github tonikelope/megabasterd v8.24

5 hours ago

Big rollup release — comprehensive audit + fixes across the codebase (26 commits since 8.23). Focus on long-standing correctness, security and login reliability.

What's fixed

Login & MEGA API

  • Adds &v=3 + &ak= + &lang= to every API request, matching the official MEGA SDK / MEGAcmd. Without &ak=, MEGA's load balancer 402-throttles aggressively — this was the underlying cause of #614 ("argument 'content' is null", open since 2023) and the recurring "account works in megacmd, then MegaBasterd starts working" reports.
  • RAW_REQUEST now retries on HTTP 402 / 500 / 503 and surfaces a real MegaAPIException on retry exhaustion instead of returning null (which used to NPE every caller).
  • _seqno is now atomic (was racy across concurrent workers sharing one MegaAPI).
  • Login uses SecureRandom for the initial sequence number.

Crypto / integrity

  • VERIFY_CBC_MAC is now ON by default and corrupted output is deleted on mismatch instead of being left on disk with a 100% UI status. Should close the "random video corruption" / "decryption broken" class of reports (#740, #672, #746).
  • AES at-rest blobs (sessions, password_aes, user_hash) now use a per-blob random IV with a magic-prefix format. Backwards compatible — pre-8.24 blobs still decrypt; new writes use the new format. No DB migration needed.
  • SecureRandom (not java.util.Random) for every AES file key, CTR nonce, salt and request ID.
  • ChunkUploader chunk-MAC race fixed — could silently corrupt uploads ("MEGA API Error -2").
  • MegaProxyServer now binds to loopback only; constant-time auth compare; redacted Proxy-Authorization in logs.
  • sid= / uh= / mfa= redaction in error logs so bug reports don't leak session tokens.
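
The log redaction and constant-time proxy auth compare from the two items above, as an added example that is not MegaBasterd's own code. The class name, the regexes, the [REDACTED] marker and the hash-then-compare approach are assumptions; the sample lines are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Pattern;

public class ProxyLogHygiene {
    // Parameter names taken from the release notes; the value runs to the next delimiter.
    private static final Pattern SECRET_PARAM =
            Pattern.compile("(?i)\\b((?:sid|uh|mfa)=)[^&\\s\"']*");
    // Keep the header name, drop scheme and credential up to the end of the line.
    private static final Pattern PROXY_AUTH =
            Pattern.compile("(?i)(Proxy-Authorization:\\s*)[^\\r\\n]*");

    /** Returns a copy of the text that is safe to log or paste into a bug report. */
    static String redact(String text) {
        if (text == null) return null;
        String out = SECRET_PARAM.matcher(text).replaceAll("$1[REDACTED]");
        return PROXY_AUTH.matcher(out).replaceAll("$1[REDACTED]");
    }

    /** Credential check whose timing does not depend on where the inputs first differ. */
    static boolean authMatches(String presented, String expected) throws NoSuchAlgorithmException {
        if (presented == null || expected == null) return false;
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        // Hashing first gives equal-length arrays, so the secret's length is not exposed either.
        byte[] a = sha.digest(presented.getBytes(StandardCharsets.UTF_8));
        byte[] b = sha.digest(expected.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample lines; host, token and credential values are made up.
        String url = "POST https://api.example.invalid/cs?id=7&sid=AAAAconstructedTOKEN&v=3 -> 500";
        String hdr = "recv header: Proxy-Authorization: Basic Y29uc3RydWN0ZWQ6ZGVtbw==";
        System.out.println(redact(url));
        System.out.println(redact(hdr));
        System.out.println("match:    " + authMatches("Basic abc", "Basic abc"));
        System.out.println("mismatch: " + authMatches("Basic abd", "Basic abc"));
    }
}
```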

Stuck / "joining file chunks never stops" / .McTemp persists

  • Removed the global static ChunkWriterManager.JOIN_CHUNKS_LOCK (one bad path could deadlock every concurrent download app-wide).
  • _output_stream is now closed even on exception paths (Windows used to lock the .McTemp on a mid-flight failure).
  • Closes #706, #728, #684, #433, #557, #586, #570.

Single-instance / startup

  • File-lock based single-instance detection (previously a foreign process holding port 1338 made MegaBasterd silently exit on startup — #717).
  • Migration typo fixed in _check_old_version: every user since who-knows-when was losing settings on upgrade because old_version_minor was never assigned.
  • parseInt(selectSettingValue(...)) is wrapped — a single corrupt setting no longer aborts startup with a stack trace.
  • pom.xml source/target bumped from 1.8 → 11 (the code already required Java 11).

Resources / leaks

  • HttpURLConnection error streams drained before disconnect (was 0 occurrences across the codebase → socket churn on every 509/403/429).
  • Keep-alive preserved on API success path.
  • SqliteSingleton rewrite — previously every try(Connection conn = ...getConn()) closed the cached singleton on each call, defeating the cache entirely. Should reduce SQLITE_READONLY-class flakes.
  • Try-with-resources on ChunkUploader RAF, FileMergerDialog parts, Download._output_stream, MegaAPI.uploadThumbnails.
  • Thumbnailer/Xuggler native cleanup on every exit path. deleteOnExit + startup sweep for orphan thumbnail temp files.
  • MegaProxyServer bounded daemon ExecutorService (was raw new Thread().start() per connection, no cap).
  • ThrottledInputStream / ThrottledOutputStream finally override close() (the decorator was broken — caller closing the wrapper closed nothing).

Concurrency

  • volatile on every cross-thread-mutated field (_file_size, _chunkmanager, _paused_workers, _last_chunk_id_dispatched, ...).
  • getChunkworkers() returns a defensive copy (was throwing ConcurrentModificationException on iteration).
  • paused_workers >= instead of == (off-by-one left the UI stuck on "RESUME DOWNLOAD" forever).
  • secureWait across 10 classes now restores Thread.interrupt() status (was inert pre-fix).
  • _total_size / _total_progress drift on restart fixed (global progress bar used to drift over hours of use).
  • BoundedExecutor releases the permit on any Throwable (was only on RejectedExecutionException).

UI / EDT

  • SpeedMeter batched into a single invokeLater per tick (was per-row invokeAndWait × N transfers off-EDT).
  • Off-EDT Swing setters across the codebase wrapped via GUIRun / GUIRunAndWait.
  • JOptionPane.show* callsites wrapped (was pumping the modal event loop from worker threads).
  • _updateView only revalidates the affected scroll panel, not the full frame.
  • Reorder uses setComponentZOrder instead of remove+add per row.
  • FolderLinkDialog progress is throttled (was 10000+ invokeLater for a 10k-file folder).
  • New opt-in STRICT_EDT_CHECKS (-Dmegabasterd.strict_edt=true) catches future off-EDT regressions.

Charsets / locale / Windows paths

  • Explicit StandardCharsets.UTF_8 for folder cache write/read (was platform default, corrupted non-ASCII filenames on cp1252 Windows — #710 / #744 class).
  • Locale.ROOT on toLowerCase used for OS detection (Turkish-I bug).
  • cleanFilename handles Windows reserved names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and caps at 250 chars.
  • Locale.ROOT on SimpleDateFormat for the upload log timestamps.
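
A filename sanitizer covering the reserved-name list and the 250-character cap named above, as an added example that is not the project's cleanFilename. The class name, the `_` replacement, the illegal-character set and the extension-preserving truncation are assumptions; the inputs are constructed.

```java
import java.util.regex.Pattern;

public class FilenameSanitizer {
    private static final int MAX_LEN = 250; // cap stated in the release notes

    // Device names listed in the release notes. Windows also treats "NUL.txt" as the
    // device, so an optional extension is matched too. Matching is ASCII case-insensitive.
    private static final Pattern RESERVED =
            Pattern.compile("(?i)(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\\..*)?");

    // Characters Windows rejects in a file name, plus ASCII control characters.
    private static final Pattern ILLEGAL = Pattern.compile("[<>:\"/\\\\|?*\\x00-\\x1F]");

    static String sanitize(String name) {
        // Replacing both separators also neutralises path components such as "../".
        String s = ILLEGAL.matcher(name).replaceAll("_");
        if (s.length() > MAX_LEN) {
            // Keep a short extension so the file type survives truncation.
            int dot = s.lastIndexOf('.');
            String ext = (dot > 0 && s.length() - dot <= 16) ? s.substring(dot) : "";
            s = s.substring(0, MAX_LEN - ext.length()) + ext;
        }
        // Windows drops trailing dots and spaces, which would turn "CON." into "CON".
        s = s.replaceAll("[. ]+$", "");
        if (RESERVED.matcher(s).matches()) {
            s = "_" + s;
        }
        return s.isEmpty() ? "_" : s;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for names received from a remote folder listing.
        String[] samples = {"con", "NUL.txt", "lpt1.", "report?.pdf", "..", "a".repeat(300) + ".mkv"};
        for (String in : samples) {
            String out = sanitize(in);
            System.out.println(out.length() + "\t" + out);
        }
    }
}
```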

Logging

  • The "Debug file" option actually works now. Previously it only redirected System.out / System.err; java.util.logging had cached the original stderr before the redirect, so every LOG.log(...) call was dropped. Now a FileHandler is installed on the root logger pointing at the same file.
  • MegaAPI / MegaCrypterAPI errors include the account email + redacted URL + full stack trace.
  • All ex.printStackTrace() replaced with Logger.log(..., ex).

Misc user-reported fixes

  • #719 same-name downloads — insertDownload retries with random filename suffix on UNIQUE(path, filename).
  • #715 clipboard monitor re-adding duplicates — LinkGrabberDialog dedupes against existing entries.
  • #699 deleted download keeps coming back on startup — Download.close() / DownloadManager.remove() always delete from DB, not only when _provision_ok.
  • #434 false "all transfers complete" tray notification — _genStatus now counts both preprocess queues.
  • #645 account import file errors — skip malformed lines (was NPE'ing the save loop).
  • Folder cache has a 24h TTL (was stale forever).
  • formatBytes(null) NPE guard.
  • HTTP Range: bytes=-N (suffix-range) support in streaming server.
  • Float→double in calculateLastWrittenChunk (resume of >16 MiB files could rewind a chunk).
  • MegaProxyServer.Handler.readLine has SO_TIMEOUT (slowloris cap).

Compatibility

  • Existing DB (megabasterd.db) is read fine. Sessions / accounts / downloads / settings carry over.
  • No master password re-entry needed.
  • New format AES blobs are written going forward; old blobs continue to decrypt with the legacy zero-IV path.
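
The per-blob random IV format from the Crypto / integrity list and the legacy zero-IV read path described here, as an added example that is not MegaBasterd's own code. The magic bytes, the blob layout and the AES/CBC/PKCS5Padding mode are assumptions, since the notes give none of them; key and plaintext are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AtRestBlob {
    // Hypothetical 4-byte marker; the release notes do not give the real prefix.
    private static final byte[] MAGIC = {'M', 'B', 'I', 'V'};
    private static final int IV_LEN = 16;
    private static final SecureRandom RNG = new SecureRandom();
    // AES-CBC with PKCS#5 padding is an assumption; the notes do not name the mode.
    static byte[] aes(int mode, byte[] key, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(data);
    }
    // New writes: MAGIC || fresh random IV || ciphertext.
    static byte[] encrypt(byte[] key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        byte[] ct = aes(Cipher.ENCRYPT_MODE, key, iv, plain);
        return ByteBuffer.allocate(MAGIC.length + IV_LEN + ct.length).put(MAGIC).put(iv).put(ct).array();
    }
    // Prefixed blobs use their own IV; anything else, or a legacy ciphertext that merely
    // starts with the marker by chance, goes through the zero-IV path.
    static byte[] decrypt(byte[] key, byte[] blob) throws GeneralSecurityException {
        int hdr = MAGIC.length + IV_LEN;
        if (blob.length > hdr && Arrays.equals(Arrays.copyOf(blob, MAGIC.length), MAGIC)) {
            try {
                byte[] iv = Arrays.copyOfRange(blob, MAGIC.length, hdr);
                return aes(Cipher.DECRYPT_MODE, key, iv, Arrays.copyOfRange(blob, hdr, blob.length));
            } catch (GeneralSecurityException ignored) { /* fall back to legacy below */ }
        }
        return aes(Cipher.DECRYPT_MODE, key, new byte[IV_LEN], blob);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16], msg = "constructed-token".getBytes(StandardCharsets.UTF_8);
        RNG.nextBytes(key); // constructed demo key
        byte[] legacy = aes(Cipher.ENCRYPT_MODE, key, new byte[IV_LEN], msg);
        System.out.println("blobs differ: " + !Arrays.equals(encrypt(key, msg), encrypt(key, msg)));
        System.out.println("new format:   " + Arrays.equals(msg, decrypt(key, encrypt(key, msg))));
        System.out.println("legacy blob:  " + Arrays.equals(msg, decrypt(key, legacy)));
    }
}
```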

Known gaps

  • #746 partially addressed (Bugs #1 + #3 closed; SmartProxy/VPN runtime config-reload still needed for #2 + #4).
  • #736 (upload to root creates folder) diagnosed but not patched — pending UX decision on the share-link wrapping folder.
  • #737 (alias #S25 fails) not reproducible from code analysis; likely MEGA-side timing.

Build

JDK 11+ required. Jar is MegaBasterd_8.24.jar below.

java -jar MegaBasterd_8.24.jar

Portable bundles will follow when the maintainer has the build scripts handy.


Full commit list: v8.23...v8.24
