ChangeLog and TODO list for lulzbuster
======================================

[ ] to be implemented
[.] in progress
[x] implemented
[-] canceled


===> 2.X.X

  [ ] new feature
      target list scan via -L <file> (one URL per line or '-' for stdin)
  [ ] new feature
      auto-probe backup variants on each hit (.bak, .old, ~, .swp, .orig)
  [ ] new feature
      vhost fuzzing mode: brute Host header instead of URL path
  [ ] new feature
      global rate limit (req/s cap) via token bucket
  [ ] new feature
      adaptive backoff on 429/503 honoring Retry-After
  [ ] new feature
      stdin wordlist support: -w -
  [ ] new feature
      enrichment columns in csv/jsonl: title, server, content-length
  [ ] new feature
      dry-run mode: print final URLs without firing
  [ ] new feature
      session resume across recursion levels (currently level 0 only)
  [ ] update
      migrate from manual thread pool to libcurl multi interface


===> 2.0.0

  [x] new feature
      -b / -B body regex match/exclude (POSIX extended, first 1 MiB)
  [x] update
      manpage docs/lulzbuster.1, installed via 'make install'
  [x] new feature
      -N flag for colored output, honors isatty + NO_COLOR env
  [x] new feature
      -m/-M response body size filters with K/M/G suffix
  [x] new feature
      mTLS client cert support: -E cert, -y key, -Y key passphrase
  [x] update
      added support for *BSD + MacOS
  [x] update
      -O for log/csv/jsonl/all/comma-list. -l auto-derives from -s when omitted
  [x] update
      extended all three wordlists


===> 1.8.0

  [x] new feature
      save/restore session on ctrl+c (level 0). resume with -z <file>
  [x] update
      per-code colored hit lines (2xx green, 3xx cyan, 4xx yellow, 5xx red)
  [x] update
      built-in UA list extended 51 -> 149 (modern browsers + AI crawlers)


===> 1.7.0

  [x] new feature
      recursive scan via -d <num> (default 0)
  [x] new feature
      -e <list> exclude paths from recursion (substring match)
  [x] bugfix
      http.c: check_conn_wildcard() ignored -p proxy


===> 1.6.0

  [x] new feature
      end-of-scan stats (duration, req/s, downloaded, code breakdown, hits)


===> 1.5.0

  [x] new feature
      hit table: lines and words columns counted in write_cb


===> 1.4.1

  [x] bugfix
      opts.c: -C/-R/-t/-T silently truncated to ushort
  [x] bugfix
      misc.c: touplow() one byte past buffer, build_urls() off-by-one
  [x] bugfix
      attack.c: size unit ladder (B/K/M/G) upside down, curjob race fixed
  [x] bugfix
      checks.c: check_file() unlink'd logfile unconditionally on -l
  [x] bugfix
      checks.c: check_proxy() crashed on -p '::' (strtok NULL)
  [x] bugfix
      opts.c: set_attack_urls() derefed tmpwords[0] without checking tmpwords
  [x] bugfix
      CURLOPT_DNS_CACHE_TIMEOUT was 1L, fixed to -1L (cache forever)


===> 1.4.0

  [x] update
      smart mode (-S) rewrite: 5 startup probes + runtime cluster detection.
      real-world: 6110 fps -> 37
  [x] new feature
      -K <num> tune smart mode cluster threshold (default 8)
  [x] bugfix
      ram usage on big wordlists: moved curl_easy_duphandle() into worker.
      big.txt: 1.47GB -> 55MB
  [x] bugfix
      http.c: srand(time(NULL)) reseeded every call, now once in init_http()
  [x] bugfix
      http.c: check_conn_wildcard() leaked randurl on curl_easy_init() failure
  [x] bugfix
      signals.c: handlers were dead code (never registered), now wired in main()
  [x] bugfix
      thpool.c: _POSIX_C_SOURCE redefinition warning
  [x] bugfix
      attack.c: cluster-detected message smashed \r-overwritten status line


===> 1.3.3

  [x] update
      update short description
  [x] update
      strip more unneeded GNU info symbols from binary
  [x] bugfix
      fix color codes in Makefile
  [x] bugfix
      fix a typo in help message


===> 1.3.2

  [x] update
      add sigaction() wrapper and signal handlers for later usage


===> 1.3.1

  [x] bugfix
      remove forgotten escape sequence char when loggin to file


===> 1.3.0

  [x] update
      do wildcard check for any HTTP resp. code except 404
  [x] bugfix
      skip 0 bytes size files/dirs
  [x] update
      remove count_lines() since not needed anymore


===> 1.2.0

  [x] update
      clean-up lists/*.txt (removed words with spaces)
  [x] update
      use libcurl's dns cache forever
  [-] update
      make fast if '-f' option was used. (handle 301 codes correctly). we
      probably would need to fetch location header and build/set new url :s
  [x] update
      add headline prior hit line
  [x] update
      add response time to stat line
  [x] update
      just for testing: let's get rid of pthread locks in attack.c for curl
      internals and see how it goes in future
  [x] update
      get rid of count_lines() in misc.c (not needed since we count already # of
      lines in read_lines())
  [x] update
      show also real size in bytes next to calculated size
  [x] bugfix
      fix a stupid bug at fclose()
  [x] update
      log also on stderr while '-l' was chosen
  [x] update
      update default excluded http status codes to: 400,404,500,501,502,503
  [x] update
      make better LOG functions and define them clearly so we can use it
      everywhere at anytime and don't mix shit
  [x] bugfix
      more fixes for wrong color codes
  [-] update
      pack opts_T struct


===> 1.1.0

  [x] update
      by default, turn off 'auto update referrer' of curl
  [x] update
      count num http ex codes outside of attack.c
  [x] update
      count num attack urls outside of attack.c
  [x] update
      set max line length (1024 bytes) to read from wordlists
  [x] update
      skip the curl-error checks in switch-case in do_req() for now, since we
      don't use it currently in pragmatic way anyway
  [x] update
      use a few register variables
  [x] bugfix
      fix wrong color reset code


===> 1.0.0

  [x] initial release
