All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Add an endpoint for retrieving a list of files (#94)
Set the expose_list option to true in the configuration file to enable this feature. It is disabled by default.
[server]
expose_list = true
Then you can receive the list of files as JSON via the /list endpoint:
$ curl "http://<server_address>/list" | jq .
[
  {
    "file_name": "accepted-cicada.txt",
    "file_size": 241,
    "expires_at_utc": null
  },
  {
    "file_name": "evolving-ferret.txt",
    "file_size": 111,
    "expires_at_utc": "2023-08-07 10:51:14"
  }
]
- Support multiple auth tokens (#84)
The auth_token option is now deprecated and replaced with auth_tokens, which supports an array of authentication tokens. For example:
[server]
auth_tokens = [
  "super_secret_token1",
  "super_secret_token2",
]
- Add new line character to most prominent messages (#97)
This is a follow-up to #72 for making the terminal output better:
$ curl http://localhost:8000/sweeping-tahr
unauthorized
- Bump Shuttle to 0.23.0
- Bump dependencies
- Deploy the Shuttle service when a new tag is created
This is a hotfix release for supporting the use of deprecated [server].landing_page* fields.
- Allow using deprecated landing page fields
- Add a new section for the landing page
- Also, support a file for the landing page (#64)
Migration path:
Old:
[server]
landing_page = "Landing page text."
landing_page_file = "index.html"
landing_page_content_type = "text/html; charset=utf-8"
New:
[landing_page]
text = "Landing page text."
file = "index.html"
content_type = "text/html; charset=utf-8"
The configuration is backwards compatible, but we recommend using the new landing_page section as shown above since the other fields are now deprecated.
- Add random suffix mode (#69)
- Support appending a random suffix to the filename before the extension. For example, foo.tar.gz will result in foo.eu7f92x1.tar.gz
To enable, set suffix_mode to true:
[paste]
random_url = { enabled = true, type = "alphanumeric", length = 6, suffix_mode = true }
- Honor X-Forwarded-* headers (X-Forwarded-For/X-Forwarded-Host/X-Forwarded-Proto) (#61)
- This is useful for setups where the service is running behind a reverse proxy or gateway: the logging output is adjusted based on the availability of these headers, so that the real IP addresses of the clients are available in the log.
- Add new line character to the 404 message (#72)
Terminal output will look better when the file is not found:
$ curl http://localhost:8000/sweeping-tahr
file is not found or expired :(
- Add editorconfig for correctly formatting the test fixture files
- Add pull request template
- Bump Shuttle to 0.20.0
- List all the supported units in the documentation (#63)
- Note that the Alpine Linux package is moved to the community
- Bump dependencies
- Use the static folder for the Shuttle config (#70)
- There was a regression in the previous release that caused the static folder to be missing from Shuttle deployments. This shouldn't be an issue anymore and the deployment should be live.
- Also, it is now possible to trigger a deployment manually via GitHub Actions.
Thanks to @tessus for his contributions to this release!
- Add a middleware for checking the content length
- Before, the upload size was checked after the full upload, which was clearly wrong.
- With this change, the total number of bytes to upload is checked via the Content-Length header before the upload.
- Bump Shuttle to 0.18.0
- Bump hotwatch to 0.5.0
- Fixes RUSTSEC-2020-0016
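The Content-Length check described in this release, as an added sketch that is not rustypaste's own code. The `Reject` type, the function names and the choice to refuse a missing header are assumptions of this example; because the header is supplied by the client, the sketch keeps a second cap while the body is read.

```rust
use std::io::Read;

// Hypothetical error type for this sketch (not rustypaste's own).
#[derive(Debug, PartialEq)]
enum Reject {
    LengthRequired,  // Content-Length missing or not a number
    PayloadTooLarge, // declared or actual size exceeds the limit
    Io,              // reading the body failed
}

/// Pre-upload check: decide from the Content-Length header alone,
/// before a single body byte is accepted.
fn check_declared_length(header: Option<&str>, max: u64) -> Result<u64, Reject> {
    let declared: u64 = header
        .and_then(|v| v.trim().parse().ok())
        .ok_or(Reject::LengthRequired)?;
    if declared > max {
        return Err(Reject::PayloadTooLarge);
    }
    Ok(declared)
}

/// Read-time check: the header is client-controlled, so never buffer more
/// than `max` bytes, whatever was declared.
fn read_capped<R: Read>(body: R, max: u64) -> Result<Vec<u8>, Reject> {
    let mut buf = Vec::new();
    // One byte past the limit is enough to detect an oversized body.
    body.take(max.saturating_add(1))
        .read_to_end(&mut buf)
        .map_err(|_| Reject::Io)?;
    if buf.len() as u64 > max {
        return Err(Reject::PayloadTooLarge);
    }
    Ok(buf)
}

fn main() {
    let max = 8; // constructed limit, in bytes
    // Honest client: declared size passes, body fits.
    println!("{:?}", check_declared_length(Some("5"), max));
    println!("{:?}", read_capped(&b"hello"[..], max));
    // Oversized declaration is refused before the upload.
    println!("{:?}", check_declared_length(Some("4096"), max));
    // Body longer than declared is still cut off at the limit.
    println!("{:?}", read_capped(&b"0123456789"[..], max));
}
```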
- Do not drop the config watcher
- Since 0.9.0, the configuration watcher was dropped early, which caused it to not work and resulted in mysterious spikes in CPU usage.
- With this version, this issue is fixed.
- Support one shot URLs
Using the oneshot_url multipart field, you can now shorten a URL and make it disappear after it is viewed once:
curl -F "oneshot_url=https://example.com" "<server_address>"
- Allow configuring the content type for the landing page
landing_page_content_type is added as a configuration option for setting the Content-Type header:
[server]
landing_page = ""
landing_page_content_type = "text/plain; charset=utf-8"
- Add information/example about using HTML forms
Using the newly added option for the content type, you can now use HTML forms for the landing page:
[server]
landing_page = "<html>"
landing_page_content_type = "text/html; charset=utf-8"
There is an example added to the repository: html_form.toml
Also, there is an ongoing discussion about refactoring the usage of landing page fields in the configuration file. See #52
- An informative log message is added for showing the server address at startup
- Bump Shuttle to 0.17.0
- Tweak public instance settings
- Increase the default expiry time to 24 hours
- Increase the max content length to 20MB
- Bump dependencies
The public instance is now available at https://rustypaste.shuttleapp.rs 🚀
Read the blog post about rustypaste and Shuttle deployments: https://blog.orhun.dev/blazingly-fast-file-sharing
- Deploy on Shuttle.rs
- Support setting a default expiry time
You can now specify an expiry time for uploaded files. For example, if you want all the files to expire after one hour:
[paste]
default_expiry = "1h"
- Support overriding the server URL
If you are using rustypaste with a redirect or reverse proxy, it is now possible to set a different URL for the returned results:
[server]
url = "https://rustypaste.shuttleapp.rs"
- Add instructions for installing on Alpine Linux
rustypaste is now available in testing repositories.
- Add new crate features
- shuttle: enable an entry point for deploying on Shuttle
- openssl: use distro OpenSSL (binary size is reduced ~20% in release mode)
- rustls: use rustls (enabled as default)
- Make the default landing page fancier
- Generate SBOM attestation for the Docker image
- Bump dependencies
- Update the funding options
- Consider donating if you liked rustypaste: https://donate.orhun.dev 💖
- Allow downloading files via ?download=true parameter
- If you specify this for a file (e.g. <server_address>/file?download=true), rustypaste will override the MIME type to application/octet-stream and this will force your browser to download the file.
- This is useful when e.g. you want to be able to share the link to a file that would play in the browser (like .mp4) but also share a link that will auto-download as well.
- Bump dependencies
- Switch to Rust image for the Dockerfile
- Remove unused clap dependency
- Don't expose version endpoint in default config
- Set expose_version to false in the configuration file
- Add <server_address>/version endpoint for retrieving the server version
[server]
expose_version=true
If the expose_version entry is not present in the configuration file, /version is not exposed. It is recommended to use this feature with authorization enabled.
- Replace unmaintained dotenv crate with dotenvy
- Fixes RUSTSEC-2021-0141
- Support adding a landing page
You can now specify a landing page text in the configuration file as follows:
[server]
landing_page = """
boo 👻
======
welcome!
"""
If the landing page entry is not present in the configuration file, visiting the index page will redirect to the repository.
- Do not check for duplicate files by default
- Set duplicate_files to true in the configuration file
- It is an expensive operation to do on slower hardware and can take an unreasonable amount of time for bigger files
- Enable GitHub Sponsors for funding
- Consider supporting me for my open-source work 💖
- Aggressively test everything
- Add the missing unit tests for the server endpoints (code coverage is increased to 84%)
- Create a custom testing framework (written in Bash) for adding test fixtures
- Support auto-deletion of expired files
rustypaste can now delete the expired files by itself. To enable this feature, add the following line to the [paste] section in the configuration file:
# expired files will be cleaned up hourly
delete_expired_files = { enabled = true, interval = "1h" }
For users who want to have this feature disabled, there is an alternative shell script recommended in the documentation.
- Add systemd service files
- systemd files have been added to serve files from /var/lib/rustypaste, create rustypaste user automatically via systemd-sysusers and configure AUTH_TOKEN via rustypaste.env.
- For the installation and usage, see the Arch Linux PKGBUILD.
- Upgrade Actix dependencies
- actix-web is updated to 4.0.*
- Strip the binaries during automated builds
- Size of the Docker image is reduced by ~20%
- Prevent invalid attempts of serving directories
- This fixes an issue where requesting a directory was possible via e.g. curl --path-as-is 0.0.0.0:8080/.
- This issue had no security impact (path traversal wasn't possible) since internal server error was returned.
- Add instructions for installing rustypaste on Arch Linux
- pacman -S rustypaste 🎉
- Fix a bug where the use of CONFIG environment variable causes a conflict between the configuration file path and [config] section
- Support setting the refresh rate for hot-reloading the configuration file.
[config]
refresh_rate="1s"
- Support setting the timeout for HTTP requests.
[server]
timeout="30s"
- Bump regex crate to 1.5.5
- Fixes CVE-2022-24713
- Support setting the authentication token in the configuration file.
- This is an alternative (but not recommended) way of setting up authentication when the use of AUTH_TOKEN environment variable is not applicable.
[server]
auth_token="hunter2"
- Improve the concurrency
- Shrink the scope of non-suspendable types (#[must_not_suspend]) for dropping them before reaching a suspend point (.await call). This avoids possible deadlocks, delays, and situations where Futures do not implement Send.
- Reference: https://rust-lang.github.io/rfcs/3014-must-not-suspend-lint.html
- Gracefully handle the hot-reloading errors.
- Support pasting files from remote URLs (via remote= form field)
- {server.max_content_length} is used for download limit
- See README.md#paste-file-from-remote-url
- Hot reload configuration file to apply configuration changes instantly without restarting the server
- Library: Switch to Rust 2021 edition
- Prevent serving an already expired file
In the previous versions, it was possible to view an expired file by using the correct extension (timestamp). e.g. paste.com/expired_file.txt.1630094518049 will serve the file normally although paste.com/expired_file.txt says that it is expired. This version fixes this vulnerability by regex-checking the requested file's extension.
reference: f078a9afa74f8608ee3f2a6e705159df15915c78
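The expiry bypass and its fix, as an added sketch that is not the code from the referenced commit. It assumes expiring files are stored as name.<expiry in Unix milliseconds>, uses hypothetical function names, and replaces the regex mentioned above with an equivalent digits-only check from the standard library so that it runs without extra crates.

```rust
/// True when the last dot-separated component is all digits, i.e. the
/// client is asking for the on-disk name of an expiring file directly.
/// Trade-off of this sketch: a name such as "backup.2021" is refused too.
fn has_timestamp_extension(requested: &str) -> bool {
    match requested.rsplit_once('.') {
        Some((_, ext)) => !ext.is_empty() && ext.bytes().all(|b| b.is_ascii_digit()),
        None => false,
    }
}

/// Map a requested name to the stored file to serve, or None.
fn resolve<'a>(requested: &str, stored: &[&'a str], now_ms: u128) -> Option<&'a str> {
    // The fix: never serve by internal (timestamped) name, expired or not.
    if has_timestamp_extension(requested) {
        return None;
    }
    stored.iter().copied().find(|name| {
        if *name == requested {
            return true; // file uploaded without an expiry
        }
        match name.rsplit_once('.') {
            // Expiring file: serve only while the expiry lies in the future.
            Some((base, ts)) if base == requested => {
                ts.parse::<u128>().map_or(false, |expiry| expiry > now_ms)
            }
            _ => false,
        }
    })
}

fn main() {
    // Constructed upload directory listing and clock value.
    let stored = [
        "expired_file.txt.1630094518049",
        "live.txt.9999999999999",
        "notes.txt",
    ];
    let now_ms = 1_630_094_600_000;
    for req in [
        "expired_file.txt",
        "expired_file.txt.1630094518049",
        "live.txt",
        "notes.txt",
    ] {
        println!("{req} -> {:?}", resolve(req, &stored, now_ms));
    }
}
```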
- Added an entry in the configuration file to disable "duplicate uploads":
[paste]
# default: true
duplicate_files = false
Under the hood, it checks the SHA256 digest of the uploaded files.
- Update README.md:
- Mention the new standalone tool: rustypaste-cli
- Add installation section.
- Support expiring links (via expire: header)
- Timestamps are used as extension for expiring files
- Expired files can be cleaned up with this command
- Support one shot links (via oneshot= form field)
- {server.upload_path}/oneshot is used for storage
- Switch to upload-release-action for uploading releases
- Support overriding MIME types (config: mime_override)
- Support blacklisting MIME types (config: mime_blacklist)
- Support shortening URLs (via url= form field)
- {server.upload_path}/url is used for storage
- Prevent sending empty file name and zero bytes
- Prevent path traversal on upload directory (#2)
- Check the content length while reading bytes for preventing OOM (#1)
- Update Continuous Deployment workflow to publish Docker images
Initial release.