1 files changed, 473 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 0000000..d1d2396
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,473 @@
+0.5.47 (19 March 2024)
+----------------------
+
+- request: limit probing after missing protocol
+
+0.5.46 (08 February 2024)
+-------------------------
+
+- tx: configurable number of maximum transactions
+
+- htp: offers possibility to remove transactions
+
+- headers: limit the size of folded headers
+
+- request: be more liberal about transfer-encoding value
+
+- request: continue processing even with invalid headers
+
+- http0.9: process headers if there are non-space characters
+
+- htp_util: fix spelling issue
+
+- src: fix -Wshorten-64-to-32 warnings
+
+- uri: normalization removes trailing spaces
+
+0.5.45 (11 July 2023)
+---------------------
+
+- log: resist allocation failure
+
+- support HTTP Bearer authentication
+
+0.5.44 (13 June 2023)
+---------------------
+
+- response: only trim spaces at headers names end
+
+- response: skips lines before response line
+
+- headers: log a warning for chunks extension
+
+0.5.43 (13 April 2023)
+----------------------
+
+- htp: do not log content-encoding: none
+
+- htp: do not error on multiple 100 Continue
+
+- readme: remove note on libhtp not being stable
+
+- uri: fix compile warning strict-prototypes
+
+- bstr: fix compile warning strict-prototypes
+
+- fuzz_diff: Free the rust test object.
+
+- github: add CIFuzz workflow
+
+0.5.42 (27 November 2022)
+-------------------------
+
+- github: add initial workflow
+
+- htp: fixes warning about bad delimiter in URI
+
+- fuzz: fix a null dereference in a diff report
+
+- htp: fixes warning about integer
+
+0.5.41 (27 September 2022)

+--------------------------

+

+- trim white space of invalid folding for first header

+

+- clear buffered data for body data

+

+- minor optimization for decompression code

+

+0.5.40 (21 April 2022)

+----------------------

+

+- uri: optionally allows spaces in uri

+

+- ints: integer handling improvements

+

+- headers: continue on nul byte

+

+- headers: consistent trailing space handling

+

+- list: fix integer overflow

+

+- util: remove unused htp_utf8_decode

+

+- fix 100-continue with CL 0

+

+- lzma: don't do unnecessary realloc

+

+0.5.39 (16 November 2021)

+-------------------------

+

+- host: ipv6 address is a valid host

+

+- util: one char is not always empty line

+

+- test and fuzz improvements

+

+0.5.38 (30 June 2021)

+---------------------

+

+- consume empty lines when parsing chunks to avoid quadratic complexity

+

+- autotools fix for cygwin

+

+0.5.37 (2 March 2021)

+---------------------

+

+- support request body decompression

+

+- several accuracy fixes

+

+- fuzz improvments 

+

+0.5.36 (3 December 2020)

+------------------------

+

+- fix a http pipelining issue (#304, fixed by #312)

+

+0.5.35 (8 October 2020)

+-----------------------

+

+- fix memory leak in tunnel traffoc

+

+- fix case where chunked data causes excessive CPU use

+

+0.5.34 (11 September 2020)

+--------------------------

+

+- support data GAP handling

+

+- support 100-continue Expect

+

+- lzma: give more control over settings

+

+0.5.33 (27 April 2020)

+----------------------

+

+- compression bomb protection

+

+- memory handling issue found by Oss-Fuzz

+

+- improve handling of anomalies in traffic

+

+0.5.32 (13 December 2019)

+--------------------------

+

+- bug fixes around pipelining

+

+0.5.31 (24 September 2019)

+--------------------------

+

+- various improvements related to 'HTTP Evader'

+

+- various fixes for issues found by oss-fuzz

+

+- adds optional LZMA decompression

+

+0.5.30 (07 March 2019)

+----------------------

+

+- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz

+

+- improved Windows support

+

+- fuzz targets improvements by Philippe Antoine

+

+- packaging improvements by Fabrice Fontaine

+

+- install doc improved by Wenhui Zhang

+

+0.5.29 (21 December 2018)

+-------------------------

+

+- prepare for oss-fuzz integration, by Philippe Antoine

+

+- fix undefined behavior signed int overflow

+

+- make status code parsing more robust

+

+0.5.28 (5 November 2018)

+------------------------

+

+- Fix potential memory leaks

+

+- Fix string truncation compile warning

+

+0.5.27 (18 July 2018)

+---------------------

+

+- Folded header field can be parsed as separate if there are no data available to peek into [#159]

+

+- libhtp crash at deal multiple decompression [#158]

+

+- Fix configure flag handling

+

+- Fix auth/digist header parsing out of bounds read

+

+0.5.26 (13 February 2018)

+-------------------------

+

+- allow missing requests [#128, #163]

+

+- fix memory leak when response line is body [#161]

+

+- fix build on MinGW [#162]

+

+- fix gcc7 compiler warnings [#157]

+

+0.5.25 (28 June 2017)

+---------------------

+

+- underscore in htp_validate_hostname [#149]

+

+- fix SONAME issue [#151]

+

+- remove unrelated docbook code from tree [#153]

+

+0.5.24 (07 June 2017)

+---------------------

+

+- fix HTTP connect handling issue [#150]

+

+0.5.23 (01 November 2016)

+--------------------------

+

+- enable -fPIC by default if supported and enable stack protection options on *BSD [#145]

+

+0.5.22 (06 September 2016)

+--------------------------

+

+- on "101 Switching Protocols", treat connection as a tunnel [#141]

+

+-  Fix warning on OS X. [#142]

+

+0.5.21 (13 July 2016)

+---------------------

+

+- compression: fixed 'response_decompression_enabled' being

+  ignored in case of multiple encodings [#140]

+

+0.5.20 (7 June 2016)

+--------------------

+

+- compression: support multiple layers of compressed content [#133]

+

+- compression: opportunistic decompression [#137]

+

+- compression: implement rfc1950 deflate [#136]

+

+- chunked: handle mismatch between header and body [#135]

+

+- chunked: handle malformed chunked lengths [#134]

+

+0.5.19 (22 March 2016)

+----------------------

+

+- configure: improve strlcpy/strlcat checks [Victor Julien]

+

+- Fix uninitialized htp_tx_t::is_last value in htp_decompressors.c [Fedor Sakharov]

+

+- headers: fix memory leak on malformed headers [Victor Julien]

+

+- connect: handle response headers with 200 response [Victor Julien]

+

+0.5.18 (25 September 2015)

+--------------------------

+

+- Fixed [#120] Trigger request line parsing on

+  incomplete request [Victor Julien]

+

+- Fixed [#119] Fix uninitialized htp_tx_t::is_last value

+  in in htp_tx_res_process_body_data_ex() [Fedor Sakharov]

+

+- Fixed [#118] Coverity-identified missing break in switch [Sam Baskinger]

+

+- Fixed [#117] Coverity-identified issue of not checking

+  malloc() return value [Sam Baskinger]

+

+- Fixed [#116] Fix coverity-identified leaked file descriptors

+  in unit test [Sam Baskinger]

+

+- Fixed [#113] fix pkgconfig include dir [Eric Leblond]

+

+- Fixed [#111] Connect plain http [Victor Julien]

+

+- Fixed [#105] Do not invoke callbacks in htp_req_run_hook_body_data()

+  when there is no tx running. [Sam Baskinger]

+

+- Fixed [#104] Modifiying HTTP methods to be rfc3253 compliant [Andreas Moe]

+

+- Fixed [#103] Fixes [Victor Julien]

+

+- Fixed [#101] Make including the autoconf config header safer [Brian Rectanus]

+

+0.5.17 (25 February 2015)

+-------------------------

+

+- Fix URI parsing for non-std 'space' chars

+  [Fixed by Victor Julien / Reported by Darien Huss from Emerging Threats]

+

+- Fixing buffer overrun that was failing clang

+  -fsanitize=address checks [Sam Baskinger]

+

+- Replace strcat/sprintf by strlcat/snprintf [Giuseppe Longo]

+

+- Fix autogen on CentOS 5.11 [Victor Julien]

+

+- Fix dereferencing type-punned pointer on CentOS 5.11 [Giuseppe Longo]

+

+- Fix warning on OpenBSD [Giuseppe Longo]

+

+

+0.5.16 (11 December 2014)

+-------------------------

+

+- Per personality requestline leading whitespace handling [Victor Julien]

+

+- Improve request line parsing with leading spaces [Victor Julien]

+

+- Harden decompress code against memory stress [Victor Julien]

+

+

+0.5.15 (1 August 2014)

+----------------------

+

+- Fixed [#78] Make a case-insensitive comparision for the pattern "chunked"

+  for "Transfer-Encoding" [Anoop Saldanha]

+

+

+0.5.14 (22 July 2014)

+---------------------

+

+- Fixed the tests sometimes not returning the correct status code. Increased the

+  the compiler warnings for the tests.

+

+- Fixed [#77] Fix compiler warnings in the tests

+

+

+0.5.13 (16 July 2014)

+---------------------

+

+- Fixed [#56] Investigate clean-up performance with a large number of transactions

+  on a single connection

+

+

+0.5.12 (25 June 2014)

+---------------------

+

+- Fixed [#73] Fix double Content-Length issue [Wesley Shields]

+

+

+0.5.11 (5 April 2014)

+---------------------

+

+- Fixed [#72] On CONNECT requests inbound tx progress prematurely set to complete

+

+- Fixed [#71] Fix missing files in distribution target [Pierre Chifflier]

+

+

+0.5.10 (3 March 2014)

+--------------------

+

+- Fixed [#63] Final response body data callback missing on compressed responses.

+

+- Do not consume the byte that comes after an invalid UTF-8 character.

+

+- Use case insensitive comparison for content-coding values. Warn if unknown

+  response content encoding is encountered.

+

+- Small fixes. [#66, #69] [Victor Julien]

+

+

+0.5.9 (19 November 2013)

+------------------------

+

+- Fixed an HTP_HOST_AMBIGUOUS false positive.

+

+- Fixed the tests not compiling on OS X 10.9.

+

+

+0.5.8 (21 October 2013)

+-----------------------

+

+- Fixed [#54] Compression and base64 tests failing on some architectures.

+

+- Fixed [#55] Incorrect ambiguous host warning on some CONNECT requests.

+

+

+0.5.7 (18 September 2013)

+-------------------------

+

+- Use umask() with mkstemp() to ensure that temporary files are created with correct

+  permissions. This addresses the potential security problem, but creates another, because

+  umask() is not thread safe. For this and other reasons (see #52), file extraction will be

+  removed in a future release.

+

+- Fix copying hook_response_complete instead of hook_transaction_complete.

+

+- Fix several small memory leaks that occur when memory allocation fails.

+

+

+0.5.6 (22 July 2013)

+-------------------

+

+- Fix memory leaks in htp_tx_t::request_auth_username and htp_tx_t::request_auth_password.

+

+- [#43] When processing the response line, treat stream closure as the end of line.

+

+- Fix normalization when the URL begins with "./".

+

+- Do not fail a stream with an incorrectly formed digest username.

+

+- Do not stop processing request headers on PUT requests.

+

+

+0.5.5 (18 July 2013)

+--------------------

+

+- Tagging for a Suricata beta release.

+

+- [#46] Fix the segfault that occurs under certain conditions when an invalid hostname is supplied.

+

+- [#44] Fix libiconv detection on OpenBSD. [Victor Julien]

+

+

+0.5.4 (17 July 2013)

+--------------------

+

+- Tagging for a Suricata beta release.

+

+- Added htp_get_version(), which returns the complete library name (e.g., "LibHTP v0.5.4").

+

+- Hard field limit is now treated as specifying the maximum amount of memory LibHTP

+  will use for buffering per stream. Fields (e.g., headers) longer than this limit

+  will be accepted if they are contained within a single buffer submitted to LibHTP (i.e.,

+  if LibHTP does not have to do any buffering in order to process them). Soft limits

+  are currently not creating any warnings. This area will be improved in a future release.

+

+- Invalid headers no longer fail the entire stream. They are now treated as

+  headers without a name.

+

+- htp_conn_remove_tx() now returns HTP_DECLINED (was HTTP_ERROR) if the

+  specified transaction cannot be found.

+

+- htp_list_array_replace() now returns HTP_DECLINED (was HTP_ERROR) if the element at the

+  specified position does not exist.

+

+- New public functions:

+

+  htp_status_t htp_urldecode_inplace(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags);

+  htp_status_t htp_urldecode_inplace_ex(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags, int *expected_status_code);

+

+- Improved test coverage (84.1% lines, 91.3% functions).

+

+

+0.5.3 (14 June 2013)

+--------------------

+

+- Fix stream error when valid Basic Authentication information is provided.

+

+- Do not fail the entire stream if the Authorization header is invalid. Raise HTP_AUTH_INVALID instead.

+

+- When a request does not contain the request URI, leave htp_tx_t::request_uri NULL.