All notable changes to the project are documented in this file.
v2.8 - 2019-05-28
- The FTP command processor now always converts all inbound commands to uppercase to handle clients sending commands in lowercase
- Any arguments to the FTP
LISTcommand are now ignored - Improved user feedback on bad FTP root error message
- Fix #18: KDE Dolphin, FTP client interop problems.
v2.7 - 2019-03-03
- Documentation updates, commands added in v2.5 and
writableopt - Require libuEv v2.2, or later
- Issue #17: Issues with relative FTP root when running unpriviliged
v2.6 - 2018-07-03
Bug fix release.
- Issue #16: 100% CPU when client session exits
- Add missing include file for
gettimeofday() - Flush stdout logging when running in the foreground
v2.5 - 2018-06-06
The VLC Android app release.
- Support for
ABORFTP command, issue #14 - Support for
RESTFTP command, issue #13 - Support for
EPSVandEPSV ALLFTP commands, issue #11 - Basic support for
MLSTandMLSDFTP commands to provide support for the VLC android app., issue #9 and #12 - Add
OPTS MLST <ARG>to let client manage order of facts listed inMLSTandMLSDcalls - Add
CDUPFTP convenience command, alias toCWD .. - Add
DELEFTP command to delete files - Add
MKDandRMDFTP commands to create and remove directories - Refactor
LIST,RETR,STORandPASVFTP commands for speed
- Really fix 100% CPU problem, issue #9. Multiple failure modes in
libuEv and improper handling of
waitpid()in event loop callback - Use libuEv callback also for
PASVFTP connections - Fix
NLST+LISTline endings, must be \r\n
v2.4 - 2017-09-03
Bug fix release.
- Handle non-chrooted use-cases better, ensure CWD starts with /
- Increased default inactivty timer: 20 sec --> 180 sec
- Ensure FTP
PASVandPORTsockets are set non-blocking to prevent blocking the event loop - README.md updates, add usage section and improve build + install
- Fix 100% CPU issue. Triggered sometimes when a user issued
CWD ..
v2.3 - 2017-03-22
Bug fix release.
- Add support for
MDTM, modify time, some clients rely this - Add support for correct
SIZEwhen in ASCII mode - Add basic code of conduct to project
- Add contributing guidelines, automatically referenced by GitHub when filing a bug report or pull request
- Fix 100% CPU bug caused by
RETRof non-regular file or directory - Fix segfault on missing FTP home
- Fix ordering issue in fallback FTP user handling, introduced in v2.2
- Fix error message on
CWDto non-directory - Fix
.debgeneration and debconf installation/reconfigure issues
v2.2 - 2017-03-14
- Sort directories first in FTP
LISTcommand - Make sure to exit all lingering FTP sessions on exit
- Logging: reduced verbosity of common FTP commands
- Logging: show client address on failed file retrieval
- Full Debian/Ubuntu
.debbuild support, including debconf, asking user what services (FTP and/or TFTP) to run. - Verify FTP/TFTP root directory is not writable by default
- New option to allow writable FTP/TFTP root, disabled by default
- Fix FTP directory listings, was off-by-one, one entry missing
- Issue #7: Spelling error in
README.md - Issue #8: Install missing symlinks for
in.ftpd.8andin.tftpd.8
v2.1 - 2016-06-05
- Remove GIT submodules for libuEv and libite, these two libraries are now required to be installed separately.
- The output from
uftpd -vnow only shows the version.
v2.0.2 - 2016-02-02
Minor fix release.
- Distribution build fixes for companion libraries
- Missing critical files in uftpd distribution
v2.0.1 - 2016-02-02
Minor fix release.
- Upgrade to libite v1.4.2 (GCC 6 bug fixes)
- IPv6 address conversion error, found by GCC 6
- Make install of symlinks for
in.tftpd&in.ftpdidempotent. Check any existingin.ftpdandin.tftpdsymlinks before bugging out. Fixes problem of uftpd install failing on already existing symlinks.
v2.0 - 2016-01-22
Sleak, smart, simple ... UNIX
- Greatly simplified command line syntax
- Run inetd services by calling
in.ftpdandin.tftpdsymlinks - Migrate to GNU configure and build system
- Update and simplify man page
- Build statically against bundled versions of libite (LITE) and libuEv
- Update bundled libuEv to v1.3.0
- Update bundled libite to v1.4.1
- Do not allow VERSION to be overloaded by build system
- Do not enforce any optimization in Makefile, this is up to the user
- Minor fixes to redundant error messages when running as a regular user
v1.9.1 - 2015-09-27
Minor fix release.
- Upgrade to libuEv v1.2.3 (bug fixes)
- Upgrade to libite v1.1.1 (bug fixes)
- Add support for linking against external libuEv and libite
- Misc. README updates
- Check if libite or libuEv are missing as submodules
v1.9 - 2015-07-23
Bug fix release. FTP and TFTP sessions can now run fully in parallel, independent of each other. Also improved compatibility with Firefox built-in FTP client and wget.
- Upgrade to libuEv v1.2.1+ for improved error handling and a much cleaner API.
- Major refactor of both FTP and TFTP servers to use libuEv better.
- Move to use libite v1.0.0 for
strlcpy(),strlcat(),pidfile()and more. - Add proper session timout to TFTP, like what FTP already has.
- Add support for
NLSTFTP command, needed for multiple get operations. This fixes issue #2, thanks to @oz123 on GitHub for pointing this out! - Add support for
FEATandHELPFTP commands used by some clients.
- Fix issue #3: do not sleep 2 sec before exiting. Simply forward the
SIGTERMto any FTP/TFTP session in progress, yield the CPU to let the child sessions handle the signal, and then exit. Much quicker! - Fix issue #4: due to an ordering bug between the main process calling
daemon()andsig_init(), we never got theSIGCHILDto be able to reap any exiting FTP/TFTP sessions. This resulted in zombies(!) when not being called asuftpd -n - Fix issue #5:
LISTandNLSTignores path argument sent by client. - Fix issue #6: FTP clients not detecting session timeout. Caused by
uftpd not performing a proper
shutdown()on the client socket(s) beforeclose(). - Fix problem with libuEv not being properly cleaned on
distclean. - Fix problem with uftpd not exiting client session properly when client simply closes the connection.
v1.8 - 2015-02-02
- Updated README.md
- Add TODO.md
- Add CHANGELOG.md, attempt to align with http://keepachangelog.com
- From now on Travis-CI only runs when pushing to the dev branch, so all new development must be done there.
- Upgrade to libuEv v1.0.4
- Fix insecure
chroot()reported in Coverity Scan CID #54523. - Minor cleanup fixes.
v1.7 - 2014-12-21
The TFTP Blocksize Negotiation release.
- Support for RFC 2348, TFTP blocksize negotiation
- Support for custom server directory, instead of FTP user's
$HOME - Log to
stderrwhen running in foreground and debug is enabled
v1.6 - 2014-09-12
Fix missing libuEv directory content generated by make dist in v1.3, v1.4, and v1.5.
- Since the introduction of the event library libuEv the make
dist target has failed to include the libuev sub-directory.
This is due to the
git archivecommand unfortunately not supporting git sub-modules.
v1.5 - 2014-09-12 [YANKED]
Major fix release, lots of issues reported by Coverity Scan fixed. For details, see https://scan.coverity.com/projects/2947
Note: This release has been yanked from distribution due to the tarball (generated by the make dist) missing the required libuEv library. Instead, use v1.6 or later, where this is fixed, or roll your own build of this release from the GIT source tree.
- Add support for Travis-CI, continuous integration with GitHub
- Add support for Coverity Scan, the best static code analyzer, integrated with Travis-CI -- scan runs for each push to master
- Fix nasty invalid
sizeof()argument torecv()causing uftpd to only read 4/8 bytes (32/64 bit arch) at a time from the FTP socket. This should greatly reduce CPU utilisation and improve xfer speeds. Found by Coverity Scan. - Fix minor resource leak in
ftp_session()whengetsockname()orgetpeername()fail. Minor fix because the session exits and the OS usually frees resources at that point, unless you're using uClinux. Found by Coverity Scan. - Various fixes for unchecked API return values, prevents propagation of errors. Also, make sure to clear input data before calling API's. Found by Coverity Scan.
- Fix oversight in checking for invalid/missing FTP username. Found by Coverity Scan.
- Fix potential attack vector. Make sure to always store a NUL string terminator in all received FTP commands so the parser does not go out of bounds. Found by Coverity Scan.
- Fix parallel build problems in
Makefile.
v1.4 - 2014-09-04 [YANKED]
Note: This release has been yanked from distribution due to the tarball (generated by the make dist) missing the required libuEv library. Instead, use v1.6 or later, where this is fixed, or roll your own build of this release from the GIT source tree.
- Update documentation, both built-in usage text and man page.
- Fix bug in inetd.conf installed by .deb package for TFTP service. Inetd forked off a new TFTP session for each connection attempt.
v1.3 - 2014-09-04 [YANKED]
Added support for TFTP, RFC 1350. Integration of the asynchronous event library libuEv, to serialize all events. Massive refactoring.
Note: This release has been yanked from distribution due to the tarball (generated by the make dist) missing the required libuEv library. Instead, use v1.6 or later, where this is fixed, or roll your own build of this release from the GIT source tree.
- Incompatible changes to the command line arguments, compared to v1.2!
- Add libuEv as a GIT submodule, handles signals, timers, and all I/O.
- Refactor all signal handling, timers, and socket
poll()calls to use libuEv instead. Much cleaner and maintaiable code as a result. - Clarify copyright claims, not much remains of the original FtpServer code, by Xu Wang.
v1.2 - 2014-05-19
- Add support for logging to stdout as well as syslog.
- Fix embarrassing problem with listing big/average sized directories.
v1.1 - 2014-05-04
Haunted zombie (¬°-°)¬ release.
- Add strict FTP session inactivity timer, 20 sec.
- Change some logs to informational, only seen in verbose
-Vmode. - Revise .deb package slightly and add support for creating an FTP user and group on the system. This is used to both find the default FTP home directory, to serve files from, and also the UID/GID to drop to when being started as root.
- Fix zombie problem. Forked off FTP sessions did not exit properly and
were not
wait()'ed for properly, so uftpd left a zombie processes lingering after each session. - Fix ordering bug in security mechanism "drop privs"
v1.0 - 2014-05-04
First official uftpd release! :-)
- Forked from FtpServer, by Xu Wang.
- Add permissive ISC license.
- Massive refactor, code cleanup/renaming and "UNIX'ification":
- Add actual command line parser.
- Cleanup all log messages.
- Reindent to use Linux KNF.
- Use system's FTP user to figure out FTP home directory, with
built-in fallback to
/srv/ftp - Use system's
ftp/tcpport from/etc/services. - Chroot to FTP home directory.
- Support for dropping privileges if a valid FTP user exists.
- Use
fork()instead of pthreads for FTP client sessions. - Daemonize uftpd by default, detach from controlling terminal and reparent to PID 1 (init).
- Add support for running as an
inetdservice. - Add wrapper for
syslog()instead of usingstdout/stderr. - Add basic
uftpd.8man page.
- Add OpenBSD
strlcat()andstrlcpy()safe string functions. - Add support for NOOP (keepalive sent by some clients).
- Add support for SIZE.
- Add support for TYPE, at least
IMAGE/BINARY. - Add basic dependency handling to Makefile.
- Add support for building Debian .deb packages.
- Handle "walking up to parent" attacks in several FTP functions.
- Fix memory leaks in
recv_mesg()caused by dangerous homegrown string functions. Replaced with safer OpenBSD variants. - Fix absolute paths in FTP
LISTcommand. - Fix Firefox FTP mode
LISTcompatibility issue. - Fix "bare linefeeds" warning from certain FTP clients in ASCII mode.
Lines must end in the old
\r\nformat, rather than UNIX\n.