1 OpenSRF 2.4 Release Notes
2 =========================
6 The following Linux distributions are supported:
8 * Debian 6 (Squeeze), 7 (Wheezy), and 8 (Jessie)
10 * Ubuntu 12.04 LTS (Precise Pangolin) and 14.04 (Trusty Tahr)
14 OpenSRF 2.4.2 is a security release. Users of 2.4.1 and earlier are strongly
15 urged to upgrade as soon as possible.
20 * LP#1652382: improve normalization of memcache keys to avoid potential
21 denial of service and privilege escalation attacks.
22 * LP#1652122: fix an infinite recursion bug in opensrf.system.method.all.
23 * LP#1655449: propagate bundling/chunking limits to subrequests.
24 * LP#1559121: remove support for Debian Squeeze
25 * LP#1350457: pass caller's session to subrequests called via method_lookup
26 * LP#1494486: limit damage caused by dropped drone XMPP socket
27 * LP#1474507: fix interval_to_seconds for weeks and seconds
31 We would like to acknowledge the following people who contributed to
46 Improved documentation for configuring `ejabberd` on Debian Jessie (LP#1445503)
47 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
48 The documentation now reflects the fact that the version of
49 `ejabberd` packaged for Jessie uses a new configuration file format.
51 Minor `srfsh` enhancements (LP#1436047, LP#1152272)
52 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
53 `srfsh` now accepts a new command-line switch, `--safe`. When
54 `--safe` is supplied, `srfsh` will not allow the user to use
55 the bang (`!`) command to run an external program.
57 Also, when `srfsh` is run non-interactively (e.g., `srfsh /path/to/script.srfsh`
58 or `srfsh < /path/to/script.srfsh`), it no longer
59 records the commands run in the `srfsh` history file (`~/.srfsh_history`).
60 This allows `srfsh` to be invoked as a cronjob without
61 cluttering up its command history.
66 Avoid re-sending messages extraneously over WebSockets (LP#1418613)
67 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
68 Under certain circumstances, the JavaScript OpenSRF WebSockets client
69 library could inappropriately re-send messages. This is now fixed.
71 Testers of the prototype Evergreen web staff client are particularly
72 encouraged to upgrade OpenSRF to get this bugfix.
74 `srfsh` no longer closes STDOUT prematurely (LP#1461625)
75 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
76 When run non-interactively, `srfsh` used to close STDOUT
77 after handling the first command, which meant that the
78 output of subsequent commands was not displayed. This is now
81 Python gateway client now supports HTTPS-only gateways (LP#1409055)
82 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
83 The Python gateway client used to coerce gateway requests to HTTP. As
84 of this release, if the value supplied to `setDefaultHost()` starts with
85 "https://" or "http://", the specified protocol is used.
93 WebSockets support (LP#1268619)
94 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
95 WebSockets are a standards-compliant, cross-browser mechanism to support
96 streaming, bi-directional communication between the browser and the
97 server. For more information, see http://en.wikipedia.org/wiki/WebSocket
99 OpenSRF now offers a WebSockets gateway via an Apache plugin
100 as well as updates to the OpenSRF JavaScript client library to
101 support WebSockets as a transport.
103 To install the WebSockets gateway, follow the instructions
104 in `README.websockets`. By default, the WebSockets gateway
105 listens on ports 7680 and 7682 and uses a separate Apache
108 Cross Origin Resource Sharing for OpenSRF (LP#1002028)
109 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
110 Browsers' same-origin policy currently restricts requests to the current
111 website's domain to prevent various nefarious scenarios. However,
112 because APIs and other web resources need to remain open to cross-site
113 use, Cross Origin Resource Sharing (CORS) was created to allow services
114 to formally authorize cross-origin requests. CORS makes it simple to use
115 OpenSRF's HTTP translator and gateway APIs on websites using separate
118 A couple examples of scenarios where this would be useful:
120 . A library would like an AJAX-driven "quicksearch" box on their main
121 site, which is hosted on a different domain than their catalog.
122 . A developer wants to create new web applications and services that
123 tie into Evergreen, but does not wish to install Evergreen locally or
126 Domains that are allowed to send cross-origin requests can now be
127 specified in `opensrf_core.xml` as `cross_origin/origin` elements
128 in the `gateway` element (full XPath `/config/gateway/cross_origin/origin`).
130 Note that the OpenSRF Javascript client library (`opensrf.js`) currently
131 defaults to the root of the current web host (`/osrf-http-translator`).
132 In addition, synchronous requests are presumed in some situations,
133 resulting in the oncomplete method never returning (as blocking requests
134 are not possible with cross-domain XHR).
136 Support for log tagging (LP#1343578)
137 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
138 It is now possible to specify a log tag, i.e., a string to append
139 to the application name in syslog message. This allows easy filtering
140 of log entries when running multiple OpenSRF instances on the same
143 Log tags can be set by adding `logtag` elements in `opensrf_core.xml`.
145 Enhancements in 2.4.0
146 ~~~~~~~~~~~~~~~~~~~~~
148 JavaScript library now uses browser-native JSON routines (LP#1316245)
149 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
150 The routines `JSON2js` and `js2JSON` now use native browser JSON
151 routines. In addition, `jsonPretty` is removed in favor of
154 Users of the OpenSRF JavaScript library should note that as a
155 consequence of this change, `JSON2js` will now throw an exception
156 if it is given input not is not a valid JSON string.
158 Listeners now log and drop XMPP error messages (LP#1341687)
159 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
160 The most common form of XMPP error messages are "bounced" messages, i.e.
161 those where the recipient is not available. Instead of passing these
162 useless and confusing messages down to a drone for processing, listeners
163 now log the error and drop the message.
165 An example of when this can occur is when a service is starting up and
166 attempts to register with a router that is not yet available.
168 Removes osrf_ctl.sh (LP#1286248)
169 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
170 The control script `osrf_ctl.sh` is removed in favor of `osrf_control`,
171 which was introduced in OpenSRF 2.3.0.
173 Improved docgen output(LP#1292214)
174 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
175 Docgen output now respects formatting present in method description.
179 * Add support for Debian Jessie (LP#1306044)
180 * Add support for Ubuntu Trusty (and removes support for Lucid) (LP#1315525)
181 * Remove deprecated Jabber registration script (LP#1306044)
182 * Improve const-correctness of osrfCachePutString and osrfCachePutObject (LP#1234816)
183 * Document that perl2JSON doesn't order hash keys (LP#1285915)
184 * Reorder changes to ejabberd.cfg in the install instructions
189 OpenSRF.pm no longer supplies AUTOLOAD (LP#1179660)
190 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
191 Instead of simply producing an error message in the OpenSRF logs, calls
192 to nonexistent subroutines are now fatal errors which will stop code
195 `osrf_control` only affects processes owned by current user (LP#1337401)
196 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
197 As of 2.3.0, OpenSRF can readily support running multiple instances on
198 one server. This bugfix ensures that `osrf_control` only affects OpenSRF
199 processes owened by the current user.