Releases: mccutchen/go-httpbin
v2.14.0
What's Changed
- chore(ci): tweak codecov configuration by @mccutchen in #168
- add appProtocol to the k8s service for port name 'http' by @bcollard in #169
- fix: mitigate allowed redirect domain bypass by @mccutchen in #174
🔐 Security fix 🔐
This release fixes a bug that allowed clients to bypass the -allowed-redirect-domains/ALLOWED_REDIRECT_DOMAINS configuration used by the /redirect-to endpoint by passing an absolute URL without a scheme (e.g. /redirect-to?url=//evil.com).
See #173 and #174 for details about the issue and the fix, and see the Production Considerations section of the README for more info on why that configuration is important.
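The following Go sketch is an added example, not go-httpbin's own code, and the actual change in #174 may differ. It shows why a scheme-less absolute URL can slip past an allowlist check that keys on the scheme, next to a check that also keys on the parsed host. The function names and the example.org allowlist entry are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed allowlist; example.org is a placeholder value.
var allowed = map[string]bool{"example.org": true}

// naiveAllowed is a hypothetical pre-fix check: the allowlist is consulted
// only when the target has a scheme, so "//host" is treated as relative.
func naiveAllowed(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.IsAbs() { // true only when u.Scheme != ""
		return allowed[u.Hostname()]
	}
	return true
}

// strictAllowed keys the decision on the parsed host as well: any target
// that names a scheme or a host must match the allowlist.
func strictAllowed(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" {
		return allowed[u.Hostname()]
	}
	return true // path-only target, stays on the same origin
}

func main() {
	for _, target := range []string{
		"/get", "https://example.org/ok", "https://evil.com", "//evil.com",
	} {
		fmt.Printf("%-24s naive=%-5v strict=%v\n",
			target, naiveAllowed(target), strictAllowed(target))
	}
}
```

Go's net/url parses //evil.com with an empty Scheme and Host set to evil.com, which is why a test on the scheme alone misses it.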
New Contributors
Full Changelog: v2.13.4...v2.14.0
v2.13.4
v2.13.3
What's Changed
- chore(ci): simplify CI config by @mccutchen in #164
- chore(ci): fix codecov configuration by @mccutchen in #165
- feat: add a kustomize base to the repository by @james-callahan in #144
- feat: allow POST, PUT, DELETE, PATCH methods on /basic-auth endpoint by @mgeuer in #166
New Contributors
- @james-callahan made their first contribution in #144
- @mgeuer made their first contribution in #166
Full Changelog: v2.13.2...v2.13.3
v2.13.2
What's Changed
- feat: /status endpoint supports weighted choice from multiple status codes by @mccutchen in #162
Full Changelog: v2.13.1...v2.13.2
v2.13.1
What's Changed
- fix: websocket conns do not require Connection: upgrade header by @mccutchen in #161
Full Changelog: v2.13.0...v2.13.1
v2.13.0
✨ Highlights ✨
- New /websocket/echo endpoint that implements a basic, conformant WebSocket echo server, useful for testing more advanced HTTP proxy use cases or WebSocket client implementations
- New /sse endpoint that implements a simple Server-Sent Events stream, useful for testing more advanced HTTP proxy use cases
- Support for serving go-httpbin under a path prefix (thanks @waschik!)
What's Changed
- chore: update linting configuration by @mccutchen in #154
- feat: add /websocket/echo endpoint by @mccutchen in #155
- fix: ensure websocket conns respect max duration by @mccutchen in #156
- fix: silence annoying network permission popups on macos by @mccutchen in #157
- chore: minor refactor of base64 handling by @mccutchen in #158
- feat: support serving under a path prefix by @waschik in #120
- docs: update EXCLUDE_HEADERS documentation by @mccutchen in #159
- feat: add /sse endpoint to test Server-Sent Events by @mccutchen in #160
New Contributors
Full Changelog: v2.12.0...v2.13.0
v2.12.0
What's Changed
- fix: /base64 endpoint decodes both URL-safe and standard b64 encodings by @mccutchen in #153
Full Changelog: v2.11.1...v2.12.0
v2.11.1
What's Changed
- chore: upgrade to Go 1.21 by @harryzcy in #143
- feat: special case CloudFlare client IP addrs by @vanodevium in #148
New Contributors
- @harryzcy made their first contribution in #143
- @vanodevium made their first contribution in #148
Full Changelog: v2.11.0...v2.11.1
v2.11.0
What's Changed
- Add tests for correct handling of Expect: 100-continue by @mccutchen in #138
- Allow filtering incoming request headers using -exclude-headers/EXCLUDE_HEADERS by @bytemain in #139
New Contributors
Full Changelog: v2.10.0...v2.11.0
v2.10.0
What's Changed
- Improve /drip semantics by @mccutchen in #132
- Standardize common content types by @mccutchen in #134
- Improve and standardize error handling by @mccutchen in #135
- Consistently parse and validate user-provided status codes by @mccutchen in #137
- Major test suite overhaul in #131 and #133
⚠️ Response format changes ⚠️
- The behavior of the /drip endpoint has been adjusted slightly. In particular, the endpoint now waits until after the initial delay to start the response (i.e. write the status code), rather than starting the response immediately and then waiting for the initial delay to write the body.
- The standard Content-Type used for JSON responses has been changed from the non-standard application/json; encoding=utf-8 to the standard application/json; charset=utf-8
- Error responses generated by go-httpbin itself (e.g. due to invalid input) are returned as structured JSON:
  { "status_code": 400, "error": "Bad Request", "detail": "invalid status code: 1024 not in range [100, 599]" }
Full Changelog: v2.9.2...v2.10.0