View Single Post
Old 05-18-2010, 02:27 PM  
Yil
Too much time...
 
Join Date: May 2005
Posts: 1,194
Default Changelog

Code:
v7.5.0 Release Notes:

1) Files in \System:
   Changed : ioFTPD.[exe,pdb] - Version 7.5.0.0.
   Changed : ioFTPD-Watch.[exe,pdb] - Version 2.0.0.0
   Changed : Theme.ini
   Changed : Help.ini, Help-SiteCmds.ini, Help-nxTools.ini, Help-ioNiNJA.ini
   Changed : ioFTPD.ini - summary of changes by section...
     [FTP_Service] : Description deleted
		     Create_Certificate added
                     Min_Cipher_Strength deleted
                     Max_Cipher_Strength deleted
                     OpenSSL_Options added
                     OpenSSL_Ciphers added
                     Deny_Port_Host_# added
     [Network]     : Log_OpenSSL_Transfer_Errors added
     [VFS_PreLoad] : VFS comment/features changed.
     [FTP]         : Site_Name added at top
                     Data_Timeout added
                     Chmod_Check added
                     Site_Box_Header, Site_Box_Footer added
                     Help_Box_Header, Help_Box_Footer added
     [Threads]     : Restart_On_Deadlock comment/features changed.


2) Files in \text\ftp:
   Changed : [AllDn, AllUp, WkDn, WkUp, MonthDn, MonthUp, DayDn, DayUp].Header
             [AllDn, AllUp, WkDn, WkUp, MonthDn, MonthUp, DayDn, DayUp].Footer
   Changed : [ClientList, MyInfo, UserInfo, Who].Header
             [ClientList, MyInfo, UserInfo, Who].Footer
   Changed : ClientInfo.[Common, Download, Idle, List, Login, Upload]
   Changed : Welcome

3) Files in \scripts:
   Changed : FormatHelp.itcl

4) Files in \Source:
   Changed : Site-cmds.help

5) Files in \Doc:
   Changed : Cookies.txt, iTCL.txt
   Changed : FTP-cmds.txt, Site-cmds.txt, nxTools.txt, ioNiNJA.txt


*** Incompatible changes/defaults:

6) The default settings for the new safety feature preventing the PORT
   command from accessing private/local LAN IP addresses means you will need
   to use PASV connections for local transfers using a FTP client on the LAN.
   This is usually the default method so you probably won't notice.  However
   FXPing between 2 FTP servers across the local LAN (i.e. both 192.168.*)
   will no longer work with the default settings.  The server will also not
   be able to FXP to itself (although if people want this I can probably
   find a way to allow it).  To enable FXP between two local machines you
   can choose to either disable the new feature on one site, or you can
   just define a second Service that is only accessible to machines on the
   local LAN that has the feature disabled.  The second Service method is
   HIGHLY recommended because you can also do things like relax the encrypted
   data transfer requirement which will improve local transfer speeds.

7) To take advantage of Diffie-Huffman ephemeral keying you will need a new
   new key file (<name>.dhp) which means you need to re-generate the SSL
   certificate.  To do this you can remove the old certificate by deleting
   the <name>.key and <name>.pem files in the system directory before
   starting the server or use "site removecert <name>".  Then use the
   "site makecert" command, or enable the new auto-generate cert feature
   and re-start the server.

8) Removed ioFTPD.ini options Min_Cipher_Strength and Max_Cipher_Strength
   under [FTP_Service].  These have been replaced with the OpenSSL_Ciphers
   option.

*** New features:

9) New ioFTPD.ini option (Deny_Port_Host_<num> under [FTP_Service]).  Active
   mode data transfers require the server to create connections to a user
   specified IP/Port.  For security reasons the server should be prevented
   from initiating connections to the server box or any other machine behind
   your firewall if you have one.  By default the server will now block
   access to the following non-routable private IP ranges: 10.*, 172.16.*,
   192.168.*, and the loopback interface 127.*.  To disable this feature
   entirely just specify 0.0.0.0 as the host to block.  Alternatively, you
   may specify your own custom list of IP addresses/ranges to block.

10) The 'Restart_On_Deadlock' feature under [Threads] has been re-done.
    It was originally designed to handle the DLL loader lock getting stuck.
    When that happened the server would be unable to exit and so it would
    signal the ioFTPD-Watch process to forcefully terminate the server.
    That part remains the same, but the ioFTPD-Watch process now requires
    the server to signal it's alive at least once every minute else it will
    assume something bad happened and forcefully terminate it.  On top of
    that, the server will now attempt to connect to all active services
    every minute and if that fails 3 times in a row it will try to exit
    gracefully.  If it can't exit the ioFTPD-Watch process will time it out
    after another minute or so and forcefully terminate it.  You can view
    actions or error messages by the ioFTPD-Watch.exe process in the new
    "Watch.log" file stored in the server's log directory ($Log_Files).

11) New ioFTPD.ini option (Create_Certificate under [FTP_Service]).  If
    'True' this feature will create a new SSL certificate right after the
    server is started if no certificate was found for the service.

12) New ioFTPD.ini option (OpenSSL_Options under [FTP_Service]).  You can now
    specify any v1.0 OpenSSL option flag to modify the encryption library's
    behavior.  Arguments are separated by "|" and the "SSL_OP_" prefix should
    be left off.  The complete list of options is available at:
      http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
    The 2 suggested options are:
     ALL       - enable all compatibility options to work around broken SSL
                 implementations.
     NO_TICKET - Disable RFC4507bis tickets for stateless session resumption.
                 FlashFXP disabled this because of issues with some Java SSL
                 implementations so I figure we should do the same.
     The default is no options.

13) New ioFTPD.ini option (OpenSSL_Ciphers under [FTP_Service]).  You can now
    control exactly which ciphers are available and in what order they should
    be chosen.  Documentation is available at:
       http://www.openssl.org/docs/apps/ciphers.html
    The default, if undefined, is "DEFAULT:!LOW:!EXPORT" which excludes
    anything under 128 bits.  This affects both control and data connections.

14) New site command (site ciphers [-all]).  This command displays available
    ciphers in the order they are chosen for the service you are connected to.
    A bit of information about each is also included by the OpenSSL library.
    [Note: the columns are generated by OpenSSL itself and aren't aligned, but
    pulling the data out of private structures subject to change just to align
    the columns didn't seem worth it - I may fix OpenSSL itself later though!]
    If you supply the "-all" argument then it will display the complete list
    of ciphers supported by OpenSSL itself.

15) The server now supports elliptic-curve and Diffie-Huffman based ephemeral
    key algorithms for one-time use ciphers which means the server now uses
    the most secure algorithms available to OpenSSL.  You will need to
    re-generate the certificate to enable DH based algorithms.  See #7 above.
    The "parameters" for generating ephemeral keys are stored in a new file
    "<certname>.dhp".

16) The server will now display the descriptive error messages returned by
    the OpenSSL library in a number of cases including data transfer errors
    to help users understand what the problem is and report problems better.

17) New ioFTPD.ini option (Log_OpenSSL_Transfer_Errors under [Network]). You
    can have the server automatically log OpenSSL error messages to the
    Debug.log file.  The default is not to.

18) New ioFTPD.ini option (Data_Timeout under [FTP]).  ioFTPD used to have
    a very liberal 10 minute timeout between receive/send calls of a data
    transfer before automatically aborting the transfer.  The new default is
    2 minutes, however you can use this setting to make it whatever you want.
    Be aware that exponential backoff for ethernet re-transmission can be 30
    seconds across a LAN and that internet routing hiccups can lose or delay
    packets for several minutes.

19) New ioFTPD.ini option (Chmod_Check under [FTP]).  You can now modify the
    behavior of the 'site chmod' command by choosing one of 3 settings.
    Master accounts can do anything under any setting so are not affected.
      Default  : Require +w to parent of item being modified, and non-VFS
                 admins must own the item being modified.
      WriteOnly: Require +w to parent of item being modified (no owner check).
      NoChecks : Can modify anything provided you can see it.
    The 'Default' setting is the original behavior and the default.

20) Modified ioFTPD.ini option (VFS under [VFS_PreLoad]).  You can now
    completely disable the directory cache preloading feature by specifing
    the name of the VFS file to use as 'DISABLE'.

21) New ioFTPD.ini option (Site_Name under [FTP]).  You can now define a
    custom name for your ftp server that will be used to customize the
    output of some site commands and help output.  The default is 'ioFTPD'.

22) New ioFTPD.ini options (Site_Box_Header and Site_Box_Footer under [FTP]).
    This is the string to display in the top and bottom of site commands that
    contain bounding boxes or borders (- and |) around them.  The string is
    fully processed by the message cookie parser and the defaults use the
    new formatting super cookies below so you can use custom themes to get
    colors and you don't have to worry about the box aligning correctly.

23) New ioFTPD.ini options (Help_Box_Header and Help_Box_Footer under [FTP]).
    Essentially the same as the Site_Box versions but used for 'help' and
    'site help' output.

24) New super cookies (%[SiteName], %[SiteBoxHeader], %[SiteBoxFooter],
    %[HelpBoxHeader], %[HelpBoxFooter]).  Returns the value of the associated
    option under the [FTP] section in the .ini configuration file.

25) New super cookie (%[SiteCmd]).  Returns the name of the current site
    command being executed.

26) New super cookies (%[Mark], %[Fill(<num>,<str>)], %[Pad(<num>,<str>)]).
    These 3 cookies provide a powerful means of aligning data.  First you
    use the Mark cookie to record the current position on a line, and then
    you use the Fill cookie to guarantee that there are at least <num>
    characters from the marked position by appending data as needed.  The
    default is to fill with spaces, however you can provide an arbitrary
    string and characters from it will be used one at a time, in order with
    looping, until the field is exactly <num> characters wide not counting
    any ANSI control codes such as color specifiers.  The Pad cookie works
    the same way except instead of appending to the end of the original
    string to reach the desired width it inserts characters at the beginning
    (marked position) so the original string will be right aligned.  There
    probably should be a Center cookie as well, let me know if you need that.
    NOTE: Mark/Fill or Mark/Pad cannot span lines.

27) New super cookies (%[Save] and %[Restore]).  The Save cookie will record
    the current theme/subtheme, and the current text settings of colors, etc.
    You can then change these however you want and at a later time revert to
    the saved settings via the Restore cookie.

28) Exported functions Config_Get, Config_GetInt, Config_GetBool,
    Config_GetPath changed to support multiple .ini files again such as v7.1
    supported.  This requires use of nxMyDB v2.1.0+, however only v2.1.1+
    should be used as that is the first release to support the required
    handle locking and should be used with the custom libmysql.dll as well.


*** Bug Fixes:

29) Fixed a serious bug where the server was passing the port re-use flag to
    the bind() function when processing the PASV command.  This could result
    in server giving the same port # to 2 or more users at the same time and
    if the connections to that port didn't arrive in the order they were
    handed out the uploaded files would get swapped!  This bug goes all the
    way back to before v5.8.5 so it isn't new and in most configurations with
    a decent range of passive ports must have been relatively rare but it's a
    big bug.

30) Fixed a serious bug introduced in v7.4 that would cause the server to
    crash if the number of outstanding requests to a particular disk was
    higher than the Device_Concurrency setting in the .ini file.

31) Fixed a bug where an already closed handle for a socket could be
    referenced by the server.  When a TCP connection is timed out by the
    server or an ABOR command is issued the server forces closed the socket
    handle which results in any active overlapped I/O operations being
    aborted and invalidates the handle.  However, if the server was just
    about to issue a new send or receive request it could use the just
    closed handle.  I've added additional locking to prevent this from
    happening now.

32) Fixed a bug where the server failed to mark the cached directory as
    stale after creating the new file for uploads.

33) Fixed a bug with marking directories as stale.  The dirty/stale flag is
    set outside of any locks, but is tested later while holding the lock and
    cleared if set.  The test/clear operations were not atomic and thus
    a rare race condition was possible and it could be marked as current
    instead of stale.  A simple change to make this atomic fixes it.

34) Fixed a bug where a thread could make a change to a directory, mark the
    directory as stale, and then request information about a file or the
    directory itself and not see the change.  This can happen because the
    server assumed that if someone was already updating the cached directory
    entry that it would be up to date when finished.  This is obviously not
    true if the update started before the 2nd thread made it's change.  The
    directory stale flag is now tested before making this assumption and
    if it is set updates the directory again.  This does not guarantee that
    a directory returned is always perfectly up to date (which would be both
    hard to do and a really bad idea), but rather than any actions made by
    the calling thread will be visible.

35) Fixed a bug where the server wasn't setting the blocking thread flag
    early enough when sending non-buffered data (iputs -nobuffer or
    SendQuick()) that could cause a deadlock if all worker threads decided
    to do this all at the same time.

36) Fixed a bug where the TCL [waitobject wait] command wasn't setting the
    blocking thread flag which indicates it could block the worker thread
    indefinitely.

37) Fixed a bug where the server could reject an upload because too many
    were in progress by a user but no error description was provided.

38) Fixed a bug where the Default_VFS file was always processed even if
    a custom one was specified via the 'VFS' option of [VFS_PreLoad].  Even
    worse was the fact that Default_VFS wouldn't do this in parallel during
    startup.

39) Changed PORT failure response code to 501 from 550 to comply with RFC.

40) The Dark-Bright theme for 'site who' changed to use high intensity colors.


*** Known Bugs:

41) ioFTPD is unable to handle key re-negotiation of an established SSL
    connection.  The OpenSSL library provides support for this but currently
    the server cannot handle it.  This is not a feature loss since ioFTPD
    also didn't do this with the MS encryption library.

42) ioFTPD does not provide support for 512 bit ephemeral keys for use with
    weak "export" grade ciphers.  Those ciphers should not be used at all.
Yil is offline   Reply With Quote