the changelog is too long to put here.
Users can look at github milestones to find what has been merged.
2020-01-20 17:54:48 +00:00
adam
9e22a36d8f py-httpx: updated to 0.11.1
0.11.1:
Fixed
* Fixed usage of `proxies=...` on `Client()`.
* Support both `zlib` and `deflate` style encodings on `Content-Encoding: deflate`.
* Fix for streaming a redirect response body with `allow_redirects=False`.
* Handle redirect with malformed Location headers missing host.
2020-01-20 11:50:48 +00:00
fcambus
e1d63edd90 ruby-rouge: update to 3.15.0.
ChangeLog:

This release includes three new lexers: FreeFEM, GHC and Objective-C++.
Thanks to contributions from the community, we also have fixes for the
Console, Jinja, LLVM, Python, Rust and Swift lexers. Finally, you should
now be able to pass 'false' as an option after a fix to how CGI-style
options are parsed.
2020-01-19 21:34:57 +00:00
fcambus
76da42dd0f logswan: update to 2.1.3.
Logswan 2.1.3 (2020-01-17)

- Add a new test target, to test log processing
- Move printed statistics after the actual output
- Use OpenBSD style(9) for function prototypes and declarations
- Remove seccomp mention in README as it is currently disabled by default
2020-01-19 21:03:59 +00:00
maya
25acf4336b Rename EFFECTIVE_MAKE_JOBS -> _MAKE_JOBS_N, suggested by gdt.
I am under the impression we use _THING to mean "defined by the
implementation", which would be similar to the C meaning of __ prefix,
rather than "private to this file".
2020-01-19 18:20:45 +00:00
maya
012c313037 Make cargo packages respect MAKE_JOBS 2020-01-19 16:52:46 +00:00
nia
4dd07bca69 www: Remove drivel.
Old GNOME 2 LiveJournal client.

The upstream maintainer (Niel Williams) requested its removal from Debian
in 2014 due to no longer using it or being interested in developing it.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742348
2020-01-19 12:52:02 +00:00
pho
191c507e39 Add hs-xss-sanitize 2020-01-19 10:50:21 +00:00
pho
6f194288ef Import xss-sanitize-0.3.6
Run untrusted HTML through Text.HTML.SanitizeXSS.sanitizeXSS to
prevent XSS attacks.
2020-01-19 10:49:46 +00:00
taca
7873930571 www/Makefile: add and enable ruby-http-parser 2020-01-19 08:50:01 +00:00
taca
0c67e337d6 www/ruby-http-parser: add version 1.2.1 package
Add ruby-http-parser version 1.2.1 package.

# http-parser

Ruby FFI bindings to [http-parser](https://github.com/joyent/http-parser).
2020-01-19 08:49:21 +00:00
taca
68a66555b7 www/Makefile: add and enable ruby-http-accept 2020-01-19 08:23:48 +00:00
taca
5e06332b88 www/ruby-http-accept: add version 2.1.1 package
Add ruby-http-accept version 2.1.1 package.

# HTTP::Accept

Provides a robust set of parsers for dealing with HTTP Accept,
Accept-Language, Accept-Encoding, Accept-Charset headers.

## Motivation

I've been developing some tools for building RESTful endpoints and part of
that involved versioning.  After reviewing the options, I settled on using
the Accept: application/json;version=1 method as outlined here.

The version=1 part of the media-type is a parameter as defined by RFC7231
Section 3.1.1.1.  After reviewing several existing different options for
parsing the Accept: header, I noticed a disturbing trend: header.split(',').
Because parameters may contain quoted strings which contain commas, this is
clearly not an appropriate way to parse the header.

I am concerned about correctness, security and performance.  As such, I
implemented this gem to provide a simple high level interface for both
parsing and correctly interpreting these headers.
2020-01-19 08:23:06 +00:00
kim
87073399cb Mention CVE-2019-20372 in the patch file as well. 2020-01-19 07:42:42 +00:00
kim
4d9f03d01e Add patch from upstream to address CVE-2019-20372. Bump revision. 2020-01-19 07:28:36 +00:00
rillig
b686dd9180 all: migrate several HOMEPAGEs to https
pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.
2020-01-18 23:30:43 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
nia
0f6e9cf269 gitea: Update to 1.10.3
## [1.10.3](https://github.com/go-gitea/gitea/releases/tag/v1.10.3) - 2020-01-17
* SECURITY
  * Hide credentials when submitting migration (#9102) (#9704)
  * Never allow an empty password to validate (#9682) (#9684)
  * Prevent redirect to Host (#9678) (#9680)
  * Hide public repos owned by private orgs (#9609) (#9616)
* BUGFIXES
  * Allow assignee on Pull Creation when Issue Unit is deactivated (#9836) (#9838)
  * Fix download file wrong content-type (#9825) (#9835)
  * Fix wrong identify poster on a migrated pull request when submit review (#9827) (#9831)
  * Fix dump non-exist log directory (#9818) (#9820)
  * Fix compare (#9808) (#9815)
  * Fix missing msteam webhook on organization (#9781) (#9795)
  * Fix add team on collaborator page when same name as organization (#9783)
  * Fix cache problem on dashboard (#9358) (#9703)
  * Send tag create and push webhook when release created on UI (#8671) (#9702)
  * Branches not at ref commit ID should not be listed as Merged (#9614) (#9639)
2020-01-18 15:33:09 +00:00
nia
f3b1ccd463 firefox: Remove remaining traces of OSS support.
We no longer patch this in but it's still searching for the files if
you're using something FreeBSDish or Linuxish. This should resolve build
problems on these platforms.

On NetBSD this problem never appeared because it's been using native audio
instead of OSS for a while now.

from Michael Forney in PR pkg/54868
2020-01-18 15:32:40 +00:00
pho
c8646e4bee Add hs-http-client-tls 2020-01-17 15:18:37 +00:00
pho
f2ad791ce1 Import http-client-tls-0.3.5.3
Support for making connections via the connection package and, in
turn, the tls package suite.
2020-01-17 15:17:55 +00:00
pho
30898bd858 Add hs-http-client 2020-01-16 13:38:02 +00:00
pho
c7f1a105a9 Import http-client-0.6.4
An HTTP client engine, intended as a base layer for more user-friendly
packages.

This codebase has been refactored from http-conduit.

Note that, if you want to make HTTPS secure connections, you should
use http-client-tls in addition to this library.
2020-01-16 13:37:14 +00:00
nia
f0d8e65861 www: Add firefox-esr
This package has an explicit dependency on the latest Extended Support
Release version of the Mozilla Firefox web browser. In case there are multiple
versions available, this package points to the most recent available version.

It is intended to allow easy upgrades to the most recent ESR release.
2020-01-15 20:42:10 +00:00
pho
128680431e Add hs-http-types 2020-01-15 18:14:37 +00:00
pho
09e9b800e1 Import http-types-0.12.3 from wip
Generic HTTP types for Haskell (for both client and server code).
2020-01-15 18:14:05 +00:00
pho
08a0224c6e Add hs-cookie 2020-01-15 16:56:25 +00:00
pho
ad3d4ed2b5 Import cookie-0.4.5
HTTP cookie parsing and rendering
2020-01-15 16:55:54 +00:00
ryoon
84d2934e05 firefox: Allow hardware acceleration up to 4K UHD resolution
Bump PKGREVISION.
2020-01-15 10:50:37 +00:00
adam
84bf84d172 py-httpx: updated to 0.11.0
0.11.0:

The 0.11 release reintroduces our sync support, so that `httpx` now supports both a standard thread-concurrency API, and an async API.

Existing async `httpx` users that are upgrading to 0.11 should ensure that:

* Async codebases should always use a client instance to make requests, instead of the top-level API.
* The async client is named as `httpx.AsyncClient()`, instead of `httpx.Client()`.
* When instantiating proxy configurations use the `httpx.Proxy()` class, instead of the previous `httpx.HTTPProxy()`. This new configuration class works for configuring both sync and async clients.

We believe the API is now pretty much stable, and are aiming for a 1.0 release sometime on or before April 2020.

Changed
- Top level API such as `httpx.get(url, ...)`, `httpx.post(url, ...)`, `httpx.request(method, url, ...)` becomes synchronous.
- Added `httpx.Client()` for synchronous clients, with `httpx.AsyncClient` being used for async clients.
- Switched to `proxies=httpx.Proxy(...)` for proxy configuration.
- Network connection errors are wrapped in `httpx.NetworkError`, rather than exposing lower-level exception types directly.

Removed
- The `request.url.origin` property and `httpx.Origin` class are no longer available.
- The per-request `cert`, `verify`, and `trust_env` arguments are escalated from raising errors if used, to no longer being available. These arguments should be used on a per-client instance instead, or in the top-level API.
- The `stream` argument has escalated from raising an error when used, to no longer being available. Use the `client.stream(...)` or `httpx.stream()` streaming API instead.

Fixed
- Redirect loop detection matches against `(method, url)` rather than `url`.
2020-01-14 16:10:53 +00:00
adam
766e3d7201 py-paste: updated to 3.2.6
3.2.6:
* Correctly handle HEAD requests (to send empty body) when gzip
  encoding requested.

3.2.4
* Use is_alive instead of isAlive for Python 3.9 compatibility.
* Use encodebytes instead of deprecated encodestring.
* Fix Python 2 and 3 compatibility for base64.
2020-01-14 16:07:22 +00:00
adam
47f6b0c50a py-test-django: updated to 3.8.0
3.8.0:
* Make Django's assertion helpers available in pytest_django.asserts.
* Report django-configurations setting
2020-01-14 16:05:04 +00:00
ryoon
8a88a65ae9 apache-tomcat9: Update to 9.0.30
Changelog:
Tomcat 9.0.30 (markt)
Catalina

    Add: 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
    Fix: 63964: Correct a regression in the static resource caching changes introduced in 9.0.28. URLs constructed from URLs obtained from the cache could not be used to access resources. (markt)
    Fix: 63970: Correct a regression in the static resource caching changes introduced in 9.0.28. Connections to URLs obtained for JAR resources could not be cast to JarURLConnection. (markt)
    Add: 63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
    Fix: 63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
    Fix: 63981: Allow multiple calls to Registry.disableRegistry() without the second and subsequent calls triggering the logging of a warning. Based on a patch by Andy Wilkinson. (markt)
    Fix: 63982: CombinedRealm makes assumptions about principal implementation (michaelo)
    Fix: 63983: Correct a regression in the static resource caching changes introduced in 9.0.28. A large number of file descriptors were opened that could reach the OS limit before being released by GC. (markt)
    Update: 63987: Deprecate Realm.getRoles(Principal). (michaelo)
    Code: Add a unit test for the session FileStore implementation and refactor loops in FileStore to use the ForEach style. Pull request provided by Govinda Sakhare. (markt)
    Update: Moved server-side include (SSI) module into a separate JAR library. (schultz)
    Fix: Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)

Coyote

    Fix: Fix endpoint closeSocket and destroySocket discrepancies, in particular in the APR connector. (remm)
    Fix: Harmonize maxConnections default value to 8192 across all connectors. (remm)
    Fix: 63931: Improve timeout handling for asyncIO to ensure that blocking operations see a SocketTimeoutException if one occurs. (remm/markt)
    Fix: 63932: By default, do not compress content that has a strong ETag. This behaviour is configurable for the HTTP/1.1 and HTTP/2 connectors via the new Connector attribute noCompressionStrongETag. (markt)
    Fix: 63949: Fix non blocking write problems with NIO due to the need for a write loop. (remm)
    Fix: Simplify regular endpoint writes by removing write(Non)BlockingDirect. All regular writes will now be buffered for a more predictable behavior. (remm)
    Fix: Send an exception directly to the completion handler when a timeout exception occurs for the operation, and add a boolean to make sure the completion handler is called only once. (remm/markt)

WebSocket

    Fix: Ensure a couple of very unlikely concurrency issues are avoided when writing WebSocket messages. (markt)

Web applications

    Fix: Fix the broken re-try link on the error page for the FORM authentication example in the JSP section of the examples web application. (markt)
    Add: Improvements to CsrfPreventionFilter: additional logging, allow the CSRF nonce request parameter name to be customized. (schultz)
    Fix: Correct the documentation for the maxConnections attribute of the Connector in the documentation web application. (markt)
    Add: Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions. (markt)

Other

    Fix: Correct the fix for 63815 (quoting the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused various regressions, particularly with daemon.sh. (markt)
    Update: Update the OWB module to Apache OpenWebBeans 2.0.13. (remm)
    Update: Support Java 11 in Graal Native Images with Graal 19.3+. (remm)
    Add: Expand the search made by the Windows installer for a suitable Java installation to include the 64-bit JDK registry entries and the JAVA_HOME environment variable. Pull request provided by Alexander Norz. (markt)
    Add: Expand the coverage of the Korean translations provided with Apache Tomcat. (woonsan)
    Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
    Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by lins and 磊. (markt)
    Add: Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, 6.4.2-dev). Code clean-up only. (markt)
    Add: Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
    Add: Update the internal fork of Apache Commons FileUpload to 2317552 (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
    Add: Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06, 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt)
    Add: Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06, 2.7.1-SNAPSHOT). Minor refactoringremote RMI registry creation. (remm)
    Add: Improvement to CsrfPreventionFilter: expose the latest available nonce as a request attribute; expose the expected nonce request parameter name as a context attribute. (schultz)

Coyote

    Add: 63835: Add suormance of the HTTP and AJP connectors if socket.txBufSize is configured with an explicit value rather than using the JVM default. (markt)

Other

    Fix: Improve OWB module based using custom shade appender. (remm)
    Fix: Add security filter in OWB mo error occurs on stop. (remm)
    Add: Add more details on the usage of RewriteMap functionality in the RewriteValve. (fschumacher)
    Fix: 63836 Ensure that references to the Host object are cleared once the Host instance is destroyed. (markt)
    Fix:  static files (including JSP files) goes via the cache so that a consistent view of the static files is seen. Prior to this change it was possible to see an updated last modified time but the content would be that prior to the modification. (markt)
    Update: 63905 Clean up Tomcat CSS. (michaelo)
    Fix: 63909: When the ExpiresFilter is used without a default and the response is served by the Default Servlet, ensure that the filter processes the response if the Default Servlet sets a 304 (Not Found) status code. (markt)

Coyote

    Fix: Ensure that ServletRequest.isAsyncStarted() returns false once AsyncContext.complete() or AsyncContext.dispatch() has been called during AsyncListener.onTimeout() or AsyncListener.onError(). (markt)
    Fix: 63816 and 63817: Correctly handle I/O errors after asynchronous processing has been started but before the container thread that started asynchronous processing has completed processing the current request/response. (markt)
    Fix: 63825: When processing the Expect and Connection HTTP headers looking for a specific token, be stricter in ensuring that the exact token is present. (markt)
    Fix: 63829: Improve the check of the Content-Encoding header when looking to see if Tomcat is serving pre-compressed content. Ensure that only a full token is matched and that the match is case insensitive. (markt)
    Fix: 63864: Refactor parsing of the transfer-encoding request header to use the shared parsing code and reduce duplication. (markt)
    Fix: 63865: Add Unset option to same-site cookies and pass through None value if set by user. Patch provided by John Kelly. (markt)
    Fix: 63879: Remove stack trace from debug logging on socket wrapper close. (remm)
    Update: Add connection tracking on the connector endpoint to remove excessive concurrency in the protocol handler when maintaining an association between the socket wrapper and its current processor. (remm)
    Fix: 63894: Ensure that the configured values for certificateVerification and certificateVerificationDepth are correctly passed to the OpenSSL based SSLEngine implementation. (remm/markt)
    Fix: Improve cleanup after errors when setting socket options. (remm)
    Fix: Do not perform a blocking read after a CPING message is received by the AJP connector because, if the JK Connector is configured with ping_mode="I", the CPING message will not always be followed by the start of a request. (markt)
    Fix: Properly calculate all dynamic parts of the ErrorReportValve response on the fly in org.apache.coyote.http2.TestHttp2InitialConnection. (michaelo)

Jasper

    Fix: 63897: Capture the timestamp of a JSP for the purposes of modification tracking before the JSP is compiled to prevent a race condition if the JSP is modified during compilation. Patch provided by Karl von Randow. (markt)
    Fix: Fix a race condition that could mean changes to a modified JSP were not visible to end users. (markt)

WebSocket

    Fix: 63913: Wrap any NullPointerExceptions thrown by the Inflater or Deflater used by the PerMessageDeflate extension in an IOException so that the error can be caught and handled by the WebSocket error handling mechanism. (markt)

Web applications

    Fix: Correct the description of the default value for the server attribute in the security How-To. (markt)

Other

    Fix: 63815: Quote the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *. Note that any newlines present in CATALINA_OPTS and/or JAVA_OPTS will no longer be removed. (markt)
    Fix: 63826: Remove commons-daemon-native.tar.gz and tomcat-native.tar.gz from the binary zip distributions for Windows since compiled versions of those components are already included within the zip distributions. (markt)
    Fix: 63838: Suppress reflexive access warnings when running the unit tests on the command line. (markt)
    Fix: Add missing charsets from the HPE JVM on HP-UX to pass unit tests in org.apache.tomcat.util.buf.TestCharsetCache. (michaelo)
    Update: Update the CXF module to Apache CXF 3.3.4. (remm)
    Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
    Add: Expand the coverage and quality of the Japanese translations provided with Apache Tomcat. Patch provided by motohashi.yuki. (markt)
    Add: Expand the coverage and quality of the Simplified Chinese translations provided with Apache Tomcat. Contributions provided by rpo130, Mason Shen, leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and Yanming Zhou. (markt)
    Add: Expand the coverage and quality of the Brazilian Portuguese translations provided with Apache Tomcat. Patch provided by Danielamorais. (markt)

2019-10-11 Tomcat 9.0.27 (markt)
Catalina

    Fix: Correct a regression introduced in 9.0.25 that prevented configuration files from being loaded from the class path. (markt)

Coyote

    Fix: Use URL safe base 64 encoding rather than standard base 64 encoding when generating or parsing the HTTP2-Settings header as part of an HTTP upgrade to h2c as required by RFC 7540. (markt)
    Fix: 63765: NIO2 should try to unwrap after TLS handshake to avoid edge cases. (remm)
    Fix: 63766: Ensure Processor objects are recycled when processing an HTTP upgrade connection that terminates before processing switches to the Processor for the upgraded protocol. (markt)
    Fix: Fix a memory leak introduced by the HTTP/2 timeout refactoring in 9.0.23 that could occur when HTTP/2 or WebSocket was used. (markt)

Jasper

    Update: Update to the Eclipse JDT compiler 4.13. (markt)
    Fix: Add GraalVM specific ELResolver to avoid BeanInfo use in BeanElResolver if possible, as it needs manual reflection configuration. (remm)
    Fix: 63781: When performing various checks related to the visibility of classes, fields and methods in the EL implementation, also check that the containing module has been exported. (markt)

Web Socket

    Fix: 63753: Ensure that the Host header in a Web Socket HTTP upgrade request only contains a port if a non-default port is being used. (markt)
    Fix: When running on Java 9 and above, don't attempt to instantiate WebSocket Endpoints found in modules that are not exported. (markt)

Web Applications

    Add: Add base GraalVM documentation. (remm)
    Add: Add Javadoc for the Common Annotations API implementation. (markt)
    Fix: Correct various typos in the comments, error messages and Javadoc. Patch provided by 康智冬. (markt)

jdbc-pool

    Fix: When connections are validated without an explicit validation query, ensure that any transactions opened by the validation process are committed. Patch provided by Pascal Davoust. (markt)

Other

    Code: Deprecate org.apache.tomcat.util.compat.TLS. Its functionality was only used for unit tests in org.apache.tomcat.util.net.TesterSupport and has been moved there. (rjung)
    Fix: 63759: When installing Tomcat with the Windows installer, grant sufficient privileges to enable the uninstaller to execute when user account control is active. (markt)
    Add: Use a build property to define the minimum supported Java version and use that build property to reduce the number of edits required to update the minimum supported Java version. (markt)
    Update: Update the OWB module to Apache OpenWebBeans 2.0.12. (remm)
    Update: Update the CXF module to Apache CXF 3.3.3. (remm)
    Update: 63767: Update to Commons Daemon 1.2.2. This corrects a regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows Service to crash on start when running on an operating system that had not been fully updated. (markt)
2020-01-13 07:48:10 +00:00
ryoon
f3a0dc7657 apache-tomcat85: Update to 8.5.50
Changelog:
Tomcat 8.5.50 (markt)
Catalina

    Add: Improvements to CsrfPreventionFilter: additional logging, allow the CSRF nonce request parameter name to be customized. (schultz)
    Add: 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
    Fix: 63964: Correct a regression in the static resource caching changes introduced in 9.0.28. URLs constructed from URLs obtained from the cache could not be used to access resources. (markt)
    Fix: 63968: Fix ClassCastException in the Expires filter which was a regression in the fix for 63909. (markt)
    Fix: 63970: Correct a regression in the static resource caching changes introduced in 9.0.28. Connections to URLs obtained for JAR resources could not be cast to JarURLConnection. (markt)
    Add: 63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
    Fix: 63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
    Fix: 63982: CombinedRealm makes assumptions about principal implementation (michaelo)
    Fix: 63983: Correct a regression in the static resource caching changes introduced in 9.0.28. A large number of file descriptors were opened that could reach the OS limit before being released by GC. (markt)
    Update: 63987: Deprecate Realm.getRoles(Principal). (michaelo)
    Code: Add a unit test for the session FileStore implementation and refactor loops in FileStore to use the ForEach style. Pull request provided by Govinda Sakhare. (markt)
    Fix: Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)

Coyote

    Code: Refactor the APR poller to always use a single pollset now that the Windows operating systems that required multiple smaller pollsets to be used are no longer supported. (markt)
    Update: Add vectoring for NIO in the base and SSL channels. (remm)
    Add: Add async API to the NIO and APR connector. (remm)
    Fix: 63931: Improve timeout handling for asyncIO to ensure that blocking operations see a SocketTimeoutException if one occurs. (remm/markt)
    Fix: 63932: By default, do not compress content that has a strong ETag. This behaviour is configurable for the HTTP/1.1 and HTTP/2 connectors via the new Connector attribute noCompressionStrongETag. (markt)
    Fix: Simplify regular endpoint writes by removing write(Non)BlockingDirect. All regular writes will now be buffered for a more predictable behavior. (remm)
    Fix: Send an exception directly to the completion handler when a timeout exception occurs for the operation, and add a boolean to make sure the completion handler is called only once. (remm/markt)

WebSocket

    Fix: Ensure a couple of very unlikely concurrency issues are avoided when writing WebSocket messages. (markt)

Web applications

    Fix: Fix the broken re-try link on the error page for the FORM authentication example in the JSP section of the examples web application. (markt)
    Fix: Correct the documentation for the maxConnections attribute of the Connector in the documentation web application. (markt)
    Add: Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions. (markt)

Other

    Fix: Correct the fix for 63815 (quoting the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused various regressions, particularly with daemon.sh. (markt)
    Add: Expand the search made by the Windows installer for a suitable Java installation to include the 64-bit JDK registry entries and the JAVA_HOME environment variable. Pull request provided by Alexander Norz. (markt)
    Add: Expand the coverage of the German translations provided with Apache Tomcat. Contribution provided by Jens. (markt)
    Add: Expand the coverage of the French translations provided with Apache Tomcat. (remm)
    Add: Expand the coverage of the Japanese translations provided with Apache Tomcat. (markt)
    Add: Expand the coverage of the Korean translations provided with Apache Tomcat. (woonsan)
    Add: Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by lins and 磊. (markt)
    Add: Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, 6.4.2-dev). Code clean-up only. (markt)
    Add: Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
    Add: Update the internal fork of Apache Commons FileUpload to 2317552 (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
    Add: Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06, 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt)
    Add: Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06, 2.7.1-SNAPSHOT). Minor refactoring. (markt)

2019-11-21 Tomcat 8.5.49 (markt)
Catalina

    Fix: Correption when using a RequestDispatcher. (markt)
    Add: Improvement to CsrfPreventionFilter: expose the latest available nonce as a request attribute; expose the expected nonce request parameter name as a context attribute. (schultz)

not released Tomcat 8 63872: Fix some edge cases where the docBase was not being set using a canonical path which in turn meant resource URLs were not being constructed as expected. (markt)
    Fix: Make a best effort attempt to clean-up if a request fails during processing dle to see an updated last modified time but the content would be that prior to the modification. (markt)
    Update: 63905 Clean up Tomcat CSS. (michaelo)
    Fix: 63909: When the ExpiresFilter is used without a default and the response is served by the D sets a 304 (Not Found) status code. (markt)
    Fix: Update the Servlet 4 preview API to reflect changes made to the API in the final release. Note that this preview API has been deprecated for over a year and may be removed as soon as the next 8.5.x release. (markt)
    Fix: Refactor JMX remote RMI registry creation. (remm)

Coyote

    Fix: Ensure that ServletRequest.isAsyncStarted() returns false once AsyncContext.complete() or AsyncContext.dispatch() has been called during AsyncListener.onTimeout() or AsyncListener.onError(). (markt)
    Fix: 63816 and 63817: Correctly handle I/O errors after asynchronous processing has been started but before the container thread that started asynchronous processing has completed processing the current request/response. (markt)
    Fix: 63825: When processing the Expect and Connection HTTP headers looking for a specific token, be stricter in ensuring that the exact token is present. (markt)
    Fix: 63829: Improve the check of the Content-Encoding header when looking to see if Tomcat is serving pre-compressed content. Ensure that only a full token is matched and that the match is case insensitive. (markt)
    Add: 63835: Add support for Keep-Alive response header. (michaelo)
    Fix: 63864: Refactor parsing of the transfer-encoding request header to use the shared parsing code and reduce duplication. (markt)
    Fix: 63865: Add Unset option to same-site cookies and pass through None value if set by user. Patch provided by John Kelly. (markt)
    Fix: 63894: Ensure that the configured values for certificateVerification and certificateVerificationDepth are correctly passed to the OpenSSL based SSLEngine implementation. (remm/markt)
    Fix: Do not perform a blocking read after a CPING message is received by the AJP connector because, if the JK Connector is configured with ping_mode="I", the CPING message will not always be followed by the start of a request. (markt)
    Fix: Properly calculate all dynamic parts of the ErrorReportValve response on the fly in org.apache.coyote.http2.TestHttp2InitialConnection. (michaelo)

Jasper

    Fix: 63897: Capture the timestamp of a JSP for the purposes of modification tracking before the JSP is compiled to prevent a race condition if the JSP is modified during compilation. Patch provided by Karl von Randow. (markt)
    Fix: Fix a race condition that could mean changes to a modified JSP were not visible to end users. (markt)

WebSocket

    Fix: 63913: Wrap any NullPointerExceptions thrown by the Inflater or Deflater used by the PerMessageDeflate extension in an IOException so that the error can be caught and handled by the WebSocket error handling mechanism. (markt)

Web applications

    Fix: Correct the description of the default value for the server attribute in the security How-To. (markt)

Other

    Fix: 63815: Quote the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *. Note that any newlines present in CATALINA_OPTS and/or JAVA_OPTS will no longer be removed. (markt)
    Fix: 63826: Remove commons-daemon-native.tar.gz and tomcat-native.tar.gz from the binary zip distributions for Windows since compiled versions of those components are already included within the zip distributions. (markt)
    Fix: 63838: Suppress reflexive access warnings when running the unit tests on the command line. (markt)
    Fix: Add missing charsets from the HPE JVM on HP-UX to pass unit tests in org.apache.tomcat.util.buf.TestCharsetCache. (michaelo)
    Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
    Add: Expand the coverage and quality of the Korean translations provided with Apache Tomcat. (woonsan)
    Add: Expand the coverage and quality of the Simplified Chinese translations provided with Apache Tomcat. Contributions provided by rpo130, Mason Shen, leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and Yanming Zhou. (markt)

2019-10-11 Tomcat 8.5.47 (markt)
Coyote

    Fix: Use URL safe base 64 encoding rather than standard base 64 encoding when generating or parsing the HTTP2-Settings header as part of an HTTP upgrade to h2c as required by RFC 7540. (markt)
    Fix: 63765: NIO2 should try to unwrap after TLS handshake to avoid edge cases. (remm)
    Fix: 63766: Ensure Processor objects are recycled when processing an HTTP upgrade connection that terminates before processing switches to the Processor for the upgraded protocol. (markt)

Jasper

    Fix: 63781: When performing various checks related to the visibility of classes, fields and methods in the EL implementation, also check that the containing module has been exported. (markt)

Web Socket

    Fix: 63753: Ensure that the Host header in a Web Socket HTTP upgrade request only contains a port if a non-default port is being used. (markt)
    Fix: When running on Java 9 and above, don't attempt to instantiate WebSocket Endpoints found in modules that are not exported. (markt)

Web Applications

    Docs: Add Javadoc for the Common Annotations API implementation. (markt)

jdbc-pool

    Fix: When connections are validated without an explicit validation query, ensure that any transactions opened by the validation process are committed. Patch provided by Pascal Davoust. (markt)

Other

    Code: Deprecate org.apache.tomcat.util.compat.TLS. Its functionality was only used for unit tests in org.apache.tomcat.util.net.TesterSupport and has been moved there. (rjung)
    Fix: 63759: When installing Tomcat with the Windows installer, grant sufficient privileges to enable the uninstaller to execute when user account control is active. (markt)
    Add: Use a build property to define the minimum supported Java version and use that build property to reduce the number of edits required to update the minimum supported Java version. (markt)
    Update: 63767: Update to Commons Daemon 1.2.2. This corrects a regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows Service to crash on start when running on an operating system that had not been fully updated. (markt)
2020-01-13 07:45:20 +00:00
ryoon
3f6a6845e9 apache-tomcat7: Update to 7.0.99
Changelog:
Tomcat 7.0.99 (violetagg)

    Catalina

        add	63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and friends. (michaelo)
        add	63937: Add a new attribute to the standard Authenticator implementations, allowCorsPreflight, that allows the Authenticators to be configured to allow CORS preflight requests to bypass authentication as required by the CORS specification. (markt)
        fix	63939: Correct the same origin check in the CORS filter. An origin with an explicit default port is now considered to be the same as an origin without a default port and origins are now compared in a case-sensitive manner as required by the CORS specification. (markt)
        fix	63950: Fix timing issue in TestAsyncContextStateChanges test that caused it to hang indefinitely. (markt)
        fix	63982: CombinedRealm makes assumptions about principal implementation (michaelo)
        code	Add a unit test for the session FileStore implementation and refactor loops in FileStore to use the ForEach style. Pull request provided by Govinda Sakhare. (markt)
        fix	Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)
        update	Do not store username and password as session notes during authentication if they are not needed. (kkolinko)

    Coyote

        fix	63932: By default, do not compress content that has a strong ETag. This behaviour is configurable for the HTTP/1.1 connectors via the new Connector attribute noCompressionStrongETag. (markt)

    WebSocket

        fix	Ensure a very unlikely concurrency issue is avoided when writing WebSocket messages. (markt)

    Web applications

        add	Add the ability to set and display session attributes in the JSP FORM authentication example to demonstrate session persistence across restarts for authenticated sessions. (markt)

    Other

        fix	Correct the fix for 63815 (quoting the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused various regressions, particularly with daemon.sh. (markt)
        add	Expand the search made by the Windows installer for a suitable Java installation to include the 64-bit JDK registry entries and the JAVA_HOME environment variable. Pull request provided by Alexander Norz. (markt)
        add	Expand the coverage of the German translations provided with Apache Tomcat. Contribution provided by Jens. (markt)
        add	Expand the coverage of the French translations provided with Apache Tomcat. (remm)
        add	Expand the coverage of the Japanese translations provided with Apache Tomcat. (markt)
        add	Expand the coverage of the Korean translations provided with Apache Tomcat. (woonsan)
        add	Expand the coverage of the Chinese translations provided with Apache Tomcat. Contributions provided by lins and 磊. (markt)
        add	Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, 6.4.2-dev). Code clean-up only. (markt)
        add	Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
        add	Update the internal fork of Apache Commons FileUpload to 2317552 (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)

Tomcat 7.0.98 (violetagg)	not released

    Catalina

        fix	63832: Properly mark container as FAILED when a JVM error occurs on stop. (remm)
        fix	Make a best efforts attempt to clean-up if a request fails during processing due to an OutOfMemoryException. (markt)
        update	63905 Clean up Tomcat CSS. (michaelo)
        fix	Refactor JMX remote RMI registry creation. (remm)

    Coyote

        fix	63814: Do not set server socket timeout with negative values in NIO. (remm)
        fix	Ensure that ServletRequest.isAsyncStarted() returns false once AsyncContext.complete() or AsyncContext.dispatch() has been called during AsyncListener.onTimeout() or AsyncListener.onError(). (markt)
        fix	63816 and 63817: Correctly handle I/O errors after asynchronous processing has been started but before the container thread that started asynchronous processing has completed processing the current request/response. (markt)
        fix	63825: When processing the Expect and Connection HTTP headers looking for a specific token, be stricter in ensuring that the exact token is present. (markt)
        fix	63829: Improve the check of the Content-Encoding header when looking to see if Tomcat is serving pre-compressed content. Ensure that only a full token is matched and that the match is case insensitive. (markt)
        fix	63836: Ensure that the memory reserved for the OOME parachute is released when the NIO endpoint is stopped. (markt)
        fix	63864: Refactor parsing of the transfer-encoding request header to use the shared parsing code and reduce duplication. (markt)
        code	Refactor the APR poller to always use a single pollset now that the Windows operating systems that required multiple smaller pollsets to be used are no longer supported. (markt)

    Jasper

        fix	63897: Capture the timestamp of a JSP for the purposes of modification tracking before the JSP is compiled to prevent a race condition if the JSP is modified during compilation. Patch provided by Karl von Randow. (markt)
        fix	Fiible to end users. (markt)

    WebSocket

        fix	63913: Wrap any NullPointerExceptions thrown by the Inflater or Deflater used by the PerMessageDeflate extension in an IOException so that the error can be caught and handled by the WebSocket error hanion web application. (markt)

    Other

        fix	63815: Quote the use of CATALINA_OPTS and JAVA_OPTS when used in shell scripts to avoid the expansion of *. Note that any newlines present in CATALINA_OPTS and/or JAVA_OPTS will no longer removed. (marke generification of the copied Commons DBCP 1.x code that caused a NullPointerException if a DataSource was configured with a database that did not exist. Patch provided by Guoxiong Li. (markt)
        fix	63838: Suppress reflexive access warnings when ruhe French translations provided with Apache Tomcat. (remm)
        add	Expand the coverage and quality of the Korean translations provided with Apache Tomcat. (woonsan)
        add	Expand the coverage and quality of the Simplified Chinese translations proeader to the RemoteIpFilter and RemoteIpValve. (markt)
        add	62496: Add option to write auth information (remote user/auth type) to response headers. (michaelo)
        fix	63550: Only try the alternateURL in the JNDIRealm if one has been specified.
        update	63627: Implement more fine-grained handling in RealmBase.authenticate(GSSContext, boolean). (michaelo)
        fix	Avoid a NullPointerException in the CrawlerSessionManagerValve if no ROOT Context is deployed and a request does not map to any of the other deployed Contexts. Patch provided by Jop Zinkweg. (markt)
        fix	63636: Context.findRoleMapping() never called in StandardWrapper.findSecurityReference(). (michaelo)
        fix	Fix a crash on shutdown with the APR/native connector when a blocking I/O operation was still in progress when the connector stopped. (markt)
        fix	63684: Wrapper never passed to RealmBase.hasRole() for given security constraints. (michaelo)
        fix	Avoid a potential NullPointerException on Service stop if a Service is embedded directly (i.e. with no Server) in an application and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt)
        add	Add a new PropertySource implementation, EnvironmentPropertySource, that can be used to do property replacement in configuration files with environment variables. Based on a pull request provided by Thomas Meyer. (markt)
        fix	63758: Include the XML schema for the tomcat-users.xml file in the binary distributions. (markt)
        fix	63778: When running on Java 7, use the correct signature to look up the DatabaseMetaData.getPseudoColumns() method and avoid the NullPointerExceptions caused by using the wrong method. Add error logging to detect similar bugs. Based on a pull request by liguoxiong. (markt)

    Coyote

        fix	63571: Use the implementation default for JSSE TLS session cache size. (markt)
        fix	63578: Improve handling of invalid requests so that 400 responses are returned to the client rather than 500 responses. (markt)
        code	Remove the code in the sendfile poller that ensured smaller pollsets were used with older, no longer supported versions of Windows that could not support larger pollsets. (markt)
        fix	63737: Correct various issues when parsing the accept-encoding header to determine if gzip encoding is supported including only parsing the first header found. (markt)
        fix	63766: Ensure Processor objects are recycled when processing an HTTP upgrade connection that terminates before processing switches to the Processor for the upgraded protocol. (markt)

    Jasper

        fix	63781: When performing various checks related to the visibility of classes, fields and methods in the EL implementation, also check that the containing module has been exported. (markt)

    Web Socket

        fix	63753: Ensure that the Host header in a Web Socket HTTP upgrade request only contains a port if a non-default port is being used. (markt)
        fix	When running on Java 9 and above, don't attempt to instantiate WebSocket Endpoints found in modules that are not exported. (markt)

    Web applications

        fix	Correct the source code links on the index page for the ROOT web application to point to Git rather than Subversion. (markt)
        fix	Fix various issues with the Javadoc generated for the documentation web application to enable release builds to be built with Java 10 onwards. (markt)
        fix	Fix a large number of Javadoc and documentation typos. Patch provided by KangZhiDong. (markt)
        fix	Spelling and formatting corrections for the cluster how-to. Pull request provided by Bill Mitchell. (markt)
        docs	Add Javadoc for the Common Annotations API implementation. (markt)

    jdbc-pool

        fix	When connections are validated without an explicit validation query, ensure that any transactions opened by the validation process are committed. Patch provided by Pascal Davoust. (markt)

    Other

        fix	55620: Partial fix. Prevent Tomcat from starting when $CATALINA_HOME and/or $CATALINA_BASE contains a semi-colon on Windows or a colon on Linux/FreeBSD/etc. (markt)
        fix	62140: Additional usage documentation in comments for catalina.[bat|sh]. (markt)
        add	63285: Add an option to service.bat so that when installing a Windows service, the name of the executables used by the Windows service may be changed to match the service name. This makes the installation behaviour consistent with the Windows installer. The original executable names will be restored when the Windows service is removed. The renaming can be enabled by using the new --rename option after the service name. (markt)
        update	63625: Update to Commons Daemon 1.2.1. This corrects several regressions in Commons Daemon 1.2.0, most notably the Windows Service crashing on start when using 32-bit JVMs. (markt)
        update	63634: Align setproxy target in build.xml with 8.5/9.0. (michaelo)
        add	Limit the default JPDA (remote debugging interface) listen address to localhost:8000. (markt)
        update	Tighten up the default file permissions for the .tar.gz distribution so no files or directories are world readable by default. Configure Tomcat to run with a default umask of 0027 which may be overridden by setting UMASK in setenv.sh. (markt)
        fix	Allow customization of service.bat, such as heap memory size, service startup mode and JVM args. (isapir)
        update	Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to pick up the fix for CODEC-134. (markt)
        update	63648: Update the test TLS keys and certificates used in the test suite to replace the keys and certificates that are about to expire. (markt)
        fix	Back-port various corrections and improvements to the English versions of the i18n messages. (markt)
        fix	Back-port various corrections and improvements to the Spanish i18n messages. (markt)
        fix	Back-port various corrections and improvements to the French i18n messages. (markt)
        fix	Back-port various corrections and improvements to the Japanese i18n messages. (markt)
        fix	Back-port various corrections and improvements to the Russian i18n messages. (markt)
        add	Include the available German translations in the standard Tomcat distribution. Back-port additions and updates to the German i18n messages. (markt)
        add	Add Korean translations to the standard Tomcat distribution. (markt)
        add	Add simplified Chinese translations to the standard Tomcat distribution. (markt)
        fix	Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. (fschumacher)
        fix	Remove unused i18n messages and associated translations. Patch provided by KangZhiDong. (markt)
        code	Deprecate org.apache.tomcat.util.compat.TLS. Its functionality was only used for unit tests in org.apache.tomcat.util.net.TesterSupport and has been moved there. (rjung)
        fix	When performing a silent install with the Windows Installer, ensure that the registry entries are added to the 64-bit registry when using a 64-bit JVM. (markt)
        fix	63759: When installing Tomcat with the Windows installer, grant sufficient privileges to enable the uninstaller to execute when user account control is active. (markt)
        add	Use a build property to define the minimum supported Java version and use that build property to reduce the number of edits required to update the minimum supported Java version. (markt)
        update	63767: Update to Commons Daemon 1.2.2. This corrects a regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows Service to crash on start when running on an operating system that had not been fully updated. (markt)

Tomcat 7.0.96 (violetagg)	released 2019-07-29

    Catalina

        fix	63579: Correct parsing of malformed OPTIONS requests and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

    Coyote

        fix	Correct parsing of invalid host names that contain bytes in the range 128 to 255 and reject them with a 400 response rather than triggering an internal error that results in a 500 response. (markt)

    WebSocket

        fix	Correct a regression that prevented a default Tomcat 7 install from starting on Java 6. (markt)

    Other

        add	Enable the unit tests to execute in parallel. (markt)

Tomcat 7.0.95 (violetagg)	not released

    Catalina

        add	43548: Add an XML schema for the tomcat-users.xml file. (markt)
        fix	63324: Refactor the CrawlerSessionManagerValve so that the object placed in the session is compatible with session serialization with mem-cached. Patch provided by Martin Lemanski. (markt)
        fix	63531: Refactor authenticators so that the session last accessed time is not updated if the cache attribute is set to false and FORM authentication is not being used. (markt)
        add	63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter (michaelo)
        fix	Fix a potential resource leak when executing CGI scripts from a WAR file. Identified by Coverity scan. (markt)
        fix	Fix a potential concurrency issue in the StringCache identified by Coverity scan. (markt)
        fix	Fix a potential concurrency issue in the main Sendfile thread of the APR connector. Identified by Coverity scan. (markt)
        fix	Fix a potential resource leak on some exception paths in the DataSourceRealm. Identified by Coverity scan. (markt)
        fix	Fix a potential resource leak on an exception path when parsing JSP files. Identified by Coverity scan. (markt)
        fix	Fix a potential resource leak when a JNDI lookup returns an object of an incompatible class. Identified by Coverity scan. (markt)
        code	Refactor ManagerServlet to avoid loading classes when filtering JNDI resources for resources of a specified type. (markt)
        fix	Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
        fix	Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. (markt)
        fix	Avoid potential NullPointerException when generating an HTTP Allow header. Identified by Coverity Scan. (markt)
        add	Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error. (markt)
        update	Modify the Default and WebDAV Servlets so that a 405 status code is returned for PUT and DELETE requests when disabled via the readonly initialisation parameter.
        fix	Align the contents of the Allow header with the response code for the Default and WebDAV Servlets. For any given resource a method that returns a 405 status code will not be listed in the Allow header and a method listed in the Allow header will not return a 405 status code. (markt)
        fix	Correct two failing tests from the Litmus test suite for WebDAV when copying/moving a file over a collection. (markt)
        update	Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
        fix	If an unhandled exception occurs on an asynchronous thread started via AsyncContext.start(Runnable), process it using the standard error page mechanism. (markt)

    Coyote

        code	Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
        fix	Fix to avoid the possibility of long poll times for individual pollers when using multiple pollers with APR. (markt)
        fix	Refactor the fix for 63205 so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. (markt)

    Jasper

        add	Include file names in error messages if SMAP processor is unable to delete or rename a class file during SMAP generation. (markt)
        fix	Improvements to varargs handling in the Java UEL implementation. (markt)

    Cluster

        fix	62841: Refactor the DeltaRequest serialization to reduce the window during which the DeltaSession is locked and to remove a potential cause of deadlocks during serialization. (markt)
        fix	63441: Further streamline the processing of session creation messages in the DeltaManager to reduce the possibility of a session update message being processed before the session has been created. (markt)

    WebSocket

        fix	63521: As required by the WebSocket specification, if a POJO that is deployed as a result of the SCI scan for annotated POJOs is subsequently deployed via the programmatic API ignore the programmatic deployment. (markt)

    Tribes

        fix	Treat NoRouteToHostException the same way as SocketTimeoutException when checking the health of group members. This avoids a SEVERE log message every time the check is performed when the host associated with a group member is not powered on. (markt)

    Other

        fix	55969: Tighten up the security of the Apache Tomcat installation created by the Windows installer. Change the default shutdown port used by the Windows installer from 8005 to -1 (disabled). Limit access to the chosen installation directory to local administrators, Local System and Local Service. (markt)
        add	59871: Add a property (timeFormat) to JULI's OneLineFormatter to enable the format of the time stamp used in log messages to be configured. (markt)
        update	63310: Update to Commons Daemon 1.2.0. This provides improved support for Java 11. This also changes the user configured by the Windows installer for the Windows service from Local System to the lower privileged Local Service. (markt)
        fix	63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
        fix	When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
        fix	Use the test command to check for terminal availability rather than the tty command since the tty based test fails on non-English locales. Patch provided by Radosław Józwik. (markt)
        update	Update JUnit to version 4.12. (markt)
        update	Update optional WSDL dependency to 1.6.3. (markt)
        update	Update Checkstyle to version 8.22. (markt)

Tomcat 7.0.94 (markt)	released 2019-04-12

    Catalina

        fix	63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
        add	63206: Add a new attribute to Context - createUploadTargets which, if true enables Tomcat to create the temporary upload location used by a Servlet if the location specified by the Servlet does not already exist. The default value is false. (markt)
        fix	63213: Ensure the correct escaping of group names when searching for nested groups when the JNDIRealm is configured with roleNested set to true. (markt)
        fix	63235: Refactor Charset cache to reduce start time. (markt)
        fix	63236: Use String.intern() as suggested by Phillip Webb to reduce memory wasted due to String duplication. This change saves ~245k when starting a clean installation. With additional thanks to YourKit Java profiler for helping to track down the wasted memory and the root causes. (markt)
        fix	63246: Fix a potential NullPointerException when calling AsyncContext.dispatch(). (markt)
        fix	63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
        fix	63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
        fix	When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
        fix	63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
        fix	Ensure that the JarScanner correctly tests whether JARs found on the class path should be skipped when running on Java 9 or later. (markt)
        fix	63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
        fix	63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
        fix	63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
        fix	Encode the output of the SSI printenv command. This is the fix for CVE-2019-0221. (markt)
        code	Use constants for SSI encoding values. (markt)
        add	When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
        add	When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)
        update	Change the default for the enableCmdLineArguments parameter of the CGI servlet from true to false as additional hardening against CVE-2019-0232. (markt)

    Coyote

        fix	63194: Fix failing unit test so TLS1.3 client authentication tests work correctly when using Java 11 onwards and the APR/Native connector. (markt)
        add	63205: Add a work-around for a known JRE KeyStore loading bug. (markt)

    Jasper

        add	Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
        add	Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will be used. Based on a patch by Thomas Collignon. (markt)

    Web applications

        fix	63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)

    jdbc-pool

        fix	63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)

    Other

        code	Copy Apache Commons DBCP 1.4 and Apache Commons Pool 1.5.7 source code into the Tomcat 7.0.x tree to enable additional fixes to be pulled in. (markt)
        fix	Update the copy of Apache Commons DBCP 1.4.x and Apache Commons pool 1.5.x to the latest source code as of 2019-03-15 to pick up multiple bug fixes including 58338. (markt)
        code	Update the copy of Apache Commons Pool to 1.6.x to pick up the generics changes. (markt)
        add	Add JDBC 4.1 support to the default database connection pool provided by Tomcat. (markt)
        update	Switch from Checkstyle to the JRE6 backport and update to version 8.17. This allows Tomcat 7 to use the newer configuration format (required by Gump that uses the latest Checkstyle snapshot) while still building with Java 6. (markt)
2020-01-13 07:37:46 +00:00
joerg
722b8e6f0b Fix build with OpenSSL 1.1. Drop SSL2 logic. 2020-01-12 23:01:38 +00:00
joerg
aecba5244c Fix ctype use and parallel build. 2020-01-12 23:01:05 +00:00
plunky
30821a29e9 fix spelling 2020-01-12 21:35:54 +00:00
ryoon
eedd1e806f *: Recursive revbump from devel/boost-libs 2020-01-12 20:19:52 +00:00
gutteridge
c6b2955d29 firefox: update PLIST.debug for 72.0.1
One file name changed amongst the extra files generated when the full
debugging option is set.
2020-01-11 20:38:32 +00:00
pho
ec9d97e0c3 Remove dependency on devel/hs-mtl and devel/hs-parsec
They are now part of GHC.
2020-01-11 10:25:05 +00:00
ryoon
364cd9f0d6 firefox68-l10n: Update to 68.4.1
* Sync with www/firefox68-l10n.
2020-01-11 02:40:53 +00:00
khorben
ef50746475 deforaos-surfer: update to 0.3.0
Changes since 0.2.10:
- Defaults to Gtk+ 3 (like libDesktop)
- Add support for IPv6
2020-01-10 23:28:46 +00:00
joerg
02ec44ab77 Fix kqueue fallout on NetBSD current. 2020-01-10 21:22:22 +00:00
joerg
d1bdce1239 Enable all options by default, at least devel/ocaml-git requires lwt
support. Bump revision.
2020-01-10 21:19:20 +00:00
bsiegert
5220c156ea Revbump Go packages after Go default version bump. 2020-01-10 13:32:09 +00:00
gutteridge
2ba4ba468e firefox: update minimum dependency versions for 72.0.1
NSPR >= 4.24 and NSS >= 3.48 are now required. (Rust is unchanged at
>= 1.37.)
2020-01-10 07:21:08 +00:00
nia
7cac75a743 firefox68: Update to 68.4.1
This release fixes one zero-day vulnerability:

CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.
We are aware of targeted attacks in the wild abusing this flaw
2020-01-09 20:51:59 +00:00
ryoon
5464a3c5b3 firefox-l10n: Update to 72.0.1
* Sync with www/firefox-72.0.1
2020-01-09 15:07:41 +00:00
ryoon
d80a635060 firefox: Update to 72.0.1
Changelog:
72.0.1
Security fixes:
#CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

72.0
New
    Firefox’s Enhanced Tracking Protection marks a major new
    milestone in our battle against cross-site tracking: we now
    block fingerprinting scripts by default for all users, taking
    a new bold step in the fight for our users’ privacy.

    Firefox replaces annoying notification request pop-ups with a
    more delightful experience, by default for all users. The
    pop-ups no longer interrupt your browsing, in its place, a
    speech bubble will appear in the address bar when you interact
    with the site.

    Picture-in-picture video is now also available in Firefox for
    Mac and Linux: Select the blue icon from the right edge of a
    video to pop open a floating window so you can keep watching
    while working in other tabs or apps. Learn how the feature
    works.

Security fixes:
#CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
#CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
#CVE-2019-17017: Type Confusion in XPCVariant.cpp
#CVE-2019-17018: Windows Keyboard in Private Browsing Mode may retain word suggestions
#CVE-2019-17019: Python files could be inadvertently executed upon opening a download
#CVE-2019-17020: Content Security Policy not applied to XSL stylesheets applied to XML documents
#CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
#CVE-2019-17022: CSS sanitization does not escape HTML tags
#CVE-2019-17023: NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sent
#CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
#CVE-2019-17025: Memory safety bugs fixed in Firefox 72
2020-01-09 15:06:28 +00:00
wiz
78444582ff *: py-cachetools only supports python 3.x now, pass down to dependencies 2020-01-09 14:21:06 +00:00
ng0
e563b66bfb www/nsm: Update to version 2.0.1
Changelog picked from https://github.com/nifty-site-manager/nsm/releases:

Nift (aka nsm) v2.0.1
* fixed bug when cloning a website repository from an empty directory
  (and any other similar bugs from using remove_path where remove_file
  is more appropriate, ie. when creating temporary text files)

Nift (aka nsm) v2.0
* changed @inputcontent to @content()
* changed @inputraw(file-path) to @input{raw}(file-path)
* added if-exists/raw option to @input(file-path) and @content()
* added file/name options to @pathto
* changed @userin(msg) to @in(msg) and @userfilein(msg) to @in{from-file}(msg)
* added if-exists/inject/raw/content options to @script/@System
* changed from using @[varname] and @{varname} to @[varname] and
  @<varname> when printing variables
* changed to @funcname{options}(params) for function call syntax
* changed from using * option to parse params to {!p} option to
  NOT parse function name, options and params
* changed from using ^ option to not backup scripts to {!bs} option
* added read_params
* fixed up read_def and read_func_name
* fixed multi-line comments
2020-01-09 11:28:37 +00:00
nia
927240ffa0 firefox68: Update to 68.4.0
Security Vulnerabilities fixed in Firefox ESR 68.4:

# CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
# CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
# CVE-2019-17017: Type Confusion in XPCVariant.cpp
# CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
# CVE-2019-17022: CSS sanitization does not escape HTML tags
# CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
2020-01-08 21:49:32 +00:00
adam
430b11aa06 py-nevow: updated to 0.14.5
0.14.5:
Unknown changes.
2020-01-08 21:37:58 +00:00
adam
4ce66cca11 py-beautifulsoup4: updated to 4.8.2
4.8.2:

* Added Python docstrings to all public methods of the most commonly
  used classes.

* Added a Chinese translation by Deron Wang and a Brazilian Portuguese
  translation by Cezar Peixeiro to the repository.

* Fixed two deprecation warnings.

* The html.parser tree builder now correctly handles DOCTYPEs that are
  not uppercase.

* PageElement.select() now returns a ResultSet rather than a regular
  list, making it consistent with methods like find_all().
2020-01-08 21:08:26 +00:00
adam
6c919fafb3 py-websocket-client: updated to 0.57.0
0.57.0
- wsdump: Fix --headers option
- Fix getting 400 bad request with long proxy authorization string
- Fix for errors that occur when closing websocket from another thread
- avoid calling repr(data) if tracing is not enabled
- Fixed typo
- Create dummy `ssl` object
- Show compressed text messages in wsdump.py
- Resolve issue opening socket to intranet on Windows 10 with no proxy settings but behind proxy
- Expose http connection header to user
- Improve the readability of HTTP status codes.
- fix the compatible issue with gevent+dnspython
- v should be checked for empty string before splitting it
- _handshake: hasattr checks on six before accessing the values
2020-01-08 21:05:56 +00:00
adam
859bfdf42d py-sanic: updated to 19.12.2
Version 19.12.0

Bugfixes

Fix blueprint middleware application

Currently, any blueprint middleware registered, irrespective of which blueprint was used to do so, was being applied to all of the routes created by the @app and @blueprint alike.

As part of this change, the blueprint based middleware application is enforced based on where they are registered.

* If you register a middleware via @blueprint.middleware then it will apply only to the routes defined by the blueprint.
* If you register a middleware via @blueprint_group.middleware then it will apply to all blueprint based routes that are part of the group.
* If you define a middleware via @app.middleware then it will be applied on all available routes

Fix url_for behavior with missing SERVER_NAME

If the SERVER_NAME was missing in the app.config entity, the url_for on the request and app were failing due to an AttributeError. This fix makes the availability of SERVER_NAME on our app.config an optional behavior.

Improved Documentation

Move docs from RST to MD

Moved all docs from markdown to restructured text like the rest of the docs to unify the scheme and make it easier in the future to update documentation.

Fix documentation for get and getlist of the request.args

Add additional example for showing the usage of getlist and fix the documentation string for request.args behavior

Version 19.6.3

Enable Towncrier Support
As part of this feature, towncrier is being introduced as a mechanism to partially automate the process of generating and managing change logs as part of each of pull requests.

Improved Documentation
Documentation infrastructure changes
Enable having a single common CHANGELOG file for both GitHub page and documentation
Fix Sphinx deprecation warnings
Fix documentation warnings due to invalid rst indentation
Enable common contribution guidelines file across GitHub and documentation via CONTRIBUTING.rst

Version 19.6.2

Features
* Remove aiohttp dependency and create new SanicTestClient based upon requests-async
* Added ASGI support (Beta)
* Add Configure support from object string

Bugfixes
* Add missing handle for Expect header.
* Allow to disable Transfer-Encoding: chunked.
* Fix graceful shutdown.
* Strict Slashes behavior fix

Deprecations and Removals
* Drop dependency on distutil
* Drop support for Python 3.5
* Deprecate route removal.

Warning
Sanic will not support Python 3.5 from version 19.6 and forward. However, version 18.12LTS will have its support period extended thru December 2020, and therefore passing Python's official support version 3.5, which is set to expire in September 2020.
2020-01-08 21:03:21 +00:00
adam
0147ee151e py-uvicorn: added version 0.11.1
Uvicorn is a lightning-fast ASGI server implementation, using uvloop and
httptools.

Until recently Python has lacked a minimal low-level server/application
interface for asyncio frameworks. The ASGI specification fills this gap, and
means we're now able to start building a common set of tooling usable across
all asyncio frameworks.
2020-01-08 20:58:29 +00:00
adam
52960aaa31 py-httpx: added version 0.10.1
HTTPX is a fully featured HTTP client for Python 3, which provides sync and
async APIs, and support for both HTTP/1.1 and HTTP/2.
2020-01-08 20:54:27 +00:00
adam
a44726522c py-hstspreload: added version 2020.1.7
The package provides a single function: in_hsts_preload() which takes an
IDNA-encoded host and returns either True or False regarding whether that host
should be only accessed via HTTPS.
2020-01-08 20:53:28 +00:00
adam
aef670509b py-rfc3986: added version 1.3.2
rfc3986 is a Python implementation of RFC 3986 including validation and
authority parsing. This module also supports RFC 6874 which adds support for
zone identifiers to IPv6 Addresses.
2020-01-08 19:58:20 +00:00
adam
d2455280ab py-django-treebeard: updated to 4.3.1
Release 4.3.1:
* Added check to avoid unnecessary database query for ``MP_Node.get_ancestors()``
  if the node is a root node.
* Drop support for Python-3.4.
* Play more nicely with other form classes, that implement ``__init__(self, *args, **kwargs)``,
  e.g. django-parler's ``TranslatableModelForm``, where `kwargs.get('instance')` is ``None``
  when called from here.
* Sorting on path on necessary queries, fixes some issues and stabilizes the whole MP section.
* Add German translation strings.
2020-01-08 19:10:04 +00:00
adam
6df34aa823 py-h2: updated to 3.1.1
3.1.1:

Bugfixes
- Ignore WINDOW_UPDATE and RST_STREAM frames received after stream
  closure.


3.1.0:

API Changes (Backward-Incompatible)
- ``h2.connection.H2Connection.data_to_send`` first and only argument ``amt``
  was renamed to ``amount``.
- Support for Python 3.3 has been removed.

API Changes (Backward-Compatible)
- ``h2.connection.H2Connection.send_data`` now supports ``data`` parameter
  being a ``memoryview`` object.
- Refactor ping-related events: a ``h2.events.PingReceived`` event is fired
  when a PING frame is received and a ``h2.events.PingAckReceived`` event is
  fired when a PING frame with an ACK flag is received.
  ``h2.events.PingAcknowledged`` is deprecated in favour of the identical
  ``h2.events.PingAckReceived``.
- Added ``ENABLE_CONNECT_PROTOCOL`` to ``h2.settings.SettingCodes``.
- Support ``CONNECT`` requests with a ``:protocol`` pseudo header
  thereby supporting RFC 8441.
- A limit to the number of closed streams kept in memory by the
  connection is applied. It can be configured by
  ``h2.connection.H2Connection.MAX_CLOSED_STREAMS``.

Bugfixes
- Debug logging when stream_id is None is now fixed and no longer errors.
2020-01-08 19:08:18 +00:00
wiz
93e18632d4 py-mechanize: update to 0.4.5.
2019-12-22 Kovid Goyal
	* 0.4.5 release
	* Add a set_html() method to the browser object
2020-01-08 17:33:51 +00:00
wen
4157a6a059 Update to 0.300000
Upstream changes:
0.300000  2019-12-23 23:55:09-06:00 America/Chicago

    [ BUG FIXES ]
    * None

    [ ENHANCEMENTS ]
    * GH #1127, GH #1476: Route parameters with types (Peter Mottram -
      SysPete)

    [ DOCUMENTATION ]
    * None

0.208002  2019-12-14 16:08:46-05:00 America/New_York

    [ BUG FIXES ]
    * GH#1527: Update travis dist to 'trusty' (Sergiy Borodych)

    [ ENHANCEMENTS ]
    * GH #1525: Remove use of Return::MultiLevel, and implement stack frame
      jumping manually (Graham Knop)

    [ DOCUMENTATION ]
    * GH #1505: Fix Flaskr link (Mohammad S Anwar)
    * GH #1506, 1520: Explain what add_route() does with args (Tom Hukins)
    * GH #1519: Fix Template Toolkit config docs (Tom Hukins)
    * GH #1522: Fix itetare typo (Stefan Hornburg - Racke)
    * GH #1523: Fix typo in Template Toolkit documentation (Mike Katasonov)
    * GH #1524: Fix error in configuration documentation (Tom Hukins)
    * GH #1526: Mention that TT2 config start_tag/end_tag need escaping
      (Chris White)
    * GH #1528: Note that "Engines" key must be merged in config.yml (Chris
      White)
2020-01-08 13:38:34 +00:00
leot
c1b39a1042 curl: Update to 7.68.0
pkgsrc changes:
 - Removes patch-configure hunks applied upstream

Changes:
7.68.0
------
This release includes the following changes:

 o TLS: add BearSSL vtls implementation
 o XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
 o curl: add --etag-compare and --etag-save
 o curl: add --parallel-immediate
 o multi: add curl_multi_wakeup()
 o openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains

This release includes the following bugfixes:

 o CVE-2019-15601: file: on Windows, refuse paths that start with \\
 o Azure Pipelines: add several builds
 o CMake: add support for building with the NSS vtls backend
 o CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
 o CURLOPT_HEADERFUNCTION.3: Document that size is always 1
 o CURLOPT_QUOTE.3: fix typos
 o CURLOPT_READFUNCTION.3: fix the example
 o CURLOPT_URL.3: "curl supports SMB version 1 (only)"
 o CURLOPT_VERBOSE.3: see also ERRORBUFFER
 o HISTORY: added cmake, HTTP/3 and parallel downloads with curl
 o HISTORY: the SMB(S) support landed in 2014
 o INSTALL.md: provide Android build instructions
 o KNOWN_BUGS: Connection information when using TCP Fast Open
 o KNOWN_BUGS: LDAP on Windows doesn't work correctly
 o KNOWN_BUGS: TLS session cache doesn't work with TFO
 o OPENSOCKETFUNCTION.3: correct the purpose description
 o TrackMemory tests: always remove CR before LF
 o altsvc: bump to h3-24
 o altsvc: make the save function ignore NULL filenames
 o build: Disable Visual Studio warning "conditional expression is constant"
 o build: fix for CURL_DISABLE_DOH
 o checksrc.bat: Add a check for vquic and vssh directories
 o checksrc: repair the copyrightyear check
 o cirrus-ci: enable clang sanitizers on freebsd 13
 o cirrus: Drop the FreeBSD 10.4 build
 o config-win32: cpu-machine-OS for Windows on ARM
 o configure: avoid unportable `==' test(1) operator
 o configure: enable IPv6 support without `getaddrinfo`
 o configure: fix typo in help text
 o conncache: CONNECT_ONLY connections assumed always in-use
 o conncache: fix multi-thread use of shared connection cache
 o copyrights: fix copyright year range
 o create_conn: prefer multiplexing to using new connections
 o curl -w: handle a blank input file correctly
 o curl.h: add two missing defines for "pre ISO C" compilers
 o curl/parseconfig: fix mem-leak
 o curl/parseconfig: use curl_free() to free memory allocated by libcurl
 o curl: cleanup multi handle on failure
 o curl: fix --upload-file . hangs if delay in STDIN
 o curl: fix -T globbing
 o curl: improved cleanup in upload error path
 o curl: make a few char pointers point to const char instead
 o curl: properly free mimepost data
 o curl: show better error message when no homedir is found
 o curl: show error for --http3 if libcurl lacks support
 o curl_setup_once: consistently use WHILE_FALSE in macros
 o define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
 o docs: Change 'experiemental' to 'experimental'
 o docs: TLS SRP doesn't work with TLS 1.3
 o docs: fix several typos
 o docs: mention CURL_MAX_INPUT_LENGTH restrictions
 o doh: improved both encoding and decoding
 o doh: make it behave when built without proxy support
 o examples/postinmemory.c: Call curl_global_cleanup always
 o examples/url2file.c: corrected erroneous comment
 o examples: add multi-poll.c
 o global_init: undo the "intialized" bump in case of failure
 o hostip: suppress compiler warning
 o http_ntlm: Remove duplicate NSS initialisation
 o lib: Move lib/ssh.h -> lib/vssh/ssh.h
 o lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
 o lib: fix warnings found when porting to NuttX
 o lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
 o lib: remove erroneous +x file permission on some c files
 o libssh2: add support for ECDSA and ed25519 knownhost keys
 o multi.h: remove INITIAL_MAX_CONCURRENT_STREAMS from public header
 o multi: free sockhash on OOM
 o multi_poll: avoid busy-loop when called without easy handles attached
 o ngtcp2: Support the latest update key callback type
 o ngtcp2: fix thread-safety bug in error-handling
 o ngtcp2: free used resources on disconnect
 o ngtcp2: handle key updates as ngtcp2 master branch tells us
 o ngtcp2: increase QUIC window size when data is consumed
 o ngtcp2: use overflow buffer for extra HTTP/3 data
 o ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
 o ntlm_wb: fix double-free in OOM
 o openssl: Revert to less sensitivity for SYSCALL errors
 o openssl: improve error message for SYSCALL during connect
 o openssl: prevent recursive function calls from ctx callbacks
 o openssl: retrieve reported LibreSSL version at runtime
 o openssl: set X509_V_FLAG_PARTIAL_CHAIN by default
 o parsedate: offer a getdate_capped() alternative
 o pause: avoid updating socket if done was already called
 o projects: Fix Visual Studio projects SSH builds
 o projects: Fix Visual Studio wolfSSL configurations
 o quiche: reject HTTP/3 headers in the wrong order
 o remove_handle: clear expire timers after multi_done()
 o runtests: --repeat=[num] to repeat tests
 o runtests: introduce --shallow to reduce huge torture tests
 o schannel: fix --tls-max for when min is --tlsv1 or default
 o setopt: Fix ALPN / NPN user option when built without HTTP2
 o strerror: Add Curl_winapi_strerror for Win API specific errors
 o strerror: Fix an error looking up some Windows error strings
 o strerror: Fix compiler warning "empty expression"
 o system.h: fix for MCST lcc compiler
 o test/sws: search for "Testno:" header unconditionally if no testno
 o test1175: verify symbols-in-versions and libcurl-errors.3 in sync
 o test1270: a basic -w redirect_url test
 o test1456: remove the use of a fixed local port number
 o test1558: use double slash after file:
 o test1560: require IPv6 for IPv6 aware URL parsing
 o tests/lib1557: fix mem-leak in OOM
 o tests/lib1559: fix mem-leak in OOM
 o tests/lib1591: free memory properly on OOM, in the trailers callback
 o tests/unit1607: fix mem-leak in OOM
 o tests/unit1609: fix mem-leak in OOM
 o tests/unit1620: fix bad free in OOM
 o tests: Change NTLM tests to require SSL
 o tests: Fix bounce requests with truncated writes
 o tests: fix build with `CURL_DISABLE_DOH`
 o tests: fix permissions of ssh keys in WSL
 o tests: make it possible to set executable extensions
 o tests: make sure checksrc runs on header files too
 o tests: set LC_ALL=en_US.UTF-8 instead of blank in several tests
 o tests: use DoH feature for DoH tests
 o tests: use \r\n for log messages in WSL
 o tool_operate: fix mem leak when failed config parse
 o travis: Fix error detection
 o travis: abandon coveralls, it is not reliable
 o travis: build ngtcp2 with --enable-lib-only
 o travis: export the CC/CXX variables when set
 o vtls: make BearSSL possible to set with CURL_SSL_BACKEND
 o winbuild: Define CARES_STATICLIB when WITH_CARES=static
 o winbuild: Document CURL_STATICLIB requirement for static libcurl

This release includes the following known bugs:

 o see docs/KNOWN_BUGS (https://curl.haxx.se/docs/knownbugs.html)
2020-01-08 11:59:18 +00:00
adam
219b192cc7 py-django-cors-headers: updated to 3.2.1
3.2.1:
* Update LICENSE file to Unix line endings, fixing issues with license checker
  ``pip-licenses``
2020-01-08 11:27:01 +00:00
adam
18c7740cee awstats: updated to 7.7
7.7:
Security fix: CVE-2017-1000501
Security fix: Missing sanitizing of parameters
Fix LogFormat=4 with url containing spaces.
Fix to window.opener vulnerability in external referral site links.
Add methodurlprot in key to define log format.
Add Dynamic DNS Lookup.
Fix edge support.
2020-01-07 18:21:02 +00:00
kim
0d07e46692 Follow redirect for HOMEPAGE 2020-01-07 13:49:16 +00:00
kim
e570b59f9f Update MAINTAINER. 2020-01-07 13:47:41 +00:00
ryoon
209fc086fc firefox: Fix pasto, remove 68 suffix 2020-01-06 07:53:53 +00:00