- Breaking change: All request parameters are automatically decoded using
decodeUrl
. Accessing the parameters with the@
operator or directly through the rawrequest.params
returns the value decoded. - Fix for #211 - custom routers now have the same error handling as normal routes.
- Fix for #269 - a bug that prevented redirecting from within error handlers.
For full list, see the commits since the last version:
https://github.com/dom96/jester/compare/v0.5.0...v0.6.0
Major new release mainly due to some breaking changes. This release brings compatibility with Nim 1.4.0 as well.
- Breaking change: By default
redirect
now skips future handlers, including when used in abefore
route. To retain the old behavior, set the parameterhalt=false
(e.g.redirect("/somewhere", halt=false)
)
For full list, see the commits since the last version:
https://github.com/dom96/jester/compare/v0.4.3...v0.5.0
Minor release correcting a few packaging issues and includes some other fixes by the community.
For full list, see the commits since the last version:
https://github.com/dom96/jester/compare/v0.4.2...v0.4.3
This is a minor release containing a number of bug fixes. In particular it fixes a 0-day vulnerability, which allows an attacker to request static files from outside the static directory in certain circumastances. See this commit for a test which reproduces the bug.
For other changes, see the commits since the last version:
https://github.com/dom96/jester/compare/v0.4.1...v0.4.2
This is a minor release containing a number of bug fixes. The main purpose of this release is compatibility with the recent Nim seq/string changes.
This is a major new release focusing on optimizations. In one specific benchmark
involving pipelined HTTP requests, the speed up was 650% in comparison to
Jester v0.3.0. For another benchmark using the wrk
tool, with no pipelining,
the speed up was 178%.
A list of changes follows:
- Breaking change: The response headers are now stored in a more efficient
data structure called
RawHeaders
. This new data structure is also stored in anOption
type, this makes some responses significantly more efficient. sendFile
has been implemented, so it's now possible to easily respond to a request with a file.
This is a major new release containing many changes and improvements. Primary new addition is support for the brand new HttpBeast server which offers unparalleled performance and scalability across CPU cores.
This release also fixes a security vulnerability. which even got a CVE number: CVE-2018-13034. If you are exposing Jester directly to outside users, i.e. without a reverse proxy (such as nginx), then you are vulnerable and should upgrade ASAP. See below for details.
Routes can now be separated into multiple router
blocks and each block
can be placed inside a separate module. For example:
import jester
router api:
get "/names":
resp "Dom,George,Charles"
get "/info/@name":
resp @"name"
routes:
extend api, "/api"
The api
routes are all prefixed with /api
, for example
http://localhost:5000/api/names.
Errors including exceptions and error HTTP codes can now be handled. For example:
import jester
routes:
error Http404:
resp Http404, "Looks you took a wrong turn somewhere."
error Exception:
resp Http500, "Something bad happened: " & exception.msg
Jester now supports before
and after
routes. So you can easily perform
actions before or after requests, you don't have to specify a pattern if you
want the handler to run before/after all requests. For example:
import jester
routes:
before:
resp Http200, "<xml></xml>", "text/xml"
get "/test":
result[3] = "<content>foobar</content>"
The fix for this vulnerability has been backported to Jester v0.2.1. Use it if you do not wish to upgrade to Jester v0.3.0 or are stuck with Nim 0.18.0 or earlier.
This vulnerability makes it possible for an attacker to access files outside
your designated static
directory. This can be done by requesting URLs such as
http://localhost:5000/../webapp.nim. An attacker could potentially access
anything on your filesystem using this method, as long as the running application
had the necessary permissions to read the file.
Note: It is recommended to always run Jester applications behind a reverse proxy such as nginx. If your application is running behind such a proxy then you are not vulnerable. Services such as cloudflare also protect against this form of attack.
- Breaking change: The
body
,headers
,status
templates have been removed. These may be brought back in the future. - Templates and macros now work in routes.
- HttpBeast support.
- SameSite support for cookies.
- Multi-core support.
Fixes CVE-2018-13034. See above for details.
This release contains small improvements and fixes to support Nim 0.15.0.
- Breaking change: The
ReqMeth
type was removed in favour of Nim'sHttpMethod
type. - The
CONNECT
HTTP method is now supported.