AUP Version 10.0 Build 500.2

SPECIAL NOTES ABOUT THIS UPDATE:

Official Release of v10.0 series starting with build 500.

Plug & Play: If you use 3rd-party applications that load Wildcat! RPC DLLs outside of the main Wildcat! installation path (for example, moved copies in external door directories), you may encounter a version mismatch between the new 500 DLLs and older 454 DLLs. Replace those external copies with the updated 500 RPC DLLs.

SEE SPECIAL UPGRADE NOTES

- ENH: defender-exclusions.cmd -- optional Defender exclusion script for Windows Server 2022/2025 (500.2 26.6.4). Running Wildcat! on Windows Server 2022 or Windows Server 2025 with Windows Defender real-time protection active can cause measurable I/O overhead and application launch delays. Defender intercepts every file operation performed by high-frequency server processes (wcserver.exe, wcloader.exe, wconline.exe, pxonline.exe, pxecho.exe), adding latency to logins, message reads, conference activity, and desktop tool startup. A stock optional script is now provided: defender-exclusions.cmd Run this script once as Administrator on any Wildcat! server running Windows Server 2022 or Windows Server 2025. It configures process-level Defender exclusions for all Wildcat! and PX/WIN server executables and path exclusions for the PX/WIN inbound pipeline folders (C:\pxwin\work, C:\pxwin\outbound). Adjust the path exclusions for your PX/WIN layout if it differs from the defaults. IMPORTANT: The Wildcat! session work\ folder is intentionally NOT excluded. The scanfile.wcx upload hook fires in a work\ subfolder -- Defender must continue to monitor that path to intercept threats on upload. Excluding work\ would defeat the on-demand virus scan. No restart required. Exclusions take effect immediately. - FIX: corrected Makewild.Public.SMTPConfig.dwRevision during wcServer startup. The following log line as showing up in wildcat.log file redundantly the SMTP setup was updated. "! Updating SMTP Configuration. See AUP.CHM WCSMTP 454.15 Require SSL for AUTH" - FIX: Fixed wcserver Tray Icon (Shell_NotifyIcon) on Windows 2025. When starting Wcserver as desktop app on Windows 2025, it caused a Explorer to abort and restart. After the Explorer restart recovery, the wcserver tray icon disappeared. Wcserver now has a M_TASKBARCREATED handler to display the icon.

- NEW: Added new wcODBC functions to the wcodbc.wch library: function OdbcResultReal (result as Long, field as String) as Real function OdbcResultDouble (result as Long, field as String) as Real see the updated wcodbc.wch header declarations. example usage: if OdbcFetchRow(result,0) then print "as string : "; OdbcResultString(result,"money") print "as valreal: "; ValReal(OdbcResultString(result,"money")) print "as double : "; odbcResultDouble(result,",money") print "as real : "; odbcResultReal(result,"money") end if Note: Importing a function returning a DOUBLE will be converted to REAL. wcBASIC does not support the DOUBLE type at this time.

- FIX: Attachment file prompt now handles full path input correctly. When typing a full file path (e.g. c:\pxwin\pxw1.log) at the "Enter name of file to attach" prompt, wcLocal now copies the file directly without showing the file browser, and stores only the filename (not the full path) as the attachment name. Entering a directory path (e.g. c:\pxwin) opens the file browser positioned at that directory with a blank filename field. Previously, a full path was concatenated onto the temp upload folder path, producing an invalid destination and an "Error Copying File" message.

- NEW: Added pxtype.wch -- PX/WIN FidoFlags (obXXXX) constants for wcBASIC. A new include file wcbasic\include\pxtype.wch exposes the TMsgHeader.FidoFlags bit constants used by PX/WIN for FTN message state tracking. Constants are translated from the PX/WIN pxtype.pas definitions with the leading underscore removed (the wcc compiler does not accept identifiers starting with underscore). Included automatically via fidoutil.wch. Usage example: if (msg.fidoflags and obSent) <> 0 then // message has been delivered via FTN end if Full constant list: obHold, obImmed, obDirect, obImported, obKillMsg, obKillFile, obLocked, obFileReq, obFileAtt, obFileUReq, obCrash, obSent, obForward, obOrphan, obTruncFile, obExtra, obSkipPkt, obPackUp, obNewMail, obPktFull, obSkipMsg, obTagged, obBookMark. - UPD: html-read message.wcc now shows "Sent" label for FTN netmail delivered by PX/WIN, matching the existing label shown for SMTP-delivered email. The HTML message header previously showed "Sent" only when wcSMTP had delivered the message (mfSmtpDelivered flag). The condition now also checks the PX/WIN FidoFlags obSent bit so that FTN netmail delivered via BinkP or the modem path shows the same "Sent" label and sets the MailFlags.sent template variable for custom templates. - UPD: msgutil.wcc DisplayMessage() and MSGHDR.BBS updated to show "Sent" label in the TUI message header for delivered FTN netmail. The ANSI/text message header (Private line) now appends "Sent" when either mfSmtpDelivered or the PX/WIN obSent FidoFlag is set on the message. No change to the header layout for messages that have not been delivered. - UPD: well-known.wcc updated (04/20/26) -- VDG-aware autoconfig and runtime XML fallback. print_config_v1_1(): domain now derived from the HTTP Host header instead of hardcoded mail.winserver.com. Supports VDG configurations where multiple domains share one Wildcat! server. wk_autoconfig(): runtime fallback to print_config_v1_1() when no physical autoconfig\mail\config-v1.1.xml exists. Replaces the prior compile-time #if 1/#else switch. See wcWEB for sysop-level description. - FIX: Fixed "Chat Between Nodes.wcc" /JOIN fix. See wcbasic_readme.txt for more details. - FIX: msgutil.wcc EditMessage() attachment name now uses JustFileName() to strip any full path typed by the user. Previously, entering a full path (e.g. c:\pxwin\pxw1.log) at the attach prompt stored the entire path as msg.Attachment and caused an invalid MoveFile destination in the upload staging area. The attachment name stored in the message header is now always the filename only. - ENH: html-new message.wcc now shows a FidoFrom AKA selector when composing Fidonet netmail (500.2 26.6.8). When composing a Fidonet netmail message in wcWEB, the From line now includes a dropdown list of all locally configured AKA addresses read from px.ini. The primary address is pre-selected. Select the AKA whose zone matches the destination node before sending. See wcWEB for the complementary autosuggest and auto-select feature that selects the correct AKA automatically when a destination is chosen.

- UPD: Improved Thunderbird autoconfig support via /.well-known/autoconfig. The autoconfig endpoint now correctly serves the mail domain for each Virtual Domain Group (VDG) on the same Wildcat! server, rather than returning a hardcoded domain name. A physical config-v1.1.xml file is no longer required -- PX generates the response automatically when the file is absent. See wcBASIC well-known.wcc for source details. - NEW: wc10.css added to stock HTTP template library (http\template\wc10.css). A minimal, self-contained modern stylesheet for wcWEB templates. Dark theme with CSS custom properties, system-ui font stack, CSS grid card layout, and responsive design. Intended to be inlined via @include@ so pages carry no external CSS dependency. Used by the default home pages and the new terminal.htm template. - NEW: terminal.htm added to stock HTTP template library (http\template\terminal.htm). Modern telnet terminal launch page served by html-terminal.wcx (terminal.wcn). Edge, Chrome, and other Chromium-based browsers block automatic server-side redirects (HTTP 302) to external protocol URLs such as telnet:// as a security measure. The redirect worked only when the user right-clicked the link and chose "Open in new tab or window." The fix requires a user gesture before the browser will honor the external protocol hand-off. html-terminal.wcc already checked for this template file and fell through to HttpRedirect() only when it was absent. terminal.htm fills that hook, serving a styled intermediate page with a clickable Launch Terminal button. Clicking the button satisfies the browser user-gesture requirement and launches the locally installed Telnet client. After the click, the page navigates back automatically so no orphan tab is left open. A Home button provides an escape path for users who arrive at the page by mistake. The page uses @GET HTTP.HOST@ for the hostname (Computer.Config.WWWHostname is not required to be configured) and @GET Computer.Config.TelnetPort@ for the port number. - ENH: Fidonet nodelist autosuggest for the wcWEB new message compose form (500.2 26.6.9/10). When composing a Fidonet netmail message in wcWEB, the To: name and FTN address fields now support live search against the compiled PX nodelist: - Type any part of a sysop name (first name, last name, or partial) in the To: field to see matching nodelist entries. Selecting one fills both the To: name and FTN address fields automatically. - Type a zone:net/node prefix in the FTN address field to search by address. Entering a zone number alone (e.g. "99") shows all nodes in that zone. - When a destination node is selected, the FidoFrom AKA dropdown automatically switches to the local AKA whose zone matches the destination zone. - When the To: name is AreaFix or FileFix, the Subject field is automatically pre-filled with the node's password from the PX Node Book Manager, if one is configured. Requires PX/WIN installed and the nodelist compiled by PXNLIST. See wcBASIC html-new message.wcc for the FidoFrom AKA dropdown and PX/WIN for the html-suggest-nodes.wcx and html-get-fixpwd.wcx server scripts. - FIX: wchttps.dll now rejects unauthenticated HTTP POST requests before writing the request body to a temp file. On Windows Server 2022 and Windows Server 2025, Windows Defender real-time protection scans files as they are written to disk. External scanners and bots frequently send HTTP POST requests carrying exploit payloads (SQL injection, shell code, etc.) to any reachable HTTP server. wchttps was saving the POST body to a temp file (wcp*.tmp) before performing any authorization check. Defender flagged these temp files and issued security notifications, even though the requests were harmless because the protected URL would have returned 401 anyway. Fix: wchttps now checks for authentication credentials before creating the temp file. If the POST URL does not fall under a public path and the request carries no session cookie or Authorization header, a 401 response is returned immediately and the socket is closed. The POST body is never read or written to disk. Paths exempt from the early reject (no auth required): /public/* login form, signup page, and all other public pages /newuser new user registration form All other POST destinations require an authenticated session as they always have. The /.well-known/ path is unaffected; those requests are intercepted by wcohttp.dll before reaching wchttps. Each rejected POST is logged to wchttp-unauth-post.log in the Wildcat! working directory. Log lines include a timestamp, the source IP address, and the requested URL, making it easy to review the volume and nature of abuse attempts: 20260531 14:23:07 IP: 185.220.101.42 URL: /client?wp-login.php HTTP/1.0 20260531 14:23:09 IP: 45.33.32.156 URL: /client?phpmyadmin HTTP/1.0

PX/WIN 500.2 adds BinkP/1.1 TCP/IP Fidonet mail support to the Platinum Xpress Frontend Mailer (PXONLINE), plus extensive event scheduler improvements, CRAM-MD5 authentication, compatibility fixes, and configuration enhancements. For the complete list of PX/WIN changes organized by component (PXONLINE, PXCONFIG, PXECHO, PXTOOLS, PXNLIST), see: PX/WIN Version 10.0 Build 500.2 Changes