Nghttp2 v1.46.0
build
A workaround is added to avoid the broken version check in AX_PYTHON_DEVEL macro.
It adds the missing cmake files to EXTRA_DIST.
nghttpx
HTTP/3 feature is now available with BoringSSL.
SCT data is now available with BoringSSL.
New QUIC and HTTP/3 related options were added: --frontend-quic-initial-rtt, --quic-server-id, and --rlimit-memlock.
--frontend-quic-connection-id-encryption-key has been removed, and the new option --frontend-quic-secret-file has been added which specifies initial keying materials to generate QUIC secrets and keys for connection ID and tokens. It also supports the rotation of keying materials.
HTTP/3 ALPN h3-29 is now supported.
--worker-process-grace-shutdown-period option was added to set the maximum grace period to wait for a worker process to terminate gracefully.
--max-worker-processes option was added to limit the number of the lingering worker processes.
h2load
HTTP/3 feature is now available with BoringSSL.
Upstream changes:
0.15 2021-10-15 20:21:23-07:00 America/Vancouver
- GH#8 - preserve newlines when collapsing whitespace; if a block of
whitespace contains a newline, then when collapsing we collapse to a
newline character, not just "the first whitespace char we found"
Upstream changes:
1.11 2021-09-27T04:11:20Z
commit 239b88f865305b59f7d193f0431fcd5c03df3dd3
Author: Harald Jörg <haj@posteo.de>
Date: Sun Jan 13 11:56:25 2019 +0100
Add the list of escaped characters to the docs and clarify usage in the synopsis
0.20.0:
Changed
* The `allow_redirects` flag is now `follow_redirects` and defaults to `False`.
* The `raise_for_status()` method will now raise an exception for any responses
except those with 2xx status codes. Previously only 4xx and 5xx status codes
would result in an exception.
* The low-level transport API changes to the much simpler `response = transport.handle_request(request)`.
* The `client.send()` method no longer accepts a `timeout=...` argument, but the
`client.build_request()` does. This is required by the signature change of the
Transport API. The request timeout configuration is now stored on the request
instance, as `request.extensions['timeout']`.
Added
* Added the `httpx` command-line client.
* Response instances now include `.is_informational`, `.is_success`, `.is_redirect`, `.is_client_error`, and `.is_server_error`
properties for checking 1xx, 2xx, 3xx, 4xx, and 5xx response types. Note that the behaviour of `.is_redirect` is slightly different in that it now returns True for all 3xx responses, in order to allow for a consistent set of properties onto the different HTTP status code types. The `response.has_redirect_location` location may be used to determine responses with properly formed URL redirects.
Fixed
* `response.iter_bytes()` no longer raises a ValueError when called on a response with no content.
* The `'wsgi.error'` configuration now defaults to `sys.stderr`, and is corrected to be a `TextIO` interface, not a `BytesIO` interface. Additionally, the WSGITransport now accepts a `wsgi_error` configuration.
* Follow the WSGI spec by properly closing the iterable returned by the application.
Changes:
2.34.1
======
- Update user agent browser versions.
- Fix a crash with GTK >= 3.24.30.
- Fix a crash when loading videos on reddit.
- Fix file type detection when application calls
g_desktop_app_info_set_as_default_for_extension() passing html.
msharov released this Oct 2, 2021
* Make the UI more compact.
* Simplify HTML detagging and rewrapping.
* Store feed cache content detagged.
* New translation for Serbian.
* Support ncurses without widechars.
* Quit normally on non-fatal signals.
* Stop using libiconv because only UTF8 is supported.
* Remove the need to configure html_entities.
* Ignore atom link tags where rel != alternate.
* Fix saving of changes to smart feeds.
0.4.7 release
* Fix the ~ character being percent escaped when sending URLs to servers. See RFC 3986.
0.4.6 release
* Python 3.10 compatibility
* Fix a bug in the regex used to parse www-authenticate headers that could lead to Denial-of-Service
Changelog:
New
* Firefox now supports the new AVIF image format, which is based on the
modern and royalty free AV1 video codec. It offers significant bandwidth
savings for sites compared to existing image formats. It also supports
transparency and other advanced features.
* Firefox PDF viewer now supports filling more forms (XFA-based forms, used
by multiple governments and banks). Learn more.
* When available system memory is critically low, Firefox on Windows will
automatically unload tabs based on their last access time, memory usage,
and other attributes. This should help reduce Firefox out-of-memory
crashes. Switching to an unloaded tab automatically reloads it.
* To prevent session loss for macOS users who are running Firefox from a
mounted .dmg file, they'll now be prompted to finish installation. This
permission prompt only appears the first time these users run Firefox on
their computer.
* Firefox now blocks downloads that rely on insecure connections, protecting
against potentially malicious or unsafe downloads. Learn more and see where
to find downloads in Firefox.
* Improved web compatibility for privacy protections with SmartBlock 3.0.
Learn more
* Introducing a new referrer tracking protection in Strict Tracking
Protection and Private Browsing. Learn more
* Introducing Firefox Suggest, a faster way to navigate the web. Learn more
about the experience and locale-specific features.
Fixed
* The VoiceOver screen reader now correctly reports checkable items in
accessible tree controls as checked or unchecked.
* The Orca screen reader now works correctly with Firefox, no longer
requiring users to switch to another application after starting Firefox.
* Various security fixes
Changed
* TLS ciphersuites that use 3DES have been disabled. Such ciphersuites can
only be enabled when deprecated versions of TLS are also enabled. Learn
more.
* The download panel now follows the Firefox visual styles.
Enterprise
* Various bug fixes and new policies have been implemented in the latest
version of Firefox. See more details in the Firefox for Enterprise 93
Release Notes.
Developer
* Developer Information
Web Platform
* The UI for <input type="datetime-local"> has been implemented.
Security fixes:
#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38497: Validation message could have been overlaid on another origin
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
#CVE-2021-32810: Data race in crossbeam-deque
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and
Firefox ESR 91.2
#CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
#CVE-2021-38499: Memory safety bugs fixed in Firefox 93
1.0.2
Fix regression introduced in 1.0.1, adding double item rows on SortableInlineAdminMixin and TabularInline.
1.0.1
Fix CSS classes change introduced in Django-2.1.
Prepared to run on Django-4.0.
Ditch Travis-CI in favor of GitHub Actions.
- Added EXPERIMENTAL support for top-level await to Mojo::Promise.
- Updated Future::AsyncAwait requirement to 0.52 for new features and
bug fixes.
- Improved *_attr and *_text methods in Test::Mojo to return undef
instead of empty string for values that do not exist. (tim-2)
- Fixed Mojo::DOM not to auto-close tags in <svg> and <math>
blocks. (mkende)
- Added trace log level to Mojo::Log.
- Changed default log level in Mojo::Log from "debug" to "trace" and
moved all built-in "debug" log messages to the level "trace". That
will allow for the "debug" level to be used exclusively for user
defined log messages.
- Switched from HMAC-SHA1 to HMAC-SHA256 for signed cookies. Note that
this means that all sessions will be reset.
- Improved signed cookie based sessions to pad short values, to make it
harder to brute force attack the application secret. (jberger)
- Remove Font Awesome from distribution.
- This release contains fixes for security issues, everybody
should upgrade!
[ENHANCEMENTS]
Use ok() instead of cmp_ok() inside of lacks_uncapped_inputs().
This output makes more sense.
lacks_uncapped_inputs() now has a default message if one isn't supplied.
[FIXES]
Fixed the subtest name inside of C<lacks_ids_ok>.
Fixed the minimum version of Carp::Assert::More in Makefile.PL.
Changes in release 0.32.1:
* Fix configure CFLAGS handling in Kerberos detection.
* Various spelling fixes.
Changes in release 0.32.0:
* Interface changes:
- API and ABI backwards-compatible with 0.27.x and later
- NE_AUTH_DIGEST now only enables RFC 2617/7616 auth by default;
to enable weaker RFC 2069 Digest, use NE_AUTH_LEGACY_DIGEST
(treated as a security enhancement, not an API/ABI break)
* Interface clarifications:
- ne_auth.h: use of non-ASCII usernames with the ne_auth_creds
callback type is now rejected for Digest auth since the
encoding is not specified. ne_add_auth() can be used instead.
- ne_request.h: the ne_create_request_fn callback is passed the
request-target using RFC 7230 terminology
* New interfaces and features:
- ne_string.h: added ne_strhash(), ne_vstrhash(), ne_strparam()
- ne_auth.h: added RFC 7616 (Digest authentication) support,
including userhash=, username*= and SHA-2 algorithms
(SHA-2 requires GnuTLS/OpenSSL). added NE_AUTH_LEGACY_DIGEST
- ne_auth.h: added ne_add_auth() unified auth callback interface,
accepts (only) UTF-8 usernames, uses a larger password buffer,
and has different/improved attempt counter semantics.
- RFC 7617 scoping rules are now applied for Basic authentication.
- ne_ssl.h: added ne_ssl_cert_hdigest()
- ne_socket.h: added ne_sock_shutdown()
- sendmsg()/send() are used with the MSG_NOSIGNAL flag to write to
sockets on Unix, rather than write()/writev(), avoiding SIGPIPE
- explicit_bzero() is used where available to clear credentials
* Bug fixes:
- fixed TLS connection shutdown handling for OpenSSL 3
- fix various Coverity and cppcheck warnings (Sebastian Reschke)
- Kerberos library detection uses pkg-config where possible.
- fix some configure checks on Win32 (Christopher Degawa)
- fix some configure errors on MacOS (Ryan Schmidt)
Security Vulnerabilities fixed in Firefox ESR 91.2
#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38497: Validation message could have been overlaid on another
origin
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
#CVE-2021-32810: Data race in crossbeam-deque
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
4.1.0 (2021-10-05)
------------------
API Changes (Backward-Compatible)
- Support for Python 3.9 has been added.
- Support for Python 3.10 has been added.
- New example for a Python socket HTTP/2 client.
- New `OutputLogger` for use with ``h2.config.logger``. This is only provided
for convenience and not part of the stable API.
Bugfixes
- Header validation now rejects empty header names with a ProtocolError. While
hpack decodes such header blocks without issues, they violate the
HTTP semantics.
- Fix TE header name in error message.
Changes with Apache 2.4.51
*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
fix of CVE-2021-41773) (cve.mitre.org)
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient. An attacker could use a path
traversal attack to map URLs to files outside the directories
configured by Alias-like directives.
If files outside of these directories are not protected by the
usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased
paths, this could allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
earlier versions.
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
Changes with Apache 2.4.50
*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
A flaw was found in a change made to path normalization in
Apache HTTP Server 2.4.49. An attacker could use a path
traversal attack to map URLs to files outside the expected
document root.
If files outside of the document root are not protected by
"require all denied" these requests can succeed. Additionally
this flaw could leak the source of interpreted files like CGI
scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Credits: This issue was reported by Ash Daulton along with the
cPanel Security Team
*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
(cve.mitre.org)
While fuzzing the 2.4.49 httpd, a new null pointer dereference
was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a
specially crafted request.
The vulnerability was recently introduced in version 2.4.49. No
exploit is known to the project.
Credits: Apache httpd team would like to thank LI ZHI XIN from
NSFocus Security Team for reporting this issue.
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
the uri-path when it's preceded by a dot.
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
had no hostname ("unix:/...").
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
*) mod_rewrite: Fix UDS ("unix:") scheme for
*) event mpm: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild.
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Adds all other, never proposed code changes to make a clean
sync of http2 sources.
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests.
*) core: do not install core input/output filters on secondary
connections.
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent that failures in running the pre_connection
hook cause crashes afterwards.
*) mod_speling: Add CheckBasenameMatch.
Django 3.2.8 fixes two bugs in 3.2.7.
Bugfixes
Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin.
Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view.
Highlights
* improve performance, reduce memory use, bugfixes
* HTTP/2 smoother and lower memory use (in general)
* HTTP/2 tuning to better handle aggressive client initial requests
* reduce memory footprint; workaround poor glibc behavior; jemalloc is better
* mod_magnet lua performance improvements
* mod_dirlisting performance improvements and new caching option
* memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav
* connect(), write(), read() time limits on backends (separate from client timeouts)
* lighttpd restarts if large discontinuity in time occurs (embedded systems)
* RFC7233 Range support for all non-streaming responses, not only static files
-Change buildsystem to use a ./configure script
-badwolf.1: Add tip to list dictionaries in enchant
-badwolf.h: Add WEBKIT_CHECK_VERSION
-Switch from libsoup-2.4 to glib's GUri
-badwolf.1: Fix gtk-doc css-properties URL
Changelog:
92.0.1
Fixed
* Fixes an issue where audio playback was not working on some Linux systems
(bug 1730499)
* Fixes issues with the findbar close button on different operating systems
(bug 1728368)
92.0
New
* More secure connections: Firefox can now automatically upgrade to HTTPS
using HTTPS RR as Alt-Svc headers.
* Full-range color levels are now supported for video playback on many
systems.
* Mac users can now access the macOS share options from the Firefox File
menu.
* Support for images containing ICC v4 profiles is enabled on macOS.
Fixed
* Firefox performance with screen readers and other accessibility tools is no
longer severely degraded if Mozilla Thunderbird is installed or updated
after Firefox.
* macOS VoiceOver now correctly reports buttons and links marked as
"expanded" using the aria-expanded attribute.
* An open alert in a tab no longer causes performance issues in other tabs
using the same process.
* Various security fixes
Changed
* Canonical is now building the official Firefox snap. It's also now
available on two additional architectures, ARMhf and ARM64.
* The bookmark toolbar menus on macOS now follow Firefox visual styles.
* Certificate error pages have been redesigned for a better user experience.
* Continuing work to restructure Firefox's JavaScript memory management to
be more performant and use less memory.
Nghttp2 v1.45.1
build
This release fixes packaging issues which lack some configuration files in tar archives.
Nghttp2 v1.45.0
lib
Stricter checks for :method: and :path pseudo header fields are introduced.
build
nghttp2 applications can be compiled with OpenSSL v3.0.0.
Fix warning about systemd when cmake is used.
Added build options to enable HTTP/3 and eBPF.
nghttpx
The experimental HTTP/3 support has been added.
“dnf” (= “do not forward”) parameter is added to backend option.
h2load
The experimental HTTP/3 support has been added.
SSLKEYLOGFILE environment variable support has been added.
1.26.7
------
* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
of SNI.
* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
matching.
Changes:
2.34.0
------
- Add support for HTTP/2 when building with libsoup3.
- Add support for CSS Scroll Snap.
- Add support for date and datetime-local input elements.
- Add support for display capture.
- Add support for ICC color management.
- Add support for color-schemes CSS property.
- Add support for link preconnect when building with libsoup3.
- Add support for client side certificates when building with libsoup3.
- Add multi-track support to MSE media backend.
- Add new API to handle web process unresponsiveness.
- Add API to disable CORS on a web view for particular domains.
- Add new API to access/modify capture devices states.
- Add new API to configure the memory pressure handler.
Fixed in 7.79.1
Bugfixes:
Curl_http2_setup: don't change connection data on repeat invokes
curl_multi_fdset: make FD_SET() not operate on sockets out of range
dist: provide lib/.checksrc in the tarball
FAQ: add GOPHERS + curl works on data, not files
hsts: CURLSTS_FAIL from hsts read callback should fail transfer
hsts: handle unlimited expiry
http: fix the broken >3 digit response code detection
strerror: use sys_errlist instead of strerror on Windows
test1184: disable
tests/sshserver.pl: make it work with openssh-8.7p1
Update description and home page, per request from the current
upstream developer of this package. Addresses a PR submitted as
https://github.com/NetBSD/pkgsrc/pull/88. While here, address a
pkglint warning that it's associated with the wrong category.
0.7.5 (2021-06-12)
* Do not change the encoding of strings passed to Driver#text
0.7.4 (2021-05-24)
* Optimise conversions between strings and byte arrays and related encoding
operations, to reduce amount of allocation and copying
3.26.1: 2021-09-17
* CPP Lexer
Add year and date chrono literals, add std::complex literals, fix chrono
literals with digit separator (#1665 by swheaton)
* Factor and GHC Core Lexer
Fix catastrophic backtrack (#1690 by Ravlen)
* JSL Lexer
Fix single line block comments, scoped variables and functions (#1663 by
BenPH)
* YAML Lexer
Fix YAML key containing special character (#1667 by tancnle)
* Fix Ruby 2.7 keyword parameter deprecation warning (#1597 by stanhu)
* Updated README (#1666 by dchacke)
5.4.0 (2021-07-28)
Features
* Better/expanded names for threadpool threads (#2657)
* Allow pkg_config for OpenSSL (#2648, #1412)
* Add rack_url_scheme to Puma::DSL, allows setting of rack.url_scheme header
(#2586, #2569)
Bugfixes
* Binder#parse - allow for symlinked unix path, add create_activated_fds
debug ENV (#2643, #2638)
* Fix deprecation warning: minissl.c - Use Random.bytes if available (#2642)
* Client certificates: set session id context while creating SSLContext
(#2633)
* Fix deadlock issue in thread pool (#2656)
Refactor
* Replace IO.select with IO#wait_* when checking a single IO (#2666)
2.12.0 (2021-08-11)
Features
* Support empty HTML5 data attributes. [#215]
2.11.0 (2021-07-31)
Features
* Allow HTML5 element wbr.
* Allow all CSS property values for border-collapse. [#201]
Changes
* Deprecating Loofah::HTML5::SafeList::VOID_ELEMENTS which is not a
canonical list of void HTML4 or HTML5 elements.
* Removed some elements from Loofah::HTML5::SafeList::VOID_ELEMENTS that
either are not acceptable elements or aren't considered "void" by libxml2.
1.1.0 (2021-07-31)
Features
* Use wrapped exception in Faraday::ParsingError to improve legibility of
the error (#255, @d-m-u)
Bugs fixed
* Use JSON.generate instead of .dump in request middleware (#266,
@Be-ngt-oH)
Chores and misc
* Add rubocop-package and drop git ls-files in gemspec (#263, @utkarsh2102)
1.503.0 (2021-09-17)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.502.0 (2021-09-16)
* Feature - Added support for enumerating regions for Aws::KafkaConnect.
1.501.0 (2021-09-13)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.500.0 (2021-09-10)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.499.0 (2021-09-09)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.498.0 (2021-09-08)
* Feature - Added support for enumerating regions for
Aws::OpenSearchService.
1.497.0 (2021-09-07)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.496.0 (2021-09-03)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.495.0 (2021-09-02)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.494.0 (2021-09-01)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9,
2.0, 2.1, and 2.2.
1.493.0 (2021-08-31)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
2.4.4
-----
This release contains numerous bug fixes, updated dependencies, and QoL
improvements.
Update: This release contains a known regression in the combination of encode
and reverse_proxy modules; please use v2.4.5 instead.
2.4.5
-----
A hotfix for a regression introduced in v2.4.4 related to combining the encode
and reverse_proxy directives.
Changes with Apache 2.4.49
*) SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerability [Yann Ylavic]
*) SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
*) SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
*) SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request
*) SECURITY: CVE-2021-33193 (cve.mitre.org)
mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding `ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
*) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
*) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
*) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoids potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accommodates for hosts that do
not observe/support ALPN and speak http/1.x by default.
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
*) core/mpm: add hook `child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy: Fix incomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
*) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
*) mod_md:
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
[Stefan Eissing]
*) Add CPING to health check logic. [Jean-Frederic Clere]
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
*) htcacheclean: Improve help messages. [Christophe Jaillet]
Firefox's build system defaults to "nightly" for builds without official
branding, and in practice there seems to be very little difference between
"nightly" and "unofficial", but this at least makes our choice explicit.
Bump PKGREVISION
Changes with nginx 1.21.3 07 Sep 2021
*) Change: optimization of client request body reading when using
HTTP/2.
*) Bugfix: in request body filters internal API when using HTTP/2 and
buffering of the data being processed.
Changes with nginx 1.21.2 31 Aug 2021
*) Change: now nginx rejects HTTP/1.0 requests with the
"Transfer-Encoding" header line.
*) Change: export ciphers are no longer supported.
*) Feature: OpenSSL 3.0 compatibility.
*) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines
are now passed to the mail proxy authentication server.
Thanks to Rob Mueller.
*) Feature: request body filters API now permits buffering of the data
being processed.
*) Bugfix: backend SSL connections in the stream module might hang after
an SSL handshake.
*) Bugfix: the security level, which is available in OpenSSL 1.1.0 or
newer, did not affect loading of the server certificates when set
with "@SECLEVEL=N" in the "ssl_ciphers" directive.
*) Bugfix: SSL connections with gRPC backends might hang if select,
poll, or /dev/poll methods were used.
*) Bugfix: when using HTTP/2 client request body was always written to
disk if the "Content-Length" header line was not present in the
request.
1.2.10 (Aug. 25 2021)
fix: Nchan could not be built without openssl due to hiredis dependency
(introduced in v1.2.9)
feature: allow no separator for http-raw-stream (thanks @sclem)
1.2.9 (Aug. 12 2021)
feature: Redis cluster reconfiguration check timer,
nchan_redis_cluster_check_interval setting
fix: detect Redis cluster reconfiguration when publishing messages in "nostore" mode
update: hiredis updated to v1.0.0
fix: segfault on out-of-shared-memory condition for multiplexed publishers
This release includes the following changes:
o bearssl: support CURLOPT_CAINFO_BLOB [3]
o http: consider cookies over localhost to be secure [24]
o secure transport: support CURLINFO_CERTINFO [63]
This release includes the following bugfixes:
o CVE-2021-22945: clear the leftovers pointer when sending succeeds [112]
o CVE-2021-22946: do not ignore --ssl-reqd [111]
o CVE-2021-22947: reject STARTTLS server response pipelining [110]
o ares: use ares_getaddrinfo() [51]
o asyn-ares.c: move all version number checks to the top
o auth: do not append zero-terminator to authorisation id in kerberos [32]
o auth: properly handle byte order in kerberos security message [36]
o auth: use sasl authzid option in kerberos [34]
o auth: we do not support a security layer after kerberos authentication [35]
o BINDINGS.md: update links to use https where available [50]
o build: fix compiler warnings [39]
o c-hyper: deal with Expect: 100-continue combined with POSTFIELDS [66]
o c-hyper: fix header value passed to debug callback [46]
o c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection [65]
o c-hyper: initial step for 100-continue support [43]
o c-hyper: initial support for "dumping" 1xx HTTP responses [40]
o c-hyper: remove the hyper_executor_poll() loop from Curl_http [13]
o CI/cirrus: reduce compile time with increased parallelism [19]
o CI: use GitHub Container Registry instead of Docker Hub [47]
o cirrus: Add FreeBSD 13.0 job and disable sanitizer build [128]
o cmake: avoid poll() on macOS [59]
o cmake: sync CURL_DISABLE options [55]
o codeql: fix error "Resource not accessible by integration" [61]
o compressed.d: it's a request, not an order [21]
o config.d: escape the backslash properly [81]
o config.d: note that curlrc is used even when --config [107]
o config: get rid of the unused HAVE_SIG_ATOMIC_T et. al.
o configure.ac: revert bad nghttp2 library detection improvements [9]
o configure: error out if both ngtcp2 and quiche are specified [30]
o configure: make --disable-hsts work [106]
o configure: set classic mingw minimum OS version to XP [83]
o configure: tweak nghttp2 library name fix [2]
o connect: get local port + ip also when reusing connections [95]
o connect: remove superfluous conditional [23]
o curl-openssl.m4: check lib64 for the pkg-config file [14]
o curl-openssl.m4: show correct output for OpenSSL v3 [75]
o curl.1: mention "global" flags [7]
o curl.1: provide examples for each option [99]
o curl: add warning for ignored data after quoted form parameter [60]
o curl: add warning for incompatible parameters usage [102]
o curl: better error message when -O fails to get a good name [88]
o curl: stop retry if Retry-After: is longer than allowed [104]
o curl_easy_setopt.3: improve the string copy wording [89]
o Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited [116]
o curl_setup.h: sync values for HTTP_ONLY [82]
o curl_url_get.3: clarify about path and query [45]
o CURLMOPT_TIMERFUNCTION.3: remove misplaced "time" [5]
o CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited [8]
o CURLOPT_SSL_CTX_*.3: tidy up the example [15]
o CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also [90]
o docs/MQTT: update state of username/password support [4]
o docs: remove experimental mentions from HSTS and MQTT [93]
o docs: the security list is reached at security at curl.se now [124]
o easy: use a custom implementation of wcsdup on Windows [31]
o examples/*hiperfifo.c: fix calloc arguments to match function proto [103]
o examples/cookie_interface: avoid printfing time_t directly [18]
o examples/cookie_interface: fix scan-build printf warning [16]
o examples/ephiperfifo.c: simplify signal handler [42]
o FAQ: add two dev related questions [108]
o getparameter: fix the --local-port number parser [58]
o happy-eyeballs-timeout-ms.d: polish the wording [10]
o hostip: Make Curl_ipv6works function independent of getaddrinfo [26]
o http2: Curl_http2_setup needs to init stream data in all invokes [119]
o http2: revert a change that broke upgrade to h2c [57]
o http2: revert call the handle-closed function correctly on closed stream [25]
o http: disallow >3-digit response codes [80]
o http: ignore content-length if any transfer-encoding is used [101]
o http_proxy: clear 'sending' when the outgoing request is sent [6]
o http_proxy: fix the User-Agent inclusion in CONNECT [115]
o http_proxy: fix user-agent and custom headers for CONNECT with hyper [38]
o http_proxy: only wait for writable socket while sending request [78]
o INTERNALS: bump c-ares requirement to 1.16.0
o INTERNALS: c-ares has a new home: c-ares.org
o lib: don't use strerror() [127]
o libcurl-errors.3: clarify two CURLUcode errors [72]
o limit-rate.d: clarify base unit [17]
o mailing lists: move from cool.haxx.se to lists.haxx.se
o mbedtls: avoid using a large buffer on the stack [105]
o mbedTLS: initial 3.0.0 support [33]
o mbedtls_threadlock: fix unused variable warning [11]
o mksymbolsmanpage.pl: Fix showing symbol's last used version [76]
o mksymbolsmanpage.pl: match symbols case insensitively [77]
o multi: fix compiler warning with `CURL_DISABLE_WAKEUP` [96]
o ngtcp2: compile with the latest ngtcp2 and nghttp3 [12]
o ngtcp2: fix build with ngtcp2 and nghttp3 [117]
o ngtcp2: remove the acked_crypto_offset struct field init [64]
o ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read [28]
o ngtcp2: reset the outstanding send buffer again when drained [53]
o ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream [29]
o ngtcp2: stop buffering crypto data [85]
o ngtcp2: utilize crypto API functions to simplify [52]
o openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA [98]
o openssl: when creating a new context, there cannot be an old one [48]
o opt-docs: make sure all man pages have examples [92]
o opt-docs: verify man page sections + order [91]
o opts docs: unify phrasing in NAME header [126]
o output.d: add method to suppress response bodies [49]
o page-header: add GOPHERS, simplify wording in the 1st para [94]
o progress: fix a compile warning on some systems [54]
o progress: make trspeed avoid floats [100]
o runtests: add option -u to error on server unexpectedly alive [125]
o schannel: Work around typo in classic mingw macro [84]
o scripts: invoke interpreters through /usr/bin/env [68]
o setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper [70]
o strerror.h: remove the #include from files not using it
o symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version [73]
o test1138: remove trailing space to make work with hyper [71]
o test1173: check references to libcurl options [69]
o test1280: CRLFify the response to please hyper [86]
o test1565: fix windows build errors [27]
o test365: verify response with chunked AND Content-Length headers
o tests/*server.pl: flush output before executing subprocess [41]
o tests/*server.py: remove pidfile on server termination [1]
o tests/runtests.pl: cleanup copy&paste mistakes and unused code
o tests/server/*.c: align handling of portfile argument and file [56]
o tests: adjust the tftpd output to work with hyper mode [97]
o tests: be explicit about using 'python3' instead of 'python' [67]
o tests: enable test 1129 for hyper builds [87]
o tests: make three tests pass until 2037 [22]
o tool/tests: fix potential year 2038 issues [20]
o tool_operate: Fix --fail-early with parallel transfers [62]
o url: fix compiler warning in no-verbose builds [120]
o urlapi.c:seturl: assert URL instead of using if-check [74]
o vtls: fix typo in schannel_verify.c [44]
o winbuild/README.md: clarify GEN_PDB option
o wolfssl: clean up wolfcrypt error queue [79]
o write-out.d: clarify size_download/upload [118]
o x509asn1: fix heap over-read when parsing x509 certificates [37]
upstream changes:
-----------------
Bug fixes
o Alerting: Fix alert flapping in the internal alertmanager. #38648, @gotjosh
o Alerting: Fix request handler failed to convert dataframe "results" to
plugins.DataTimeSeriesSlice: input frame is not recognized as a time
series. #38587, @idafurjes
o Dashboard: Fix UIDs are not preserved when importing/creating dashboards
thru importing .json file. #38659, @axelavargas
o Dashboard: Forces panel re-render when exiting panel edit. #38913,
@hugohaggmark
o Dashboard: Prevent folder from changing when navigating to general
settings. #38103, @hugohaggmark
o Docker: Force use of libcrypto1.1 and libssl1.1 versions to fix
CVE-2021-3711. #38585, @dsotirakis
o Elasticsearch: Fix metric names for alert queries. #38546, @dsotirakis
o Elasticsearch: Limit Histogram field parameter to numeric values. #38631,
@Elfo404
o Elasticsearch: Prevent pipeline aggregations to show up in terms order by
options. #38448, @Elfo404
o LibraryPanels: Prevent duplicate repeated panels from being created.
#38804, @hugohaggmark
o Loki: Fix ad-hoc filter in dashboard when used with parser. #38542,
@ivanahuckova
o Plugins: Track signed files + add warn log for plugin assets which are not
signed. #38938, @wbrowne
o Postgres/MySQL/MSSQL: Fix region annotations not displayed correctly.
#38936, @marefr
o Prometheus: Fix validate selector in metrics browser. #38921, @ivanahuckova
httpuv 1.6.3
============
* Increased required version of Rcpp to 1.0.7, to work around an
incompatibility between Rcpp 1.0.6 and packages compiled with
Rcpp 1.0.7.
htmlwidgets 1.5.4
-------------------------------------------------------
* Closed #320: `getDependency()` no longer includes an absolute src path in its return value. (#384)
* Fixed #408: An error type-check did not work correctly because it was missing parentheses. (#409)
3.8.0
Add type hints.
Stop distributing tests to reduce package size. Tests are not intended to be run outside of the tox setup in the repository. Repackagers can use GitHub's tarballs per tag.
* Add security/php-sodium as dependency.
Changelog:
Changes
* Manual backport of "No limit in the number of group shares" #27875
(server#27993)
* Extend pending shares list in frontend to include remote shares
(server#28209)
* Allow to disable group membership change notification (server#28231)
* Add h2 to personal info page, fixing accessibility issue (server#28252)
* Add quota restrictions options (server#28256)
* Bump marked from 2.0.6 to 2.0.7 (server#28271)
* Fix CI failures when building settings app (server#28274)
* Check that php was compiled with argon2 support or that the php-sodium
extension is installed (server#28288)
* Allow upgrade from 22.1 (server#28304)
* Bump dompurify from 2.2.8 to 2.2.9 (server#28340)
* Bump @babel/preset-env from 7.14.8 to 7.14.9 (server#28341)
* Bump vue-loader from 15.9.7 to 15.9.8 (server#28342)
* Change the concurrent upload limit to less than 10 (server#28353)
* Fix Folder->getById() when a single storage is mounted multiple times
(server#28359)
* Make "name" column nullable for workflows (server#28384)
* Gracefully handle smb acls for users without a domain (server#28416)
* Add missing files for Composer v2 (server#28441)
* Improve auto expiration hint for trashbin and file versions (server#28446)
* UnifiedSearchController: strip webroot from URL before finding a route
(server#28454)
* Only trap E_ERROR in session handling (server#28470)
* Disable autofocus of primary Email (server#28479)
* Emit an error log when the app token login name does not match
(server#28489)
* Hash cache key (server#28494)
* Fix #20913: Check image resource before attempting to preserve alpha
(server#28499)
* Output exception in cron (server#28518)
* Properly log errors in Movie previews generation (server#28522)
* Fix folder size contained in S3 buckets (server#28534)
* Set alias for result of cast column function (server#28536)
* Do not load versions tab view if the files app is not available
(server#28545)
* Bump webdav from 4.6.0 to 4.6.1 (server#28553)
* Fix UserController tests (server#28568)
* Use case insensitive like when limiting search to jail (server#28573)
* Log exception message during failed ownership transfer share restore
(server#28576)
* Use getGetUnjailedRoot to determine if jailed search needs the path filter
(server#28583)
* 22.1.1-rc2 (server#28590)
* Fix setting up 2FA providers when 2FA is enforced and bc are generated
(server#28596)
* Fix activity design (activity#633)
* Check if `$knownPath` is set before invoking `rtrim()` (circles#776)
* Generate quick members' memberships during migration (circles#779)
* Verify shareType in params (circles#782)
* Details on non-visible (but open) circles (circles#787)
* Fix definition on single circles (circles#788)
* Emulate initiator on CircleJoin (circles#791)
* Owner of NO_OWNER should not have memberships cached (circles#799)
* Fix notification when invited to a circle (circles#800)
* Exception on non visible circle (circles#805)
* Force join_request on old secret circles (circles#806)
* Fix hide download and printing (files_pdfviewer#460)
* Fix body footer hiding (files_pdfviewer#463)
* Disable download for pdf files (files_pdfviewer#469)
* Fix download & print view (files_pdfviewer#473)
* Fix share option being displayed erroneously (files_rightclick#119)
* Give twofactor nextcloud notifications a high priority (notifications#1062)
* Always show the dismiss all button (notifications#1065)
* Fix maria db tests (notifications#1067)
* High priority for the PhoneTrack app (notifications#1070)
* Bump @babel/plugin-transform-modules-commonjs from 7.14.0 to 7.14.5
(text#1732)
* Bump @babel/plugin-transform-classes from 7.14.5 to 7.14.9 (text#1813)
* Bump vue-loader from 15.9.7 to 15.9.8 (text#1814)
* Bump @babel/preset-env from 7.14.5 to 7.14.9 (text#1815)
Upstream changes:
Django 3.2.7 fixes a bug in 3.2.6.
Bugfixes
Fixed a regression in Django 3.2 that caused the incorrect offset extraction from fixed offset timezones (#32992).
Upstream changes:
0.13 2021-02-06 17:26:39-08:00 America/Vancouver
- Internals; avoid allocating memory for each node as we tokenize the
document, and simply use pointers back into original string.
- Dramatically improves performance; local testing shows boost from
~25/s to ~85MB/s
- Improve zero value minification further
- Simplified whitespace compaction
0.12 2021-01-30 21:46:07-08:00 America/Vancouver
- rewrote test suite into a single ".t" test
- GH #1 / RT #97574; whitespace before a ":" in a pseudo-selector is
meaningful and needs to be preserved (e.g. "#link :visited")
- Further reductions of "zero values", when possible
- "00000px" and "0.0px" become "0px"
- "000%" and "0.0%" become "0%"
- units are preserved inside of functions, but eliminated otherwise, and
percentages are always left as percentages
- Optimized whitespace collapsing
- Optimized memory usage and string copying
0.11 2020-12-30 21:27:39-08:00 America/Vancouver
- POD spelling fixes
- Switch to DZil Author Bundle
0.10 2020-12-28 11:00:17-08:00 America/Vancouver
- RT #90879; correct minification of %s in "hsl()" and "hsla()" functions
Thanks to Philipp Soehnlein
- RT #103231; don't remove units on zero values inside of functions.
Thanks to Isaac Montoya, for an additional test case.
- No longer drop units on zero percentages, as those may be required for CSS
animations. Thanks to Isaac Montoya for continuing to poke me on this.
- Now prunes leading whitespace before "!important"
e.g. "color: red !important" becomes "color:red!important"
- Switch to Dist::Zilla
Upstream changes:
0.14 2021-02-06 23:36:36-08:00 America/Vancouver
- rewrote test suite into a single ".t" test
- optimized memory allocations, by allocating Nodes in bulk, and being
smarter about when we need to free/reallocate content buffers in Nodes
- optimize whitespace collapsing
- GH#3 / RT#108682; fix whitespace reduction at end of preserved line
comment. Thanks to Dan Goodliffe
- GH#6; fix unescaped slash in character set, inside of a regex, with thanks
to @faf
0.13 2020-12-30 21:46:29-08:00 America/Vancouver
- POD cleanups; spelling, SYNOPSIS
- Switch to DZil Author Bundle
0.12 2020-12-28 08:31:31-08:00 America/Vancouver
- Switch to GitHub Actions, from Travis-CI.
- Add META links to GitHub repository and issue tracker
- Switch to Dist::Zilla
- Bump minimum required Perl to 5.8.1
- RT #130347; handle ES6 template literals.
Thanks to Robert Rothenberg.
Upstream changes:
@section v2_16 Changes with libapreq2-2.16 (released 17 March, 2021)
- Build [Steve Hay]
Fix file attribute for modules listed as provided in META.yml.
@section v2_15 Changes with libapreq2-2.15 (released 17 November, 2020)
- SECURITY: CVE-2019-12412 (cve.mitre.org)
C API [Max Kellermann]
Fix a NULL pointer dereference when parsing malformed
multipart data in apreq_parse_multipart().
- C API [Yann Ylavic]
In apreq_brigade_concat(), fix memory handling and create
the FILE bucket correctly.
- Build [Petr Pisar]
Fix "make release" on Unix.
@section v2_14 Changes with libapreq2-2.14 (not released)
- Build [stevehay]
Fix httpd-2.4.x build for Win32.
- Build [Richard M Kandarian]
Fix debug build for Win32.
- C API [joes]
Fix mod_apreq2's config merging.
- Perl glue
Updated license info in META.yml
Updated documentation for Apache2::Cookie
Upstream changes:
6.56 2021-08-17 13:57:12Z
- Update the CONTRIBUTING doc to no longer reference TravisCI. (GH #384) (Slaven Rezić)
- Increase test coverage for env_proxy() (GH#383) (Slaven Rezić)
- When a truthy Content-Type is provided, override the default (GH#385)
(Matthew Horsfall (alh))
6.55 2021-06-17 13:57:06Z
- Attempt to avoid rare fails in redirect.t (GH#380) (Arne Johannessen)
6.54 2021-05-06 17:53:56Z
- Be explicit in the prerequisite of HTTP::Status (GH#378) (Max Maischein)
- Remove Authority section from dist.ini (GH#377) (Olaf Alders)
1.4.0 (2021-08-18)
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
Previously, a PI with a name (or "target") matching an allowed tag name
was not scrubbed. There are no known security issues associated with these
PIs, but similar to comments it's preferred to omit these nodes when
possible from sanitized output.
Fixes #115.
Mike Dalessio
1.4.1 (2021-08-18)
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
Some scrubbers will want to override the default behavior and allow
comments, but v1.4.0 only passed through elements to the scrubber's
keep_node? method.
This change once again allows the scrubber to make the decision on comment
nodes, but still skips other non-elements like processing instructions
(see #115).
Mike Dalessio
1.4.2 (2021-08-23)
* Slightly improve performance.
Assuming elements are more common than comments, make one less method call
per node.
1.2.0 (2021-07-12)
Features
* Adding support for streamed responses (#6, @MikeRogers0)
Documentation
* README: Fix a broken link (#4, @olleolleolle)
* README: Fix a Markdown link (f7408a8, @olleolleolle)