ZeroNet - Decentralized websites using Bitcoin crypto and BitTorrent network

Overview

Decentralized websites using Bitcoin crypto and the BitTorrent network - https://zeronet.io / onion

Why?

  • We believe in open, free, and uncensored network and communication.
  • No single point of failure: Site remains online so long as at least 1 peer is serving it.
  • No hosting costs: Sites are served by visitors.
  • Impossible to shut down: It's nowhere because it's everywhere.
  • Fast and works offline: You can access the site even if Internet is unavailable.

Features

  • Real-time updated sites
  • Namecoin .bit domains support
  • Easy to set up: unpack & run
  • Clone websites in one click
  • Password-less BIP32 based authorization: Your account is protected by the same cryptography as your Bitcoin wallet
  • Built-in SQL server with P2P data synchronization: Allows easier site development and faster page load times
  • Anonymity: Full Tor network support with .onion hidden services instead of IPv4 addresses
  • TLS encrypted connections
  • Automatic UPnP port opening
  • Plugin for multiuser (openproxy) support
  • Works with any browser/OS

How does it work?

  • After starting zeronet.py you will be able to visit zeronet sites using http://127.0.0.1:43110/{zeronet_address} (e.g. http://127.0.0.1:43110/1HeLLo4uzjaLetFx6NH3PMwFP3qbRbTf3D).
  • When you visit a new zeronet site, it tries to find peers using the BitTorrent network so it can download the site files (html, css, js...) from them.
  • Each visited site is also served by you.
  • Every site contains a content.json file that lists all other files with their sha512 hashes, along with a signature generated using the site's private key.
  • If the site owner (who has the private key for the site address) modifies the site, then he/she signs the new content.json and publishes it to the peers. Afterwards, the peers verify the content.json integrity (using the signature), they download the modified files and publish the new content to other peers.
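
The file-integrity half of the check described above, as an added example (not ZeroNet's own code). It assumes the signature on content.json has already been verified, and the manifest layout (`files` mapping each path to `sha512` and `size`), the 64-character digest length and all function names are assumptions of this sketch.

```python
import hashlib
import os
import tempfile

# Assumption of this example: each manifest entry stores the first 64 hex
# characters of the file's SHA-512 digest plus the file size in bytes.
DIGEST_HEX_LEN = 64


def file_digest(path):
    """Stream a file through SHA-512 and return the truncated hex digest."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()[:DIGEST_HEX_LEN]


def safe_join(site_dir, inner_path):
    """Resolve inner_path under site_dir; refuse absolute paths and '..' escapes."""
    root = os.path.realpath(site_dir)
    full = os.path.realpath(os.path.join(root, inner_path))
    if full == root or os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes site directory: %r" % inner_path)
    return full


def verify_site(site_dir, manifest):
    """Return {inner_path: status} for listed files and for unlisted files on disk."""
    report = {}
    for inner_path, meta in manifest.get("files", {}).items():
        try:
            full = safe_join(site_dir, inner_path)
        except ValueError:
            report[inner_path] = "rejected-path"
            continue
        listed = meta.get("sha512")
        if not os.path.isfile(full):
            report[inner_path] = "missing"
        elif os.path.getsize(full) != meta.get("size"):
            report[inner_path] = "size-mismatch"  # cheap check before hashing
        elif not isinstance(listed, str) or len(listed) != DIGEST_HEX_LEN:
            report[inner_path] = "bad-digest-format"  # never accept a short prefix
        elif file_digest(full) != listed.lower():
            report[inner_path] = "hash-mismatch"
        else:
            report[inner_path] = "ok"
    # Anything on disk that the signed manifest does not vouch for is flagged.
    root = os.path.realpath(site_dir)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel != "content.json" and rel not in report:
                report[rel] = "unlisted"
    return report


def build_demo():
    """Create a constructed sample site and manifest, then tamper with it."""
    site = tempfile.mkdtemp(prefix="zn-demo-")
    originals = {"index.html": b"<h1>hello</h1>", "js/app.js": b"console.log(1)"}
    manifest = {"files": {}}
    for inner, data in originals.items():
        full = os.path.join(site, inner)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        manifest["files"][inner] = {
            "sha512": hashlib.sha512(data).hexdigest()[:DIGEST_HEX_LEN],
            "size": len(data),
        }
    manifest["files"]["style.css"] = {"sha512": "0" * DIGEST_HEX_LEN, "size": 10}
    manifest["files"]["../outside.txt"] = {"sha512": "0" * DIGEST_HEX_LEN, "size": 1}
    # Same-size modification after the manifest was built: only the hash catches it.
    with open(os.path.join(site, "js", "app.js"), "wb") as f:
        f.write(b"console.log(2)")
    with open(os.path.join(site, "extra.html"), "wb") as f:
        f.write(b"x")
    return site, manifest


if __name__ == "__main__":
    site, manifest = build_demo()
    for path, status in sorted(verify_site(site, manifest).items()):
        print("%-18s %s" % (path, status))
```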

Slideshow about ZeroNet cryptography, site updates, multi-user sites »

Frequently asked questions »

ZeroNet Developer Documentation »

Screenshots

More screenshots in ZeroNet docs »

How to join

Windows

macOS

Linux (x86-64bit)

  • wget https://github.com/HelloZeroNet/ZeroNet-linux/archive/dist-linux64/ZeroNet-py3-linux64.tar.gz
  • tar xvpfz ZeroNet-py3-linux64.tar.gz
  • cd ZeroNet-linux-dist-linux64/
  • Start with: ./ZeroNet.sh
  • Open the ZeroHello landing page in your browser by navigating to: http://127.0.0.1:43110/

Tip: Start with ./ZeroNet.sh --ui_ip '*' --ui_restrict your.ip.address to allow remote connections on the web interface.

Android (arm, arm64, x86)

Docker

There is an official image, built from source at: https://hub.docker.com/r/nofish/zeronet/

Install from source

  • wget https://github.com/HelloZeroNet/ZeroNet/archive/py3/ZeroNet-py3.tar.gz
  • tar xvpfz ZeroNet-py3.tar.gz
  • cd ZeroNet-py3
  • sudo apt-get update
  • sudo apt-get install python3-pip
  • sudo python3 -m pip install -r requirements.txt
  • Start with: python3 zeronet.py
  • Open the ZeroHello landing page in your browser by navigating to: http://127.0.0.1:43110/

Current limitations

  • No torrent-like file splitting for big file support (resolved: big file support added)
  • No more anonymous than BitTorrent (resolved: built-in full Tor support added)
  • File transactions are not compressed or encrypted yet (resolved: TLS encryption added)
  • No private sites

How can I create a ZeroNet site?

  • Click on > "Create new, empty site" menu item on the site ZeroHello.
  • You will be redirected to a completely new site that is only modifiable by you!
  • You can find and modify your site's content in data/[yoursiteaddress] directory
  • After the modifications, open your site, drag the top-right "0" button to the left, then press the sign and publish buttons at the bottom

Next steps: ZeroNet Developer Documentation

Comments
  • Proposal: Reverse iframe

    Abstract

    Currently ZeroNet uses a wrapper for sidebar and notifications UI, and embeds site content with an iframe. This proposal fixes some issues caused by iframing by embedding ZeroNet UI into site content.

    Rationale

    • #2165, #2057 - All features have to be marked unsafe by default, so supporting new ones is troublesome;
    • #2154 - Most people don't understand what NOSANDBOX means;
    • #2086 - Some interactive content in iframes might get blocked;
    • #2058 - Pull-to-refresh is working weird with iframes;
    • #2003 - "Opening as child window" is sometimes impossible to bypass;
    • #1736 - Opening link in a new tab is more difficult than required;
    • #1707, #565 - Embedding a site into a site is unsafe with an iframe;
    • #1667 - Browser header style can only be set by root frame;
    • #1403 - Scrolling is impossible, iframe is most likely the reason;
    • #1399, #1054, #29 - localStorage, IndexedDB, etc. are not available in sandboxed iframes;
    • #1237 - Fullscreen API doesn't work;
    • #1236, #1262 - Some Vue plugins don't work;
    • #1010 - Creating Web Workers requires data: URI usage;
    • #469 - History management requires ZeroFrame usage.

    Overview

    Current architecture:

    ┌─────────────────────────────────────────────────────┐
    │ WRAPPER (src/Ui/template/wrapper.html)              │
    │ Stores secrets (e.g. wrapper key)                   │
    │ ┌─────────────────────────────────────────────────┐ │
    │ │ WS UPLINK                                       │ │
    │ │ UiWebsocket API                                 │ │
    │ └─────────────────────────────────────────────────┘ │
    │ ┌─────────────────────────────────────────────────┐ │
    │ │ NOTIFICATIONS (<div>)                           │ │
    │ │ ╔═════════════════════════════════════════════╗ │ │
    │ │ ║ SITE NOTIFICATIONS (<div>)                  ║ │ │
    │ │ ║ Unsafe content (possible XSS)               ║ │ │
    │ │ ╚═════════════════════════════════════════════╝ │ │
    │ │ ┌─────────────────────────────────────────────┐ │ │
    │ │ │ WRAPPER NOTIFICATIONS (<div>)               │ │ │
    │ │ │ Safe content (no leaking or spoofing)       │ │ │
    │ │ └─────────────────────────────────────────────┘ │ │
    │ └─────────────────────────────────────────────────┘ │
    │ ┌─────────────────────────────────────────────────┐ │
    │ │ SIDEBAR (<div>)                                 │ │
    │ │ Site and key management, safe                   │ │
    │ │ ╔═════════════════════════════════════════════╗ │ │
    │ │ ║ SITE DATA                                   ║ │ │
    │ │ ║ Title, description, donate links, etc.      ║ │ │
    │ │ ╚═════════════════════════════════════════════╝ │ │
    │ └─────────────────────────────────────────────────┘ │
    │ ╔═════════════════════════════════════════════════╗ │
    │ ║ IFRAME SANDBOX                                  ║ │
    │ ║ Unsafe content (managed by site code)           ║ │
    │ ╚═════════════════════════════════════════════════╝ │
    └─────────────────────────────────────────────────────┘
    

    Safety layers are separated with double border.

    No software has zero bugs. This includes security issues. There are many possible attack points here:

    • Site notifications (protected by manual escaping) were exploited by me, revealing site private keys;
    • Sidebar content (protected by manual escaping) wasn't exploited according to my sources, but it's still a valid point of attack;
    • Iframe sandbox (protected by browser) is in theory unbreakable, but still adds unnecessary complexity;
    • The final attack point is the external iframe (in case the wrapper is in an iframe itself). This was exploited by me once.

    Proposed architecture:

    ┌─────────────────────────────────────────────────────┐
    │ HTML PAGE                                           │
    │ ┌─────────────────────────────────────────────────┐ │
    │ │ PREFIX (shadow DOM)                             │ │
    │ │ Practically invisible to site content           │ │
    │ │ ┌─────────────────────────────────────────────┐ │ │
    │ │ │ SITE NOTIFICATIONS (<div>)                  │ │ │
    │ │ │ Unsafe content (possible XSS)               │ │ │
    │ │ └─────────────────────────────────────────────┘ │ │
    │ │ ╔═════════════════════════════════════════════╗ │ │
    │ │ ║ WRAPPER NOTIFICATIONS (<iframe>)            ║ │ │
    │ │ ║ Safe content (no leaking or spoofing)       ║ │ │
    │ │ ╚═════════════════════════════════════════════╝ │ │
    │ │ ╔═════════════════════════════════════════════╗ │ │
    │ │ ║ SIDEBAR (iframe)                            ║ │ │
    │ │ ║ Site and key management                     ║ │ │
    │ │ ║ ╔═════════════════════════════════════════╗ ║ │ │
    │ │ ║ ║ GATE (iframe)                           ║ ║ │ │
    │ │ ║ ║ ┌─────────────────────────────────────┐ ║ ║ │ │
    │ │ ║ ║ │ WS UPLINK                           │ ║ ║ │ │
    │ │ ║ ║ │ UiWebsocket API (ADMIN)             │ ║ ║ │ │
    │ │ ║ ║ └─────────────────────────────────────┘ ║ ║ │ │
    │ │ ║ ╚═════════════════════════════════════════╝ ║ │ │
    │ │ ╚═════════════════════════════════════════════╝ │ │
    │ │ ╔═════════════════════════════════════════════╗ │ │
    │ │ ║ GATE (iframe)                               ║ │ │
    │ │ ║ ┌─────────────────────────────────────────┐ ║ │ │
    │ │ ║ │ WS UPLINK                               │ ║ │ │
    │ │ ║ │ UiWebsocket API (site)                  │ ║ │ │
    │ │ ║ └─────────────────────────────────────────┘ ║ │ │
    │ │ ╚═════════════════════════════════════════════╝ │ │
    │ └─────────────────────────────────────────────────┘ │
    │ ┌─────────────────────────────────────────────────┐ │
    │ │ SITE DATA                                       │ │
    │ │ Unsafe content (managed by site code)           │ │
    │ └─────────────────────────────────────────────────┘ │
    └─────────────────────────────────────────────────────┘
    

    Sure, it might look more difficult at first glance, but security comes with a cost.

    Resulting HTML

    The resulting HTML (the one that browser receives) consists of a prefix and the real site .html file.

    Prefix

    Prefix is a "magic" HTML code that sets up an analogue of what was a wrapper by creating a shadow DOM node. This ensures that the sidebar and notifications are shown correctly, independent of main site styles, and that it doesn't affect the site itself.

    Gate

    A gate is an iframe that acts like a gate between UiWebsocket and its user. The gate handler uses the referrer to check what permissions the websocket must have.

    Fixed issues / added features

    • #2165, #2057 - All features are now safe;
    • #2154 - No need for NOSANDBOX anymore;
    • #2086 - The only interactive content is simple notifications (i.e. buttons);
    • #2058 - Pull-to-refresh can now be controlled by the site;
    • #2003 - No need to be top frame anymore;
    • #1736 - Opening in a new tab made easy;
    • #1707, #565 - Embedding made possible (requires a separate proposal);
    • #1667 - Controlled by the site now;
    • #1403 - Scrolling is fixed;
    • #1399, #1054, #29 - localStorage, IndexedDB, etc. made possible (requires a separate proposal);
    • #1237 - Fullscreen API without ZeroFrame;
    • #1236, #1262 - SecurityError's fixed;
    • #1010 - Web Workers by path should work now;
    • #469 - History API without ZeroFrame.

    Implementation status

    • [x] Prefix
    • [x] Gate
    • [ ] 0 button
    • [ ] Sidebar
    • [ ] Debug logs
    • [ ] Notifications
    • [ ] Modified panel
    • [x] Old wrapper compatibility
    • [ ] Local storage
    • [ ] Wrapper commands
      • [x] innerReady [compat]
      • [x] innerLoaded & wrapperInnerLoaded [compat]
      • [ ] wrapperNotification, wrapperConfirm, wrapperPrompt, wrapperProgress
      • [x] wrapperSetViewport [compat]
      • [x] wrapperSetTitle [compat]
      • [x] wrapperReload [compat]
      • [ ] wrapperGetLocalStorage & wrapperSetLocalStorage
      • [x] wrapperPushState, wrapperReplaceState, wrapperGetState [compat]
      • [ ] wrapperGetAjaxKey
      • [x] wrapperOpenWindow [compat]
      • [ ] wrapperPermissionAdd
      • [x] wrapperRequestFullscreen [compat]
      • [ ] wrapperWebNotification & wrapperCloseWebNotification [compat]

    ETA: at most 1 week if no major issues are found

    opened by imachug 92
  • Switch to sslcrypto for cryptography tasks

    sslcrypto is a new MIT-licensed library I've recently made. It supports AES and ECC. I originally made it to get rid of GPLv3 pyelliptic, but interestingly it turned out even more useful.

    First, it replaces pyelliptic, pybitcointools and a part of CryptMessage so there's less code involved. Second, it supports both OpenSSL backend and pure-Python fallback both for AES and ECC (pyelliptic doesn't support pure-Python ECC so CryptMessage didn't work on some machines). Third, it's licensed under MIT (I can add any other license you choose) so we wouldn't have problems if we wanted to re-license a part of ZeroNet code under some lax license. Fourth, it supports all OpenSSL versions since 0.9.8 (other cryptography libraries support a lot less). Fifth, its fallback implementation is a bit safer than pybitcointools because it fixes a vulnerability (I don't want to name it here to avoid possible private key leaks).

    Sixth, it's fast. Plain performance tests say that it's about as fast as pyelliptic (both for AES and ECC) and that its fallback implementation is 1.5 times faster than pybitcointools (ECIES only, ECDSA is about the same). However, some tests I ran on ZeroMail show that message decryption is about 2 or 3 times faster than the current version (I've only run tests on single-thread model because more threads are slower for me for some reason both for sslcrypto and your version).

    Additionally, sslcrypto is tested on Python 3.4 to 3.8 with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 and 1.1.1.

    /cc @filips123


    This PR closes #1974, closes #917 and closes #993.

    opened by imachug 76
  • IPV6 Supports in the smallest code change

    If you cannot wait for the official IPv6 support, you can use the IPv6 version by directly replacing the core code (see: zihu.bit/?Topic:1537342516_1K7tW4WEbso38uMs4RN3W7GihA6tTqrApz/+IPV6). (I deleted the original source on GitHub because ZeroNet would move to Python 3 and much of the code would change; this PR would be just a reference for Python 3.) IPv6 support: (If you do not have IPv6, these changes do not change the logic of your code. If you have a public IPv6 address, these changes let you choose IPv6 as your connection server first (users can be allowed to choose if needed), not your public IPv4 address, and you can still connect to IPv4 peers and IPv4 trackers.)

    • [x] UDP/TCP Trackers Supports

    • [x] Peer Exchange Supports

    • [x] BigFile Supports

    • [x] Bootstrapper Supports

    • [x] Tested in real condition

    opened by tangdou1 60
  • Fixing Licensing Issues

    Ok, so first we have our license violations. All of these have a license that's currently incompatible with ZeroNet's GPLv2 License:

    • Sidebar/media_globe/globe.js - Apache 2
    • pyelliptic - GPLv3
    • msgpack - Apache 2
    • rsa - Apache 2
    • gevent websocket - Apache 2
    • bencode.py - BitTorrent License
    • Coincurve - Apache 2
    • python-bitcoinlib

    Now... I propose 2 steps that will solve all of this:

    1. Switch to GPLv3 license. This will allow for pyelliptic, python-bitcoinlib, and all Apache 2 licensed-libraries being used (Apache 2 is not compatible with GPLv2, but is compatible with GPLv3)
    2. Switch out bencode.py for an alternative that @imachug has just published to PyPi - https://pypi.org/project/bencode-open/

    If you don't wish to change to GPLv3, then we need to find a way to replace all of the 8 libraries above, or we can switch out pyelliptic and python-bitcoinlib for an alternative and find a new license that is compatible with Apache 2.

    opened by krixano 59
  • Merger sites

    The Merger sites feature allows you to query and display other sites' data. Using this, it's possible to create infinitely scalable social sites by having separate sites for every user profile, so you will get updates for profiles that you follow.

    ZeroMe: A twitter-like social site

    • [x] Layout mockups:
      • [x] Welcome page
      • [x] Profile profile
      • [x] User search
      • [x] News feed
    • [x] Static html version
      • [x] Welcome page
      • [x] Profile profile
      • [x] User search
      • [x] News feed
    • [x] Logo
    • [X] Merger site permission handling/request
    • [X] New database structure to allow easier and faster joins
    • [X] Merge sub-site data files to merger site's database
    • [X] Sub-site adding/delete/list
    • [x] Make Sign/File operations merger site compatible: actionSiteSign, actionSitePublish, actionFileWrite, actionFileDelete, actionFileGet, actionFileRules
    • [x] Profile page data structure
    • [x] Merger site rebuild DB
    • [x] Profile page db structure
    • [x] User directory data structure
    • [x] User directory db structure
    • [x] Update database on new merger/merged site add/remove
    • [x] User directory
    • [x] Sub-site feed listing
    • [x] Profile creation
    • [x] Profile page
    • [x] Profile editing
    • [x] Posting
    • [x] Post editing
    • [x] Post deleting
    • [x] Activity list
    • [x] Like
    • [x] Commenting
    • [x] Comment editing
    • [x] Comment deleting
    • [x] Follow profile
    • [x] List followed users
    • [x] Auto download new site on follow
    • [x] Following without registered profile
    • [x] Also update user database on profile modification
    • [x] User content delete solution for efficient user directory archiving
    • [x] Avatar upload

    Later:

    • [ ] Re-share
    • [ ] File upload
    • [ ] Image upload with thumbnail generation (optional files)

    ZeroHello:

    • [ ] Group sites by type
    enhancement hard 
    opened by HelloZeroNet 58
  • Rebase ZeroNet infrastructure to IPFS or Dat

    ZeroTalk: http://127.0.0.1:43110/Talk.ZeroNetwork.bit/?Topic:1538407463_14ytAKDfNjArMTqGecTi7ginG3aZTsRAum/Rebase+ZeroNet+infrastructure+to+IPFS+or+Dat

    Advantage: DHT, archiving system, bigger developer team & community, no repeated code… Also a chance to migrate to Python 3.

    Before I start to write code, is there any suggestion for me?

    opened by 0polar 57
  • ZeroNet Censorship! .bit domains not working with ZeroNet!

    I have registered a domain with the .bit TLD and configured the name accordingly, and also included the domain field in the content.json file, but can't get it to work!

    Ping: @HelloZeroNet @JeremyRand @imachug

    opened by ghost 54
  • Road to better sandbox. Lowercase announce

    This is the first PR of the "Road to better sandbox" series. This one announces lower-case site addresses as well as full site addresses to trackers.

    The next steps should be:

    • Refer to sites with lowercase addresses only;
    • Support http://address.zeronet or zhttp://address or zero://address schemes;
    • Switch to reverse iframe.
    opened by imachug 49
  • Browser plugin for 127.0.0.1:43110 -less site access

    Possibilities:

    • Browser plugin with custom zero:// protocol handler. Access sites: zero://talk.zeronetwork.bit zero://1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr
    • Browser plugin, but keep http://. Access sites: http://1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr(.zero?), http://talk.zeronetwork.bit. Can be problematic if .bit site also has zeronet and clearnet address
    • Using system's host file maps all site address to 127.0.0.0, this allows to access zeronet sites in any browser using http://talk.zeronetwork.bit (needs to map zeronet webui to port 80). Access new sites can be problematic.
    • Register a domain and map all subdomain to 127.0.0.1 (needs to map zeronet webui to port 80). Access sites using http://talk.zeronetwork.bit.gozero.net
    • Extend zeronet to also act as dns server and configure your os to 127.0.0.1 dns. Access sites like http://talk.zeronetwork.bit

    Something you can do now: add 127.0.0.1 zero to your host file, start zeronet with zeronet.py --ui_port 80 then you can access zeronet sites http://zero/talk.zeronetwork.bit

    Probably the browser plugin is the best solution (if possible)

    enhancement help wanted 
    opened by HelloZeroNet 45
  • IPV6 Supports

    IPv6 support: (If you do not have IPv6, these changes do not change the logic of your code. If you have a public IPv6 address, these changes let you choose IPv6 as your connection server first (users can be allowed to choose if needed), not your public IPv4 address, and you can still connect to IPv4 peers and IPv4 trackers.)

    • [x] UDP/TCP Trackers Supports

    • [x] Peer Exchange Supports

    • [x] BigFile Supports

    • [x] Bootstrapper Supports

    • [x] Testing

    opened by tangdou1 43
  • Gzipped file support

    To reduce space/network bw used by data files:

    • On network protocol level: less work, but does not reduce the storage requirements
    • On file storage level
    enhancement medium 
    opened by HelloZeroNet 42
  • Spammers attack ZeroNet with hostile forks in order to defraud ZeroNet users.

    @caryoscelus is still spamming this repository with her ostensibly "zeronet conservancy" fork, which is nothing more than a scam in which she simply changed the donation addresses without making any significant changes.

    You should avoid using the fork promoted by @caryoscelus; she has also spammed the ZeroNet Wikipedia page with links to her fork.

    While the name implies "preserving ZeroNet," the entire fork is about defrauding ZeroNet users and "rewriting ZeroNet" from Python to a creepy language called Rust, which was created in 2010. She formed a phoney organization called "Riza committee" with some seriously deranged individuals with the goal of completely destroying ZeroNet.

    Except for the word "conservation," "ZeroNet conservancy" refers to everything. It's a giant scam.

    You're mistaken if you think you can hide behind @imachug.

    Imachug is a retard who attacked ZeroNet users and faked a license change, literally manipulating legal voting to ensure that ZeroNet will have a GPLv3 license rather than a GPLv3+, then @imachug pretended he is standing with RMS (Richard Stallman) and even became the creator of the "Stand with RMS" campaign on GitHub, which has since been archived.

    If, as he claims, @imachug has changed over the years, he should speak out against your hostile fork @caryoscelus. Even if he doesn't, I will, so prepare yourself.

    I will not fail ZeroNet; I did not fail when the license was changed, and I will not fail now.

    opened by redarmyfaction 9
  • fix(sec): upgrade msgpack to 0.6.0

    What happened?

    There is 1 security vulnerability found in msgpack 0.4.4

    What did I do?

    Upgrade msgpack from 0.4.4 to 0.6.0 for vulnerability fix

    What did you expect to happen?

    Ideally, no insecure libs should be used.

    The specification of the pull request

    PR Specification from OSCS

    opened by chncaption 4
  • zeroid not working for create id

    Step 1: Please describe your environment

    • ZeroNet version: _____
    • Operating system: _____
    • Web browser: _____
    • Tor status: not available/always/disabled
    • Opened port: yes/no
    • Special configuration: ____

    Step 2: Describe the problem:

    Steps to reproduce:




    Observed Results:

    • What happened? This could be a screenshot, a description, log output (you can send log/debug.log file to [email protected] if necessary), etc.

    Expected Results:

    • What did you expect to happen?
    opened by sdg3m 2
  • Potential SQL Injection

    Step 1: Vulnerable Code to SQL INJECTION

    • ZeroNet version: latest
    • Operating system: all operating system

    Step 2: Describe the problem:

    The types of attacks that can be performed using SQL injection vary depending on the type of database engine. The attack works on dynamic SQL statements. A dynamic statement is a statement that is generated at run time using parameters password from a web form or URI query string.

    Vulnerable Code: https://github.com/HelloZeroNet/ZeroNet/blob/py3/plugins/OptionalManager/ContentDbPlugin.py line 126 is vulnerable to SQL injection:

    res = cur.execute("SELECT * FROM content WHERE size_files_optional > 0 AND site_id = %s" % site_id)

    An attacker can bypass like that: "site_id OR malicious_sql_query#

    How to prevent SQLI?

    User input should never be trusted – it must always be sanitized before it is used in dynamic SQL statements.

    • Stored procedures – these can encapsulate the SQL statements and treat all input as parameters.
    • Prepared statements – prepared statements work by creating the SQL statement first, then treating all submitted user data as parameters. This has no effect on the syntax of the SQL statement.
    • Regular expressions – these can be used to detect potentially harmful code and remove it before executing the SQL statements.
    • Database connection user access rights – only necessary access rights should be given to accounts used to connect to the database. This can help reduce what the SQL statements can perform on the server.
    • Error messages – these should not reveal sensitive information and where exactly an error occurred. Simple custom error messages such as “Sorry, we are experiencing technical errors. The technical team has been contacted. Please try again later” can be used instead of displaying the SQL statements that caused the error.

    Observed Results:

    Expected Results:

    • SQL injection attack occurs when:

    Unintended data enters a program from an untrusted source. The data is used to dynamically construct a SQL query.

    opened by MustafaBilgici 7
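
The string-formatted query quoted in the issue above, next to a bound-parameter form, as an added example that is not ZeroNet's code. The table layout beyond `site_id` and `size_files_optional`, the sample rows and the function names are constructed for illustration; whether the quoted line ever receives attacker-controlled input depends on where `site_id` comes from, which the issue does not show.

```python
import sqlite3

# Query text as quoted in the issue: the value becomes part of the SQL text.
QUERY_FORMATTED = "SELECT * FROM content WHERE size_files_optional > 0 AND site_id = %s"
# Same query with a placeholder: the value is bound, never parsed as SQL.
QUERY_BOUND = "SELECT * FROM content WHERE size_files_optional > 0 AND site_id = ?"


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE content (content_id INTEGER PRIMARY KEY, site_id INTEGER, "
        "inner_path TEXT, size_files_optional INTEGER)"
    )
    db.executemany(
        "INSERT INTO content (site_id, inner_path, size_files_optional) VALUES (?, ?, ?)",
        [
            (1, "content.json", 4096),
            (1, "data/users/content.json", 0),
            (2, "content.json", 8192),
            (3, "content.json", 1024),
        ],
    )
    return db


def optional_content_formatted(db, site_id):
    """The pattern from the issue: string formatting builds the statement."""
    return db.execute(QUERY_FORMATTED % site_id).fetchall()


def optional_content_bound(db, site_id):
    """Bound parameter: a non-numeric string is compared as a value and matches nothing."""
    return db.execute(QUERY_BOUND, (site_id,)).fetchall()


def optional_content_strict(db, site_id):
    """Bound parameter plus a type check, so bad input fails loudly instead of silently."""
    if type(site_id) is not int:
        raise TypeError("site_id must be an int, got %r" % type(site_id).__name__)
    return optional_content_bound(db, site_id)


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input; AND binds tighter than OR
    print("formatted, site_id=1:", len(optional_content_formatted(db, 1)), "row(s)")
    print("formatted, crafted:  ", len(optional_content_formatted(db, crafted)), "row(s)")
    print("bound, crafted:      ", len(optional_content_bound(db, crafted)), "row(s)")
```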
  • Error

    错误:./main.go:177:8:标识符中的字符 U+FF1A ':' 无效 错误:./main.go:177:8: 语法错误: 意外: 在语句的末尾 错误:./main.go:177:19: 无效字符 U+3002 '。' 在标识符中 错误:./main.go:177:31:标识符中的字符 U+FF08 '(' 无效 错误:./main.go:177:34: 标识符中的字符 U+201C '“' 无效 错误:./main.go:177:38: 标识符中的字符 U+201D '“' 无效 错误:./main.go:177:41:标识符中的字符 U+FF0C ',' 无效 错误:./main.go:177:44: 标识符中的字符 U+201C '“' 无效 错误:./main.go:177:56: 标识符中的字符 U+201D '“' 无效 错误:进程已完成,退出代码为 2。 QQ图片20220828082429

    opened by Shizuku582 1
Releases(v0.7.1)
  • v0.7.1(Sep 6, 2019)

    • Pull down top-right 0 button to show console
    • New UiPluginManager plugin: Manage and install third-party plugins.
    • Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
    • Fix a bug that did not load merged site data for 5 sec after the site got added
    • Add fake SNI and ALPN to peer connections to make it more like standard https connections

    Important security update:

    Wrapper template HTML injection vulnerability [Reported by ivanq]

    In ZeroNet before rev4188 the wrapper template variables were rendered incorrectly.

    Result: The opened site was able to gain a WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values and possibly achieve RCE on the client's machine.

    Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations, restricted open_browser configuration values to avoid possible RCE in case of sandbox escape.

  • v0.7.0(Sep 6, 2019)

    • Re-factored code to Python3 runtime (compatible with Python 3.4-3.8)
    • More safe database sync mode
    • Removed bundled third-party libraries where it's possible
    • 5-10x faster signature verification by using libsecp256k1 (Thanks to ZeroMux)
    • Generated SSL certificate randomization to avoid protocol filters (Thanks to ValdikSS)
    • P2P source code update using ZeroNet protocol
    • Offline mode
    • Fix sending files with \0 characters
  • v0.6.5(Feb 16, 2019)

    • IPv6 support in peer exchange, bigfiles, optional file finding, tracker sharing, socket listening and connecting (based on tangdou1 modifications)
    • New tracker database format with IPv6 support
    • Refactored port open checking with IPv6 support
    • Display notification if there is an unpublished modification for your site
    • Consider non-local IPs as external even if the open port check fails (for CJDNS and Yggdrasil support)
    • Listen and shut down normally for SIGTERM (Thanks to blurHY)
    • Check the length of master seed when executing cryptGetPrivatekey CLI command
    • Only reload source code on file modification / creation
    • Add IPv6 tracker and change unstable tracker
    • Support tilde ~ in filenames (by d14na)
    • Detection and issue warning for latest no-script plugin
    • Don't correct sent local time with the calculated time correction
    • Support map for Namecoin subdomain names (Thanks to lola)
    • Add log level to config page
    • Don't show meek proxy option if the tor client does not support it
    • Quick check content.db on startup and rebuild if necessary
    • Only support CREATE commands in dbschema indexes node and SELECT from storage.query
    • Support {data} for data dir variable in trackers_file value
    • Disable CSP for Edge
    • Fix site cloning before site downloaded (Reported by unsystemizer)
    • Fix queryJson for non-list nodes (Reported by MingchenZhang)
    • Fix multi-line parsing of zeronet.conf (Reported by xx)
    • Fix site deletion from users.json
    • Fix sql queries with lots of variables and sites with lots of content.json (Reported by xx)
    • Fix atomic write of a non-existent file
  • v0.6.4(Oct 20, 2018)

    Added

    • New plugin: UiConfig. A web interface that allows changing ZeroNet settings.
    • New plugin: AnnounceShare. Share trackers between users, automatically announce client's ip as tracker if Bootstrapper plugin is enabled.
    • Global tracker stats on ZeroHello: Include statistics from all served sites instead of displaying request statistics only for one site.
    • Support custom proxy for trackers. (Configurable with /Config)
    • Adding peers to sites manually using zeronet_peers get parameter
    • Copy site address with peers link on the sidebar.
    • Zip file listing and streaming support for Bigfiles.
    • Tracker statistics on /Stats page
    • Peer reputation save/restore to speed up sync time after startup.
    • Full support fileGet, fileList, dirList calls on tar.gz/zip files.
    • Archived_before support to user content rules to allow deletion of all user files before the specified date
    • Show and manage "Connecting" sites on ZeroHello
    • Add theme support to ZeroNet sites
    • Dark theme for ZeroHello, ZeroBlog, ZeroTalk

    Changed

    • Dynamic big file allocation: More efficient storage usage by not pre-allocating the whole file at the beginning, but expanding the size as the content downloads.
    • Reduce the request frequency to unreliable trackers.
    • Only allow 5 concurrent checkSites to run in parallel to reduce load under Tor/slow connection.
    • Stop site downloading if it reached 95% of site limit to avoid download loop for sites out of limit
    • Pinned optional files won't be removed from the download queue after 30 retries and won't be deleted even if the site owner removes them.
    • Don't remove incomplete (downloading) sites on startup
    • Remove --pin_bigfile argument as big files are automatically excluded from optional files limit.

    Fixed

    • Trayicon compatibility with latest gevent
    • Request number counting for zero:// trackers
    • Peer reputation boost for zero:// trackers.
    • Blocklist of peers loaded from peerdb (Thanks tangdou1 for report)
    • Sidebar map loading on foreign languages (Thx tangdou1 for report)
    • FileGet on non-existent files (Thanks mcdev for reporting)
    • Peer connecting bug for sites with low amount of peers

    "The Vacation" Sandbox escape bug [Reported by GitCenter / Krixano / ZeroLSTN]

    In ZeroNet 0.6.3 Rev3615 and earlier, as a result of invalid file type detection, a malicious site could escape the iframe sandbox.

    Result: Browser iframe sandbox escape

    Applied fix: Replaced the previous file-extension-based file type identification with a proper one.

    Affected versions: All versions before ZeroNet Rev3616

  • v0.6.3(Oct 20, 2018)

    Added

    • New plugin: ContentFilter, which allows shared site and user block lists.
    • Support Tor meek proxies to avoid tracker blocking of GFW
    • Detect network-level tracker blocking and allow easy setup of a meek proxy for tracker connections.
    • Support downloading 2GB+ sites as .zip (Thx to Radtoo)
    • Support ZeroNet as a transparent proxy (Thx to JeremyRand)
    • Allow fileQuery as CORS command (Thx to imachug)
    • Windows distribution includes Tor and meek client by default
    • Download sites as zip link to sidebar
    • File server port randomization
    • Implicit SSL for all connections
    • fileList API command for zip files
    • Auto download bigfiles size limit on sidebar
    • Local peer number to the sidebar
    • Open site directory button in sidebar

    Changed

    • Switched to Azure Tor meek proxy as Amazon one became unavailable
    • Refactored/rewritten tracker connection manager
    • Improved peer discovery for optional files without opened port
    • Also delete Bigfile's piecemap on deletion

    Fixed

    • Important security issue: Iframe sandbox escape [Reported by Ivanq / gitcenter]
    • Local peer discovery when running multiple clients on the same machine
    • Uploading small files with Bigfile plugin
    • Ctrl-c shutdown when running CLI commands
    • High CPU/IO usage when Multiuser plugin enabled
    • Firefox back button
    • Peer discovery on older Linux kernels
    • Optional file handling when multiple files have the same hash_id (first 4 chars of the hash)
    • Msgpack 0.5.5 and 0.5.6 compatibility
  • v0.6.2(Feb 18, 2018)

    ZeroNet 0.6.2 (2018-02-18)

    Added

    • New plugin: AnnounceLocal to make ZeroNet work without an internet connection on the local network.
    • Allow dbQuery and userGetSettings using the as API command on different sites with Cors permission
    • New config option: --log_level to reduce log verbosity and IO load
    • Prefer to connect to recent peers from trackers first
    • Also mark peers with port 1 as unconnectable, as a future fix for trackers that do not support port 0 announce

    Changed

    • Don't keep connection for sites that have not been modified in the last week
    • Change unreliable trackers to new ones
    • Send a maximum of 10 findhash requests in one find optional files round (15sec)
    • Change "Unique to site" to "No certificate" for default option in cert selection dialog.
    • Don't print warnings if not in debug mode
    • Generalized tracker logging format
    • Only recover sites from sites.json if they had peers
    • A message from local peers does not mean there is an internet connection
    • Removed --debug_gevent and turned on Gevent block logging by default

    Fixed

    • Limit connections to 512 to avoid reaching 1024 limit on windows
    • Exception when logging foreign operating system socket errors
    • Don't send private (local) IPs on pex
    • Don't connect to private IPs in tor always mode
    • Properly recover data from msgpack unpacker on file stream start
    • Symlinked data directory deletion when deleting site using Windows
    • De-duplicate peers before publishing
    • Bigfile info for non-existing files
  • v0.6.1(Jan 25, 2018)

    Added

    • New plugin: Chart
    • Collect and display charts about your contribution to ZeroNet network
    • Allow list as argument replacement in sql queries. (Thanks to imachug)
    • Newsfeed query time statistics (Click on "From XX sites in X.Xs" on ZeroHello)
    • New UiWebsocket API command: As, to run commands as another site
    • Ranged ajax queries for big files
    • Filter feed by type and site address
    • FileNeed, Bigfile upload command compatibility with merger sites
    • Send event on port open / tor status change
    • More description on permission request

    Changed

    • Reduce memory usage of sidebar geoip database cache
    • Change unreliable tracker to new one
    • Don't display the Cors permission request if it is already granted
    • Avoid UI blocking when rebuilding a merger site
    • Skip listing ignored directories on signing
    • In Multiuser mode show the seed welcome message when adding new certificate instead of first visit
    • Faster async port opening on multiple network interfaces
    • Allow javascript modals
    • Only zoom sidebar globe if mouse button is pressed down

    Fixed

    • Open port checking error reporting (Thanks to imachug)
    • Out-of-range big file requests
    • Don't output errors that happened on gevent greenlets twice
    • Newsfeed skip sites with no database
    • Newsfeed queries with multiple params
    • Newsfeed queries with UNION and UNION ALL
    • Fix site clone with sites larger than 10MB
    • Unreliable Websocket connection when requesting files from different sites at the same time
  • v0.6.0(Oct 17, 2017)

    Added

    • New plugin: Big file support
    • Automatic pinning on Big file download
    • Enable TCP_NODELAY for supporting sockets
    • actionOptionalFileList API command arguments to list non-downloaded files or only big files
    • serverShowdirectory API command arguments to allow displaying the site's directory in the OS file browser
    • fileNeed API command to initialize optional file downloading
    • wrapperGetAjaxKey API command to request nonce for AJAX request
    • Json.gz support for database files
    • P2P port checking (Thanks to grez911)
    • --download_optional auto argument to enable automatic optional file downloading for newly added site
    • Statistics for big files and protocol command requests on /Stats
    • Allow setting user limitation based on auth_address

    Changed

    • More aggressive and frequent connection timeout checking
    • Use out of msgpack context file streaming for files larger than 512KB
    • Allow optional files workers over the worker limit
    • Automatic redirection to wrapper on nonce_error
    • Send websocket event on optional file deletion
    • Optimize sites.json saving
    • Enable faster C-based msgpack packer by default
    • Major optimization on Bootstrapper plugin SQL queries
    • Don't reset bad file counter on restart, to make it easier to give up on unreachable files
    • Incoming connection limit changed from 1000 to 500 to avoid reaching socket limit on Windows
    • Changed tracker boot.zeronet.io domain, because zeronet.io got banned in some countries

    Fixed

    • Sub-directories in user directories
  • v0.5.7(Jul 30, 2017)

    Added

    • New plugin: CORS to request read permission to other site's content
    • New API command: userSetSettings/userGetSettings to store site's settings in users.json
    • Avoid file download if the file size does not match with the requested one
    • JavaScript and wrapper-less file access using /raw/ prefix
    • --silent command line option to disable logging to stdout

    Changed

    • Better error reporting on sign/verification errors
    • More tests for the sign and verification process
    • Update to OpenSSL v1.0.2l
    • Limit compressed files to 6MB to avoid zip/tar.gz bomb
    • Allow space, [], () characters in filenames
    • Disable cross-site resource loading to improve privacy. [Reported by Beardog108]
    • Download directly accessed Pdf/Svg/Swf files instead of displaying them to avoid wrapper escape using JS in an SVG file. [Reported by Beardog108]
    • Disallow potentially unsafe regular expressions to avoid ReDoS [Reported by MuxZeroNet]

    Fixed

    • Detecting data directory when running Windows distribution exe [Reported by Plasmmer]
    • OpenSSL loading under Android 6+
    • Error on exiting when no connection server started
  • v0.5.6(Jun 18, 2017)

    Fix

    • Proxy bypass during source upgrade
    • XSS vulnerability using DNS rebinding
    • Opened port checking
    • Standalone update.py argument parsing
    • uPnP crash on startup
    • CoffeeScript 1.12.6 compatibility
    • Multi value argument parsing
    • Database error when running from directory that contains special characters
    • Site lock violation logging

    Added

    • Callback for certSelect API command
    • More compact list formatting in json

    Changed

    • Remove obsolete auth_key_sha512 and signature format
    • Improved Spanish translation
  • v0.5.5(May 22, 2017)

    • Site blacklist option at deletion
    • Update cloned sites source code
    • New priority algorithm for faster site content display
    • Outgoing socket bind option
  • v0.5.4(Apr 18, 2017)

  • v0.5.3(Mar 15, 2017)

  • v0.5.2(Feb 24, 2017)

  • v0.5.1(Feb 8, 2017)

  • v0.5.0(Nov 18, 2016)

  • v.0.4.1(Sep 6, 2016)

  • v0.4.0(Sep 5, 2016)

  • v.0.3.7(Aug 10, 2016)

  • v0.3.6(Apr 20, 2016)

  • v0.3.5(Feb 1, 2016)

  • v0.3.4(Jan 4, 2016)
