Newlines in header values will now be replaced with spaces when being
written to strings or to sockets. This prevents headers that are built
from user data from smuggling unintended headers or requests/responses.
Thanks to @skylerberg for the responsible reporting of this issue, and
helping to keep us all safe!
BREAKING CHANGE: This technically will cause code that calls
`SetCookie.fmt_header` to panic, as it is no longer possible to properly
write that method. Most people should not be doing this at all, and all
other ways of printing headers should work just fine.
The breaking change must occur in a patch version because of the
security nature of the fix.
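The behaviour described in the commit above, as an added example in Rust that is not hyper's own code: a minimal, hypothetical `Headers` type is serialized once naively and once with CR and LF in values replaced by spaces, and a constructed attacker-controlled `Location` value shows the difference a receiving parser would see. The type and function names here are this example's own.

```rust
use std::fmt::Write;

/// Hypothetical minimal header map used only for this example (not hyper's
/// `Headers`): (name, value) pairs kept in insertion order.
pub struct Headers {
    entries: Vec<(String, String)>,
}

impl Headers {
    pub fn new() -> Self {
        Headers { entries: Vec::new() }
    }

    pub fn set(&mut self, name: &str, value: &str) {
        self.entries.push((name.to_string(), value.to_string()));
    }

    /// Naive serialization: the value is copied byte for byte, so a CR/LF
    /// inside user-controlled data ends the current line and whatever
    /// follows is read by the peer as another header (or, after a blank
    /// line, as the body or a second message).
    pub fn write_unsafe(&self) -> String {
        let mut out = String::new();
        for (name, value) in &self.entries {
            write!(out, "{}: {}\r\n", name, value).unwrap();
        }
        out.push_str("\r\n");
        out
    }

    /// Serialization with the fix from the commit above applied: every CR
    /// or LF in a value becomes a space before it reaches the wire, so a
    /// value can never terminate its own line.
    pub fn write_safe(&self) -> String {
        let mut out = String::new();
        for (name, value) in &self.entries {
            out.push_str(name);
            out.push_str(": ");
            for c in value.chars() {
                out.push(if c == '\r' || c == '\n' { ' ' } else { c });
            }
            out.push_str("\r\n");
        }
        out.push_str("\r\n");
        out
    }
}

/// Count header lines the way a receiving parser would: one per CRLF up to
/// the first empty line.
pub fn count_header_lines(wire: &str) -> usize {
    wire.split("\r\n").take_while(|l| !l.is_empty()).count()
}

fn main() {
    // Constructed attacker-controlled input: a redirect target that smuggles
    // a Set-Cookie line behind a CRLF.
    let mut h = Headers::new();
    h.set("Location", "/home\r\nSet-Cookie: session=attacker");
    println!("naive ({} header lines):\n{}", count_header_lines(&h.write_unsafe()), h.write_unsafe());
    println!("fixed ({} header lines):\n{}", count_header_lines(&h.write_safe()), h.write_safe());
}
```

Replacing the line terminators keeps the request usable rather than failing it; an application that would rather reject such input outright should validate the value before it reaches the header map, since by the time it is serialized the only safe options are to neutralize or to drop it. Note that this covers values only; header names built from user data need the same treatment.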
This allows us to improve the performance. For now, a Cow is used
internally, so clients can set the host to a static value and no longer
need copies.
Later, we can change it to also possibly have a MemSlice.
BREAKING CHANGE: The fields of the `Host` header are no longer
available. Use the getter methods instead.
This removes the cookie crate, since it has an optional dependency on
openssl, which can cause massive breakage if toggled on. Instead, the
`Cookie` and `SetCookie` headers now just use a `String`. Anyone can
create any typed header, so it is easy to plug in different
implementations.
BREAKING CHANGE: The `Cookie` and `SetCookie` headers no longer use the
cookie crate. New headers can be written for any header, or the ones
provided in hyper can be accessed as strings.
There are many changes involved with this, but let's just talk about
user-facing changes.
- Creating a `Client` and `Server` now needs a Tokio `Core` event loop
to attach to.
- `Request` and `Response` both no longer implement the
`std::io::{Read,Write}` traits, but instead represent their bodies as a
`futures::Stream` of items, where each item is a `Chunk`.
- The `Client.request` method now takes a `Request`, instead of being
used as a builder, and returns a `Future` that resolves to `Response`.
- The `Handler` trait for servers is no more, and instead the Tokio
`Service` trait is used. This allows interoperability with generic
middleware.
BREAKING CHANGE: A big sweeping set of breaking changes.
Support for strict-origin and strict-origin-when-cross-origin in referrer
policy, required for improving network security. This commit will attempt
to add missing pieces of referrer policy.
The Raw type represents the raw bytes of a header-value.
Having a special type allows a couple of benefits:
- The exact representation has become private, allowing "uglier"
internals. Specifically, since the common case is for a header to only
have 1 line of bytes, an enum is used to skip allocating a Vec for only
1 line. Additionally, a Cow<'static, [u8]> is used, so static bytes
don't require a copy. Finally, since we can use static bytes, when
parsing, we can compare the incoming bytes against a couple of the most
common header-values, and possibly remove another copy.
- As its own type, the `Headers.set_raw` method can be generic over
`Into<Raw>`, which allows for more ergonomic method calls.
BREAKING CHANGE: `Header::parse_header` now receives `&Raw`, instead of
a `&[Vec<u8>]`. `Raw` provides several methods to ease using it, but
may require some changes to existing code.
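An added illustration of the design the commit above describes, written for this page and not taken from hyper: a stand-in `Raw` enum that keeps the single-line case inline, stores lines as `Cow<'static, [u8]>` so static values need no copy, matches incoming bytes against a small assumed list of common values when parsing, and a toy `Headers` whose `set_raw` is generic over `Into<Raw>`. All names and the list of common values are this example's assumptions.

```rust
use std::borrow::Cow;

/// Illustrative stand-in for the `Raw` type (not hyper's own definition):
/// one line is the common case and stored inline; only multi-line headers
/// pay for a Vec.
#[derive(Debug, Clone, PartialEq)]
pub enum Raw {
    One(Cow<'static, [u8]>),
    Many(Vec<Cow<'static, [u8]>>),
}

/// Values common enough that parsing matches them against static bytes
/// instead of copying the input (assumed list for this example).
const COMMON: &[&'static [u8]] = &[b"close", b"keep-alive", b"chunked", b"gzip"];

impl Raw {
    /// Build a Raw from bytes just read off the wire: borrow a static copy
    /// when the value is one we know, otherwise copy into an owned buffer.
    pub fn from_wire(bytes: &[u8]) -> Raw {
        for &known in COMMON {
            if known == bytes {
                return Raw::One(Cow::Borrowed(known));
            }
        }
        Raw::One(Cow::Owned(bytes.to_vec()))
    }

    /// Number of lines this header value carries.
    pub fn len(&self) -> usize {
        match self {
            Raw::One(_) => 1,
            Raw::Many(v) => v.len(),
        }
    }

    /// The single line, if there is exactly one.
    pub fn one(&self) -> Option<&[u8]> {
        match self {
            Raw::One(line) => Some(line.as_ref()),
            Raw::Many(v) if v.len() == 1 => Some(v[0].as_ref()),
            _ => None,
        }
    }

    /// True when the value is a borrowed static slice (no allocation made).
    pub fn is_borrowed(&self) -> bool {
        match self {
            Raw::One(Cow::Borrowed(_)) => true,
            _ => false,
        }
    }

    /// Append a further line, promoting One to Many on first use.
    pub fn push(&mut self, line: Cow<'static, [u8]>) {
        let old = std::mem::replace(self, Raw::Many(Vec::new()));
        *self = match old {
            Raw::One(first) => Raw::Many(vec![first, line]),
            Raw::Many(mut v) => {
                v.push(line);
                Raw::Many(v)
            }
        };
    }
}

impl From<&'static str> for Raw {
    fn from(s: &'static str) -> Raw { Raw::One(Cow::Borrowed(s.as_bytes())) }
}
impl From<String> for Raw {
    fn from(s: String) -> Raw { Raw::One(Cow::Owned(s.into_bytes())) }
}
impl From<Vec<u8>> for Raw {
    fn from(v: Vec<u8>) -> Raw { Raw::One(Cow::Owned(v)) }
}

/// Toy header map showing the `Into<Raw>`-generic setter.
pub struct Headers {
    raw: Vec<(String, Raw)>,
}

impl Headers {
    pub fn new() -> Self { Headers { raw: Vec::new() } }

    pub fn set_raw<V: Into<Raw>>(&mut self, name: &str, value: V) {
        self.raw.push((name.to_string(), value.into()));
    }

    pub fn get_raw(&self, name: &str) -> Option<&Raw> {
        self.raw.iter().find(|(n, _)| n.eq_ignore_ascii_case(name)).map(|(_, r)| r)
    }
}

fn main() {
    let mut h = Headers::new();
    h.set_raw("Connection", "close");          // &'static str: borrowed, no copy
    h.set_raw("X-Trace", format!("id-{}", 42)); // String: owned
    println!("{:?}", h.get_raw("connection"));
    println!("{:?}", Raw::from_wire(b"keep-alive").is_borrowed());
}
```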
Move the extended parameter parser from the Content-Disposition header
implementation into the common header parsing module. This allows crates that
use Hyper to parse RFC 5987-compliant header parameter values.
Add tests based on the examples given in the RFC.
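An added example, not hyper's own implementation, of parsing the RFC 5987 ext-value syntax (`charset'language'pct-encoded`) with only the standard library. The function names, the rejection of malformed percent-escapes, and the restriction to the two charsets the RFC requires (UTF-8 and ISO-8859-1) are this example's choices; the inputs in `main` are the RFC's own examples.

```rust
/// Result of parsing an RFC 5987 ext-value such as `UTF-8'en'%C2%A3%20rates`.
#[derive(Debug, PartialEq)]
pub struct ExtendedValue {
    pub charset: String,
    pub language: Option<String>,
    pub value: String,
}

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Percent-decode into raw bytes; truncated or non-hex escapes are rejected
/// rather than passed through, so garbage never reaches the charset decoder.
fn pct_decode(s: &str) -> Option<Vec<u8>> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            if i + 2 >= bytes.len() {
                return None; // "%" or "%X" at end of input
            }
            let hi = hex_val(bytes[i + 1])?;
            let lo = hex_val(bytes[i + 2])?;
            out.push((hi << 4) | lo);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    Some(out)
}

/// Parse `ext-value = charset "'" [ language ] "'" value-chars`.
pub fn parse_extended_value(input: &str) -> Option<ExtendedValue> {
    let mut parts = input.splitn(3, '\'');
    let charset = parts.next()?;
    let language = parts.next()?;
    let encoded = parts.next()?;
    if charset.is_empty() {
        return None;
    }
    let raw = pct_decode(encoded)?;
    let value = match charset.to_ascii_lowercase().as_str() {
        "utf-8" => String::from_utf8(raw).ok()?,
        // ISO-8859-1 maps each byte to the Unicode code point of the same value.
        "iso-8859-1" => raw.iter().map(|&b| b as char).collect(),
        // RFC 5987 only requires these two; anything else is unsupported here.
        _ => return None,
    };
    Some(ExtendedValue {
        charset: charset.to_string(),
        language: if language.is_empty() { None } else { Some(language.to_string()) },
        value,
    })
}

fn main() {
    // The examples from RFC 5987 section 3.2.2.
    for input in &[
        "iso-8859-1'en'%A3%20rates",
        "UTF-8''%c2%a3%20and%20%e2%82%ac%20rates",
    ] {
        println!("{} => {:?}", input, parse_extended_value(input));
    }
}
```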
There is only one acceptable value for this header, "true", so
the header struct is unit-like (no fields nor data inside). See
documentation and tests for more info. Case insensitive.
Closes #655