View Source TFTP Release Notes

Tftp 1.3

The legacy and and or operators have been replaced with other language constructs.
Own Id: OTP-19744 Aux Id: PR-10114, PR-10554, PR-10568, PR-10579, PR-10585, PR-10598, PR-10710, PR-10718, PR-10580, PR-10730
All use of legacy catch in the TFTP application has been rewritten.
In the process, deep return using exit/1 or throw/1 from callbacks has been changed to only work with throw/1, as customary. This was considered a misfeature.
Explicit loading of callback module or logger module has been removed, since that was against what one would expect for embedded mode.
Own Id: OTP-19996 Aux Id: PR-10753
Added support for -unsafe attributes, which is used to mark functions as unsafe to use.
This is similar to but separate from deprecation, and the compiler will by default now generate warnings for calls to functions in Erlang/OTP that are known to be always unsafe.
Furthermore, xref can now be used to find calls to functions in another application that lack a -doc attribute (undocumented_function_calls), calls to functions in another application marked -doc false. (private_function_calls), as well as calls to unsafe functions (unsafe_function_calls).
Own Id: OTP-20066 Aux Id: PR-10839

An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.
The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.
The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.
Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.
Own Id: OTP-19981 Aux Id: PR-10706, CVE-2026-21620

The license and copyright header has changed format to include an SPDX-License-Identifier. At the same time, most files have been updated to follow a uniform standard for license headers.
Own Id: OTP-19575 Aux Id: PR-9670

An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.
The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.
The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.
Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.
Own Id: OTP-19981 Aux Id: PR-10706, CVE-2026-21620

Fix specs in tftp:read_file function.
Own Id: OTP-19446 Aux Id: PR-9327, ERIERL-1179

The legacy dependency to error_logger has been removed. logger is now used.
Own Id: OTP-19114

There is a new tftp_logger callback behavior module.
Own Id: OTP-18787 Aux Id: PR-7700
The documentation has been migrated to use Markdown and ExDoc.
Own Id: OTP-18955 Aux Id: PR-8026

An issue in the undocumented initial state option [{root_dir,Dir}] to the tftp_file module has been fixed. The request file name was just concatenated to Dir so it was possible to traverse above Dir by using "../" file path components. Now the option actually restricts local file operations to the Dir directory and subdirectories.
The initial state option and how to use it was previously undocumented, so it is unlikely that anyone would have used it without understanding its peculiarities.
The documentation of the TFTP application has also been clarified to make it obvious that the default server configuration allows read and write access to all files that are readable or writable by the user running the Erlang VM, and that the default configuration therefore should be avoided.
Thanks to Luigino Camastra at Aisle Research, for finding and reporting this issue.
Own Id: OTP-19981 Aux Id: PR-10706, CVE-2026-21620

Replaced unintentional Erlang Public License 1.1 headers in some files with the intended Apache License 2.0 header.
Own Id: OTP-18815 Aux Id: PR-7780

The implementation has been fixed to use proc_lib:init_fail/2,3 where appropriate, instead of proc_lib:init_ack/1,2.
* POTENTIAL INCOMPATIBILITY *
Own Id: OTP-18490 Aux Id: OTP-18471, GH-6339, PR-6843

Replace size/1 with either tuple_size/1 or byte_size/1
The size/1 BIF is not optimized by the JIT, and its use can result in worse types for Dialyzer.
When one knows that the value being tested must be a tuple, tuple_size/1 should always be preferred.
When one knows that the value being tested must be a binary, byte_size/1 should be preferred. However, byte_size/1 also accepts a bitstring (rounding up size to a whole number of bytes), so one must make sure that the call to byte_size/ is preceded by a call to is_binary/1 to ensure that bitstrings are rejected. Note that the compiler removes redundant calls to is_binary/1, so if one is not sure whether previous code had made sure that the argument is a binary, it does not harm to add an is_binary/1 test immediately before the call to byte_size/1.
Own Id: OTP-18432 Aux Id: GH-6672,PR-6793,PR-6784,PR-6787,PR-6785,PR-6682,PR-6800,PR-6797,PR-6798,PR-6799,PR-6796,PR-6813,PR-6671,PR-6673,PR-6684,PR-6694,GH-6677,PR-6696,PR-6670,PR-6674

Missing runtime dependencies has been added to this application.
Own Id: OTP-17243 Aux Id: PR-4557

Inets application was split into multiple smaller protocol specific applications. The TFTP application is a standalone TFTP client and server with the same functionality as TFTP in Inets.
Own Id: OTP-14113