In the spirit of Postel's law, ignore invalid cookies rather than
completely discard the entire Cookie header, which is what the current
code does, and which will lead to confusion when dealing with headers
with invalid cookies injected by proxies and intermediate apps servers.
The `Cookie` header now has 'set' and `get` methods, to treat the list of
cookies as a map.
Closes#1145
BREAKING CHANGE: The `Cookie` header is no longer a wrapper over a
`Vec<String>`. It must be accessed via its `get` and `append` methods.
This makes the `u16` in `Quality` private, since it only has a valid
range of 0-1000, and can't be enforced in public. The `q` function now
allows both `f32`s and `u16`s to construct a `Quality`.
BREAKING CHANGE: Any use of `Quality(num)` should change to `q(num)`.
This removes the need for someone to use the `time` crate to create a
date compatible with HTTP headers. It now works with the `SystemTime`
type from the standard library.
BREAKING CHANGE: `HttpDate` no longer has public fields. Convert between
`HttpDate` and `SystemTime` as needed.
They can be re-added later, removing now prevents that fix from being a
breaking change.
BREAKING CHANGE: The `link_extensions` methods of the `Link` header are
removed until fixed.
The `header::Formatter` ensures that a formatted header is written to a
line, and allows for headers that require multiple lines. The only
header to specifically require this is `Set-Cookie`.
BREAKING CHANGE: The `fmt_header` method has changed to take a different
formatter. In most cases, if your header also implements
`fmt::Display`, you can just call `f.fmt_line(self)`.
The `TE` header is used by a client to specify which
transfer encodings other than `chunked` it will accept.
It also specifies whether HTTP trailers are acceptable.
This commit also adds a `Trailers` variant to the
`hyper::header::shared::Encoding` enum.
Closes#1109
BREAKING CHANGE: The `Encoding` enum has an additional
variant, `Trailers`.
Change the internal representation of Origin to be more allocator
friendly. The internals of the Origin header are now private to allow
changing them in the future.
BREAKING CHANGES:
- Old code that accesses the Origin struct directly will stop working.
Change the internal implementation of some simple headers to make them
more allocator friendly. Also add a constructor method to allow changing
the implementation in the future again.
The headers are:
- Location
- Referrer
- Server
- UserAgent
This change was suggested in [#1104].
BREAKING CHANGES:
- Old code that creates the header structs directly will stop working.
- It's not possible to implement DerefMut for a Cow<'static,str>. Code
that needs to modify header after creation will stop working.
BREAKING CHANGE: The `Url` type is no longer used. Any instance in the
`Client` API has had it replaced with `hyper::Uri`.
This also means `Error::Uri` has changed types to
`hyper::error::UriError`.
The type `hyper::header::parsing::HTTP_VALUE` has been made private,
as an implementation detail. The function `http_percent_encoding`
should be used instead.
1. index out of bounds if semicolon is the last character
2. not a char boundary on non-ASCII input (only allow ASCII now)
Bugs found using `cargo fuzz`
BREAKING CHANGE: The `Preference` header had a typo in a variant and it's string representation,
change `Preference::HandlingLeniant` to `Preference::HandlingLenient`.
Newlines in header values will now be replaced with spaces when being
written to strings or to sockets. This prevents headers that are built
from user data to smuggle unintended headers or requests/responses.
Thanks to @skylerberg for the responsible reporting of this issue, and
helping to keep us all safe!
BREAKING CHANGE: This technically will cause code that a calls
`SetCookie.fmt_header` to panic, as it is no longer to properly write
that method. Most people should not be doing this at all, and all
other ways of printing headers should work just fine.
The breaking change must occur in a patch version because of the
security nature of the fix.
This allows us to improve the performance. For now, a Cow is used
internally, so clients can set the host to a static value and no longer
need copies.
Later, we can change it to also possibly have a MemSlice.
BREAKING CHANGE: The fields of the `Host` header are no longer
available. Use the getter methods instead.
This removes the cookie crate, since it has an optional dependency on
openssl, which can cause massive breakage if toggled on. Instead, the
`Cookie` and `SetCookie` headers now just use a `String`. Anyone can
create any typed header, so it is easy to plug in different
implementations.
BREAKING CHANGE: The `Cookie` and `SetCookie` headers no longer use the
cookie crate. New headers can be written for any header, or the ones
provided in hyper can be accessed as strings.
There are many changes involved with this, but let's just talk about
user-facing changes.
- Creating a `Client` and `Server` now needs a Tokio `Core` event loop
to attach to.
- `Request` and `Response` both no longer implement the
`std::io::{Read,Write}` traits, but instead represent their bodies as a
`futures::Stream` of items, where each item is a `Chunk`.
- The `Client.request` method now takes a `Request`, instead of being
used as a builder, and returns a `Future` that resolves to `Response`.
- The `Handler` trait for servers is no more, and instead the Tokio
`Service` trait is used. This allows interoperability with generic
middleware.
BREAKING CHANGE: A big sweeping set of breaking changes.
Support for strict-origin and strict-origin-when-cross-origin in referer
policy required for imporving network security. This commit will attempt
to add missing pieces of referrer policy.
The Raw type repesents the raw bytes of a header-value.
Having a special type allows a couple of benefits:
- The exact representation has become private, allowing "uglier"
internals. Specifically, since the common case is for a header to only
have 1 line of bytes, an enum is used to skip allocating a Vec for only
1 line. Additionally, a Cow<'static, [u8]> is used, so static bytes
don't require a copy. Finally, since we can use static bytes, when
parsing, we can compare the incoming bytes against a couple of the most
common header-values, and possibly remove another copy.
- As its own type, the `Headers.set_raw` method can be generic over
`Into<Raw>`, which allows for more ergnomic method calls.
BREAKING CHANGE: `Header::parse_header` now receives `&Raw`, instead of
a `&[Vec<u8>]`. `Raw` provides several methods to ease using it, but
may require some changes to existing code.
