-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
transmission 2.92: doesnt support Humble Bundle torrents #294
Comments
https://trac.transmissionbt.com/ticket/5517#comment:34
|
i'm afraid the only way to get such a torrent is by buying a humble bundle - @hauntingEcho as the original submitted to the debian bug, can you provide some help here? |
examples the problem. |
Due to copyright issues, I don't think I can forward along the torrent itself, but cfpp2p's sample torrent does demonstrate the same issue. I do want to clarify something with the title though - the problem doesn't seem to be present in any of Humble's other torrents that I've tried, just MiniMetro. I'll contact Humble again & ask if they can provide additional details on their torrent-creation process. |
sorry for my slow response time, this is the response I got from Humble support:
|
Supporting an absolute path in a torrent could easily be seen as a security risk. Utilities for file transfer (like 'tar', for example), deliberately strip off absolute paths due to the security problems. It would be all to easy to have a torrent overwrite all the files in your home directory or any directory on the system where you have write access. It makes sense to limit a file-transfer util (like transmission) to saving files under "some" subdirectory. To give torrents the ability to go out of its configured subdirectory would be a disaster waiting to happen. |
@Astara - while going up the folder tree should definitely be prevented, the torrent still should do something other than fail entirely. One possibility would be to just strip the path entirely as you mention. Another option would be the way |
The original poster states:
so this particular problem is not about supporting absolute paths, or relative paths and directory traversal security, but about the "/" path element contained in the info/name entry dinosaurpoloclub/MiniMetro-gamma19a-linux.tar.gz This can be dealt with without security issues and without stripping the path entirely by properly recognizing valid path elements. This has been already discussed quite thoroughly in TRAC - Don't create or add torrents with "../" at the beginning of the path or "/../" anywhere in the path |
If you strip the path, you would have people complaining because of filename collisions. I don't see the harm in adding (on linux, anyway), "." at the front of the path, so /etc/passwd, would become ./etc/passwd -- a subdir to be created under the curdir. That said, I'm guessing it's a matter of resources and how often this bug comes up "in general", while every bug that one reports is impacting the reporter (or they wouldn't have reported it), how many people it impacts is another matter. Most torrent creation software, I'm guessing strips out absolute path components when the torrent is created, but there are always some creation clients that won't test inputs and allow garbage-in, creating garbage-out. ;^/ Am wondering in your case, are the torrents created by humble utilities, or do they just host torrents created by any third party util. If it was the former, you could lobby them to patch up absolute paths to relative, but it sounds like its the latter, which makes it harder to get them to change things -- unless you can convince them of how it is a security risk. To do that, you might need to create a torrent that would overwrite some homedir or profile dir file as a proof of concept to convince them, though they still might abdicate responsibility saying it would be some torrent client (µtorrent?) that allows the overwrite that is at fault (i.e. engage in finger pointing). Almost every security problem is a |
@cfpp2p -- looking at the trac issue you mention shows that the path "dinosaurpoloclub/MiniMetro-gamma19a-linux.tar.gz" did work, but it looks like it was disabled due to problems on the mac(?). I've seen more than one change go into xmission to dumb it down for Mac clients, like extra sleep cycles added during torrent verification so as to not overwhelm the delicate i/o subsystem on a mac. They were reduced from what they were, but 2.92 still has some of them (verify.c#39, #139). What I don't understand is how torrents with multiple levels of subdirs work if paths w/subdirs doesn't work. It's not uncommon to have a top-folder with source material and a subdir with extra docs or images. So what is different about the torrent you mention? Maybe the subdir has to be "pre-mentioned" as a dir in the torrent file? Yeah, sounds like the torrent file is ill-formed. I bet you could recreate the torrent file, adding the metadata element, and it would work correctly. From the error message you got, it complained that "MiniMetro-gamma19a-linux.tar.gz" didn't match any registered torrent -- and it doesn't, as the file was under "dinosaurpoloclub/". BTW, it might help if you 'xz' (compressed) posted the torrent file as a sample (the torrent files shouldn't have any personally identifying information, since they get distributed to anyone who wants to download the torrent). NOTE: please only post a torrent file for free material (i.e. not for a copyrighted work). Either that or edit the filenames/dirnames to not be recognizable. |
I just tested with all games in my Humble Bundle account with Transmission 2.92 (14714), Mac OS. 7 of the 23 games in my account failed to open in Transmission with |
The difference is that transmission currently does not allow the "/" character to be contained in any torrent metadata path component, that's what triggers the torrent as invalid. If the info dictionary has any changes made to it the hash changes so that's why you just can't change the name or such, ... didn't match any registered torrent ... |
Just found that this happens with the Cuphead OST (MP3 and FLAC) sold via Humble Bundle.
|
I have the same problem with the Humble Bundle "Overgrowth" torrent. Filename in there also has a slash: |
As this is still an ongoing issue, I thought I'd add...
This affects almost every Humble Bundle game torrent (as in the ones that Humble distribute themselves). Only very rarely have I had one of their torrents actually work in Transmission due to this issue. |
ahh, but with cfpp2p/transmission@10fa7bd (plus a few other miniscule tweaks committed later for other TRAC 5517 related problems) fork of transmission with Humble Bundle and other similar, actually not a problem in transmission. |
It would seem that at least the version in Debian unstable (2.94 d8e60ee) is still affected by this issue. I have over 150 Humble Bundle torrents I cannot download because of the path component in the file name —and it's not clear why the torrent specifying a subdir where to place files should be invalid, provided it's not an absolute path. |
Attempting to download "Outcast 2" from Humble bundle recently i ran into the issue. |
This isn't a solution for Transmission, but as a workaround I am now running Deluge in a FreeNAS jail for Humble Bundle torrents with this issue. Deluge has no problem parsing these torrents. |
I opened a ticket with Humble Bundle to inform them of the problem. They seem receptive, in fact they replied
I think that if they see that many of their customers encounter this problem, they will more likely solve it. So I suggest you write to Humble Bundle a polite request to make their torrents compatible with Transmission (include a link to this issue so they can quickly understand the matter). |
@amagnolo - while that will solve one source of torrents which trigger this bug, the torrents that Humble are producing are valid torrents per the specification. The real bug here is that transmission does not function for single-file torrents specifying that their file should be in a child folder (which, though arguably dumb, is still valid per my understanding of the spec). |
@amagnolo Just don't get started on a nice dream. I've told HB about this possibly 2 years ago first, and they promised to do something about it. Then re-notified them a year ago, and they said they surely will do something about it. (They also noted that the torrents are prepared and served by an external contractor who is not cooperating, or in other words sticking to that it's all good and shiny as it is.) |
OK, so it should be solved by Transmission, it would be awesome; still, I think that if HB gets enough complaints, they may be more willing to not ignore the problem that their customers are facing. |
Any update on this? |
@cfpp2p do you think you could create a PR for your changesets that improve the path parsing? As an alternative, an option to disregard any path component in the torrent (just use the basename of the path) could be useful to support these torrents. |
It is called The correct way to create a |
Reproduced with Tacoma (Humble Bundle, linux version) which is now free atm (Transmission 2.92) |
@pyroscope - going by BEP 3:
and further down:
while I don't agree that having a name including paths is necessarily against spec, the spec does allow for it to be munged a bit - for example, dropping everything up to the last folder-separator would be a valid thing to do if otherwise protecting from directory traversal is not worthwhile. Further, the fact that |
@pyroscope brings up an interesting point in the linked discussion for rtorrent:
Since the spec can be interpreted either way, it's perhaps better to refer to the closest thing there is to a reference implementation. |
Juding from e.g. the source code of the original BT client as found here, the That being said, even given that the first releases of the original BT client didn't support it, the fact remains that currently in the ecosystem there are clients that produce
I think it's better for the users if transmission, while never producing such torrents, would accept it, at least given an appropriate “strip paths” option, that would eliminate all security issue and, being opt-in for the user, give them the possibility, if they so wish, to obtain the torrent data. |
Is it possible to manually fix these torrents somehow, so that they are accepted by transmission? |
as noted in the original issue report, that will break the hash of the info dictionary & cause trackers/peers to think your torrent has been tampered with edit with copy/paste:
|
You either patch transmission source to disable the check or ue a different client (like btdownload which is written in python and easier to modify). As noted already: this check could be trivially made a command line switch, it is not a technical question but a philosophical one for the developer(s). Right now they seem to believe that they wouldn't accept that some users are actually knowledgeable enough to be able to decide when to override the check. (The check could be disabled, or slashes could be replaced by underscores, or paths could be stripped altogether [possibly that'd the worst in case of multiple directories and clashing filenames].) |
Thanks to everyone involved. If someone is okay with trying the latest master build, please do and report back if you notice any issues with the fix. |
### All Platforms - Allow the RPC server to listen on an IPv6 address ([#161](transmission/transmission#161)) - Change `TR_CURL_SSL_VERIFY` to `TR_CURL_SSL_NO_VERIFY` and enable verification by default ([#334](transmission/transmission#334)) - Go back to using hash as base name for resume and torrent files (those stored in configuration directory) ([#122](transmission/transmission#122)) - Handle "fields" argument in "session-get" RPC request; if "fields" array is present in arguments, only return session fields specified; otherwise return all the fields as before - Limit the number of incorrect authentication attempts in embedded web server to 100 to prevent brute-force attacks ([#371](transmission/transmission#371)) - Set idle seed limit range to 1..40320 (4 weeks tops) in all clients ([#212](transmission/transmission#212)) - Add Peer ID for Xfplay, PicoTorrent, Free Download Manager, Folx, Baidu Netdisk torrent clients ([#256](transmission/transmission#256), [#285](transmission/transmission#285), [#355](transmission/transmission#355), [#363](transmission/transmission#363), [#386](transmission/transmission#386)) - Announce `INT64_MAX` as size left if the value is unknown (helps with e.g. Amazon S3 trackers) ([#250](transmission/transmission#250)) - Add `TCP_FASTOPEN` support (should result in slight speedup) ([#184](transmission/transmission#184)) - Improve ToS handling on IPv6 connections ([#128](transmission/transmission#128), [#341](transmission/transmission#341), [#360](transmission/transmission#360), [#692](transmission/transmission#692), [#737](transmission/transmission#737)) - Abort handshake if establishing DH shared secret fails (leads to crash) ([#27](transmission/transmission#27)) - Don't switch trackers while announcing (leads to crash) ([#297](transmission/transmission#297)) - Improve completion scripts execution and error handling; add support for .cmd and .bat files on Windows ([#405](transmission/transmission#405)) - Maintain a "session ID" file (in temporary directory) to better detect whether session is local or remote; return the ID as part of "session-get" response (TRAC-5348, [#861](transmission/transmission#861)) - Change torrent location even if no data move is needed ([#35](transmission/transmission#35)) - Support CIDR-notated blocklists ([#230](transmission/transmission#230), [#741](transmission/transmission#741)) - Update the resume file before running scripts ([#825](transmission/transmission#825)) - Make multiscrape limits adaptive ([#837](transmission/transmission#837)) - Add labels support to libtransmission and transmission-remote ([#822](transmission/transmission#822)) - Parse `session-id` header case-insensitively ([#765](transmission/transmission#765)) - Sanitize suspicious path components instead of rejecting them ([#62](transmission/transmission#62), [#294](transmission/transmission#294)) - Load CA certs from system store on Windows / OpenSSL ([#446](transmission/transmission#446)) - Add support for mbedtls (formely polarssl) and wolfssl (formely cyassl), LibreSSL ([#115](transmission/transmission#115), [#116](transmission/transmission#116), [#284](transmission/transmission#284), [#486](transmission/transmission#486), [#524](transmission/transmission#524), [#570](transmission/transmission#570)) - Fix building against OpenSSL 1.1.0+ ([#24](transmission/transmission#24)) - Fix quota support for uClibc-ng 1.0.18+ and DragonFly BSD ([#42](transmission/transmission#42), [#58](transmission/transmission#58), [#312](transmission/transmission#312)) - Fix a number of memory leaks (magnet loading, session shutdown, bencoded data parsing) ([#56](transmission/transmission#56)) - Bump miniupnpc version to 2.0.20170509 ([#347](transmission/transmission#347)) - CMake-related improvements (Ninja generator, libappindicator, systemd, Solaris and macOS) ([#72](transmission/transmission#72), [#96](transmission/transmission#96), [#117](transmission/transmission#117), [#118](transmission/transmission#118), [#133](transmission/transmission#133), [#191](transmission/transmission#191)) - Switch to submodules to manage (most of) third-party dependencies - Fail installation on Windows if UCRT is not installed ### Mac Client - Bump minimum macOS version to 10.10 - Dark Mode support ([#644](transmission/transmission#644), [#722](transmission/transmission#722), [#757](transmission/transmission#757), [#779](transmission/transmission#779), [#788](transmission/transmission#788)) - Remove Growl support, notification center is always used ([#387](transmission/transmission#387)) - Fix autoupdate on High Sierra and up by bumping the Sparkle version ([#121](transmission/transmission#121), [#600](transmission/transmission#600)) - Transition to ARC ([#336](transmission/transmission#336)) - Use proper UTF-8 encoding (with macOS-specific normalization) when setting download/incomplete directory and completion script paths ([#11](transmission/transmission#11)) - Fix uncaught exception when dragging multiple items between groups ([#51](transmission/transmission#51)) - Add flat variants of status icons for message log ([#134](transmission/transmission#134)) - Optimize image resources size ([#304](transmission/transmission#304), [#429](transmission/transmission#429)) - Update file icon when file name changes ([#37](transmission/transmission#37)) - Update translations ### GTK+ Client - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Add AppData file ([#224](transmission/transmission#224)) - Add symbolic icon variant for the Gnome top bar and when the high contrast theme is in use ([#414](transmission/transmission#414), [#449](transmission/transmission#449)) - Update file icon when its name changes ([#37](transmission/transmission#37)) - Switch from intltool to gettext for translations ([#584](transmission/transmission#584), [#647](transmission/transmission#647)) - Update translations, add new translations for Portuguese (Portugal) ### Qt Client - Bump minimum Qt version to 5.2 - Fix dropping .torrent files into main window on Windows ([#269](transmission/transmission#269)) - Fix prepending of drive letter to various user-selected paths on Windows ([#236](transmission/transmission#236), [#307](transmission/transmission#307), [#404](transmission/transmission#404), [#437](transmission/transmission#437), [#699](transmission/transmission#699), [#723](transmission/transmission#723), [#877](transmission/transmission#877)) - Fix sorting by progress in presence of magnet transfers ([#234](transmission/transmission#234)) - Fix .torrent file trashing upon addition ([#262](transmission/transmission#262)) - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Reduce torrent properties (file tree) memory usage - Display tooltips in torrent properties (file tree) in case the names don't fit ([#411](transmission/transmission#411)) - Improve UI look on hi-dpi displays (YMMV) - Use session ID (if available) to check if session is local or not ([#861](transmission/transmission#861)) - Use default (instead of system) locale to be more flexible ([#130](transmission/transmission#130)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Update translations, add new translations for Afrikaans, Catalan, Danish, Greek, Norwegian Bokmål, Slovenian ### Daemon - Use libsystemd instead of libsystemd-daemon (TRAC-5921) - Harden transmission-daemon.service by disallowing privileges elevation ([#795](transmission/transmission#795)) - Fix exit code to be zero when dumping settings ([#487](transmission/transmission#487)) ### Web Client - Fix tracker error XSS in inspector (CVE-?) - Fix performance issues due to improper use of `setInterval()` for UI refresh (TRAC-6031) - Fix recognition of `https://` links in comments field ([#41](transmission/transmission#41), [#180](transmission/transmission#180)) - Fix torrent list style in Google Chrome 59+ ([#384](transmission/transmission#384)) - Show ETA in compact view on non-mobile devices ([#146](transmission/transmission#146)) - Show upload file button on mobile devices ([#320](transmission/transmission#320), [#431](transmission/transmission#431), [#956](transmission/transmission#956)) - Add keyboard hotkeys for web interface ([#351](transmission/transmission#351)) - Disable autocompletion in torrent URL field ([#367](transmission/transmission#367)) ### Utils - Prevent crash in transmission-show displaying torrents with invalid creation date ([#609](transmission/transmission#609)) - Handle IPv6 RPC addresses in transmission-remote ([#247](transmission/transmission#247)) - Add `--unsorted` option to transmission-show ([#767](transmission/transmission#767)) - Widen the torrent-id column in transmission-remote for cleaner formatting ([#840](transmission/transmission#840))
net/transmission-gtk: security update net/transmission-qt: security update net/transmission: security update Revisions pulled up: - net/transmission-gtk/Makefile 1.46 - net/transmission-gtk/PLIST 1.2 - net/transmission-qt/Makefile 1.54 - net/transmission/Makefile 1.27 - net/transmission/Makefile.common 1.10 - net/transmission/PLIST 1.4 - net/transmission/distinfo 1.16 - net/transmission/patches/patch-qt_qtr.pro 1.7 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Mon Jul 13 13:01:02 UTC 2020 Modified Files: pkgsrc/net/transmission: Makefile Makefile.common PLIST distinfo pkgsrc/net/transmission-gtk: Makefile PLIST pkgsrc/net/transmission-qt: Makefile pkgsrc/net/transmission/patches: patch-qt_qtr.pro Log Message: transmission*: update to 3.00 ### All Platforms - Allow the RPC server to listen on an IPv6 address ([#161](transmission/transmission#161)) - Change `TR_CURL_SSL_VERIFY` to `TR_CURL_SSL_NO_VERIFY` and enable verification by default ([#334](transmission/transmission#334)) - Go back to using hash as base name for resume and torrent files (those stored in configuration directory) ([#122](transmission/transmission#122)) - Handle "fields" argument in "session-get" RPC request; if "fields" array is present in arguments, only return session fields specified; otherwise return all the fields as before - Limit the number of incorrect authentication attempts in embedded web server to 100 to prevent brute-force attacks ([#371](transmission/transmission#371)) - Set idle seed limit range to 1..40320 (4 weeks tops) in all clients ([#212](transmission/transmission#212)) - Add Peer ID for Xfplay, PicoTorrent, Free Download Manager, Folx, Baidu Netdisk torrent clients ([#256](transmission/transmission#256), [#285](transmission/transmission#285), [#355](transmission/transmission#355), [#363](transmission/transmission#363), [#386](transmission/transmission#386)) - Announce `INT64_MAX` as size left if the value is unknown (helps with e.g. Amazon S3 trackers) ([#250](transmission/transmission#250)) - Add `TCP_FASTOPEN` support (should result in slight speedup) ([#184](transmission/transmission#184)) - Improve ToS handling on IPv6 connections ([#128](transmission/transmission#128), [#341](transmission/transmission#341), [#360](transmission/transmission#360), [#692](transmission/transmission#692), [#737](transmission/transmission#737)) - Abort handshake if establishing DH shared secret fails (leads to crash) ([#27](transmission/transmission#27)) - Don't switch trackers while announcing (leads to crash) ([#297](transmission/transmission#297)) - Improve completion scripts execution and error handling; add support for .cmd and .bat files on Windows ([#405](transmission/transmission#405)) - Maintain a "session ID" file (in temporary directory) to better detect whether session is local or remote; return the ID as part of "session-get" response (TRAC-5348, [#861](transmission/transmission#861)) - Change torrent location even if no data move is needed ([#35](transmission/transmission#35)) - Support CIDR-notated blocklists ([#230](transmission/transmission#230), [#741](transmission/transmission#741)) - Update the resume file before running scripts ([#825](transmission/transmission#825)) - Make multiscrape limits adaptive ([#837](transmission/transmission#837)) - Add labels support to libtransmission and transmission-remote ([#822](transmission/transmission#822)) - Parse `session-id` header case-insensitively ([#765](transmission/transmission#765)) - Sanitize suspicious path components instead of rejecting them ([#62](transmission/transmission#62), [#294](transmission/transmission#294)) - Load CA certs from system store on Windows / OpenSSL ([#446](transmission/transmission#446)) - Add support for mbedtls (formely polarssl) and wolfssl (formely cyassl), LibreSSL ([#115](transmission/transmission#115), [#116](transmission/transmission#116), [#284](transmission/transmission#284), [#486](transmission/transmission#486), [#524](transmission/transmission#524), [#570](transmission/transmission#570)) - Fix building against OpenSSL 1.1.0+ ([#24](transmission/transmission#24)) - Fix quota support for uClibc-ng 1.0.18+ and DragonFly BSD ([#42](transmission/transmission#42), [#58](transmission/transmission#58), [#312](transmission/transmission#312)) - Fix a number of memory leaks (magnet loading, session shutdown, bencoded data parsing) ([#56](transmission/transmission#56)) - Bump miniupnpc version to 2.0.20170509 ([#347](transmission/transmission#347)) - CMake-related improvements (Ninja generator, libappindicator, systemd, Solaris and macOS) ([#72](transmission/transmission#72), [#96](transmission/transmission#96), [#117](transmission/transmission#117), [#118](transmission/transmission#118), [#133](transmission/transmission#133), [#191](transmission/transmission#191)) - Switch to submodules to manage (most of) third-party dependencies - Fail installation on Windows if UCRT is not installed ### Mac Client - Bump minimum macOS version to 10.10 - Dark Mode support ([#644](transmission/transmission#644), [#722](transmission/transmission#722), [#757](transmission/transmission#757), [#779](transmission/transmission#779), [#788](transmission/transmission#788)) - Remove Growl support, notification center is always used ([#387](transmission/transmission#387)) - Fix autoupdate on High Sierra and up by bumping the Sparkle version ([#121](transmission/transmission#121), [#600](transmission/transmission#600)) - Transition to ARC ([#336](transmission/transmission#336)) - Use proper UTF-8 encoding (with macOS-specific normalization) when setting download/incomplete directory and completion script paths ([#11](transmission/transmission#11)) - Fix uncaught exception when dragging multiple items between groups ([#51](transmission/transmission#51)) - Add flat variants of status icons for message log ([#134](transmission/transmission#134)) - Optimize image resources size ([#304](transmission/transmission#304), [#429](transmission/transmission#429)) - Update file icon when file name changes ([#37](transmission/transmission#37)) - Update translations ### GTK+ Client - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Add AppData file ([#224](transmission/transmission#224)) - Add symbolic icon variant for the Gnome top bar and when the high contrast theme is in use ([#414](transmission/transmission#414), [#449](transmission/transmission#449)) - Update file icon when its name changes ([#37](transmission/transmission#37)) - Switch from intltool to gettext for translations ([#584](transmission/transmission#584), [#647](transmission/transmission#647)) - Update translations, add new translations for Portuguese (Portugal) ### Qt Client - Bump minimum Qt version to 5.2 - Fix dropping .torrent files into main window on Windows ([#269](transmission/transmission#269)) - Fix prepending of drive letter to various user-selected paths on Windows ([#236](transmission/transmission#236), [#307](transmission/transmission#307), [#404](transmission/transmission#404), [#437](transmission/transmission#437), [#699](transmission/transmission#699), [#723](transmission/transmission#723), [#877](transmission/transmission#877)) - Fix sorting by progress in presence of magnet transfers ([#234](transmission/transmission#234)) - Fix .torrent file trashing upon addition ([#262](transmission/transmission#262)) - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Reduce torrent properties (file tree) memory usage - Display tooltips in torrent properties (file tree) in case the names don't fit ([#411](transmission/transmission#411)) - Improve UI look on hi-dpi displays (YMMV) - Use session ID (if available) to check if session is local or not ([#861](transmission/transmission#861)) - Use default (instead of system) locale to be more flexible ([#130](transmission/transmission#130)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Update translations, add new translations for Afrikaans, Catalan, Danish, Greek, Norwegian Bokmål, Slovenian ### Daemon - Use libsystemd instead of libsystemd-daemon (TRAC-5921) - Harden transmission-daemon.service by disallowing privileges elevation ([#795](transmission/transmission#795)) - Fix exit code to be zero when dumping settings ([#487](transmission/transmission#487)) ### Web Client - Fix tracker error XSS in inspector (CVE-?) - Fix performance issues due to improper use of `setInterval()` for UI refresh (TRAC-6031) - Fix recognition of `https://` links in comments field ([#41](transmission/transmission#41), [#180](transmission/transmission#180)) - Fix torrent list style in Google Chrome 59+ ([#384](transmission/transmission#384)) - Show ETA in compact view on non-mobile devices ([#146](transmission/transmission#146)) - Show upload file button on mobile devices ([#320](transmission/transmission#320), [#431](transmission/transmission#431), [#956](transmission/transmission#956)) - Add keyboard hotkeys for web interface ([#351](transmission/transmission#351)) - Disable autocompletion in torrent URL field ([#367](transmission/transmission#367)) ### Utils - Prevent crash in transmission-show displaying torrents with invalid creation date ([#609](transmission/transmission#609)) - Handle IPv6 RPC addresses in transmission-remote ([#247](transmission/transmission#247)) - Add `--unsorted` option to transmission-show ([#767](transmission/transmission#767)) - Widen the torrent-id column in transmission-remote for cleaner formatting ([#840](transmission/transmission#840)) To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/transmission/Makefile cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/transmission/Makefile.common cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/transmission/PLIST cvs rdiff -u -r1.15 -r1.16 pkgsrc/net/transmission/distinfo cvs rdiff -u -r1.45 -r1.46 pkgsrc/net/transmission-gtk/Makefile cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/transmission-gtk/PLIST cvs rdiff -u -r1.52 -r1.53 pkgsrc/net/transmission-qt/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/transmission/patches/patch-qt_qtr.pro ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Sat Jul 25 20:20:05 UTC 2020 Modified Files: pkgsrc/net/transmission-qt: Makefile Log Message: transmission-qt: needs gcc 7.x (for <optional>) Reported and tested by spz. To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 pkgsrc/net/transmission-qt/Makefile
net/transmission-gtk: security update net/transmission-qt: security update net/transmission: security update Revisions pulled up: - net/transmission-gtk/Makefile 1.46 - net/transmission-gtk/PLIST 1.2 - net/transmission-qt/Makefile 1.54 - net/transmission/Makefile 1.27 - net/transmission/Makefile.common 1.10 - net/transmission/PLIST 1.4 - net/transmission/distinfo 1.16 - net/transmission/patches/patch-qt_qtr.pro 1.7 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Mon Jul 13 13:01:02 UTC 2020 Modified Files: pkgsrc/net/transmission: Makefile Makefile.common PLIST distinfo pkgsrc/net/transmission-gtk: Makefile PLIST pkgsrc/net/transmission-qt: Makefile pkgsrc/net/transmission/patches: patch-qt_qtr.pro Log Message: transmission*: update to 3.00 ### All Platforms - Allow the RPC server to listen on an IPv6 address ([#161](transmission/transmission#161)) - Change `TR_CURL_SSL_VERIFY` to `TR_CURL_SSL_NO_VERIFY` and enable verification by default ([#334](transmission/transmission#334)) - Go back to using hash as base name for resume and torrent files (those stored in configuration directory) ([#122](transmission/transmission#122)) - Handle "fields" argument in "session-get" RPC request; if "fields" array is present in arguments, only return session fields specified; otherwise return all the fields as before - Limit the number of incorrect authentication attempts in embedded web server to 100 to prevent brute-force attacks ([#371](transmission/transmission#371)) - Set idle seed limit range to 1..40320 (4 weeks tops) in all clients ([#212](transmission/transmission#212)) - Add Peer ID for Xfplay, PicoTorrent, Free Download Manager, Folx, Baidu Netdisk torrent clients ([#256](transmission/transmission#256), [#285](transmission/transmission#285), [#355](transmission/transmission#355), [#363](transmission/transmission#363), [#386](transmission/transmission#386)) - Announce `INT64_MAX` as size left if the value is unknown (helps with e.g. Amazon S3 trackers) ([#250](transmission/transmission#250)) - Add `TCP_FASTOPEN` support (should result in slight speedup) ([#184](transmission/transmission#184)) - Improve ToS handling on IPv6 connections ([#128](transmission/transmission#128), [#341](transmission/transmission#341), [#360](transmission/transmission#360), [#692](transmission/transmission#692), [#737](transmission/transmission#737)) - Abort handshake if establishing DH shared secret fails (leads to crash) ([#27](transmission/transmission#27)) - Don't switch trackers while announcing (leads to crash) ([#297](transmission/transmission#297)) - Improve completion scripts execution and error handling; add support for .cmd and .bat files on Windows ([#405](transmission/transmission#405)) - Maintain a "session ID" file (in temporary directory) to better detect whether session is local or remote; return the ID as part of "session-get" response (TRAC-5348, [#861](transmission/transmission#861)) - Change torrent location even if no data move is needed ([#35](transmission/transmission#35)) - Support CIDR-notated blocklists ([#230](transmission/transmission#230), [#741](transmission/transmission#741)) - Update the resume file before running scripts ([#825](transmission/transmission#825)) - Make multiscrape limits adaptive ([#837](transmission/transmission#837)) - Add labels support to libtransmission and transmission-remote ([#822](transmission/transmission#822)) - Parse `session-id` header case-insensitively ([#765](transmission/transmission#765)) - Sanitize suspicious path components instead of rejecting them ([#62](transmission/transmission#62), [#294](transmission/transmission#294)) - Load CA certs from system store on Windows / OpenSSL ([#446](transmission/transmission#446)) - Add support for mbedtls (formely polarssl) and wolfssl (formely cyassl), LibreSSL ([#115](transmission/transmission#115), [#116](transmission/transmission#116), [#284](transmission/transmission#284), [#486](transmission/transmission#486), [#524](transmission/transmission#524), [#570](transmission/transmission#570)) - Fix building against OpenSSL 1.1.0+ ([#24](transmission/transmission#24)) - Fix quota support for uClibc-ng 1.0.18+ and DragonFly BSD ([#42](transmission/transmission#42), [#58](transmission/transmission#58), [#312](transmission/transmission#312)) - Fix a number of memory leaks (magnet loading, session shutdown, bencoded data parsing) ([#56](transmission/transmission#56)) - Bump miniupnpc version to 2.0.20170509 ([#347](transmission/transmission#347)) - CMake-related improvements (Ninja generator, libappindicator, systemd, Solaris and macOS) ([#72](transmission/transmission#72), [#96](transmission/transmission#96), [#117](transmission/transmission#117), [#118](transmission/transmission#118), [#133](transmission/transmission#133), [#191](transmission/transmission#191)) - Switch to submodules to manage (most of) third-party dependencies - Fail installation on Windows if UCRT is not installed ### Mac Client - Bump minimum macOS version to 10.10 - Dark Mode support ([#644](transmission/transmission#644), [#722](transmission/transmission#722), [#757](transmission/transmission#757), [#779](transmission/transmission#779), [#788](transmission/transmission#788)) - Remove Growl support, notification center is always used ([#387](transmission/transmission#387)) - Fix autoupdate on High Sierra and up by bumping the Sparkle version ([#121](transmission/transmission#121), [#600](transmission/transmission#600)) - Transition to ARC ([#336](transmission/transmission#336)) - Use proper UTF-8 encoding (with macOS-specific normalization) when setting download/incomplete directory and completion script paths ([#11](transmission/transmission#11)) - Fix uncaught exception when dragging multiple items between groups ([#51](transmission/transmission#51)) - Add flat variants of status icons for message log ([#134](transmission/transmission#134)) - Optimize image resources size ([#304](transmission/transmission#304), [#429](transmission/transmission#429)) - Update file icon when file name changes ([#37](transmission/transmission#37)) - Update translations ### GTK+ Client - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Add AppData file ([#224](transmission/transmission#224)) - Add symbolic icon variant for the Gnome top bar and when the high contrast theme is in use ([#414](transmission/transmission#414), [#449](transmission/transmission#449)) - Update file icon when its name changes ([#37](transmission/transmission#37)) - Switch from intltool to gettext for translations ([#584](transmission/transmission#584), [#647](transmission/transmission#647)) - Update translations, add new translations for Portuguese (Portugal) ### Qt Client - Bump minimum Qt version to 5.2 - Fix dropping .torrent files into main window on Windows ([#269](transmission/transmission#269)) - Fix prepending of drive letter to various user-selected paths on Windows ([#236](transmission/transmission#236), [#307](transmission/transmission#307), [#404](transmission/transmission#404), [#437](transmission/transmission#437), [#699](transmission/transmission#699), [#723](transmission/transmission#723), [#877](transmission/transmission#877)) - Fix sorting by progress in presence of magnet transfers ([#234](transmission/transmission#234)) - Fix .torrent file trashing upon addition ([#262](transmission/transmission#262)) - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Reduce torrent properties (file tree) memory usage - Display tooltips in torrent properties (file tree) in case the names don't fit ([#411](transmission/transmission#411)) - Improve UI look on hi-dpi displays (YMMV) - Use session ID (if available) to check if session is local or not ([#861](transmission/transmission#861)) - Use default (instead of system) locale to be more flexible ([#130](transmission/transmission#130)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Update translations, add new translations for Afrikaans, Catalan, Danish, Greek, Norwegian Bokmål, Slovenian ### Daemon - Use libsystemd instead of libsystemd-daemon (TRAC-5921) - Harden transmission-daemon.service by disallowing privileges elevation ([#795](transmission/transmission#795)) - Fix exit code to be zero when dumping settings ([#487](transmission/transmission#487)) ### Web Client - Fix tracker error XSS in inspector (CVE-?) - Fix performance issues due to improper use of `setInterval()` for UI refresh (TRAC-6031) - Fix recognition of `https://` links in comments field ([#41](transmission/transmission#41), [#180](transmission/transmission#180)) - Fix torrent list style in Google Chrome 59+ ([#384](transmission/transmission#384)) - Show ETA in compact view on non-mobile devices ([#146](transmission/transmission#146)) - Show upload file button on mobile devices ([#320](transmission/transmission#320), [#431](transmission/transmission#431), [#956](transmission/transmission#956)) - Add keyboard hotkeys for web interface ([#351](transmission/transmission#351)) - Disable autocompletion in torrent URL field ([#367](transmission/transmission#367)) ### Utils - Prevent crash in transmission-show displaying torrents with invalid creation date ([#609](transmission/transmission#609)) - Handle IPv6 RPC addresses in transmission-remote ([#247](transmission/transmission#247)) - Add `--unsorted` option to transmission-show ([#767](transmission/transmission#767)) - Widen the torrent-id column in transmission-remote for cleaner formatting ([#840](transmission/transmission#840)) To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/transmission/Makefile cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/transmission/Makefile.common cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/transmission/PLIST cvs rdiff -u -r1.15 -r1.16 pkgsrc/net/transmission/distinfo cvs rdiff -u -r1.45 -r1.46 pkgsrc/net/transmission-gtk/Makefile cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/transmission-gtk/PLIST cvs rdiff -u -r1.52 -r1.53 pkgsrc/net/transmission-qt/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/transmission/patches/patch-qt_qtr.pro ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Sat Jul 25 20:20:05 UTC 2020 Modified Files: pkgsrc/net/transmission-qt: Makefile Log Message: transmission-qt: needs gcc 7.x (for <optional>) Reported and tested by spz. To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 pkgsrc/net/transmission-qt/Makefile
net/transmission-gtk: security update net/transmission-qt: security update net/transmission: security update Revisions pulled up: - net/transmission-gtk/Makefile 1.46 - net/transmission-gtk/PLIST 1.2 - net/transmission-qt/Makefile 1.54 - net/transmission/Makefile 1.27 - net/transmission/Makefile.common 1.10 - net/transmission/PLIST 1.4 - net/transmission/distinfo 1.16 - net/transmission/patches/patch-qt_qtr.pro 1.7 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Mon Jul 13 13:01:02 UTC 2020 Modified Files: pkgsrc/net/transmission: Makefile Makefile.common PLIST distinfo pkgsrc/net/transmission-gtk: Makefile PLIST pkgsrc/net/transmission-qt: Makefile pkgsrc/net/transmission/patches: patch-qt_qtr.pro Log Message: transmission*: update to 3.00 ### All Platforms - Allow the RPC server to listen on an IPv6 address ([#161](transmission/transmission#161)) - Change `TR_CURL_SSL_VERIFY` to `TR_CURL_SSL_NO_VERIFY` and enable verification by default ([#334](transmission/transmission#334)) - Go back to using hash as base name for resume and torrent files (those stored in configuration directory) ([#122](transmission/transmission#122)) - Handle "fields" argument in "session-get" RPC request; if "fields" array is present in arguments, only return session fields specified; otherwise return all the fields as before - Limit the number of incorrect authentication attempts in embedded web server to 100 to prevent brute-force attacks ([#371](transmission/transmission#371)) - Set idle seed limit range to 1..40320 (4 weeks tops) in all clients ([#212](transmission/transmission#212)) - Add Peer ID for Xfplay, PicoTorrent, Free Download Manager, Folx, Baidu Netdisk torrent clients ([#256](transmission/transmission#256), [#285](transmission/transmission#285), [#355](transmission/transmission#355), [#363](transmission/transmission#363), [#386](transmission/transmission#386)) - Announce `INT64_MAX` as size left if the value is unknown (helps with e.g. Amazon S3 trackers) ([#250](transmission/transmission#250)) - Add `TCP_FASTOPEN` support (should result in slight speedup) ([#184](transmission/transmission#184)) - Improve ToS handling on IPv6 connections ([#128](transmission/transmission#128), [#341](transmission/transmission#341), [#360](transmission/transmission#360), [#692](transmission/transmission#692), [#737](transmission/transmission#737)) - Abort handshake if establishing DH shared secret fails (leads to crash) ([#27](transmission/transmission#27)) - Don't switch trackers while announcing (leads to crash) ([#297](transmission/transmission#297)) - Improve completion scripts execution and error handling; add support for .cmd and .bat files on Windows ([#405](transmission/transmission#405)) - Maintain a "session ID" file (in temporary directory) to better detect whether session is local or remote; return the ID as part of "session-get" response (TRAC-5348, [#861](transmission/transmission#861)) - Change torrent location even if no data move is needed ([#35](transmission/transmission#35)) - Support CIDR-notated blocklists ([#230](transmission/transmission#230), [#741](transmission/transmission#741)) - Update the resume file before running scripts ([#825](transmission/transmission#825)) - Make multiscrape limits adaptive ([#837](transmission/transmission#837)) - Add labels support to libtransmission and transmission-remote ([#822](transmission/transmission#822)) - Parse `session-id` header case-insensitively ([#765](transmission/transmission#765)) - Sanitize suspicious path components instead of rejecting them ([#62](transmission/transmission#62), [#294](transmission/transmission#294)) - Load CA certs from system store on Windows / OpenSSL ([#446](transmission/transmission#446)) - Add support for mbedtls (formely polarssl) and wolfssl (formely cyassl), LibreSSL ([#115](transmission/transmission#115), [#116](transmission/transmission#116), [#284](transmission/transmission#284), [#486](transmission/transmission#486), [#524](transmission/transmission#524), [#570](transmission/transmission#570)) - Fix building against OpenSSL 1.1.0+ ([#24](transmission/transmission#24)) - Fix quota support for uClibc-ng 1.0.18+ and DragonFly BSD ([#42](transmission/transmission#42), [#58](transmission/transmission#58), [#312](transmission/transmission#312)) - Fix a number of memory leaks (magnet loading, session shutdown, bencoded data parsing) ([#56](transmission/transmission#56)) - Bump miniupnpc version to 2.0.20170509 ([#347](transmission/transmission#347)) - CMake-related improvements (Ninja generator, libappindicator, systemd, Solaris and macOS) ([#72](transmission/transmission#72), [#96](transmission/transmission#96), [#117](transmission/transmission#117), [#118](transmission/transmission#118), [#133](transmission/transmission#133), [#191](transmission/transmission#191)) - Switch to submodules to manage (most of) third-party dependencies - Fail installation on Windows if UCRT is not installed ### Mac Client - Bump minimum macOS version to 10.10 - Dark Mode support ([#644](transmission/transmission#644), [#722](transmission/transmission#722), [#757](transmission/transmission#757), [#779](transmission/transmission#779), [#788](transmission/transmission#788)) - Remove Growl support, notification center is always used ([#387](transmission/transmission#387)) - Fix autoupdate on High Sierra and up by bumping the Sparkle version ([#121](transmission/transmission#121), [#600](transmission/transmission#600)) - Transition to ARC ([#336](transmission/transmission#336)) - Use proper UTF-8 encoding (with macOS-specific normalization) when setting download/incomplete directory and completion script paths ([#11](transmission/transmission#11)) - Fix uncaught exception when dragging multiple items between groups ([#51](transmission/transmission#51)) - Add flat variants of status icons for message log ([#134](transmission/transmission#134)) - Optimize image resources size ([#304](transmission/transmission#304), [#429](transmission/transmission#429)) - Update file icon when file name changes ([#37](transmission/transmission#37)) - Update translations ### GTK+ Client - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Add AppData file ([#224](transmission/transmission#224)) - Add symbolic icon variant for the Gnome top bar and when the high contrast theme is in use ([#414](transmission/transmission#414), [#449](transmission/transmission#449)) - Update file icon when its name changes ([#37](transmission/transmission#37)) - Switch from intltool to gettext for translations ([#584](transmission/transmission#584), [#647](transmission/transmission#647)) - Update translations, add new translations for Portuguese (Portugal) ### Qt Client - Bump minimum Qt version to 5.2 - Fix dropping .torrent files into main window on Windows ([#269](transmission/transmission#269)) - Fix prepending of drive letter to various user-selected paths on Windows ([#236](transmission/transmission#236), [#307](transmission/transmission#307), [#404](transmission/transmission#404), [#437](transmission/transmission#437), [#699](transmission/transmission#699), [#723](transmission/transmission#723), [#877](transmission/transmission#877)) - Fix sorting by progress in presence of magnet transfers ([#234](transmission/transmission#234)) - Fix .torrent file trashing upon addition ([#262](transmission/transmission#262)) - Add queue up/down hotkeys ([#158](transmission/transmission#158)) - Reduce torrent properties (file tree) memory usage - Display tooltips in torrent properties (file tree) in case the names don't fit ([#411](transmission/transmission#411)) - Improve UI look on hi-dpi displays (YMMV) - Use session ID (if available) to check if session is local or not ([#861](transmission/transmission#861)) - Use default (instead of system) locale to be more flexible ([#130](transmission/transmission#130)) - Modernize the .desktop file ([#162](transmission/transmission#162)) - Update translations, add new translations for Afrikaans, Catalan, Danish, Greek, Norwegian Bokmål, Slovenian ### Daemon - Use libsystemd instead of libsystemd-daemon (TRAC-5921) - Harden transmission-daemon.service by disallowing privileges elevation ([#795](transmission/transmission#795)) - Fix exit code to be zero when dumping settings ([#487](transmission/transmission#487)) ### Web Client - Fix tracker error XSS in inspector (CVE-?) - Fix performance issues due to improper use of `setInterval()` for UI refresh (TRAC-6031) - Fix recognition of `https://` links in comments field ([#41](transmission/transmission#41), [#180](transmission/transmission#180)) - Fix torrent list style in Google Chrome 59+ ([#384](transmission/transmission#384)) - Show ETA in compact view on non-mobile devices ([#146](transmission/transmission#146)) - Show upload file button on mobile devices ([#320](transmission/transmission#320), [#431](transmission/transmission#431), [#956](transmission/transmission#956)) - Add keyboard hotkeys for web interface ([#351](transmission/transmission#351)) - Disable autocompletion in torrent URL field ([#367](transmission/transmission#367)) ### Utils - Prevent crash in transmission-show displaying torrents with invalid creation date ([#609](transmission/transmission#609)) - Handle IPv6 RPC addresses in transmission-remote ([#247](transmission/transmission#247)) - Add `--unsorted` option to transmission-show ([#767](transmission/transmission#767)) - Widen the torrent-id column in transmission-remote for cleaner formatting ([#840](transmission/transmission#840)) To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/transmission/Makefile cvs rdiff -u -r1.9 -r1.10 pkgsrc/net/transmission/Makefile.common cvs rdiff -u -r1.3 -r1.4 pkgsrc/net/transmission/PLIST cvs rdiff -u -r1.15 -r1.16 pkgsrc/net/transmission/distinfo cvs rdiff -u -r1.45 -r1.46 pkgsrc/net/transmission-gtk/Makefile cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/transmission-gtk/PLIST cvs rdiff -u -r1.52 -r1.53 pkgsrc/net/transmission-qt/Makefile cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/transmission/patches/patch-qt_qtr.pro ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Sat Jul 25 20:20:05 UTC 2020 Modified Files: pkgsrc/net/transmission-qt: Makefile Log Message: transmission-qt: needs gcc 7.x (for <optional>) Reported and tested by spz. To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 pkgsrc/net/transmission-qt/Makefile
Hello,
this has been reported in Debian as http://bugs.debian.org/862063:
+
+
The text was updated successfully, but these errors were encountered: