trillium-http-v0.3.4

@jbr jbr released this 26 Oct 21:32
· 621 commits to main since this release
654b625

Themes: Critical Bugfixes and Performance Improvements

Bugs:

A critical bug was discovered in the chunked body parser, with many thanks to @divergentdave for writing a fuzzer to find it. If the client disconnected at the start of a chunk, the future would never complete and would spin the CPU. As disconnecting without a last-chunk 0\r\n is not allowed, this scenario now results in an error.

In addressing this bug, another edge case was discovered, in which attempting to read a chunked body into a buffer that is smaller than the chunk header never terminated. This is believed to be unlikely in realistic usage, so this patch treats it as an error.
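
An added example, not trillium's code: a minimal blocking chunked decoder that turns both conditions above into errors, using a bounded chunk-size line as a stand-in for the small-buffer case. `read_chunked`, `MAX_CHUNK_HEADER` and the helper names are assumptions made for illustration; chunk extensions and trailers are omitted.

```rust
use std::io::{Error, ErrorKind, Read, Result};

// Assumed cap on the chunk-size line (hex digits plus '\r'); not a trillium value.
const MAX_CHUNK_HEADER: usize = 16;

fn invalid(msg: &'static str) -> Error { Error::new(ErrorKind::InvalidData, msg) }

// A zero-length read means the peer closed the transport: fail instead of retrying.
fn next_byte<R: Read>(r: &mut R) -> Result<u8> {
    let mut b = [0u8; 1];
    match r.read(&mut b)? {
        0 => Err(Error::new(ErrorKind::UnexpectedEof, "closed before last-chunk")),
        _ => Ok(b[0]),
    }
}

fn expect<R: Read>(r: &mut R, want: u8) -> Result<()> {
    if next_byte(r)? == want { Ok(()) } else { Err(invalid("expected CRLF")) }
}

// Decode a chunked body from a blocking reader (no extensions or trailers).
fn read_chunked<R: Read>(r: &mut R) -> Result<Vec<u8>> {
    let mut body = Vec::new();
    loop {
        let (mut size, mut seen) = (0u64, 0usize);
        loop {
            let b = next_byte(r)?;
            seen += 1;
            // A size line that does not fit the bound is rejected, never re-read.
            if seen > MAX_CHUNK_HEADER { return Err(invalid("chunk header too long")); }
            if b == b'\r' && seen > 1 { break; }
            let digit = (b as char).to_digit(16).ok_or_else(|| invalid("bad chunk size"))?;
            size = size * 16 + u64::from(digit);
        }
        expect(r, b'\n')?;
        for _ in 0..size { body.push(next_byte(r)?); }
        expect(r, b'\r')?; // CRLF closes the chunk data, or the body after 0\r\n
        expect(r, b'\n')?;
        if size == 0 { return Ok(body); }
    }
}

fn main() {
    // Constructed input: the peer disconnects where the next chunk should start.
    let mut cut: &[u8] = b"5\r\nhello\r\n";
    println!("{:?}", read_chunked(&mut cut).map_err(|e| e.kind()));
}
```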

Additionally, a misuse of std::mem::forget has been removed, although it has not been observed to leak memory in practice.

Performance:

trillium-http now offers a number of tunable performance and security parameters, available as HttpConfig.

Prior to this release, trillium performed an unreasonably high number of transport (TCP) writes when producing headers. As of this release, headers are always sent as a single transport write, and for short responses, the body will be included in that first write. This represents a substantial performance improvement.

Changelog

  • add From<Cow<'static, str>> and From<Cow<'static, [u8]>> for Body in #381
  • use memchr instead of memmem in #396
  • send fewer tcp packets by buffering in #397
  • only buffer the top of the response in #400
  • bugfix: address theoretical memory leak in after_send caused by std::mem::forget in #403
  • test for common methods before uncommon methods in #405
  • perf improvements in #406
  • bugfix: chunked body reads did not properly handle closed transports in #412
  • bugfix: add a default limiter to received request bodies in #413
  • add HttpConfig to trillium in #414
  • add in received_body_max_preallocate in #417