facil.io v0.7.5 Release Notes
Release Date: 2020-05-18 // almost 4 years ago-
v. 0.7.5 (2020-05-18)
๐ Security : backport the 0.8.x HTTP/1.1 parser and it's security updates to the 0.7.x version branch. This fixes a request smuggling attack vector and Transfer Encoding attack vector that were exposed by Sam Sanoop from the Snyk Security team (snyk.io). The parser was updated to deal with these potential issues.
๐ Fix : (
http) fixes an issue with date calculation by backporting code from the 0.8.x branch.๐ Fix : (
fio) call less signal handlers during shutdown.from v. 0.7.4
๐ Fix : (
http) fixes an issue and improves support forchunkedencoded payloads. Credit to Ian Ker-Seymer ( @ianks ) for exposing this, writing tests (for the Ruby wrapper) and opening both the issue boazsegev/iodine#87 and the PR boazsegev/iodine#88.๐ Fix : (
http) requests will fail when the path contains a dangling?(empty query). Credit to @adam12 for exposing this and opening issue boazsegev/iodine#86.
Previous changes from v0.7.3
-
Fix : (
http) fixes a security issue in the static file name resolution logic, where a maliciously encoded request could invoke an arbitrary response.๐ Fix : (
fio,fiobj) improved C++ compatibility. Credit to Joey (@joeyhoek) for PR #76.๐ Fix : (
fio) fixes an issue where timer cleanup wasn't performed afterfio_stop(or SIGINT/SIGTERM). No a "clean slate" will be provided iffio_startis called more then once. Note: this may break previous behavior , which should be considered undocumented and unexpected behavior. (this fax may be deferred to version 0.8.x, still undecided). Credit to @fbrausse for opening issue #72.๐ Fix : (
fio) fixes an issue where timer cleanup would be performed after theAT_EXITstate callbacks. Now the timer cleanup callbacks will be performed before theAT_EXITcallback (as they should). (See issue #72).๐ Fix : (
fio) fixes signal handler (re)establishment test to prevent recursive signal calling.