Gmid Versions Save

signify(1) public key for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te

This release fixes a logic error that cane result in a DoS; therefore is a strongly recommended update for all users. It is safe to update from any version of the 2.0.x series since there were no breaking changes.

• allow again empty lines at the start of the configuration.
• change how strnvis(3) is handled: on systems with the broken interface gmid will just use its own built-in version.
• reject requests with NUL bytes in them.
• don't error on a .. component at the start of the path.

signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te

• add a nicer error message if the removed cgi option is still used. Reported by freezr.
• portability fix for systems with a wrong strnvis(3).

signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te

• relax the SNI requirements
• gg: add -q to avoid printing the "Server Says:" line
• gg: unbreak -n
• fix parsing of IPv6 addresses
• fix fastcgi off handling

signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te

• fix log access path with chroot enabled.
• fix config dumping (-nn).
• rework grammar to allow semicolors after top-level statements.
• don't make the log styles reserved keywords.
• contrib/vim: fixed indent, from Anna “CyberTailor”, thanks!

signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te

Changelog

• convert gmid to the new imsg API
• update bundled imsg
• configure: fix --mandir handling; from Anna “CyberTailor”, thanks!

signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te

New Features

• added listen on to specify per-server the list of addresses from where connections are to be accepted.
• added titan(1), a simple titan client.
• splitted the "configless" version of gmid as a standalone executable gemexp(1)
• added ability to log to files with log access <path>
• added ability to change the syslog(3) facility with log syslog facility <facility>
• added ability to change the logging style with log style <style>
• added `fastcgi strip'
• reworked the privsep implementation and added a privsep crypto engine
• implemented SCRIPT_NAME' and PATH_INFO' splitting for fastcgi

Bug fixes

• fixed handling of TLS handshake failures

Improvements

• contrib/gencert: added -e to generate EC keys
• use default prefork (3) in regress
• removed the sha256 dependency of the regress suite
• parse and log the fastcgi reply
• revamped the fastcgi configuration, now it's per-location
• attempt to load the TLS certificates, mimes and virtual hosts root as part of the configtest (-n) instead of verifying the syntax only.
• synced the parameters with RFC3875 (CGI)
• gg: exit with the gemini response code unless it's 2X
• gemexp: generate EC certificates too (it's also the new default)
• (contrib/vim) added an ALE linter and updated the Vim syntax file; thanks Anna “CyberTailor”

Breaking Changes

• removed CGI support
• gg now warns when the server doesn't use TLS' close_notify
• deprecated the global ipv6 and port settings in favour of the per-server listen on directive
• removed the already deprecated config options mime' and map'
• droped seccomp and capsicum support
• FastCGI: set REQUEST_METHOD to "GET" instead of the empty string

signify(1) pubkey for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC

• add tests and compat for setresuid setresgid
• add GEMINI_SEARCH_STRING fastcgi parameter / cgi env variable
• manpage fix: QUERY_STRING is not urldecoded
• fixed use-after-free in the fastcgi code
• when switching user also set the groups
• always cast is*() arguments to unsigned char

Starting with this release tags are also signed with my ssh key like I'm doing with other projects as well:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0nD5I8BNVJknT87gnpLIJWK0fXTayDktQOlS38CGj4 [email protected]

Released November 1, 2022.

signify(1) pubkeys for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC

Bug Fixes

• removed OpenBSD' rc file. it's now maintained in the ports tree
• (hopefully) fix build on DragonflyBSD
• call tzset(3) to fix times in logs
• always send custom list of fcgi parameters (@nytpu)

Released July 4, 2022.

signify(1) pubkeys for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC

Starting from this release there will be no more pre-compiled binaries. gmid is already packaged by various repositories and the needed dependency are almost universally available.

Edit 2022/07/07: the tarball ended up without contrib/. gmid-1.8.4.-with-contrib.tar.gz was uploaded to recover from this issue and not tag another release; SHA256 and SHA256.sum had to be re-generated.

Bug Fixes

• allow "@" and ":" in paths; spotted by freezr
• URL-encode the file names in the directory index; reported by cage

Improvements

• move the documentation about the config file in its own manual page: gmid.conf.5
• improvements to the mime handling: fixed a memory leak and improve lookup speed.
• log (with low priority) when gmid failed to open a file because of its permissions.
• include a trailing "/" for dirs in the auto-generated directory index.

Breaking Changes

• deprecated the map rule in favour of the new types block.
• the default list is not loaded anymore when types is used; except for the text/gemini to ".gmi"/".gemini" mappings.

signify(1) pubkeys for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC

(note: no aarch64 precompiled binaries this time)

Bug Fixes

• fix a possible out-of-bound access in the CGI handling. It was introduced last October during a refactoring, but due to how many malloc(3) implementations works this hasn't been found until now. Otto' malloc is more strict fortunately.