Release 3.2.0

Fixes

• Empty PHPSESSID cookie

New

• Limited PHP Windows support (GET only)

Release 3.1.0

New

• REQ() is now forward slash-agnostic
• URI() accepting std::string
• NPP_PHP macro. If defined, php files in res – if requested – are passed to php-cgi. It allows to execute PHP code straight from the resource directory. PHP code does not share Node++ sessions. Query strings, POST payload and cookies are passed over to php-cgi and likewise, cookies and redirections are passed back to the client. It's designed to enable quick and simple PHP support. Therefore the request payload is limited to 3 KiB and rendered response to NPP_OUT_BUFSIZE bytes, which is 128 KiB by default (NPP_MEM_SMALL).

NPP_PHP security considerations

• The request is passed over to php-cgi only after confirming the requested php file exists in res directory.
• By default, the PHPSESSID is the only cookie allowed and is sanitized using npp_filter_strict() before passing over to php-cgi. To enable passing all cookies, add NPP_PHP_ALL_COOKIES.
• Query string and payload is sanitized using npp_filter_qs(). It practically means the only Content-type fully supported by NPP_PHP is www-form-urlencoded. Due to the way payload is passed to php-cgi, without this sanitization, the system would be open to shell attacks.

Release 3.0.1

Fixes

• NPP_CPP_STRINGS compilation fix

Release 3.0.0

Node++ 3 vs 2

ci

Version 3 gets rid of ci (connection index) carried around for all those years. I kind of forgot about it, even after it had become obvious that Node++ was going to retain a single-threaded model. Migration to 3.x.x requires removing int ci function arguments.

Silgy

Silgy compatibility has been removed. It's been so long that it no loger makes sense to clutter Node++'s code base with npp_silgy.h.

USERS

Although 62 power 15 gives insane number of possible combinations (exactly 768,909,704,948,766,668,552,634,368 of them), I decided to extend sessid to 20 characters, in case the whole universe and all of its IoT devices started using Node++. I skip providing the updated number of combinations here. Also, CSRF token has been extended to 15 characters.

One Time Password is now possible with NPP_USER_ONE_TIME_PASSWORD_ONLY macro present in npp_app.h.

All of the above requires some database changes:

alter table users add otp char(44);
alter table users add otp_expires datetime;
alter table users_logins modify sessid char(20);
alter table users_logins modify csrft char(15);

npp_open_read_file() has been renamed npp_read_file().

Release 2.3.1

• reverse cinttypes mistake

Release 2.3.0

Fixes

• include cinttypes
• convert backslash in npp_lib_escape_for_html()
• suppress CppCheck warnings in npp_lib_escape_for_html and npp_email

New

• npp_open_read_file() for reading potentially large files into memory

Release 2.2.1

• Accepting simultaneous plain and secure connections fix
• resCacheTreshold malloc fix
• Prevent log flood with NPP_DEBUG
• JSON null handling fix
• Resources' read errors recoverable
• NPP_EXPIRES_RENDERED instead of NPP_EXPIRES_GENERATED and defaults to 0
• Default Last-modified header for rendered content current instead of start time
• NPP_NO_SOCKETS for simpler client compilation

Release 2.2.0

New

• resCacheTreshold - static resource maximum size in bytes that is loaded into memory at startup. Larger files will be read from disk only when requested. Default is 16 MiB.

Fixes

• nppmake MacOS fix
• MySQL my_bool fix
• variadic templates GCC warnings

Release 2.1.5

Fixes

• CALL_HTTP IPv6 caching fix
• CALL_HTTP custom headers fix
• Windows msleep fix
• MariaDB MYSQL_OPT_SSL_MODE fix

New

• MEDIUM memory model as default
• Most common switches in npp_app.h

Internals

• The whole CALL_HTTP response available as global G_call_http_res_header

Release 2.1.4

Fixes

• MySQL > 5.7 connection fix

Newer MySQL requires clients to perform server certificate validation or explicitly disabling encryption. From now on, Node++ allows disabling database connection encryption with dbDisableEncryption configuration option set to 1.

It also allows to set up an encrypted channel using a full set of SSL options. The preferred SSL mode can be set with dbSSLMode option. The details will be added to documentation: Configuration Parameters.