Releases Tags
-
2.2.1
neil released this 6 months ago | 3 commits to master since this release
Security
f4b3753e27: Fixing XSS vulnerability on the link administration page due to bad URL sanitization. NB: The main instance (s.42l.fr) is not affected by this issue thanks to the CSP header, which forbids JavaScript execution on the page.
Thanks to polyedre for reporting the issue.
Fixes
a5028ec515: Links are now trimmed before being saved in database.f4d2edb4ad: The hoster logo now displays correctly on phishing page.
Downloads
-
2.2.0
Security
- Added protocol restrictions. Notably,
file://is no longer allowed.
The allowed protocols list is hardcoded in
src/init.rs.To my knowledge, there has been no abuse of this security vulnerability in production on the main instance.
Added
- Soft blacklist to prevent users from shortening certain URLs without banning them
- Now catching 404 (invalid routes)
- Implemented link caching.
- The link cache works as a failover when the SQLite database is locked, making it way more resilient in production.
- The cache size can be configured using the new config option
max_cache_size. The default recommended value is 250. - It doesn't change the fact that SQLite in production sucks, though. I'll add postgres/mysql support later.
Fixed
- Instance hostname is now prefixing the custom link name (UX improvement)
Downloads
- Added protocol restrictions. Notably,
-
2.1.2
Fixes
- 500 Internal Server Errors due to database locks, mitigated with #1
Downloads
-
2.1.1
Fixed
- Template error in
templates/phishing.htmlintroduced in version 2.1.0.
Downloads
- Template error in
-
2.1.0
Version 2.1.0
Added
hoster_nameoption in configuration- Configuration file versioning
- CSS versioning
Changed
- Now uses Rust
stablebranch instead ofnightly. - Replaced
tryblocks intemplates.rsto compile in stable. - Increased default duration for suspicious link detection
Fixes
- Removing
env_loggerdependency - Last octet of the remote host's IP being cut
- Lowercasing the page language attribute in the
<html>tag - Code quality improvements (fixed clippy warnings)
Downloads
-
2.0.0
Version 2.0.0
The code base has been almost fully rewritten.
The next version, which will be published very soon, will include further code quality improvements and the ability to compile on Rust stable.
BREAKING
Database migrations feature has been introduced, but you need to your the database first to make it work.
Please execute the following query:UPDATE __diesel_schema_migrations SET version="20190125012345" WHERE version="create";Now it should work. Feel free to tell me if it doesn't.
- You must now edit the new configuration file
config.toml. Please follow the README for more information. - If you had custom templates until now, they don't work anymore. But I don't believe anyone is concerned.
Added
- Automatic database migrations
- Light theme improvements
- New dark theme
- Option to specify a link to the hoster's ToS and contact address
- Ability to mark a link as phishing, that causes the phishing victim to be redirected to an information page.
- Customizable captcha difficulty
- Support for shortcut name blacklists
- Phishing detection system, based on the number of clicks on a link for a specified duration.
- Options to increase software verbosity
Changed
- Migrated from Rocket to Actix.
- Migrated from Handlebars to Askama.
- Lots of internal changes. Take care while migrating.
- URL blacklists has been renamed. Please check the repository to know the new names and rename your blacklists accordingly.
Deprecated
- Admin link route
/{shortcut}/{admin_key}now redirects to the new route/{shortcut}/admin/{admin_key}and might be removed in the future.
Removed
- You can remove the
Rocket.tomlfile at the repository root.
Fixes
- Redirected URLs containing a hash
#and some other characters were not redirected.
Security
- Reserved characters and some symbols (such as
.) are now forbidden in shortcut names.
Downloads
- You must now edit the new configuration file
-
1.1.0
Added
- Keyword blacklisting support for shortened URLs (attempts returns 403)
Fixed
- Deleted links now returns a 404 status code instead of 200
- Inputs are now trimmed correctly
- Links can't be created if the URL to be shortened contains the instance hostname
Downloads
-
1.0.0 - Initial release
Ghost
released this
2 years ago
| 46 commits to master since this release
The first release. There's still a lot to do, but the software is usable as-is.
Downloads