rustypaste/CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.10.0] - 2023-05-31

Added

• Support one shot URLs

With using the oneshot_url multipart field, you can now shorten an URL and make it disappear after viewed once:

curl -F "oneshot_url=https://example.com" "<server_address>"

• Allow configuring the content type for the landing page

landing_page_content_type is added as a configuration option for setting the Content-Type header:

[server]
landing_page = ""
landing_page_content_type = "text/plain; charset=utf-8"

• Add information/example about using HTML forms

With utilizing the newly added option for the content type, you can now use HTML forms for the landing page:

[server]
landing_page = "<html>"
landing_page_content_type = "text/html; charset=utf-8"

There is an example added to the repository: html_form.toml

Also, there is an ongoing discussion about refactoring the usage of landing page fields in the configuration file. See #52

• An informative log message is added for showing the server address at startup

[0.9.1] - 2023-05-24

Changed

• Bump Shuttle to 0.17.0
• Tweak public instance settings
  • Increase the default expiry time to 24 hours
  • Increase the max content length to 20MB
• Bump dependencies

[0.9.0] - 2023-05-17

The public instance is now available at https://rustypaste.shuttleapp.rs 🚀

Read the blog post about rustypaste and Shuttle deployments: https://blog.orhun.dev/blazingly-fast-file-sharing

Added

• Deploy on Shuttle.rs
• Support setting a default expiry time

You can now specify a expiry time for uploaded files. For example, if you want all the files to expire after one hour:

[paste]
default_expiry = "1h"

• Support overriding the server URL

If you are using rustypaste with a redirect or reverse proxy, it is now possible to set a different URL for the returned results:

[server]
url = "https://rustypaste.shuttleapp.rs"

• Add instructions for installing on Alpine Linux

rustypaste is now available in testing repositories.

• Add new crate features

  • shuttle: enable an entry point for deploying on Shuttle
  • openssl: use distro OpenSSL (binary size is reduced ~20% in release mode)
  • rustls: use rustls (enabled as default)

Changed

• Make the default landing page fancier
• Generate SBOM attestation for the Docker image

Updated

• Bump dependencies
• Update the funding options
  • Consider donating if you liked rustypaste: https://donate.orhun.dev 💖

[0.8.4] - 2023-01-31

Added

• Allow downloading files via ?download=true parameter
  • If you specify this for a file (e.g. <server_address>/file?download=true), rustypaste will override the MIME type to application/octet-stream and this will force your browser to download the file.
  • This is useful when e.g. you want to be able to share the link to a file that would play in the browser (like .mp4) but also share a link that will auto-download as well.

[0.8.3] - 2023-01-30

Updated

• Bump dependencies
• Switch to Rust image for the Dockerfile
• Remove unused clap dependency

[0.8.2] - 2022-10-04

Updated

• Don't expose version endpoint in default config
  • Set expose_version to false in the configuration file

[0.8.1] - 2022-10-04

Added

• Add <server_address>/version endpoint for retrieving the server version

[server]
expose_version=true

If expose_version entry is not present in the configuration file, /version is not exposed. It is recommended to use this feature with authorization enabled.

Fixed

• Replace unmaintained dotenv crate with dotenvy
  • Fixes RUSTSEC-2021-0141

[0.8.0] - 2022-10-03

Added

• Support adding a landing page

You can now specify a landing page text in the configuration file as follows:

[server]
landing_page = """
boo 👻
======
welcome!
"""

If the landing page entry is not present in the configuration file, visiting the index page will redirect to the repository.

Updated

• Do not check for duplicate files by default
  • Set duplicate_files to true in the configuration file
  • It is an expensive operation to do on slower hardware and can take an unreasonable amount of time for bigger files
• Enable GitHub Sponsors for funding
  • Consider supporting me for my open-source work 💖

[0.7.1] - 2022-05-21

Added

• Aggressively test everything
  • Add the missing unit tests for the server endpoints (code coverage is increased to 84%)
  • Create a custom testing framework (written in Bash) for adding test fixtures

[0.7.0] - 2022-03-26

Added

• Support auto-deletion of expired files

rustypaste can now delete the expired files by itself. To enable this feature, add the following line to the [paste] section in the configuration file:

# expired files will be cleaned up hourly
delete_expired_files = { enabled = true, interval = "1h" }

For users who want to have this feature disabled, there is an alternative shell script recommended in the documentation.

• Add systemd service files
  • systemd files have been added to serve files from /var/lib/rustypaste, create rustypaste user automatically via systemd-sysusers and configure AUTH_TOKEN via rustypaste.env.
  • For the installation and usage, see the Arch Linux PKGBUILD.

Updated

• Upgrade Actix dependencies
  • actix-web is updated to 4.0.*
• Strip the binaries during automated builds
  • Size of the Docker image is reduced by ~20%

Fixed

• Prevent invalid attempts of serving directories
  • This fixes an issue where requesting a directory was possible via e.g. curl --path-as-is 0.0.0.0:8080/.
  • This issue had no security impact (path traversal wasn't possible) since internal server error was returned.

[0.6.5] - 2022-03-13

Added

• Add instructions for installing rustypaste on Arch Linux
  • pacman -S rustypaste 🎉

Fixed

• Fix a bug where the use of CONFIG environment variable causes a conflict between the configuration file path and [config] section

[0.6.4] - 2022-03-11

Added

• Support setting the refresh rate for hot-reloading the configuration file.

[config]
refresh_rate="1s"

• Support setting the timeout for HTTP requests.

[server]
timeout="30s"

Security

• Bump regex crate to 1.5.5
  • Fixes CVE-2022-24713

[0.6.3] - 2022-02-24

Added

• Support setting the authentication token in the configuration file.
  • This is an alternative (but not recommended) way of setting up authentication when the use of AUTH_TOKEN environment variable is not applicable.

[server]
auth_token="hunter2"

[0.6.2] - 2021-12-05

Updated

• Improve the concurrency
  • Shrink the scope of non-suspendable types (#[must_not_suspend]) for dropping them before reaching a suspend point (.await call). This avoids possible deadlocks, delays, and situations where Futures not implementing Send.
  • Reference: https://rust-lang.github.io/rfcs/3014-must-not-suspend-lint.html

[0.6.1] - 2021-11-16

Fixed

• Gracefully handle the hot-reloading errors.
  • Errors that may occur while locking the Mutex are handled properly hence a single configuration change cannot take down the whole service due to poisoning.

[0.6.0] - 2021-11-07

Added

• Support pasting files from remote URLs (via remote= form field)

  • {server.max_content_length} is used for download limit
  • See README.md#paste-file-from-remote-url

• Hot reload configuration file to apply configuration changes instantly without restarting the server

Changed

• Library: Switch to Rust 2021 edition

Security

• Prevent serving an already expired file

In the previous versions, it was possible to view an expired file by using the correct extension (timestamp). e.g. paste.com/expired_file.txt.1630094518049 will serve the file normally although paste.com/expired_file.txt says that it is expired. This version fixes this vulnerability by regex-checking the requested file's extension.

reference: f078a9afa74f8608ee3f2a6e705159df15915c78

[0.5.0] - 2021-10-12

Added

• Added an entry in the configuration file to disable "duplicate uploads":

[paste]
# default: true
duplicate_files = false

Under the hood, it checks the SHA256 digest of the uploaded files.

[0.4.1] - 2021-09-19

Changed

• Update README.md:
  • Mention the new standalone tool: rustypaste-cli
  • Add installation section.

[0.4.0] - 2021-08-27

Added

• Support expiring links (via expire: header)
  • Timestamps are used as extension for expiring files
  • Expired files can be cleaned up with this command
• Support one shot links (via oneshot= form field)
  • {server.upload_path}/oneshot is used for storage

[0.3.1] - 2021-08-10

Fixed

• Switch to upload-release-action for uploading releases

[0.3.0] - 2021-08-09

Added

• Support overriding MIME types (config: mime_override)
• Support blacklisting MIME types (config: mime_blacklist)

[0.2.0] - 2021-08-04

Added

• Support shortening URLs (via url= form field)
  • {server.upload_path}/url is used for storage

[0.1.3] - 2021-07-28

Fixed

• Prevent sending empty file name and zero bytes
• Prevent path traversal on upload directory (#2)
• Check the content length while reading bytes for preventing OOM (#1)

[0.1.2] - 2021-07-27

Changed

• Update Continuous Deployment workflow to publish Docker images

[0.1.1] - 2021-07-27

Initial release.