ZeroNet v0.7.1 Release Notes

Release Date: 2019-09-06 // almost 5 years ago
    • Pull down top-right 0 button to show console
    • ๐Ÿ†• New UiPluginManager plugin: Manage and install third-party plugins.
    • ๐Ÿ‘ Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
    • ๐Ÿ›  Fix a bug that did not load merged site data for 5 sec after the site got added
    • โž• Add fake SNI and ALPN to peer connections to make it more like standard https connections

    โšก๏ธ Important security update:

    Wrapper template HTML injection vulnerability [Reported by ivanq]

    In ZeroNet before rev4188 the wrapper template variables was rendered incorrectly.

    Result: The opened site was able to gain WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values and possible RCE on the client's machine.

    ๐Ÿ›  Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations,
    ๐Ÿ”ง restricted open_browser configuration values to avoid possible RCE in case of sandbox escape.


Previous changes from v0.6.5

    • ๐Ÿ‘ IPv6 support in peer exchange, bigfiles, optional file finding, tracker sharing, socket listening and connecting (based on tangdou1 modifications)
    • ๐Ÿ†• New tracker database format with IPv6 support
    • ๐Ÿ”จ Refactored port open checking with IPv6 support
    • Display notification if there is an unpublished modification for your site
    • ๐Ÿ‘ Consider non-local IPs as external even is the open port check fails (for CJDNS and Yggdrasil support)
    • Listen and shut down normally for SIGTERM (Thanks to blurHY)
    • ๐Ÿ‘€ Check the length of master seed when executing cryptGetPrivatekey CLI command
    • Only reload source code on file modification / creation
    • โž• Add IPv6 tracker and change unstable tracker
    • ๐Ÿ‘Œ Support tilde ~ in filenames (by d14na)
    • โœ… Detection and issue warning for latest no-script plugin
    • Don't correct sent local time with the calculated time correction
    • ๐Ÿ‘Œ Support map for Namecoin subdomain names (Thanks to lola)
    • โž• Add log level to config page
    • ๐Ÿ‘ Don't show meek proxy option if the tor client does not supports it
    • Quick check content.db on startup and rebuild if necessary
    • ๐Ÿ‘ Only support CREATE commands in dbschema indexes node and SELECT from storage.query
    • ๐Ÿ‘Œ Support {data} for data dir variable in trackers_file value
    • Disable CSP for Edge
    • ๐Ÿ›  Fix site cloning before site downloaded (Reported by unsystemizer)
    • ๐Ÿ›  Fix queryJson for non-list nodes (Reported by MingchenZhang)
    • ๐Ÿ›  Fix multi-line parsing of zeronet.conf (Reported by xx)
    • ๐Ÿ›  Fix site deletion from users.json
    • ๐Ÿ›  Fix sql queries with lots of variables and sites with lots of content.json (Reported by xx)
    • ๐Ÿ›  Fix atomic write of a non-existent file