ZeroNet changelog

Changelog History

• v0.7.1 Changes

  September 06, 2019

  • Pull down top-right 0 button to show console
  • 🆕 New UiPluginManager plugin: Manage and install third-party plugins.
  • 👍 Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
  • 🛠 Fix a bug that did not load merged site data for 5 sec after the site got added
  • ➕ Add fake SNI and ALPN to peer connections to make it more like standard https connections

  ⚡️ Important security update:

  Wrapper template HTML injection vulnerability [Reported by ivanq]

  In ZeroNet before rev4188 the wrapper template variables was rendered incorrectly.

  Result: The opened site was able to gain WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values and possible RCE on the client's machine.

  🛠 Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations,
  🔧 restricted open_browser configuration values to avoid possible RCE in case of sandbox escape.

• v0.7.0 Changes

  September 06, 2019

  • Re-factored code to Python3 runtime (compatible with Python 3.4-3.8)
  • 🔀 More safe database sync mode
  • ✂ Removed bundled third-party libraries where it's possible
  • 5-10x faster signature verification by using libsecp256k1 (Thanks to ZeroMux)
  • Generated SSL certificate randomization to avoid protocol filters (Thanks to ValdikSS)
  • ⚡️ P2P source code update using ZeroNet protocol
  • Offline mode
  • 🛠 Fix sending files with \0 characters

• v0.6.5 Changes

  February 16, 2019

  • 👍 IPv6 support in peer exchange, bigfiles, optional file finding, tracker sharing, socket listening and connecting (based on tangdou1 modifications)
  • 🆕 New tracker database format with IPv6 support
  • 🔨 Refactored port open checking with IPv6 support
  • Display notification if there is an unpublished modification for your site
  • 👍 Consider non-local IPs as external even is the open port check fails (for CJDNS and Yggdrasil support)
  • Listen and shut down normally for SIGTERM (Thanks to blurHY)
  • 👀 Check the length of master seed when executing cryptGetPrivatekey CLI command
  • Only reload source code on file modification / creation
  • ➕ Add IPv6 tracker and change unstable tracker
  • 👌 Support tilde ~ in filenames (by d14na)
  • ✅ Detection and issue warning for latest no-script plugin
  • Don't correct sent local time with the calculated time correction
  • 👌 Support map for Namecoin subdomain names (Thanks to lola)
  • ➕ Add log level to config page
  • 👍 Don't show meek proxy option if the tor client does not supports it
  • Quick check content.db on startup and rebuild if necessary
  • 👍 Only support CREATE commands in dbschema indexes node and SELECT from storage.query
  • 👌 Support {data} for data dir variable in trackers_file value
  • Disable CSP for Edge
  • 🛠 Fix site cloning before site downloaded (Reported by unsystemizer)
  • 🛠 Fix queryJson for non-list nodes (Reported by MingchenZhang)
  • 🛠 Fix multi-line parsing of zeronet.conf (Reported by xx)
  • 🛠 Fix site deletion from users.json
  • 🛠 Fix sql queries with lots of variables and sites with lots of content.json (Reported by xx)
  • 🛠 Fix atomic write of a non-existent file

• v0.6.4 Changes

  October 20, 2018

  ➕ Added

  • 🆕 New plugin: UiConfig. A web interface that allows changing ZeroNet settings.
  • 🆕 New plugin: AnnounceShare. Share trackers between users, automatically announce client's ip as tracker if Bootstrapper plugin is enabled.
  • Global tracker stats on ZeroHello: Include statistics from all served sites instead of displaying request statistics only for one site.
  • 👌 Support custom proxy for trackers. (Configurable with /Config)
  • ➕ Adding peers to sites manually using zeronet_peers get parameter
  • Copy site address with peers link on the sidebar.
  • 👍 Zip file listing and streaming support for Bigfiles.
  • Tracker statistics on /Stats page
  • 🔀 Peer reputation save/restore to speed up sync time after startup.
  • 👍 Full support fileGet, fileList, dirList calls on tar.gz/zip files.
  • 👍 Archived_before support to user content rules to allow deletion of all user files before the specified date
  • 👉 Show and manage "Connecting" sites on ZeroHello
  • ➕ Add theme support to ZeroNet sites
  • Dark theme for ZeroHello, ZeroBlog, ZeroTalk

  🔄 Changed

  • Dynamic big file allocation: More efficient storage usage by don't pre-allocate the whole file at the beginning, but expand the size as the content downloads.
  • ⬇️ Reduce the request frequency to unreliable trackers.
  • Only allow 5 concurrent checkSites to run in parallel to reduce load under Tor/slow connection.
  • Stop site downloading if it reached 95% of site limit to avoid download loop for sites out of limit
  • 🚚 The pinned optional files won't be removed from download queue after 30 retries and won't be deleted even if the site owner removes it.
  • 🚚 Don't remove incomplete (downloading) sites on startup
  • ✂ Remove --pin_bigfile argument as big files are automatically excluded from optional files limit.

  🛠 Fixed

  • ✅ Trayicon compatibility with latest gevent
  • Request number counting for zero:// trackers
  • Peer reputation boost for zero:// trackers.
  • Blocklist of peers loaded from peerdb (Thanks tangdou1 for report)
  • Sidebar map loading on foreign languages (Thx tangdou1 for report)
  • FileGet on non-existent files (Thanks mcdev for reporting)
  • Peer connecting bug for sites with low amount of peers

  "The Vacation" Sandbox escape bug [Reported by GitCenter / Krixano / ZeroLSTN]

  In ZeroNet 0.6.3 Rev3615 and earlier as a result of invalid file type detection, a malicious site could escape the iframe sandbox.

  💻 Result: Browser iframe sandbox escape

  Applied fix: Replaced the previous, file extension based file type identification with a proper one.

  Affected versions: All versions before ZeroNet Rev3616

• v0.6.3 Changes

  October 20, 2018

  ➕ Added

  • 🆕 New plugin: ContentFilter that allows to have shared site and user block list.
  • 👌 Support Tor meek proxies to avoid tracker blocking of GFW
  • Detect network level tracker blocking and easy setting meek proxy for tracker connections.
  • 👌 Support downloading 2GB+ sites as .zip (Thx to Radtoo)
  • 👌 Support ZeroNet as a transparent proxy (Thx to JeremyRand)
  • 👍 Allow fileQuery as CORS command (Thx to imachug)
  • 🏁 Windows distribution includes Tor and meek client by default
  • Download sites as zip link to sidebar
  • File server port randomization
  • Implicit SSL for all connection
  • fileList API command for zip files
  • Auto download bigfiles size limit on sidebar
  • Local peer number to the sidebar
  • Open site directory button in sidebar

  🔄 Changed

  • Switched to Azure Tor meek proxy as Amazon one became unavailable
  • 🔨 Refactored/rewritten tracker connection manager
  • 👌 Improved peer discovery for optional files without opened port
  • Also delete Bigfile's piecemap on deletion

  🛠 Fixed

  • 🔒 Important security issue: Iframe sandbox escape [Reported by Ivanq / gitcenter]
  • Local peer discovery when running multiple clients on the same machine
  • 🔌 Uploading small files with Bigfile plugin
  • Ctrl-c shutdown when running CLI commands
  • 🔌 High CPU/IO usage when Multiuser plugin enabled
  • Firefox back button
  • 🐧 Peer discovery on older Linux kernels
  • Optional file handling when multiple files have the same hash_id (first 4 chars of the hash)
  • Msgpack 0.5.5 and 0.5.6 compatibility

• v0.6.2 Changes

  February 18, 2018

  ZeroNet 0.6.2 (2018-02-18)

  ➕ Added

  • 🆕 New plugin: AnnounceLocal to make ZeroNet work without an internet connection on the local network.
  • 👍 Allow dbQuey and userGetSettings using the as API command on different sites with Cors permission
  • 🆕 New config option: --log_level to reduce log verbosity and IO load
  • Prefer to connect to recent peers from trackers first
  • 👍 Mark peers with port 1 is also unconnectable for future fix for trackers that do not support port 0 announce

  🔄 Changed

  • Don't keep connection for sites that have not been modified in the last week
  • 🔄 Change unreliable trackers to new ones
  • Send maximum 10 findhash request in one find optional files round (15sec)
  • 🔄 Change "Unique to site" to "No certificate" for default option in cert selection dialog.
  • ⚠ Dont print warnings if not in debug mode
  • 🌲 Generalized tracker logging format
  • Only recover sites from sites.json if they had peers
  • Message from local peers does not means internet connection
  • ✂ Removed --debug_gevent and turned on Gevent block logging by default

  🛠 Fixed

  • 🏁 Limit connections to 512 to avoid reaching 1024 limit on windows
  • 🌲 Exception when logging foreign operating system socket errors
  • Don't send private (local) IPs on pex
  • Don't connect to private IPs in tor always mode
  • Properly recover data from msgpack unpacker on file stream start
  • 🏁 Symlinked data directory deletion when deleting site using Windows
  • De-duplicate peers before publishing
  • Bigfile info for non-existing files

• v0.6.1 Changes

  January 25, 2018

  ➕ Added

  • 🆕 New plugin: Chart
  • Collect and display charts about your contribution to ZeroNet network
  • 👍 Allow list as argument replacement in sql queries. (Thanks to imachug)
  • 🆕 Newsfeed query time statistics (Click on "From XX sites in X.Xs on ZeroHello)
  • 🆕 New UiWebsocket API command: As to run commands as other site
  • Ranged ajax queries for big files
  • Filter feed by type and site address
  • 🔀 FileNeed, Bigfile upload command compatibility with merger sites
  • Send event on port open / tor status change
  • More description on permission request

  🔄 Changed

  • ⬇️ Reduce memory usage of sidebar geoip database cache
  • 🔄 Change unreliable tracker to new one
  • Don't display Cors permission ask if it already granted
  • 🔀 Avoid UI blocking when rebuilding a merger site
  • Skip listing ignored directories on signing
  • 👀 In Multiuser mode show the seed welcome message when adding new certificate instead of first visit
  • Faster async port opening on multiple network interfaces
  • 👍 Allow javascript modals
  • Only zoom sidebar globe if mouse button is pressed down

  🛠 Fixed

  • Open port checking error reporting (Thanks to imachug)
  • Out-of-range big file requests
  • Don't output errors happened on gevent greenlets twice
  • 🆕 Newsfeed skip sites with no database
  • 🆕 Newsfeed queries with multiple params
  • 🆕 Newsfeed queries with UNION and UNION ALL
  • 🛠 Fix site clone with sites larger that 10MB
  • Unreliable Websocket connection when requesting files from different sites at the same time

• v0.6.0 Changes

  October 17, 2017

  ➕ Added

  • 🆕 New plugin: Big file support
  • 📌 Automatic pinning on Big file download
  • 👍 Enable TCP_NODELAY for supporting sockets
  • actionOptionalFileList API command arguments to list non-downloaded files or only big files
  • 💻 serverShowdirectory API command arguments to allow to display site's directory in OS file browser
  • fileNeed API command to initialize optional file downloading
  • wrapperGetAjaxKey API command to request nonce for AJAX request
  • 👍 Json.gz support for database files
  • P2P port checking (Thanks for grez911)
  • --download_optional auto argument to enable automatic optional file downloading for newly added site
  • Statistics for big files and protocol command requests on /Stats
  • 👍 Allow to set user limitation based on auth_address

  🔄 Changed

  • ⏱ More aggressive and frequent connection timeout checking
  • 👉 Use out of msgpack context file streaming for files larger than 512KB
  • 👍 Allow optional files workers over the worker limit
  • Automatic redirection to wrapper on nonce_error
  • Send websocket event on optional file deletion
  • ⚡️ Optimize sites.json saving
  • 0️⃣ Enable faster C-based msgpack packer by default
  • 🔌 Major optimization on Bootstrapper plugin SQL queries
  • Don't reset bad file counter on restart, to allow easier give up on unreachable files
  • 🏁 Incoming connection limit changed from 1000 to 500 to avoid reaching socket limit on Windows
  • 🔄 Changed tracker boot.zeronet.io domain, because zeronet.io got banned in some countries

  🛠 Fixed

  • Sub-directories in user directories

• v0.5.7 Changes

  July 30, 2017

  ➕ Added

  • 🆕 New plugin: CORS to request read permission to other site's content
  • 🆕 New API command: userSetSettings/userGetSettings to store site's settings in users.json
  • Avoid file download if the file size does not match with the requested one
  • JavaScript and wrapper less file access using /raw/ prefix (Example)
  • 🌲 --silent command line option to disable logging to stdout

  🔄 Changed

  • 👍 Better error reporting on sign/verification errors
  • ✅ More test for sign and verification process
  • ⚡️ Update to OpenSSL v1.0.2l
  • Limit compressed files to 6MB to avoid zip/tar.gz bomb
  • 👍 Allow space, [], () characters in filenames
  • Disable cross-site resource loading to improve privacy. [Reported by Beardog108]
  • Download directly accessed Pdf/Svg/Swf files instead of displaying them to avoid wrapper escape using in JS in SVG file. [Reported by Beardog108]
  • Disallow potentially unsafe regular expressions to avoid ReDoS [Reported by MuxZeroNet]

  🛠 Fixed

  • 🏁 Detecting data directory when running Windows distribution exe [Reported by Plasmmer]
  • OpenSSL loading under Android 6+
  • Error on exiting when no connection server started

• v0.5.6 Changes

  June 18, 2017

  🛠 Fix

  • ⬆️ Proxy bypass during source upgrade
  • XSS vulnerability using DNS rebinding
  • Opened port checking
  • ⚡️ Standalone update.py argument parsing
  • uPnP crash on startup
  • CoffeeScript 1.12.6 compatibility
  • 📜 Multi value argument parsing
  • Database error when running from directory that contains special characters
  • 🔒 Site lock violation logging

  ➕ Added

  • Callback for certSelect API command
  • More compact list formatting in json

  🔄 Changed

  • Remove obsolete auth_key_sha512 and signature format
  • 👌 Improved Spanish translation