1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
|
0.5.48 (22 April 2024)
----------------------
- decompressor: only take erroneous data on first try
- autotools: run autoupdate to modernize build system
0.5.47 (19 March 2024)
----------------------
- request: limit probing after missing protocol
0.5.46 (08 February 2024)
-------------------------
- tx: configurable number of maximum transactions
- htp: offers possibility to remove transactions
- headers: limit the size of folded headers
- request: be more liberal about transfer-encoding value
- request: continue processing even with invalid headers
- http0.9: process headers if there are non-space characters
- htp_util: fix spelling issue
- src: fix -Wshorten-64-to-32 warnings
- uri: normalization removes trailing spaces
0.5.45 (11 July 2023)
---------------------
- log: resist allocation failure
- support HTTP Bearer authentication
0.5.44 (13 June 2023)
---------------------
- response: only trim spaces at headers names end
- response: skips lines before response line
- headers: log a warning for chunks extension
0.5.43 (13 April 2023)
----------------------
- htp: do not log content-encoding: none
- htp: do not error on multiple 100 Continue
- readme: remove note on libhtp not being stable
- uri: fix compile warning strict-prototypes
- bstr: fix compile warning strict-prototypes
- fuzz_diff: Free the rust test object.
- github: add CIFuzz workflow
0.5.42 (27 November 2022)
-------------------------
- github: add initial workflow
- htp: fixes warning about bad delimiter in URI
- fuzz: fix a null dereference in a diff report
- htp: fixes warning about integer
0.5.41 (27 September 2022)
--------------------------
- trim white space of invalid folding for first header
- clear buffered data for body data
- minor optimization for decompression code
0.5.40 (21 April 2022)
----------------------
- uri: optionally allows spaces in uri
- ints: integer handling improvements
- headers: continue on nul byte
- headers: consistent trailing space handling
- list: fix integer overflow
- util: remove unused htp_utf8_decode
- fix 100-continue with CL 0
- lzma: don't do unnecessary realloc
0.5.39 (16 November 2021)
-------------------------
- host: ipv6 address is a valid host
- util: one char is not always empty line
- test and fuzz improvements
0.5.38 (30 June 2021)
---------------------
- consume empty lines when parsing chunks to avoid quadratic complexity
- autotools fix for cygwin
0.5.37 (2 March 2021)
---------------------
- support request body decompression
- several accuracy fixes
- fuzz improvments
0.5.36 (3 December 2020)
------------------------
- fix a http pipelining issue (#304, fixed by #312)
0.5.35 (8 October 2020)
-----------------------
- fix memory leak in tunnel traffoc
- fix case where chunked data causes excessive CPU use
0.5.34 (11 September 2020)
--------------------------
- support data GAP handling
- support 100-continue Expect
- lzma: give more control over settings
0.5.33 (27 April 2020)
----------------------
- compression bomb protection
- memory handling issue found by Oss-Fuzz
- improve handling of anomalies in traffic
0.5.32 (13 December 2019)
--------------------------
- bug fixes around pipelining
0.5.31 (24 September 2019)
--------------------------
- various improvements related to 'HTTP Evader'
- various fixes for issues found by oss-fuzz
- adds optional LZMA decompression
0.5.30 (07 March 2019)
----------------------
- array/list handing optimization by Philippe Antoine for an issue found be oss-fuzz
- improved Windows support
- fuzz targets improvements by Philippe Antoine
- packaging improvements by Fabrice Fontaine
- install doc improved by Wenhui Zhang
0.5.29 (21 December 2018)
-------------------------
- prepare for oss-fuzz integration, by Philippe Antoine
- fix undefined behavior signed int overflow
- make status code parsing more robust
0.5.28 (5 November 2018)
------------------------
- Fix potential memory leaks
- Fix string truncation compile warning
0.5.27 (18 July 2018)
---------------------
- Folded header field can be parsed as separate if there are no data available to peek into [#159]
- libhtp crash at deal multiple decompression [#158]
- Fix configure flag handling
- Fix auth/digist header parsing out of bounds read
0.5.26 (13 February 2018)
-------------------------
- allow missing requests [#128, #163]
- fix memory leak when response line is body [#161]
- fix build on MinGW [#162]
- fix gcc7 compiler warnings [#157]
0.5.25 (28 June 2017)
---------------------
- underscore in htp_validate_hostname [#149]
- fix SONAME issue [#151]
- remove unrelated docbook code from tree [#153]
0.5.24 (07 June 2017)
---------------------
- fix HTTP connect handling issue [#150]
0.5.23 (01 November 2016)
--------------------------
- enable -fPIC by default if supported and enable stack protection options on *BSD [#145]
0.5.22 (06 September 2016)
--------------------------
- on "101 Switching Protocols", treat connection as a tunnel [#141]
- Fix warning on OS X. [#142]
0.5.21 (13 July 2016)
---------------------
- compression: fixed 'response_decompression_enabled' being
ignored in case of multiple encodings [#140]
0.5.20 (7 June 2016)
--------------------
- compression: support multiple layers of compressed content [#133]
- compression: opportunistic decompression [#137]
- compression: implement rfc1950 deflate [#136]
- chunked: handle mismatch between header and body [#135]
- chunked: handle malformed chunked lengths [#134]
0.5.19 (22 March 2016)
----------------------
- configure: improve strlcpy/strlcat checks [Victor Julien]
- Fix uninitialized htp_tx_t::is_last value in htp_decompressors.c [Fedor Sakharov]
- headers: fix memory leak on malformed headers [Victor Julien]
- connect: handle response headers with 200 response [Victor Julien]
0.5.18 (25 September 2015)
--------------------------
- Fixed [#120] Trigger request line parsing on
incomplete request [Victor Julien]
- Fixed [#119] Fix uninitialized htp_tx_t::is_last value
in in htp_tx_res_process_body_data_ex() [Fedor Sakharov]
- Fixed [#118] Coverity-identified missing break in switch [Sam Baskinger]
- Fixed [#117] Coverity-identified issue of not checking
malloc() return value [Sam Baskinger]
- Fixed [#116] Fix coverity-identified leaked file descriptors
in unit test [Sam Baskinger]
- Fixed [#113] fix pkgconfig include dir [Eric Leblond]
- Fixed [#111] Connect plain http [Victor Julien]
- Fixed [#105] Do not invoke callbacks in htp_req_run_hook_body_data()
when there is no tx running. [Sam Baskinger]
- Fixed [#104] Modifiying HTTP methods to be rfc3253 compliant [Andreas Moe]
- Fixed [#103] Fixes [Victor Julien]
- Fixed [#101] Make including the autoconf config header safer [Brian Rectanus]
0.5.17 (25 February 2015)
-------------------------
- Fix URI parsing for non-std 'space' chars
[Fixed by Victor Julien / Reported by Darien Huss from Emerging Threats]
- Fixing buffer overrun that was failing clang
-fsanitize=address checks [Sam Baskinger]
- Replace strcat/sprintf by strlcat/snprintf [Giuseppe Longo]
- Fix autogen on CentOS 5.11 [Victor Julien]
- Fix dereferencing type-punned pointer on CentOS 5.11 [Giuseppe Longo]
- Fix warning on OpenBSD [Giuseppe Longo]
0.5.16 (11 December 2014)
-------------------------
- Per personality requestline leading whitespace handling [Victor Julien]
- Improve request line parsing with leading spaces [Victor Julien]
- Harden decompress code against memory stress [Victor Julien]
0.5.15 (1 August 2014)
----------------------
- Fixed [#78] Make a case-insensitive comparision for the pattern "chunked"
for "Transfer-Encoding" [Anoop Saldanha]
0.5.14 (22 July 2014)
---------------------
- Fixed the tests sometimes not returning the correct status code. Increased the
the compiler warnings for the tests.
- Fixed [#77] Fix compiler warnings in the tests
0.5.13 (16 July 2014)
---------------------
- Fixed [#56] Investigate clean-up performance with a large number of transactions
on a single connection
0.5.12 (25 June 2014)
---------------------
- Fixed [#73] Fix double Content-Length issue [Wesley Shields]
0.5.11 (5 April 2014)
---------------------
- Fixed [#72] On CONNECT requests inbound tx progress prematurely set to complete
- Fixed [#71] Fix missing files in distribution target [Pierre Chifflier]
0.5.10 (3 March 2014)
--------------------
- Fixed [#63] Final response body data callback missing on compressed responses.
- Do not consume the byte that comes after an invalid UTF-8 character.
- Use case insensitive comparison for content-coding values. Warn if unknown
response content encoding is encountered.
- Small fixes. [#66, #69] [Victor Julien]
0.5.9 (19 November 2013)
------------------------
- Fixed an HTP_HOST_AMBIGUOUS false positive.
- Fixed the tests not compiling on OS X 10.9.
0.5.8 (21 October 2013)
-----------------------
- Fixed [#54] Compression and base64 tests failing on some architectures.
- Fixed [#55] Incorrect ambiguous host warning on some CONNECT requests.
0.5.7 (18 September 2013)
-------------------------
- Use umask() with mkstemp() to ensure that temporary files are created with correct
permissions. This addresses the potential security problem, but creates another, because
umask() is not thread safe. For this and other reasons (see #52), file extraction will be
removed in a future release.
- Fix copying hook_response_complete instead of hook_transaction_complete.
- Fix several small memory leaks that occur when memory allocation fails.
0.5.6 (22 July 2013)
-------------------
- Fix memory leaks in htp_tx_t::request_auth_username and htp_tx_t::request_auth_password.
- [#43] When processing the response line, treat stream closure as the end of line.
- Fix normalization when the URL begins with "./".
- Do not fail a stream with an incorrectly formed digest username.
- Do not stop processing request headers on PUT requests.
0.5.5 (18 July 2013)
--------------------
- Tagging for a Suricata beta release.
- [#46] Fix the segfault that occurs under certain conditions when an invalid hostname is supplied.
- [#44] Fix libiconv detection on OpenBSD. [Victor Julien]
0.5.4 (17 July 2013)
--------------------
- Tagging for a Suricata beta release.
- Added htp_get_version(), which returns the complete library name (e.g., "LibHTP v0.5.4").
- Hard field limit is now treated as specifying the maximum amount of memory LibHTP
will use for buffering per stream. Fields (e.g., headers) longer than this limit
will be accepted if they are contained within a single buffer submitted to LibHTP (i.e.,
if LibHTP does not have to do any buffering in order to process them). Soft limits
are currently not creating any warnings. This area will be improved in a future release.
- Invalid headers no longer fail the entire stream. They are now treated as
headers without a name.
- htp_conn_remove_tx() now returns HTP_DECLINED (was HTTP_ERROR) if the
specified transaction cannot be found.
- htp_list_array_replace() now returns HTP_DECLINED (was HTP_ERROR) if the element at the
specified position does not exist.
- New public functions:
htp_status_t htp_urldecode_inplace(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags);
htp_status_t htp_urldecode_inplace_ex(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags, int *expected_status_code);
- Improved test coverage (84.1% lines, 91.3% functions).
0.5.3 (14 June 2013)
--------------------
- Fix stream error when valid Basic Authentication information is provided.
- Do not fail the entire stream if the Authorization header is invalid. Raise HTP_AUTH_INVALID instead.
- When a request does not contain the request URI, leave htp_tx_t::request_uri NULL.
|