# OnionShare Changelog ## 2.6.2 * Security fix: Removes newlines from History item path * Security fix: Set a maximum length of 524288 characters for text messages in Receive mode * Security fix: Allows only specific ASCII characters for usernames and removes control characters * Security fix: Forcefully disconnect user from chat on `disconnect` event * Security fix: Handle username validation excpeptions to prevent silent joining ## 2.6.1 * Release updates: Automate builds with CI, make just 64-bit Windows release, make a single universal2 release for both Intel and Apple Silicon macOS * Upgrade dependencies, including Tor, meek, and snowflake * Bug fix: Restore the primary_action mode settings in a tab after OnionShare reconnects to Tor * Bug fix: Fix issue with auto-connecting to Tor with persistent tabs open * Bug fix: Fix packaging issue where Windows version of OnionShare conflicts with Windows version of Dangerzone * Bug fix: Fix 'Use a bridge' checkbox state change * Bug fix: Raise error from waitress if not shutdown ## 2.6 * Major feature: a new 'Quickstart' screen, which enables toggling on or off an animated automatic connection to Tor. This allows configuring network settings prior to automatic connection. * Major feature: Censorship circumvention. Use new features in the upstream Tor API to try to automatically obtain bridges depending on the user's location. * New feature: automatically fetch the built-in bridges from the upstream Tor API rather than hardcode them in each release of OnionShare. * New feature: keyboard shortcuts to access various modes and menus, and accessibility hints * Bug fix: Temporary Directory for serving the OnionShare web pages was broken on Windows * Packaging: Packaging is more automated, and Linux Snapcraft releases are available for amd64, arm64, and armhf * Miscellaneous: Many dependency updates and web page theming improvements ## 2.5 * Security fix: Sanitize the path parameter in History item widget to be plain text * Security fix: Use microseconds in Receive mode directory creation to avoid potential DoS * Security fix: Several hardening improvements for session and username management in Chat mode, to prevent impersonation and other issues * Major feature: Obtain bridges from Moat / BridgeDB (over a domain-fronted Meek client) * Major feature: Snowflake bridge support * New feature: Tor connection settings, as well as general settings, are now Tabs rather than dialogs * New feature: User can customize the Content-Security-Policy header in Website mode * New feature: Built-in bridges are automatically updated from Tor's API when the user has chosen to use them * Switch to using our `stem` fork called `cepa`, which is now published on Pypi so we can build it in releases * Various bug fixes ## 2.4 * Major feature: Private keys (v3 onion client authentication) replaces passwords and HTTP basic auth * Updated Tor to 0.4.6.7 on all platforms * Various bug fixes ## 2.3.3 * New feature: Setting for light or dark theme * Updated Tor to 0.4.6.7 for Linux, 0.4.5.10 for Windows and macOS * Various bug fixes ## 2.3.2 * New feature: Custom titles can be set for OnionShare's various modes * New feature: Receive mode supports notification webhooks * New feature: Receive mode supports submitting messages as well as files * New feature: New ASCII art banner and prettier verbose output * New feature: Partial support for range requests (pausing and resuming in HTTP) * Updated Tor to 0.4.5.7 * Updated built-in obfs4 bridges * Various bug fixes ## 2.3.1 * Bugfix: Fix chat mode * Bugfix: Fix --persistent in onionshare-cli * Bugfix: Fix checking for updates in Windows and macOS ## 2.3 * Major new feature: Multiple tabs, including better support for persistent services, faster Tor connections * New feature: Chat anonymously mode * New feature: All new design * New feature: Ability to display QR codes of OnionShare addresses * New feature: Web apps have responsive design and look better on mobile * New feature: Flatpak and Snapcraft packaging for Linux * Several bug fixes ## 2.2 * New feature: Website mode, which allows publishing a static HTML website as an onion service * Allow individual files to be viewed or downloaded in Share mode, including the ability to browse into subdirectories and use breadcrumbs to navigate back * Show a counter when individual files or pages are viewed * Better History items including colors and status codes to differentiate between successful and failed requests * Swap out the random /slug suffix for HTTP basic authentication (when in non-public mode) * Hide the Tor connection settings if the ONIONSHARE_HIDE_TOR_SETTINGS environment variable is set (Tails compatibility) * Remove the NoScript XSS warning in Receive Mode now that the NoScript/Tor Browser bug is fixed. The ajax upload method still exists when javascript is enabled. * Better support for DragonFly BSD * Updated various dependencies, including Flask, Werkzeug, urllib3, requests, and PyQt5 * Updated Tor to 0.4.1.5 * Other minor bug fixes * New translations: * Arabic (العربية) * Dutch (Nederlands) * Persian (فارسی) * Romanian (Română) * Serbian latin (Srpska (latinica)) * Removed translations with fewer than 90% of strings translated: * Finnish (Suomi) ## 2.1 * New feature: Auto-start timer, which allows scheduling when the server starts * Renamed CLI argument --debug to --verbose * Make Tor connection timeout configurable as a CLI argument * Updated various dependencies, including fixing third-party security issues in urllib3, Jinja2, and jQuery * Updated Tor to 0.3.5.8 * New translations: * Traditional Chinese (正體中文 (繁體)), * Simplified Chinese (中文 (简体)) * Finnish (Suomi) * German (Deutsch) * Icelandic (Íslenska) * Irish (Gaeilge) * Norwegian Bokmål (Norsk bokmål) * Polish (Polski) * Portuguese Portugal (Português (Portugal)) * Telugu (తెలుగు) * Turkish (Türkçe) * Ukrainian (Українська) * Removed translations with fewer than 90% of strings translated: * Bengali (বাংলা) * Persian (فارسی) ## 2.0 * New feature: Receiver mode allows you to receive files with OnionShare, instead of only sending files * New feature: Support for next generation onion services * New feature: macOS sandbox is enabled * New feature: Public mode feature, for public uses of OnionShare, which when enabled turns off slugs in the URL and removes the limit on how many 404 requests can be made * New feature: If you're sharing a single file, don't zip it up * New feature: Full support for meek_lite (Azure) bridges * New feature: Allow selecting your language from a dropdown * New translations: Bengali (বাংলা), Catalan (Català), Danish (Dansk), French (Français), Greek (Ελληνικά), Italian (Italiano), Japanese (日本語), Persian (فارسی), Portuguese Brazil (Português Brasil), Russian (Русский), Spanish (Español), Swedish (Svenska) * Several bugfixes * Invisible to users, this version includes some major refactoring of the codebase, and a robust set of unit tests which makes OnionShare easier to maintain going forward ## 1.3.2 * Bugfix: In debug mode, stop saving flask debug log in /tmp, where all users can access it ## 1.3.1 * Updated Tor to 0.2.3.10 * Windows and Mac binaries are now distributed with licenses for Tor and obfs4 ## 1.3 * Major UI redesign, introducing many UX improvements * Client-side web interface redesigned * New feature: Support for meek_lite pluggable transports (Amazon and Azure) - not yet ready for Windows or macOS, sorry * New feature: Support for custom obfs4 and meek_lite bridges (again, meek_lite not available on Windows/macOS yet) * New feature: Ability to cancel share before it starts * Bugfix: The UpdateChecker no longer blocks the UI when checking * Bugfix: Simultaneous downloads (broken in 1.2) * Updated Tor to 0.2.3.9 * Improved support for BSD * Updated French and Danish translations * Minor build script and build documentation fixes * Flake8 tests added ## 1.2 * New feature: Support for Tor bridges, including obfs4proxy * New feature: Ability to use a persistent URL * New feature: Auto-stop timer, to stop OnionShare at a specified time * New feature: Get notification when Tor connection dies * Updated versions of Python, Qt, Tor, and other dependencies that are bundled * Added ability to supply a custom settings file as a command line arg * Added support for FreeBSD * Fixed small user interface issues * Fixed minor bugs * New Dutch translations ## 1.1 * OnionShare connects to Tor itself now, so opening Tor Browser in the background isn't required * In Windows and macOS, OnionShare alerts users about updates * Removed the menu bar, and adding a "Settings" button * Added desktop notifications, and a system tray icon * Ability to add multiple files and folders with a single "Add" button * Ability to delete multiple files and folders at once with the "Delete" button * Hardened some response headers sent from the web server * Minor clarity improvements to the contents of the share's web page * Alert the user rather than share an empty archive if a file was unreadable * Prettier progress bars ## 1.0 * Fixed long-standing macOS X bug that caused OnionShare to crash on older Macs (!) * Added settings dialog to configure connecting to Tor, including support for system Tor * Added support for stealth onion services (advanced option) * Added support for Whonix * Improved AppArmor profiles * Added progress bar for zipping up files * Improved the look of download progress bars * Allows developers to launch OnionShare from source tree, without building a package * Deleted legacy code, and made OnionShare purely use ephemeral Tor onion services * Switched to EFF's diceware wordlist for slugs ## 0.9.2 (Linux only) * Looks for `TOR_CONTROL_PORT` environment variable, to help Tails integration * Change how OnionShare checks to see if it's installed system-wide, to help Subgraph OS integration ## 0.9.1 * Added Nautilus extension, so you can right-click on a file and choose "Share via OnionShare", thanks to Subgraph developers * Switch to using the term "onion service" rather than "hidden service" * Fix CVE-2016-5026, minor security issue related to use of /tmp directory * Switch from PyInstaller to cx_Freeze for Windows and OSX packaging * Support CLI in Windows and OSX ## 0.9 * Slugs are now shorter and human-readable, with rate limiting to prevent URL guessing * Uses a new slug each time the server restarts * "Stop sharing automatically" enforces only one download * Users get asked if they're sure they want to close OnionShare while server is running * Added estimated time remaining progress indicator * Fixed frozen window while waiting for hidden service to start * Displays version number in both GUI and CLI * Closing window causes downloads to stop immediately * Web server listens in ports 17600-17650, for future Tails support * Updated translations * Ported from Python 2 to Python 3 and from Qt4 to Qt5 * Ported from py2app and py2exe to PyInstaller ## 0.8.1 * Fixed crash in Windows 7 * Fixed crash related to non-ephemeral hidden services in Linux * Fixed minor bugs ## 0.8 * Add support for ephemeral hidden services * Stopped leaking sender's locale on download page * Add support for Tor Messenger as provider of Tor service * Minor bugfixes, code cleanup, and refactoring ## 0.7.1 * Fixed critical bug in OS X binaries that caused crashes on some computers * Added Security Design document * Minor bugfix with Windows code signing timestamp server * Linux version uses HS dir that is allowed by Tor Browser Launcher's AppArmor profiles ## 0.7 * Added code signing for Mac OS X * Does not disable existing hidden services * Uses allowZip64 to allow compressing files >5gb * Sets HS dir to be in /var/lib/tor in Tails, to obey AppArmor rules * Misc. minor code cleanup ## 0.6 * Brand new drag-and-drop GUI with ability to start and stop server * Much cleaner code split into several files * Support for sharing multiple files and folders at once, and automatically compresses files before sharing * Redesigned receiver HTML interface * Waits for hidden service to be available before displaying URL * Cleans up hidden service directory on exit * Continuous integration with Travis * Support for multiple downloads at once * Fixed unicode-related filename and display bugs * Warns that large files could take hours to send * New translations * Several misc. bugfixes * Added code signing for Windows with Authenticode ## 0.5 * Removed webkit GUI altogether, and refactored GUI with native Qt widget * In Tails, launches separate process as root for Tor control port and firewall stuff, everything else runs as amnesia * Fixed itsdangerous dependency bug in Debian Wheezy and Tails * Guesses content type of file, responds in HTTP header ## 0.4 * Fixed critical XSS bug that could deanonymize user: https://micahflee.com/2014/07/security-advisory-upgrade-to-onionshare-0-4-immediately/ * Added CSP headers in GUI to prevent any future XSS bugs from working * Hash urandom data before using it, to avoid leaking state of entropy * Constant time compare the slug to avoid timing attacks * Cleaned up Tails firewall code ## 0.3 * Built a simple, featureful cross-platform GUI * Graphical installers for Windows and OSX * Packaged for Linux in .deb, .rpm, with desktop launcher * Installable in Tails 1.1+, with simple "install" script * Automatically copies URL to clipboard * Automatically closes when download is done by default * Shows download progress * Limited suite of tests * If a localized string doesn't exist, falls back to English * New translations: Dutch, Portuguese, German, Russian, and updated translations: Norwegian Bokmål, Spanish, French, Italian