| 1 | +Changelog for rest-server 0.11.0 (2022-02-10) |
| 2 | +============================================ |
| 3 | + |
| 4 | +The following sections list the changes in rest-server 0.11.0 relevant |
| 5 | +to users. The changes are ordered by importance. |
| 6 | + |
| 7 | +Summary |
| 8 | +------- |
| 9 | + |
| 10 | + * Sec #131: Prevent loading of usernames containing a slash |
| 11 | + * Fix #119: Fix Docker configuration for `DISABLE_AUTHENTICATION` |
| 12 | + * Fix #142: Fix possible data loss due to interrupted network connections |
| 13 | + * Fix #157: Use platform-specific temporary directory as default data directory |
| 14 | + * Fix #155: Reply "insufficient storage" on disk full or over-quota |
| 15 | + * Chg #146: Build rest-server at docker container build time |
| 16 | + * Chg #112: Add subrepo support and refactor server code |
| 17 | + * Enh #122: Verify uploaded files |
| 18 | + * Enh #126: Allow running rest-server via systemd socket activation |
| 19 | + * Enh #148: Expand use of security features in example systemd unit file |
| 20 | + |
| 21 | +Details |
| 22 | +------- |
| 23 | + |
| 24 | + * Security #131: Prevent loading of usernames containing a slash |
| 25 | + |
| 26 | + "/" is valid char in HTTP authorization headers, but is also used in rest-server to map |
| 27 | + usernames to private repos. |
| 28 | + |
| 29 | + This commit prevents loading maliciously composed usernames like "/foo/config" by |
| 30 | + restricting the allowed characters to the unicode character class, numbers, "-", "." and "@". |
| 31 | + |
| 32 | + This prevents requests to other users files like: |
| 33 | + |
| 34 | + Curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config |
| 35 | + |
| 36 | + https://github.com/restic/rest-server/issues/131 |
| 37 | + https://github.com/restic/rest-server/pull/132 |
| 38 | + https://github.com/restic/rest-server/pull/137 |
| 39 | + |
| 40 | + * Bugfix #119: Fix Docker configuration for `DISABLE_AUTHENTICATION` |
| 41 | + |
| 42 | + Rest-server 0.10.0 introduced a regression which caused the `DISABLE_AUTHENTICATION` |
| 43 | + environment variable to stop working for the Docker container. This has been fixed by |
| 44 | + automatically setting the option `--no-auth` to disable authentication. |
| 45 | + |
| 46 | + https://github.com/restic/rest-server/issues/119 |
| 47 | + https://github.com/restic/rest-server/pull/124 |
| 48 | + |
| 49 | + * Bugfix #142: Fix possible data loss due to interrupted network connections |
| 50 | + |
| 51 | + When rest-server was run without `--append-only` it was possible to lose uploaded files in a |
| 52 | + specific scenario in which a network connection was interrupted. |
| 53 | + |
| 54 | + For the data loss to occur a file upload by restic would have to be interrupted such that restic |
| 55 | + notices the interrupted network connection before the rest-server. Then restic would have to |
| 56 | + retry the file upload and finish it before the rest-server notices that the initial upload has |
| 57 | + failed. Then the uploaded file would be accidentally removed by rest-server when trying to |
| 58 | + cleanup the failed upload. |
| 59 | + |
| 60 | + This has been fixed by always uploading to a temporary file first which is moved in position only |
| 61 | + once it was uploaded completely. |
| 62 | + |
| 63 | + https://github.com/restic/rest-server/pull/142 |
| 64 | + |
| 65 | + * Bugfix #157: Use platform-specific temporary directory as default data directory |
| 66 | + |
| 67 | + If no data directory is specificed, then rest-server now uses the Go standard library |
| 68 | + functions to retrieve the standard temporary directory path for the current platform. |
| 69 | + |
| 70 | + https://github.com/restic/rest-server/issues/157 |
| 71 | + https://github.com/restic/rest-server/pull/158 |
| 72 | + |
| 73 | + * Bugfix #155: Reply "insufficient storage" on disk full or over-quota |
| 74 | + |
| 75 | + When there was no space left on disk, or any other write-related error occurred, rest-server |
| 76 | + replied with HTTP status code 400 (Bad request). This is misleading (restic client will dump |
| 77 | + the status code to the user). |
| 78 | + |
| 79 | + Rest-server now replies with two different status codes in these situations: * HTTP 507 |
| 80 | + "Insufficient storage" is the status on disk full or repository over-quota * HTTP 500 |
| 81 | + "Internal server error" is used for other disk-related errors |
| 82 | + |
| 83 | + https://github.com/restic/rest-server/issues/155 |
| 84 | + https://github.com/restic/rest-server/pull/160 |
| 85 | + |
| 86 | + * Change #146: Build rest-server at docker container build time |
| 87 | + |
| 88 | + The Dockerfile now includes a build stage such that the latest rest-server is always built and |
| 89 | + packaged. This is done in a standard golang container to ensure a clean build environment and |
| 90 | + only the final binary is shipped rather than the whole build environment. |
| 91 | + |
| 92 | + https://github.com/restic/rest-server/issues/146 |
| 93 | + https://github.com/restic/rest-server/pull/145 |
| 94 | + |
| 95 | + * Change #112: Add subrepo support and refactor server code |
| 96 | + |
| 97 | + Support for multi-level repositories has been added, so now each user can have its own |
| 98 | + subrepositories. This feature is always enabled. |
| 99 | + |
| 100 | + Authentication for the Prometheus /metrics endpoint can now be disabled with the new |
| 101 | + `--prometheus-no-auth` flag. |
| 102 | + |
| 103 | + We have split out all HTTP handling to a separate `repo` subpackage to cleanly separate the |
| 104 | + server code from the code that handles a single repository. The new RepoHandler also makes it |
| 105 | + easier to reuse rest-server as a Go component in any other HTTP server. |
| 106 | + |
| 107 | + The refactoring makes the code significantly easier to follow and understand, which in turn |
| 108 | + makes it easier to add new features, audit for security and debug issues. |
| 109 | + |
| 110 | + https://github.com/restic/rest-server/issues/109 |
| 111 | + https://github.com/restic/rest-server/issues/107 |
| 112 | + https://github.com/restic/rest-server/pull/112 |
| 113 | + |
| 114 | + * Enhancement #122: Verify uploaded files |
| 115 | + |
| 116 | + The rest-server now by default verifies that the hash of content of uploaded files matches |
| 117 | + their filename. This ensures that transmission errors are detected and forces restic to retry |
| 118 | + the upload. On low-power devices it can make sense to disable this check by passing the |
| 119 | + `--no-verify-upload` flag. |
| 120 | + |
| 121 | + https://github.com/restic/rest-server/issues/122 |
| 122 | + https://github.com/restic/rest-server/pull/130 |
| 123 | + |
| 124 | + * Enhancement #126: Allow running rest-server via systemd socket activation |
| 125 | + |
| 126 | + We've added the option to have systemd create the listening socket and start the rest-server on |
| 127 | + demand. |
| 128 | + |
| 129 | + https://github.com/restic/rest-server/issues/126 |
| 130 | + https://github.com/restic/rest-server/pull/151 |
| 131 | + https://github.com/restic/rest-server/pull/127 |
| 132 | + |
| 133 | + * Enhancement #148: Expand use of security features in example systemd unit file |
| 134 | + |
| 135 | + The example systemd unit file now enables additional systemd features to mitigate potential |
| 136 | + security vulnerabilities in rest-server and the various packages and operating system |
| 137 | + components which it relies upon. |
| 138 | + |
| 139 | + https://github.com/restic/rest-server/issues/148 |
| 140 | + https://github.com/restic/rest-server/pull/149 |
| 141 | + |
| 142 | + |
1 | 143 | Changelog for rest-server 0.10.0 (2020-09-13)
|
2 | 144 | ============================================
|
3 | 145 |
|