Newlines in header values will now be replaced with spaces when being
written to strings or to sockets. This prevents headers that are built
from user data to smuggle unintended headers or requests/responses.
Thanks to @skylerberg for the responsible reporting of this issue, and
helping to keep us all safe!
BREAKING CHANGE: This technically will cause code that a calls
`SetCookie.fmt_header` to panic, as it is no longer to properly write
that method. Most people should not be doing this at all, and all
other ways of printing headers should work just fine.
The breaking change must occur in a patch version because of the
security nature of the fix.
Improve parse_authority safety with match, replace unwrap.
Also, refactor code in contains("://") block using result from the
parse_authority to also use match.
https://github.com/hyperium/hyper/issues/1022
Add default path ("/") for absolute-form, even if not included.
This change assumes self.scheme().is_some() indicates that the Uri
is in absolute-form.
Issue:
https://github.com/hyperium/hyper/issues/1022
Parsing "http://host:80" caused panic (index out of bound) because the
authority end index was computed with the original uri but the uri
stored for later used was sanitized by `Url::parse()` to "http://host"
The fix computes the autority end index with the actual uri used (the
one from `Url::parse()`). Two tests have been added.
The main changes are:
* The entry point is how `Http`, the implementation of `ServerProto`.
This type has a `new` constructor as well as builder methods to
configure it.
* A high-level entry point of `Http::bind` was added which returns a
`Server`. Binding a protocol to a port requires a socket address
(where to bind) as well as the instance of `NewService`. Internally
this creates a core and a TCP listener.
* The returned `Server` has a few methods to learn about itself, e.g.
`local_addr` and `handle`, but mainly has two methods: `run` and
`run_until`.
* The `Server::run` entry point will execute a server infinitely, never
having it exit.
* The `Server::run_until` method is intended as a graceful shutdown
mechanism. When the provided future resolves the server stops
accepting connections immediately and then waits for a fixed period of
time for all active connections to get torn down, after which the
whole server is torn down anyway.
* Finally a `Http::bind_connection` method exists as a low-level entry
point to spawning a server connection. This is used by `Server::run`
as is intended for external use in other event loops if necessary or
otherwise low-level needs.
BREAKING CHANGE: `Server` is no longer the pimary entry point. Instead,
an `Http` type is created and then either `bind` to receiver a `Server`,
or it can be passed to other Tokio things.
This allows us to improve the performance. For now, a Cow is used
internally, so clients can set the host to a static value and no longer
need copies.
Later, we can change it to also possibly have a MemSlice.
BREAKING CHANGE: The fields of the `Host` header are no longer
available. Use the getter methods instead.
This removes the cookie crate, since it has an optional dependency on
openssl, which can cause massive breakage if toggled on. Instead, the
`Cookie` and `SetCookie` headers now just use a `String`. Anyone can
create any typed header, so it is easy to plug in different
implementations.
BREAKING CHANGE: The `Cookie` and `SetCookie` headers no longer use the
cookie crate. New headers can be written for any header, or the ones
provided in hyper can be accessed as strings.
There are many changes involved with this, but let's just talk about
user-facing changes.
- Creating a `Client` and `Server` now needs a Tokio `Core` event loop
to attach to.
- `Request` and `Response` both no longer implement the
`std::io::{Read,Write}` traits, but instead represent their bodies as a
`futures::Stream` of items, where each item is a `Chunk`.
- The `Client.request` method now takes a `Request`, instead of being
used as a builder, and returns a `Future` that resolves to `Response`.
- The `Handler` trait for servers is no more, and instead the Tokio
`Service` trait is used. This allows interoperability with generic
middleware.
BREAKING CHANGE: A big sweeping set of breaking changes.
