diff --git a/CHANGELOG.md b/CHANGELOG.md index f3f8d98b..23a23697 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,145 @@ +Changelog for rest-server 0.11.0 (2022-02-10) +============================================ + +The following sections list the changes in rest-server 0.11.0 relevant +to users. The changes are ordered by importance. + +Summary +------- + + * Sec #131: Prevent loading of usernames containing a slash + * Fix #119: Fix Docker configuration for `DISABLE_AUTHENTICATION` + * Fix #142: Fix possible data loss due to interrupted network connections + * Fix #157: Use platform-specific temporary directory as default data directory + * Fix #155: Reply "insufficient storage" on disk full or over-quota + * Chg #146: Build rest-server at docker container build time + * Chg #112: Add subrepo support and refactor server code + * Enh #122: Verify uploaded files + * Enh #126: Allow running rest-server via systemd socket activation + * Enh #148: Expand use of security features in example systemd unit file + +Details +------- + + * Security #131: Prevent loading of usernames containing a slash + + "/" is valid char in HTTP authorization headers, but is also used in rest-server to map + usernames to private repos. + + This commit prevents loading maliciously composed usernames like "/foo/config" by + restricting the allowed characters to the unicode character class, numbers, "-", "." and "@". + + This prevents requests to other users files like: + + Curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config + + https://github.com/restic/rest-server/issues/131 + https://github.com/restic/rest-server/pull/132 + https://github.com/restic/rest-server/pull/137 + + * Bugfix #119: Fix Docker configuration for `DISABLE_AUTHENTICATION` + + Rest-server 0.10.0 introduced a regression which caused the `DISABLE_AUTHENTICATION` + environment variable to stop working for the Docker container. This has been fixed by + automatically setting the option `--no-auth` to disable authentication. + + https://github.com/restic/rest-server/issues/119 + https://github.com/restic/rest-server/pull/124 + + * Bugfix #142: Fix possible data loss due to interrupted network connections + + When rest-server was run without `--append-only` it was possible to lose uploaded files in a + specific scenario in which a network connection was interrupted. + + For the data loss to occur a file upload by restic would have to be interrupted such that restic + notices the interrupted network connection before the rest-server. Then restic would have to + retry the file upload and finish it before the rest-server notices that the initial upload has + failed. Then the uploaded file would be accidentally removed by rest-server when trying to + cleanup the failed upload. + + This has been fixed by always uploading to a temporary file first which is moved in position only + once it was uploaded completely. + + https://github.com/restic/rest-server/pull/142 + + * Bugfix #157: Use platform-specific temporary directory as default data directory + + If no data directory is specificed, then rest-server now uses the Go standard library + functions to retrieve the standard temporary directory path for the current platform. + + https://github.com/restic/rest-server/issues/157 + https://github.com/restic/rest-server/pull/158 + + * Bugfix #155: Reply "insufficient storage" on disk full or over-quota + + When there was no space left on disk, or any other write-related error occurred, rest-server + replied with HTTP status code 400 (Bad request). This is misleading (restic client will dump + the status code to the user). + + Rest-server now replies with two different status codes in these situations: * HTTP 507 + "Insufficient storage" is the status on disk full or repository over-quota * HTTP 500 + "Internal server error" is used for other disk-related errors + + https://github.com/restic/rest-server/issues/155 + https://github.com/restic/rest-server/pull/160 + + * Change #146: Build rest-server at docker container build time + + The Dockerfile now includes a build stage such that the latest rest-server is always built and + packaged. This is done in a standard golang container to ensure a clean build environment and + only the final binary is shipped rather than the whole build environment. + + https://github.com/restic/rest-server/issues/146 + https://github.com/restic/rest-server/pull/145 + + * Change #112: Add subrepo support and refactor server code + + Support for multi-level repositories has been added, so now each user can have its own + subrepositories. This feature is always enabled. + + Authentication for the Prometheus /metrics endpoint can now be disabled with the new + `--prometheus-no-auth` flag. + + We have split out all HTTP handling to a separate `repo` subpackage to cleanly separate the + server code from the code that handles a single repository. The new RepoHandler also makes it + easier to reuse rest-server as a Go component in any other HTTP server. + + The refactoring makes the code significantly easier to follow and understand, which in turn + makes it easier to add new features, audit for security and debug issues. + + https://github.com/restic/rest-server/issues/109 + https://github.com/restic/rest-server/issues/107 + https://github.com/restic/rest-server/pull/112 + + * Enhancement #122: Verify uploaded files + + The rest-server now by default verifies that the hash of content of uploaded files matches + their filename. This ensures that transmission errors are detected and forces restic to retry + the upload. On low-power devices it can make sense to disable this check by passing the + `--no-verify-upload` flag. + + https://github.com/restic/rest-server/issues/122 + https://github.com/restic/rest-server/pull/130 + + * Enhancement #126: Allow running rest-server via systemd socket activation + + We've added the option to have systemd create the listening socket and start the rest-server on + demand. + + https://github.com/restic/rest-server/issues/126 + https://github.com/restic/rest-server/pull/151 + https://github.com/restic/rest-server/pull/127 + + * Enhancement #148: Expand use of security features in example systemd unit file + + The example systemd unit file now enables additional systemd features to mitigate potential + security vulnerabilities in rest-server and the various packages and operating system + components which it relies upon. + + https://github.com/restic/rest-server/issues/148 + https://github.com/restic/rest-server/pull/149 + + Changelog for rest-server 0.10.0 (2020-09-13) ============================================