Changelog History
-
v0.7.1 Changes
September 06, 2019
- Pull down top-right 0 button to show console
- New UiPluginManager plugin: Manage and install third-party plugins.
- Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
- Fix a bug that did not load merged site data for 5 sec after the site got added
- Add fake SNI and ALPN to peer connections to make them more like standard HTTPS connections
Important security update:
Wrapper template HTML injection vulnerability [Reported by ivanq]
In ZeroNet before rev4188 the wrapper template variables were rendered incorrectly.
Result: The opened site was able to gain a WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values, and possibly achieve RCE on the client's machine.
Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations, and restricted open_browser configuration values to avoid possible RCE in case of a sandbox escape.
-
v0.7.0 Changes
September 06, 2019
- Re-factored code to Python3 runtime (compatible with Python 3.4-3.8)
- Safer database sync mode
- Removed bundled third-party libraries where it's possible
- 5-10x faster signature verification by using libsecp256k1 (Thanks to ZeroMux)
- Generated SSL certificate randomization to avoid protocol filters (Thanks to ValdikSS)
- P2P source code update using ZeroNet protocol
- Offline mode
- Fix sending files with \0 characters
-
v0.6.5 Changes
February 16, 2019
- IPv6 support in peer exchange, bigfiles, optional file finding, tracker sharing, socket listening and connecting (based on tangdou1 modifications)
- New tracker database format with IPv6 support
- Refactored port open checking with IPv6 support
- Display notification if there is an unpublished modification for your site
- Consider non-local IPs as external even if the open port check fails (for CJDNS and Yggdrasil support)
- Listen and shut down normally for SIGTERM (Thanks to blurHY)
- Check the length of master seed when executing cryptGetPrivatekey CLI command
- Only reload source code on file modification / creation
- Add IPv6 tracker and change unstable tracker
- Support tilde ~ in filenames (by d14na)
- Detection and issue warning for latest no-script plugin
- Don't correct sent local time with the calculated time correction
- Support map for Namecoin subdomain names (Thanks to lola)
- Add log level to config page
- Don't show meek proxy option if the tor client does not support it
- Quick check content.db on startup and rebuild if necessary
- Only support CREATE commands in dbschema indexes node and SELECT from storage.query
- Support {data} for data dir variable in trackers_file value
- Disable CSP for Edge
- Fix site cloning before site downloaded (Reported by unsystemizer)
- Fix queryJson for non-list nodes (Reported by MingchenZhang)
- Fix multi-line parsing of zeronet.conf (Reported by xx)
- Fix site deletion from users.json
- Fix sql queries with lots of variables and sites with lots of content.json (Reported by xx)
- Fix atomic write of a non-existent file
-
v0.6.4 Changes
October 20, 2018
Added
- New plugin: UiConfig. A web interface that allows changing ZeroNet settings.
- New plugin: AnnounceShare. Share trackers between users, automatically announce client's ip as tracker if Bootstrapper plugin is enabled.
- Global tracker stats on ZeroHello: Include statistics from all served sites instead of displaying request statistics only for one site.
- Support custom proxy for trackers. (Configurable with /Config)
- Adding peers to sites manually using zeronet_peers get parameter
- Copy site address with peers link on the sidebar.
- Zip file listing and streaming support for Bigfiles.
- Tracker statistics on /Stats page
- Peer reputation save/restore to speed up sync time after startup.
- Full support fileGet, fileList, dirList calls on tar.gz/zip files.
- Archived_before support to user content rules to allow deletion of all user files before the specified date
- Show and manage "Connecting" sites on ZeroHello
- Add theme support to ZeroNet sites
- Dark theme for ZeroHello, ZeroBlog, ZeroTalk
Changed
- Dynamic big file allocation: More efficient storage usage by not pre-allocating the whole file at the beginning, but expanding the size as the content downloads.
- Reduce the request frequency to unreliable trackers.
- Only allow 5 concurrent checkSites to run in parallel to reduce load under Tor/slow connection.
- Stop site downloading if it reached 95% of site limit to avoid download loop for sites out of limit
- The pinned optional files won't be removed from download queue after 30 retries and won't be deleted even if the site owner removes them.
- Don't remove incomplete (downloading) sites on startup
- Remove --pin_bigfile argument as big files are automatically excluded from optional files limit.
Fixed
- Trayicon compatibility with latest gevent
- Request number counting for zero:// trackers
- Peer reputation boost for zero:// trackers.
- Blocklist of peers loaded from peerdb (Thanks tangdou1 for report)
- Sidebar map loading on foreign languages (Thx tangdou1 for report)
- FileGet on non-existent files (Thanks mcdev for reporting)
- Peer connecting bug for sites with low amount of peers
"The Vacation" Sandbox escape bug [Reported by GitCenter / Krixano / ZeroLSTN]
In ZeroNet 0.6.3 Rev3615 and earlier, as a result of invalid file type detection, a malicious site could escape the iframe sandbox.
Result: Browser iframe sandbox escape
Applied fix: Replaced the previous, file extension based file type identification with a proper one.
Affected versions: All versions before ZeroNet Rev3616
-
v0.6.3 Changes
October 20, 2018
Added
- New plugin: ContentFilter that allows shared site and user block lists.
- Support Tor meek proxies to avoid tracker blocking of GFW
- Detect network level tracker blocking and easy setting meek proxy for tracker connections.
- Support downloading 2GB+ sites as .zip (Thx to Radtoo)
- Support ZeroNet as a transparent proxy (Thx to JeremyRand)
- Allow fileQuery as CORS command (Thx to imachug)
- Windows distribution includes Tor and meek client by default
- Download sites as zip link to sidebar
- File server port randomization
- Implicit SSL for all connection
- fileList API command for zip files
- Auto download bigfiles size limit on sidebar
- Local peer number to the sidebar
- Open site directory button in sidebar
Changed
- Switched to Azure Tor meek proxy as Amazon one became unavailable
- Refactored/rewritten tracker connection manager
- Improved peer discovery for optional files without opened port
- Also delete Bigfile's piecemap on deletion
Fixed
- Important security issue: Iframe sandbox escape [Reported by Ivanq / gitcenter]
- Local peer discovery when running multiple clients on the same machine
- Uploading small files with Bigfile plugin
- Ctrl-c shutdown when running CLI commands
- High CPU/IO usage when Multiuser plugin enabled
- Firefox back button
- Peer discovery on older Linux kernels
- Optional file handling when multiple files have the same hash_id (first 4 chars of the hash)
- Msgpack 0.5.5 and 0.5.6 compatibility
-
v0.6.2 Changes
February 18, 2018
ZeroNet 0.6.2 (2018-02-18)
Added
- New plugin: AnnounceLocal to make ZeroNet work without an internet connection on the local network.
- Allow dbQuery and userGetSettings using the "as" API command on different sites with Cors permission
- New config option: --log_level to reduce log verbosity and IO load
- Prefer to connect to recent peers from trackers first
- Mark peers with port 1 as also unconnectable for future fix for trackers that do not support port 0 announce
Changed
- Don't keep connection for sites that have not been modified in the last week
- Change unreliable trackers to new ones
- Send maximum 10 findhash request in one find optional files round (15sec)
- Change "Unique to site" to "No certificate" for default option in cert selection dialog.
- Don't print warnings if not in debug mode
- Generalized tracker logging format
- Only recover sites from sites.json if they had peers
- Message from local peers does not mean internet connection
- Removed --debug_gevent and turned on Gevent block logging by default
Fixed
- Limit connections to 512 to avoid reaching 1024 limit on windows
- Exception when logging foreign operating system socket errors
- Don't send private (local) IPs on pex
- Don't connect to private IPs in tor always mode
- Properly recover data from msgpack unpacker on file stream start
- Symlinked data directory deletion when deleting site using Windows
- De-duplicate peers before publishing
- Bigfile info for non-existing files
-
v0.6.1 Changes
January 25, 2018
Added
- New plugin: Chart
- Collect and display charts about your contribution to ZeroNet network
- Allow list as argument replacement in sql queries. (Thanks to imachug)
- Newsfeed query time statistics (Click on "From XX sites in X.Xs" on ZeroHello)
- New UiWebsocket API command: As to run commands as other site
- Ranged ajax queries for big files
- Filter feed by type and site address
- FileNeed, Bigfile upload command compatibility with merger sites
- Send event on port open / tor status change
- More description on permission request
Changed
- Reduce memory usage of sidebar geoip database cache
- Change unreliable tracker to new one
- Don't display Cors permission ask if it is already granted
- Avoid UI blocking when rebuilding a merger site
- Skip listing ignored directories on signing
- In Multiuser mode show the seed welcome message when adding new certificate instead of first visit
- Faster async port opening on multiple network interfaces
- Allow javascript modals
- Only zoom sidebar globe if mouse button is pressed down
Fixed
- Open port checking error reporting (Thanks to imachug)
- Out-of-range big file requests
- Don't output errors that happened on gevent greenlets twice
- Newsfeed skip sites with no database
- Newsfeed queries with multiple params
- Newsfeed queries with UNION and UNION ALL
- Fix site clone with sites larger than 10MB
- Unreliable Websocket connection when requesting files from different sites at the same time
-
v0.6.0 Changes
October 17, 2017
Added
- New plugin: Big file support
- Automatic pinning on Big file download
- Enable TCP_NODELAY for supporting sockets
- actionOptionalFileList API command arguments to list non-downloaded files or only big files
- serverShowdirectory API command arguments to allow displaying site's directory in OS file browser
- fileNeed API command to initialize optional file downloading
- wrapperGetAjaxKey API command to request nonce for AJAX request
- Json.gz support for database files
- P2P port checking (Thanks to grez911)
- --download_optional auto argument to enable automatic optional file downloading for newly added site
- Statistics for big files and protocol command requests on /Stats
- Allow to set user limitation based on auth_address
Changed
- More aggressive and frequent connection timeout checking
- Use out of msgpack context file streaming for files larger than 512KB
- Allow optional files workers over the worker limit
- Automatic redirection to wrapper on nonce_error
- Send websocket event on optional file deletion
- Optimize sites.json saving
- Enable faster C-based msgpack packer by default
- Major optimization on Bootstrapper plugin SQL queries
- Don't reset bad file counter on restart, to allow easier give up on unreachable files
- Incoming connection limit changed from 1000 to 500 to avoid reaching socket limit on Windows
- Changed tracker boot.zeronet.io domain, because zeronet.io got banned in some countries
Fixed
- Sub-directories in user directories
-
v0.5.7 Changes
July 30, 2017
Added
- New plugin: CORS to request read permission to other site's content
- New API command: userSetSettings/userGetSettings to store site's settings in users.json
- Avoid file download if the file size does not match with the requested one
- JavaScript and wrapper less file access using /raw/ prefix
- --silent command line option to disable logging to stdout
Changed
- Better error reporting on sign/verification errors
- More tests for sign and verification process
- Update to OpenSSL v1.0.2l
- Limit compressed files to 6MB to avoid zip/tar.gz bomb
- Allow space, [], () characters in filenames
- Disable cross-site resource loading to improve privacy. [Reported by Beardog108]
- Download directly accessed Pdf/Svg/Swf files instead of displaying them to avoid wrapper escape using JS in SVG file. [Reported by Beardog108]
- Disallow potentially unsafe regular expressions to avoid ReDoS [Reported by MuxZeroNet]
Fixed
- Detecting data directory when running Windows distribution exe [Reported by Plasmmer]
- OpenSSL loading under Android 6+
- Error on exiting when no connection server started
-
v0.5.6 Changes
June 18, 2017
Fix
- Proxy bypass during source upgrade
- XSS vulnerability using DNS rebinding
- Opened port checking
- Standalone update.py argument parsing
- uPnP crash on startup
- CoffeeScript 1.12.6 compatibility
- Multi value argument parsing
- Database error when running from directory that contains special characters
- Site lock violation logging
Added
- Callback for certSelect API command
- More compact list formatting in json
Changed
- Remove obsolete auth_key_sha512 and signature format
- Improved Spanish translation