TFTP Release Notes

Tftp 1.2.4

An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.
The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.
The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.
Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.
Own Id: OTP-19981 Aux Id: PR-10706, CVE-2026-21620

The license and copyright header has changed format to include an SPDX-License-Identifier. At the same time, most files have been updated to follow a uniform standard for license headers.
Own Id: OTP-19575 Aux Id: PR-9670

Fix specs in tftp:read_file function.
Own Id: OTP-19446 Aux Id: PR-9327, ERIERL-1179

The legacy dependency to error_logger has been removed. logger is now used.
Own Id: OTP-19114

There is a new tftp_logger callback behavior module.
Own Id: OTP-18787 Aux Id: PR-7700
The documentation has been migrated to use Markdown and ExDoc.
Own Id: OTP-18955 Aux Id: PR-8026

Replaced unintentional Erlang Public License 1.1 headers in some files with the intended Apache License 2.0 header.
Own Id: OTP-18815 Aux Id: PR-7780

The implementation has been fixed to use proc_lib:init_fail/2,3 where appropriate, instead of proc_lib:init_ack/1,2.
* POTENTIAL INCOMPATIBILITY *
Own Id: OTP-18490 Aux Id: OTP-18471, GH-6339, PR-6843

Replace size/1 with either tuple_size/1 or byte_size/1
The size/1 BIF is not optimized by the JIT, and its use can result in worse types for Dialyzer.
When one knows that the value being tested must be a tuple, tuple_size/1 should always be preferred.
When one knows that the value being tested must be a binary, byte_size/1 should be preferred. However, byte_size/1 also accepts a bitstring (rounding up size to a whole number of bytes), so one must make sure that the call to byte_size/ is preceded by a call to is_binary/1 to ensure that bitstrings are rejected. Note that the compiler removes redundant calls to is_binary/1, so if one is not sure whether previous code had made sure that the argument is a binary, it does not harm to add an is_binary/1 test immediately before the call to byte_size/1.
Own Id: OTP-18432 Aux Id: GH-6672,PR-6793,PR-6784,PR-6787,PR-6785,PR-6682,PR-6800,PR-6797,PR-6798,PR-6799,PR-6796,PR-6813,PR-6671,PR-6673,PR-6684,PR-6694,GH-6677,PR-6696,PR-6670,PR-6674

Missing runtime dependencies has been added to this application.
Own Id: OTP-17243 Aux Id: PR-4557

Inets application was split into multiple smaller protocol specific applications. The TFTP application is a standalone TFTP client and server with the same functionality as TFTP in Inets.
Own Id: OTP-14113