vh/rest-server
1
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-12-07 09:36:13 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Move changelog files for 0.10.0

Browse Source
This commit is contained in:
Alexander Neumann
2020-09-13 11:24:26 +02:00
parent 13f56bbb3c
commit d4b929ef35
5 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
changelog/unreleased/issue-102
View File

@@ -1,14 +0,0 @@
Change: Remove vendored dependencies
We've removed the vendored dependencies (in the subdir `vendor/`) similar to
what we did for `restic` itself. When building restic, the Go compiler
automatically fetches the dependencies. It will also cryptographically verify
that the correct code has been fetched by using the hashes in `go.sum` (see the
link to the documentation below).
Building the rest-server now requires Go 1.11 or newer, since we're using Go
Modules for dependency management. Older Go versions are not supported any more.
https://github.com/restic/rest-server/issues/102
https://golang.org/cmd/go/#hdr-Module_downloading_and_verification

19
changelog/unreleased/issue-117
View File

@@ -1,19 +0,0 @@
Security: Stricter path sanitization
The framework we're using in rest-server to decode paths to repositories
allowed specifying URL-encoded characters in paths, including sensitive
characters such as `/` (encoded as `%2F`).
We've changed this unintended behavior, such that rest-server now rejects
such paths. In particular, it is no longer possible to specify sub-repositories
for users by encoding the path with `%2F`, such as `http://localhost:8000/foo%2Fbar`,
which means that this will unfortunately be a breaking change in that case.
If using sub-repositories for users is important to you, please let us know in
the forum, so we can learn about your use case and implement this properly. As
it currently stands, the ability to use sub-repositories was an unintentional
feature made possible by the URL decoding framework used, and hence never meant
to be supported in the first place. If we wish to have this feature in
rest-server, we'd like to have it implemented properly and intentionally.
https://github.com/restic/rest-server/issues/117

4
changelog/unreleased/issue-44
View File

@@ -1,4 +0,0 @@
Enhancement: Add changelog file
https://github.com/restic/rest-server/issues/44
https://github.com/restic/rest-server/pull/62

8
changelog/unreleased/issue-60
View File

@@ -1,8 +0,0 @@
Security: Require auth by default, add --no-auth flag
In order to prevent users from accidentally exposing rest-server without
authentication, rest-server now defaults to requiring a .htpasswd. If you want
to disable authentication, you need to explicitly pass the new --no-auth flag.
https://github.com/restic/rest-server/issues/60
https://github.com/restic/rest-server/pull/61

8
changelog/unreleased/pull-64
View File

@@ -1,8 +0,0 @@
Security: Refuse overwriting config file in append-only mode
While working on the `rclone serve restic` command we noticed that is currently
possible to overwrite the config file in a repo even if `--append-only` is
specified. The first commit adds proper tests, and the second commit fixes the
issue.
https://github.com/restic/rest-server/pull/64