
Security and fixes

@boazsegev boazsegev released this 18 May 08:34

v. 0.7.5 (2020-05-18)

Security: backport the 0.8.x HTTP/1.1 parser and its security updates to the 0.7.x version branch. This fixes a request smuggling attack vector and Transfer Encoding attack vector that were exposed by Sam Sanoop from the Snyk Security team (snyk.io). The parser was updated to deal with these potential issues.

Fix: (http) fixes an issue with date calculation by backporting code from the 0.8.x branch.

Fix: (fio) call less signal handlers during shutdown.

from v. 0.7.4

Fix: (http) fixes an issue and improves support for chunked encoded payloads. Credit to Ian Ker-Seymer ( @ianks ) for exposing this, writing tests (for the Ruby wrapper) and opening both the issue boazsegev/iodine#87 and the PR boazsegev/iodine#88.

Fix: (http) requests will fail when the path contains a dangling ? (empty query). Credit to @adam12 for exposing this and opening issue boazsegev/iodine#86.