faye 1.2.2 → 1.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 3967c7b4952180a05b8912f3e03741e99b1df087
4
- data.tar.gz: c13dbb30ae55e50760fbea48a0dd957072f970bd
2
+ SHA256:
3
+ metadata.gz: 75788ddfabe886ea54ef361093becae8966721c002d50f15cc73fdcc5e8d9989
4
+ data.tar.gz: ffed4468e7ee32ab131191edae3cca52f96cfacd7ae6680db73e6922471a464d
5
5
  SHA512:
6
- metadata.gz: d4f8352d202ddf496f393d5065c0cf9f9f7ac5f5faf0ca6c471144c78d0d9b86c5a494302f0d0abb2ab70389a5e5923111806ff23bba931e5e47adcbe383c206
7
- data.tar.gz: 3d9b5d943fa9329c648664f97fee1558f2c70ebea122d1abe7d08065a0a4d555f6fc7ad60face25096556c3399342676c882112bf7ee07b22f15d10181a92da8
6
+ metadata.gz: 6d2955083bd87e4c290f3331551d5ec477e57c401b9aadc75aa94f78b1a208962248238fdda186b99c317b4a5aacfc7707d262ea0465e3c8c31f6152f00d22bc
7
+ data.tar.gz: 92c68a4b89f3e730aa1e0ace1ec2ba2bf1640a7625ae2ab98f5625fbc4c2af9ec016e16410d03600ea41caad793f14429d1da5eb8ee18ca55617dffe5c3df73b
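Review bot: the `SHA1` block is removed and a `SHA256` block is added beside the existing `SHA512` one, so any check that compared this gem against the old SHA1 values has nothing left to match in 1.4.0. Point such checks at the `SHA256` or `SHA512` entries for `metadata.gz` and `data.tar.gz` instead.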
@@ -1,66 +1,146 @@
1
+ ### 1.4.0 / 2020-07-31
2
+
3
+ - Implement TLS certificate verification and enable it by default in the Ruby
4
+ client class `Faye::Client`
5
+ - Add a `:tls` option to the Ruby client with sub-field `:verify_peer` for
6
+ configuring TLS verification
7
+ - Officially support the `tls` option in the Node.js client, whose contents are
8
+ forward to the `https` and `tls` modules as appropriate
9
+
10
+ ### 1.3.0 / 2020-06-08
11
+
12
+ - Support `user:pass@` authorization in URIs and send `Authorization` headers
13
+ from the Node HTTP transport
14
+ - Support IPv6 hostnames in URIs
15
+ - Allow credentials (cookies and `Authorization` headers) in cross-origin
16
+ requests, by:
17
+ - setting `Access-Control-Allow-Origin` to the value of the `Origin` header
18
+ (not `*`)
19
+ - enabling `Access-Control-Allow-Credentials`
20
+ - Enable credentials when sending cross-origin requests
21
+ - Don't disconnect WebSocket on page unload if `autodisconnect` is turned off
22
+ - Catch errors when creating a WebSocket, which happens when Content Security
23
+ Policy blocks it, allowing other transports to be tried
24
+ - Fix a bug in the client where it handles messages from other clients as though
25
+ they're the server's response to its own messages, based on the `id` field;
26
+ now we only treat messages as server responses if they contain `successful:
27
+ true`
28
+ - Stop sending an empty message list `[]` from the WebSocket client as a
29
+ keep-alive mechanism since CometD does not accept this message
30
+ - Fix deprecation warnings for using the `new Buffer()` constructor
31
+ - Switch to the Apache 2.0 license
32
+
33
+
34
+ ### 1.2.5 / 2020-04-28
35
+
36
+ - Fix `/meta/*` channel recognition bug in the server that enables
37
+ authentication bypass
38
+ - https://blog.jcoglan.com/2020/04/28/authentication-bypass-in-faye/
39
+
40
+
41
+ ### 1.2.4 / 2017-01-28
42
+
43
+ - Fix `RackAdapter#get_client` that was failing due to a URI error
44
+ - Define `Promise#catch` in a safe way for old browsers
45
+ - Log errors in the Node HTTP transport
46
+
47
+
48
+ ### 1.2.3 / 2016-10-11
49
+
50
+ - Return an error if the `data` field is missing on published messages
51
+ - Fix errors that occur in the new `websocket` util when the browser does not
52
+ support WebSocket
53
+
54
+
1
55
  ### 1.2.2 / 2016-07-18
2
56
 
3
- * Mitigate the HTTPoxy vulnerability: https://httpoxy.org/
57
+ - Mitigate the HTTPoxy vulnerability: https://httpoxy.org/
4
58
 
5
59
 
6
60
  ### 1.2.1 / 2016-06-29
7
61
 
8
- * Fix a missing variable error in `NodeAdapter`
62
+ - Fix a missing variable error in `NodeAdapter`
9
63
 
10
64
 
11
65
  ### 1.2.0 / 2016-06-26
12
66
 
13
- * Add `client.subscribe().withChannel()` to yield the message channel for wildcard subscriptions
14
- * Restructure the JavaScript codebase around Node modules (require/exports) rather than globals
15
- * Update the Promise shim to reflect the standard API, including `catch()` and `all()`
16
- * Support connecting to servers that use SNI in the Ruby client
17
- * Make the JavaScript client work inside React Native and Web Workers
18
- * Remove JSON2; you should import a JSON shim yourself if necessary
19
- * Handle errors that occur when a message is partially delivered via EventSource
20
- * Reject requests with invalid (non-array or -object) top-level JSON values
21
- * Make local client requests asynchronous to avoid re-entrant request handling errors
22
- * Remove `Connection: Close` from HTTP responses to allow use of keep-alive
23
- * Use `XMLHttpRequest` in preference to the ActiveX API in IE10
24
- * Fix bug where flushing large message batches puts promises in an invalid state
67
+ - Add `client.subscribe().withChannel()` to yield the message channel for
68
+ wildcard subscriptions
69
+ - Restructure the JavaScript codebase around Node modules (require/exports)
70
+ rather than globals
71
+ - Update the Promise shim to reflect the standard API, including `catch()` and
72
+ `all()`
73
+ - Support connecting to servers that use SNI in the Ruby client
74
+ - Make the JavaScript client work inside React Native and Web Workers
75
+ - Remove JSON2; you should import a JSON shim yourself if necessary
76
+ - Handle errors that occur when a message is partially delivered via EventSource
77
+ - Reject requests with invalid (non-array or -object) top-level JSON values
78
+ - Make local client requests asynchronous to avoid re-entrant request handling
79
+ errors
80
+ - Remove `Connection: Close` from HTTP responses to allow use of keep-alive
81
+ - Use `XMLHttpRequest` in preference to the ActiveX API in IE10
82
+ - Fix bug where flushing large message batches puts promises in an invalid state
83
+
84
+
85
+ ### 1.1.3 / 2020-04-28
86
+
87
+ - Fix `/meta/*` channel recognition bug in the server that enables
88
+ authentication bypass
89
+ - https://blog.jcoglan.com/2020/04/28/authentication-bypass-in-faye/
25
90
 
26
91
 
27
92
  ### 1.1.2 / 2015-07-19
28
93
 
29
- * Allow the `Authorization` header to be used on CORS requests
30
- * Disallow unused methods like PUT and DELETE on CORS requests
31
- * Stop IE prematurely garbage-collecting `XDomainRequest` objects
32
- * Make sure messages can be sent if they overflow the request size limit and the outbox is empty
33
- * Don't send messages over WebSockets unless they are in the 'open' ready-state
34
- * Fix a bug preventing use of the in-process transport in Ruby
94
+ - Allow the `Authorization` header to be used on CORS requests
95
+ - Disallow unused methods like PUT and DELETE on CORS requests
96
+ - Stop IE prematurely garbage-collecting `XDomainRequest` objects
97
+ - Make sure messages can be sent if they overflow the request size limit and the
98
+ outbox is empty
99
+ - Don't send messages over WebSockets unless they are in the 'open' ready-state
100
+ - Fix a bug preventing use of the in-process transport in Ruby
35
101
 
36
102
 
37
103
  ### 1.1.1 / 2015-02-25
38
104
 
39
- * Make sure the client ID associated with a WebSocket is not dropped, so the socket can be closed properly
40
- * Handle cases where a JSON-P endpoint returns no response argument
41
- * Stop trying to retry messages after the client has been disconnected
42
- * Remove duplication of the client ID in EventSource URLs
105
+ - Make sure the client ID associated with a WebSocket is not dropped, so the
106
+ socket can be closed properly
107
+ - Handle cases where a JSON-P endpoint returns no response argument
108
+ - Stop trying to retry messages after the client has been disconnected
109
+ - Remove duplication of the client ID in EventSource URLs
43
110
 
44
111
 
45
112
  ### 1.1.0 / 2014-12-22
46
113
 
47
- * Allow the server and client to use WebSocket extensions, for example permessage-deflate
48
- * Support the `HTTP_PROXY` and `HTTPS_PROXY` environment variables to send all client connections through an HTTP proxy
49
- * Introduce the `Scheduler` API to allow the user to control message retries
50
- * Add the `attempts` and `deadline` options to `Client#publish()`
51
- * Let `RackAdapter` take a block that yields the instance, so extensions can be added to middleware
52
- * Allow monitoring listeners to see the `clientId` on publishd messages but still avoid sending it to subscribers
53
- * Return a promise from `Client#disconnect()`
54
- * Fix client-side retry bugs causing the client to flood the server with duplicate messages
55
- * Send all transport types in the `supportedConnectionTypes` handshake parameter
56
- * Don't close WebSockets when the client recovers from an error and sends a new `clientId`
57
- * Replace `cookiejar` with `tough-cookie` to avoid global variable leaks
114
+ - Allow the server and client to use WebSocket extensions, for example
115
+ permessage-deflate
116
+ - Support the `HTTP_PROXY` and `HTTPS_PROXY` environment variables to send all
117
+ client connections through an HTTP proxy
118
+ - Introduce the `Scheduler` API to allow the user to control message retries
119
+ - Add the `attempts` and `deadline` options to `Client#publish()`
120
+ - Let `RackAdapter` take a block that yields the instance, so extensions can be
121
+ added to middleware
122
+ - Allow monitoring listeners to see the `clientId` on publishd messages but
123
+ still avoid sending it to subscribers
124
+ - Return a promise from `Client#disconnect()`
125
+ - Fix client-side retry bugs causing the client to flood the server with
126
+ duplicate messages
127
+ - Send all transport types in the `supportedConnectionTypes` handshake parameter
128
+ - Don't close WebSockets when the client recovers from an error and sends a new
129
+ `clientId`
130
+ - Replace `cookiejar` with `tough-cookie` to avoid global variable leaks
131
+
132
+
133
+ ### 1.0.4 / 2020-04-28
134
+
135
+ - Fix `/meta/*` channel recognition bug in the server that enables
136
+ authentication bypass
137
+ - https://blog.jcoglan.com/2020/04/28/authentication-bypass-in-faye/
58
138
 
59
139
 
60
140
  ### 1.0.3 / 2014-07-08
61
141
 
62
- * Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
63
- * http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
142
+ - Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
143
+ - http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
64
144
 
65
145
 
66
146
  ### 1.0.2 -- removed due to error while publishing
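Review bot: the 1.3.0 entry describes setting `Access-Control-Allow-Origin` to the value of the `Origin` header together with enabling `Access-Control-Allow-Credentials`, which as written lets any origin make credentialed requests. The entry should say whether operators can restrict the accepted origins, or state that access control has to be enforced elsewhere. In the 1.4.0 entry, TLS verification being on by default changes behaviour for existing `Faye::Client` users, so a short upgrade line on the `:tls` / `:verify_peer` option would help, and "whose contents are forward to" should read "forwarded". The 1.2.5, 1.1.3 and 1.0.4 entries link the authentication bypass write-up, which is good. The `*` to `-` bullet rewrite and re-wrapping make most of this hunk noise, so consider landing that separately from the new entries.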
@@ -68,62 +148,83 @@
68
148
 
69
149
  ### 1.0.1 / 2013-12-10
70
150
 
71
- * Add `Adapter#close()` method for gracefully shutting down the server
72
- * Fix error recover bug in WebSocket that made transport cycle through `up`/`down` state
73
- * Update Promise implementation to pass `promises-aplus-tests 2.0`
74
- * Correct some incorrect variable names in the Ruby transports
75
- * Make logging methods public to fix a problem on Ruby 2.1
151
+ - Add `Adapter#close()` method for gracefully shutting down the server
152
+ - Fix error recover bug in WebSocket that made transport cycle through
153
+ `up`/`down` state
154
+ - Update Promise implementation to pass `promises-aplus-tests 2.0`
155
+ - Correct some incorrect variable names in the Ruby transports
156
+ - Make logging methods public to fix a problem on Ruby 2.1
76
157
 
77
158
 
78
159
  ### 1.0.0 / 2013-10-01
79
160
 
80
- * Client changes:
81
- * Allow clients to be instantiated with URI objects rather than strings
82
- * Add a `ca` option to the Node `Client` class for passing in trusted server certificates
83
- * Objects supporting the `callback()` method in JavaScript are now Promises
84
- * Fix protocol-relative URI parsing in the client
85
- * Remove the `getClientId()` and `getState()` methods from the `Client` class
86
- * Transport changes:
87
- * Add request-size limiting to all batching transports
88
- * Make the WebSocket transport more robust against quiet network periods and clients going to sleep
89
- * Support cookies across all transports when using the client on Node.js or Ruby
90
- * Support custom headers in the `cross-origin-long-polling` and server-side `websocket` transports
91
- * Adapter changes:
92
- * Support the `rack.hijack` streaming API
93
- * Migrate to MultiJson for JSON handling on Ruby, allowing use of JRuby
94
- * Escape U+2028 and U+2029 in JSON-P output
95
- * Fix a bug stopping requests being routed when the mount point is `/`
96
- * Fix various bugs that cause errors to be thrown if we try to send a message over a closed socket
97
- * Remove the `listen()` method from `Adapter` in favour of using server-specific APIs
98
- * Server changes:
99
- * Use cryptographically secure random number generators to create client IDs
100
- * Allow extensions to access request properties by using 3-ary methods
101
- * Objects supporting the `bind()` method now implement the full `EventEmitter` API
102
- * Stop the server from forwarding the `clientId` property of published messages
103
- * Miscellaneous:
104
- * Support Browserify by returning the client module
105
- * `Faye.logger` can now be a logger object rather than a function
161
+ - Client changes:
162
+ - Allow clients to be instantiated with URI objects rather than strings
163
+ - Add a `ca` option to the Node `Client` class for passing in trusted server
164
+ certificates
165
+ - Objects supporting the `callback()` method in JavaScript are now Promises
166
+ - Fix protocol-relative URI parsing in the client
167
+ - Remove the `getClientId()` and `getState()` methods from the `Client` class
168
+ - Transport changes:
169
+ - Add request-size limiting to all batching transports
170
+ - Make the WebSocket transport more robust against quiet network periods and
171
+ clients going to sleep
172
+ - Support cookies across all transports when using the client on Node.js or
173
+ Ruby
174
+ - Support custom headers in the `cross-origin-long-polling` and server-side
175
+ `websocket` transports
176
+ - Adapter changes:
177
+ - Support the `rack.hijack` streaming API
178
+ - Migrate to MultiJson for JSON handling on Ruby, allowing use of JRuby
179
+ - Escape U+2028 and U+2029 in JSON-P output
180
+ - Fix a bug stopping requests being routed when the mount point is `/`
181
+ - Fix various bugs that cause errors to be thrown if we try to send a message
182
+ over a closed socket
183
+ - Remove the `listen()` method from `Adapter` in favour of using
184
+ server-specific APIs
185
+ - Server changes:
186
+ - Use cryptographically secure random number generators to create client IDs
187
+ - Allow extensions to access request properties by using 3-ary methods
188
+ - Objects supporting the `bind()` method now implement the full `EventEmitter`
189
+ API
190
+ - Stop the server from forwarding the `clientId` property of published
191
+ messages
192
+ - Miscellaneous:
193
+ - Support Browserify by returning the client module
194
+ - `Faye.logger` can now be a logger object rather than a function
195
+
196
+
197
+ ### 0.8.11 / 2014-07-08
198
+
199
+ - Make some changes to JSON-P responses to mitigate the Rosetta Flash attack
200
+ - http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
201
+
202
+
203
+ ### 0.8.10 -- removed due to error while publishing
106
204
 
107
205
 
108
206
  ### 0.8.9 / 2013-02-26
109
207
 
110
- * Specify ciphers for SSL on Node to mitigate the BEAST attack
111
- * Mitigate increased risk of socket hang-up errors in Node v0.8.20
112
- * Fix race condition when processing outgoing extensions in the Node server
113
- * Fix problem loading the client script when using `{mount: '/'}`
114
- * Clean up connection objects when a WebSocket is re-used with a new clientId
115
- * All JavaScript code now runs in strict mode
116
- * Select transport on handshake, instead of on client creation to allow time for `disable()` calls
117
- * Do not speculatively open WebSocket/EventSource connections if they are disabled
118
- * Gracefully handle WebSocket messages with no data on the client side
119
- * Close and reconnect WebSocket when onerror is fired, not just when onclose is fired
120
- * Fix problem with caching of EventSource connections with stale clientIds
121
- * Don't parse query strings when checking if a URL is same-origin or not
208
+ - Specify ciphers for SSL on Node to mitigate the BEAST attack
209
+ - Mitigate increased risk of socket hang-up errors in Node v0.8.20
210
+ - Fix race condition when processing outgoing extensions in the Node server
211
+ - Fix problem loading the client script when using `{mount: '/'}`
212
+ - Clean up connection objects when a WebSocket is re-used with a new clientId
213
+ - All JavaScript code now runs in strict mode
214
+ - Select transport on handshake, instead of on client creation to allow time for
215
+ `disable()` calls
216
+ - Do not speculatively open WebSocket/EventSource connections if they are
217
+ disabled
218
+ - Gracefully handle WebSocket messages with no data on the client side
219
+ - Close and reconnect WebSocket when onerror is fired, not just when onclose is
220
+ fired
221
+ - Fix problem with caching of EventSource connections with stale clientIds
222
+ - Don't parse query strings when checking if a URL is same-origin or not
122
223
 
123
224
 
124
225
  ### 0.8.8 / 2013-01-10
125
226
 
126
- * Patch security hole allowing remote execution of arbitrary Server methods
227
+ - Patch security hole allowing remote execution of arbitrary Server methods
127
228
 
128
229
 
129
230
  ### 0.8.7 -- removed due to error while publishing
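Review bot: the 0.8.8 entry, "Patch security hole allowing remote execution of arbitrary Server methods", is reformatted here but still carries no advisory link, unlike the 0.8.11 entry added in this hunk, which links its Rosetta Flash write-up. Add a reference so readers can judge their exposure. That Rosetta Flash link is plain `http://`, and "Fix error recover bug" in the 1.0.1 entry should read "recovery".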
@@ -131,280 +232,311 @@
131
232
 
132
233
  ### 0.8.6 / 2012-10-07
133
234
 
134
- * Make sure messages pushed to the client over a socket pass through outgoing extensions
235
+ - Make sure messages pushed to the client over a socket pass through outgoing
236
+ extensions
135
237
 
136
238
 
137
239
  ### 0.8.5 / 2012-09-30
138
240
 
139
- * Fix a bug in `URI.parse()` that caused Faye endpoints to inherit search and hash from `window.location`
241
+ - Fix a bug in `URI.parse()` that caused Faye endpoints to inherit search and
242
+ hash from `window.location`
140
243
 
141
244
 
142
245
  ### 0.8.4 / 2012-09-29
143
246
 
144
- * Optimise upgrade process so that WebSocket is tested earlier and the connection is cached
145
- * Check that EventSource actually works to work around broken Opera implementation
146
- * Emit `connection:open` and `connection:close` events from the Engine proxy
147
- * Increase size of client IDs from 128 to 160 bits
148
- * Fix bug with relative URL resolution in IE
149
- * Limit the JSON-P transport's message buffer so it doesn't create over-long URLs
150
- * Send `Pragma: no-cache` with XHR requests to guard against iOS 6 POST caching
151
- * Add `charset=utf-8` to response Content-Type headers
247
+ - Optimise upgrade process so that WebSocket is tested earlier and the
248
+ connection is cached
249
+ - Check that EventSource actually works to work around broken Opera
250
+ implementation
251
+ - Emit `connection:open` and `connection:close` events from the Engine proxy
252
+ - Increase size of client IDs from 128 to 160 bits
253
+ - Fix bug with relative URL resolution in IE
254
+ - Limit the JSON-P transport's message buffer so it doesn't create over-long
255
+ URLs
256
+ - Send `Pragma: no-cache` with XHR requests to guard against iOS 6 POST caching
257
+ - Add `charset=utf-8` to response Content-Type headers
152
258
 
153
259
 
154
260
  ### 0.8.3 / 2012-07-15
155
261
 
156
- * `Client#subscribe` returns an array of Subscriptions if given an array of channels
157
- * Allow different endpoints to be specified per-transport
158
- * Only use IE's `XDomainRequest` for same-protocol requests
159
- * Replace URL parser with one that treats relative URLs the same as the browser
160
- * Improve logging of malformed requests and detect problems earlier
161
- * Make sure socket connections are closed when a client session is timed out
162
- * Stop WebSocket reconnecting after `window.onbeforeunload`
262
+ - `Client#subscribe` returns an array of Subscriptions if given an array of
263
+ channels
264
+ - Allow different endpoints to be specified per-transport
265
+ - Only use IE's `XDomainRequest` for same-protocol requests
266
+ - Replace URL parser with one that treats relative URLs the same as the browser
267
+ - Improve logging of malformed requests and detect problems earlier
268
+ - Make sure socket connections are closed when a client session is timed out
269
+ - Stop WebSocket reconnecting after `window.onbeforeunload`
163
270
 
164
271
 
165
272
  ### 0.8.2 / 2012-04-12
166
273
 
167
- * Fix replacement of `null` with `{}` in `copyObject()`
168
- * Make EventSource transport trigger `transport:up/down` events
169
- * Supply source map for minified JavaScript client, and include source in gem
170
- * Return `Content-Length: 0` for 304 responses
171
- * Handle pre-flight CORS requests from old versions of Safari
274
+ - Fix replacement of `null` with `{}` in `copyObject()`
275
+ - Make EventSource transport trigger `transport:up/down` events
276
+ - Supply source map for minified JavaScript client, and include source in gem
277
+ - Return `Content-Length: 0` for 304 responses
278
+ - Handle pre-flight CORS requests from old versions of Safari
172
279
 
173
280
 
174
281
  ### 0.8.1 / 2012-03-15
175
282
 
176
- * Make `Publisher#trigger` safe for event listeners that modify the listener list
177
- * Make `Server#subscribe` return a response if the incoming message has an error
178
- * Fix edge case in code that identifies the `clientId` of socket connections
179
- * Return `Content-Length` headers for HTTP responses
180
- * Don't send empty lists of messages from the WebSocket transport
181
- * Stop client sending multiple `/meta/subscribe` messages for subscriptions made before handshaking
182
- * Stop client treating incoming published messages as responses to `/meta/*` messages
283
+ - Make `Publisher#trigger` safe for event listeners that modify the listener
284
+ list
285
+ - Make `Server#subscribe` return a response if the incoming message has an error
286
+ - Fix edge case in code that identifies the `clientId` of socket connections
287
+ - Return `Content-Length` headers for HTTP responses
288
+ - Don't send empty lists of messages from the WebSocket transport
289
+ - Stop client sending multiple `/meta/subscribe` messages for subscriptions made
290
+ before handshaking
291
+ - Stop client treating incoming published messages as responses to `/meta/*`
292
+ messages
183
293
 
184
294
 
185
295
  ### 0.8.0 / 2012-02-26
186
296
 
187
- * Extract the Redis engine into a separate library, `faye-redis`
188
- * Stabilize and document the Engine API so others can write backends
189
- * Extract WebSocket and EventSource tools into a separate library, `faye-websocket`
190
- * Improve use of WebSocket so messages are immediately pushed rather than polling
191
- * Introduce new EventSource-based transport, for proxies that block WebSocket
192
- * Support the Rainbows and Goliath web servers for Ruby, same as `faye-websocket`
193
- * Improve detection of network errors and switch to fixed-interval for reconnecting
194
- * Add `setHeader()` method to Client (e.g. for connecting to Salesforce API)
195
- * Add `timeout()` method to `Faye.Deferrable` to match `EventMachine::Deferrable`
196
- * Fix some bugs in client-side message handlers created with `subscribe()`
197
- * Improve speed and memory consumption of `copyObject()`
198
- * Switch from JSON to Yajl for JSON parsing in Ruby
297
+ - Extract the Redis engine into a separate library, `faye-redis`
298
+ - Stabilize and document the Engine API so others can write backends
299
+ - Extract WebSocket and EventSource tools into a separate library,
300
+ `faye-websocket`
301
+ - Improve use of WebSocket so messages are immediately pushed rather than
302
+ polling
303
+ - Introduce new EventSource-based transport, for proxies that block WebSocket
304
+ - Support the Rainbows and Goliath web servers for Ruby, same as
305
+ `faye-websocket`
306
+ - Improve detection of network errors and switch to fixed-interval for
307
+ reconnecting
308
+ - Add `setHeader()` method to Client (e.g. for connecting to Salesforce API)
309
+ - Add `timeout()` method to `Faye.Deferrable` to match
310
+ `EventMachine::Deferrable`
311
+ - Fix some bugs in client-side message handlers created with `subscribe()`
312
+ - Improve speed and memory consumption of `copyObject()`
313
+ - Switch from JSON to Yajl for JSON parsing in Ruby
314
+
315
+
316
+ ### 0.7.2 / 2013-01-10
317
+
318
+ - Patch security hole allowing remote execution of arbitrary Server methods
199
319
 
200
320
 
201
321
  ### 0.7.1 / 2011-12-22
202
322
 
203
- * Extension `added()` and `removed()` methods now receive the extended object
204
- * Detection of WebSockets in RackAdapter is more strict
323
+ - Extension `added()` and `removed()` methods now receive the extended object
324
+ - Detection of WebSockets in RackAdapter is more strict
205
325
 
206
326
 
207
327
  ### 0.7.0 / 2011-11-22
208
328
 
209
- * Provide an event API for monitoring engine events on the server side
210
- * Implement server-side WebSocket connections for improved latency
211
- * Fix WebSocket protocol bugs and expose APIs for developers to use
212
- * Make server-side HTTP transports support SSL and cookies
213
- * Allow clients to disable selected transports and autodisconnection
214
- * Add callback/errback API to `Client#publish()` interface
215
- * Add `socket` setting for the Redis engine for connecting through a Unix socket
329
+ - Provide an event API for monitoring engine events on the server side
330
+ - Implement server-side WebSocket connections for improved latency
331
+ - Fix WebSocket protocol bugs and expose APIs for developers to use
332
+ - Make server-side HTTP transports support SSL and cookies
333
+ - Allow clients to disable selected transports and autodisconnection
334
+ - Add callback/errback API to `Client#publish()` interface
335
+ - Add `socket` setting for the Redis engine for connecting through a Unix socket
336
+
337
+
338
+ ### 0.6.8 / 2013-01-10
339
+
340
+ - Patch security hole allowing remote execution of arbitrary Server methods
216
341
 
217
342
 
218
343
  ### 0.6.7 / 2011-10-20
219
344
 
220
- * Cache client script in memory and add `ETag` and `Last-Modified` headers
221
- * Fix bug in Node Redis engine where `undefined` was used if no namespace given
222
- * Flush Redis message queues using a transaction to avoid re-delivery of messages
223
- * Fix race condition and timing errors present in Redis locking code
224
- * Use `Cache-Control: no-cache, no-store` on JSON-P responses
225
- * Improvements to the CORS and JSON-P transports
226
- * Prevent retry handlers in transports from being invoked multiple times
227
- * Use the current page protocol by default when parsing relative URIs
345
+ - Cache client script in memory and add `ETag` and `Last-Modified` headers
346
+ - Fix bug in Node Redis engine where `undefined` was used if no namespace given
347
+ - Flush Redis message queues using a transaction to avoid re-delivery of
348
+ messages
349
+ - Fix race condition and timing errors present in Redis locking code
350
+ - Use `Cache-Control: no-cache, no-store` on JSON-P responses
351
+ - Improvements to the CORS and JSON-P transports
352
+ - Prevent retry handlers in transports from being invoked multiple times
353
+ - Use the current page protocol by default when parsing relative URIs
228
354
 
229
355
 
230
356
  ### 0.6.6 / 2011-09-12
231
357
 
232
- * Add `:key` and `:cert` options to the `Adapter#listen` methods for setting up SSL
233
- * Fix error detection of CORS transport in IE9 running IE8 compatibility mode
234
- * Fix dependency versions so that Rubygems lets Faye install
358
+ - Add `:key` and `:cert` options to the `Adapter#listen` methods for setting up
359
+ SSL
360
+ - Fix error detection of CORS transport in IE9 running IE8 compatibility mode
361
+ - Fix dependency versions so that Rubygems lets Faye install
235
362
 
236
363
 
237
364
  ### 0.6.5 / 2011-08-29
238
365
 
239
- * Fix UTF-8 encoding bugs in draft-75/76 and protocol-8 WebSocket parsers
240
- * Switch to streaming parser for WebSocket protocol-8
241
- * Remove an `SREM` operation that shouldn't have been in the Redis engine
242
- * Move `thin_extensions.rb` so it's not on the Rubygems load path
366
+ - Fix UTF-8 encoding bugs in draft-75/76 and protocol-8 WebSocket parsers
367
+ - Switch to streaming parser for WebSocket protocol-8
368
+ - Remove an `SREM` operation that shouldn't have been in the Redis engine
369
+ - Move `thin_extensions.rb` so it's not on the Rubygems load path
243
370
 
244
371
 
245
372
  ### 0.6.4 / 2011-08-18
246
373
 
247
- * Support WebSocket protocol used by Chrome 14 and Firefox 6
248
- * Fix handling of multibyte characters in WebSocket messages on Node
249
- * Improve message routing in Node memory engine to avoid false duplicates
374
+ - Support WebSocket protocol used by Chrome 14 and Firefox 6
375
+ - Fix handling of multibyte characters in WebSocket messages on Node
376
+ - Improve message routing in Node memory engine to avoid false duplicates
250
377
 
251
378
 
252
379
  ### 0.6.3 / 2011-07-10
253
380
 
254
- * Use sequential message IDs to reduce memory usage on the client side
255
- * Only send advice with handshake and connect responses
256
- * Stop trying to publish `/meta/*` messages - no-one is listening and it breaks `/**`
257
- * Fix bug causing invalid listeners to appear after a client reconnection
258
- * Stop loading `rubygems` within our library code
259
- * Make sure we only queue a message for each client once in the Redis engine
260
- * Use lists instead of sets for message queues in Redis
261
- * Improve clean-up of expired clients in Redis engine
381
+ - Use sequential message IDs to reduce memory usage on the client side
382
+ - Only send advice with handshake and connect responses
383
+ - Stop trying to publish `/meta/*` messages - no-one is listening and it breaks
384
+ `/**`
385
+ - Fix bug causing invalid listeners to appear after a client reconnection
386
+ - Stop loading `rubygems` within our library code
387
+ - Make sure we only queue a message for each client once in the Redis engine
388
+ - Use lists instead of sets for message queues in Redis
389
+ - Improve clean-up of expired clients in Redis engine
262
390
 
263
391
 
264
392
  ### 0.6.2 / 2011-06-19
265
393
 
266
- * Add authentication, database selection and namespacing to Redis engine
267
- * Clean up all client data when removing clients from Redis
268
- * Fix `cross-origin-long-polling` for `OPTIONS`-aware browsers
269
- * Update secure WebSocket detection for recent Node versions
270
- * Reinstate `faye.client` field in Rack environment
394
+ - Add authentication, database selection and namespacing to Redis engine
395
+ - Clean up all client data when removing clients from Redis
396
+ - Fix `cross-origin-long-polling` for `OPTIONS`-aware browsers
397
+ - Update secure WebSocket detection for recent Node versions
398
+ - Reinstate `faye.client` field in Rack environment
271
399
 
272
400
 
273
401
  ### 0.6.1 / 2011-06-06
274
402
 
275
- * Fix `cross-origin-long-polling` support in `RackAdapter`
276
- * Plug some potential memory leaks in `Memory` engine
403
+ - Fix `cross-origin-long-polling` support in `RackAdapter`
404
+ - Plug some potential memory leaks in `Memory` engine
277
405
 
278
406
 
279
407
  ### 0.6.0 / 2011-05-21
280
408
 
281
- * Extract core logic into the `Engine` class to support swappable backends
282
- * Introduce a Redis-backed engine to support clustered web front-ends
283
- * Use CORS for `cross-domain long-polling`
284
- * Make server more resilient against bad requests, including empty message lists
285
- * Perform subscription validation on the server and use errbacks to signal errors
286
- * Prohibit publishing to wildcard channels
287
- * Unsubscribing from a channel is now O(1) instead of O(N)
288
- * Much more thorough and consistent unit test coverage of both versions
289
- * Automatic integration tests using Terminus and TestSwarm
409
+ - Extract core logic into the `Engine` class to support swappable backends
410
+ - Introduce a Redis-backed engine to support clustered web front-ends
411
+ - Use CORS for `cross-domain long-polling`
412
+ - Make server more resilient against bad requests, including empty message lists
413
+ - Perform subscription validation on the server and use errbacks to signal
414
+ errors
415
+ - Prohibit publishing to wildcard channels
416
+ - Unsubscribing from a channel is now O(1) instead of O(N)
417
+ - Much more thorough and consistent unit test coverage of both versions
418
+ - Automatic integration tests using Terminus and TestSwarm
290
419
 
291
420
 
292
421
  ### 0.5.5 / 2011-01-16
293
422
 
294
- * Open a real socket to check for WebSocket usability, not just object detection
295
- * Catch server-side errors when handshaking with WebSockets
423
+ - Open a real socket to check for WebSocket usability, not just object detection
424
+ - Catch server-side errors when handshaking with WebSockets
296
425
 
297
426
 
298
427
  ### 0.5.4 / 2010-12-19
299
428
 
300
- * Add a `#callback` method to `Subscriptions` to detect when they become active
301
- * Add `:extensions` option to `RackAdapter` to make it easier to extend middleware
302
- * Detect secure WebSocket requests through the `HTTP_X_FORWARDED_PROTO` header
303
- * Handle socket errors when sending WebSocket messages from `NodeAdapter`
304
- * Use exponential backoff to reconnect client-side WebSockets to reduce CPU load
429
+ - Add a `#callback` method to `Subscriptions` to detect when they become active
430
+ - Add `:extensions` option to `RackAdapter` to make it easier to extend
431
+ middleware
432
+ - Detect secure WebSocket requests through the `HTTP_X_FORWARDED_PROTO` header
433
+ - Handle socket errors when sending WebSocket messages from `NodeAdapter`
434
+ - Use exponential backoff to reconnect client-side WebSockets to reduce CPU load
305
435
 
306
436
 
307
437
  ### 0.5.3 / 2010-10-21
308
438
 
309
- * Improve detection of `wss:` requirement for secure WebSocket connections
310
- * Correctly use default ports (80,443) for server-side HTTP connections
311
- * Support legacy `application/x-www-form-urlencoded` POST requests
312
- * Delete unused Channel objects that have all their subscribers removed
313
- * Fix resend/reconnect logic in WebSocket transport
314
- * Keep client script in memory rather than reading it from disk every time
315
- * Prevent error-adding extensions from breaking the core protocol
439
+ - Improve detection of `wss:` requirement for secure WebSocket connections
440
+ - Correctly use default ports (80,443) for server-side HTTP connections
441
+ - Support legacy `application/x-www-form-urlencoded` POST requests
442
+ - Delete unused Channel objects that have all their subscribers removed
443
+ - Fix resend/reconnect logic in WebSocket transport
444
+ - Keep client script in memory rather than reading it from disk every time
445
+ - Prevent error-adding extensions from breaking the core protocol
316
446
 
317
447
 
318
448
  ### 0.5.2 / 2010-08-12
319
449
 
320
- * Support draft-76 of the WebSocket protocol (FF4, Chrome 6)
321
- * Reduce `Connection::MAX_DELAY` to improve latency
450
+ - Support draft-76 of the WebSocket protocol (FF4, Chrome 6)
451
+ - Reduce `Connection::MAX_DELAY` to improve latency
322
452
 
323
453
 
324
454
  ### 0.5.1 / 2010-07-21
325
455
 
326
- * Fix a publishing problem in Ruby `LocalTransport`
456
+ - Fix a publishing problem in Ruby `LocalTransport`
327
457
 
328
458
 
329
459
  ### 0.5.0 / 2010-07-17
330
460
 
331
- * Handle multiple event listeners bound to a channel
332
- * Add extension system for adding domain-specific logic to the protocol
333
- * Improve handling of client reconnections if the server goes down
334
- * Change default polling interval to 0 (immediate reconnect)
335
- * Add support for WebSockets (draft75 only) as a network transport
336
- * Remove support for Ruby servers other than Thin
337
- * Make client and server compatible with CometD (1.x and 2.0) components
338
- * Improve clean-up of unused server-side connections
339
- * Change Node API for adding Faye service to an HTTP server
461
+ - Handle multiple event listeners bound to a channel
462
+ - Add extension system for adding domain-specific logic to the protocol
463
+ - Improve handling of client reconnections if the server goes down
464
+ - Change default polling interval to 0 (immediate reconnect)
465
+ - Add support for WebSockets (draft75 only) as a network transport
466
+ - Remove support for Ruby servers other than Thin
467
+ - Make client and server compatible with CometD (1.x and 2.0) components
468
+ - Improve clean-up of unused server-side connections
469
+ - Change Node API for adding Faye service to an HTTP server
340
470
 
341
471
 
342
472
  ### 0.3.4 / 2010-06-20
343
473
 
344
- * Stop local clients going into an infinite loop if a subscription block causes a reconnect
474
+ - Stop local clients going into an infinite loop if a subscription block causes
475
+ a reconnect
345
476
 
346
477
 
347
478
  ### 0.3.3 / 2010-06-07
348
479
 
349
- * Bring Node APIs up to date with 0.1.97
350
- * Catch `ECONNREFUSED` errors in Node clients to withstand server outages
351
- * Refactor the `Server` internals
480
+ - Bring Node APIs up to date with 0.1.97
481
+ - Catch `ECONNREFUSED` errors in Node clients to withstand server outages
482
+ - Refactor the `Server` internals
352
483
 
353
484
 
354
485
  ### 0.3.2 / 2010-04-04
355
486
 
356
- * Fix problems with JSON serialization when Prototype, MooTools present
357
- * Make the client reconnect if it doesn't hear from the server after a timeout
358
- * Stop JavaScript server returning `NaN` for `advice.interval`
359
- * Make Ruby server return an integer for `advice.interval`
360
- * Ensure EventMachine is running before handling messages
361
- * Handle `data` and `end` events properly in Node HTTP API
362
- * Switch to `application/json` for content types and stop using querystring format in POST bodies
363
- * Respond to any URL path under the mount point, not just the exact match
487
+ - Fix problems with JSON serialization when Prototype, MooTools present
488
+ - Make the client reconnect if it doesn't hear from the server after a timeout
489
+ - Stop JavaScript server returning `NaN` for `advice.interval`
490
+ - Make Ruby server return an integer for `advice.interval`
491
+ - Ensure EventMachine is running before handling messages
492
+ - Handle `data` and `end` events properly in Node HTTP API
493
+ - Switch to `application/json` for content types and stop using querystring
494
+ format in POST bodies
495
+ - Respond to any URL path under the mount point, not just the exact match
364
496
 
365
497
 
366
498
  ### 0.3.1 / 2010-03-09
367
499
 
368
- * Pass client down through Rack stack as `env['faye.client']`
369
- * Refactor some JavaScript internals to mirror Ruby codebase
500
+ - Pass client down through Rack stack as `env['faye.client']`
501
+ - Refactor some JavaScript internals to mirror Ruby codebase
370
502
 
371
503
 
372
504
  ### 0.3.0 / 2010-03-01
373
505
 
374
- * Add server-side clients for Node.js and Ruby environments
375
- * Clients support both HTTP and in-process transports
376
- * Fix ID generation in JavaScript version to 128-bit IDs
377
- * Fix bug in interpretation of `**` channel wildcard
378
- * Users don't have to call `#connect()` on clients any more
379
- * Fix timeout race conditions that were killing active connections
380
- * Support new Node APIs from 0.1.29.
506
+ - Add server-side clients for Node.js and Ruby environments
507
+ - Clients support both HTTP and in-process transports
508
+ - Fix ID generation in JavaScript version to 128-bit IDs
509
+ - Fix bug in interpretation of `**` channel wildcard
510
+ - Users don't have to call `#connect()` on clients any more
511
+ - Fix timeout race conditions that were killing active connections
512
+ - Support new Node APIs from 0.1.29.
381
513
 
382
514
 
383
515
  ### 0.2.2 / 2010-02-10
384
516
 
385
- * Kick out requests with malformed JSON as 400s
517
+ - Kick out requests with malformed JSON as 400s
386
518
 
387
519
 
388
520
  ### 0.2.1 / 2010-02-04
389
521
 
390
- * Fix server-side flushing of callback-polling connections
391
- * Backend can be used cross-domain if running on Node or Thin
522
+ - Fix server-side flushing of callback-polling connections
523
+ - Backend can be used cross-domain if running on Node or Thin
392
524
 
393
525
 
394
526
  ### 0.2.0 / 2010-02-02
395
527
 
396
- * Port server to JavaScript with an adapter for Node.js
397
- * Support Thin's async responses in the Ruby version for complete non-blocking
398
- * Fix some minor client-side bugs in transport choice
528
+ - Port server to JavaScript with an adapter for Node.js
529
+ - Support Thin's async responses in the Ruby version for complete non-blocking
530
+ - Fix some minor client-side bugs in transport choice
399
531
 
400
532
 
401
533
  ### 0.1.1 / 2009-07-26
402
534
 
403
- * Fix a broken client build
535
+ - Fix a broken client build
404
536
 
405
537
 
406
538
  ### 0.1.0 / 2009-06-15
407
539
 
408
- * Ruby Bayeux server and Rack adapter
409
- * Internally evented using EventMachine, web frontend blocks
410
- * JavaScript client with `long-polling` and `callback-polling`
540
+ - Ruby Bayeux server and Rack adapter
541
+ - Internally evented using EventMachine, web frontend blocks
542
+ - JavaScript client with `long-polling` and `callback-polling`
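Review bot: In the 0.2.0 entry, the bullet "Support Thin's async responses in the Ruby version for complete non-blocking" is carried over with its sentence cut off after "non-blocking". Every bullet in this file is being rewritten in this change, so this is the place to finish that sentence. The 0.3.0 bullet "Support new Node APIs from 0.1.29." is the only one in this range that keeps a trailing period, and dropping it would match the rest. For the re-wrapped bullets (for example "signal" / "errors" in 0.6.0, "extend" / "middleware" in 0.5.4, and the `/meta/*` bullet whose continuation is just `/**`), check in the raw file that each continuation line is indented under the bullet text, since the indentation is not visible in this rendering and an unindented continuation would not render as part of the list item.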