1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
0.5.17 (25 February 2015)
-------------------------
- Fix URI parsing for non-std 'space' chars
[Fixed by Victor Julien / Reported by Darien Huss from Emerging Threats]
- Fixing buffer overrun that was failing clang
-fsanitize=address checks [Sam Baskinger]
- Replace strcat/sprintf by strlcat/snprintf [Giuseppe Longo]
- Fix autogen on CentOS 5.11 [Victor Julien]
- Fix dereferencing type-punned pointer on CentOS 5.11 [Giuseppe Longo]
- Fix warning on OpenBSD [Giuseppe Longo]
0.5.16 (11 December 2014)
-------------------------
- Per personality requestline leading whitespace handling [Victor Julien]
- Improve request line parsing with leading spaces [Victor Julien]
- Harden decompress code against memory stress [Victor Julien]
0.5.15 (1 August 2014)
----------------------
- Fixed [#78] Make a case-insensitive comparision for the pattern "chunked"
for "Transfer-Encoding" [Anoop Saldanha]
0.5.14 (22 July 2014)
---------------------
- Fixed the tests sometimes not returning the correct status code. Increased the
the compiler warnings for the tests.
- Fixed [#77] Fix compiler warnings in the tests
0.5.13 (16 July 2014)
---------------------
- Fixed [#56] Investigate clean-up performance with a large number of transactions
on a single connection
0.5.12 (25 June 2014)
---------------------
- Fixed [#73] Fix double Content-Length issue [Wesley Shields]
0.5.11 (5 April 2014)
---------------------
- Fixed [#72] On CONNECT requests inbound tx progress prematurely set to complete
- Fixed [#71] Fix missing files in distribution target [Pierre Chifflier]
0.5.10 (3 March 2014)
--------------------
- Fixed [#63] Final response body data callback missing on compressed responses.
- Do not consume the byte that comes after an invalid UTF-8 character.
- Use case insensitive comparison for content-coding values. Warn if unknown
response content encoding is encountered.
- Small fixes. [#66, #69] [Victor Julien]
0.5.9 (19 November 2013)
------------------------
- Fixed an HTP_HOST_AMBIGUOUS false positive.
- Fixed the tests not compiling on OS X 10.9.
0.5.8 (21 October 2013)
-----------------------
- Fixed [#54] Compression and base64 tests failing on some architectures.
- Fixed [#55] Incorrect ambiguous host warning on some CONNECT requests.
0.5.7 (18 September 2013)
-------------------------
- Use umask() with mkstemp() to ensure that temporary files are created with correct
permissions. This addresses the potential security problem, but creates another, because
umask() is not thread safe. For this and other reasons (see #52), file extraction will be
removed in a future release.
- Fix copying hook_response_complete instead of hook_transaction_complete.
- Fix several small memory leaks that occur when memory allocation fails.
0.5.6 (22 July 2013)
-------------------
- Fix memory leaks in htp_tx_t::request_auth_username and htp_tx_t::request_auth_password.
- [#43] When processing the response line, treat stream closure as the end of line.
- Fix normalization when the URL begins with "./".
- Do not fail a stream with an incorrectly formed digest username.
- Do not stop processing request headers on PUT requests.
0.5.5 (18 July 2013)
--------------------
- Tagging for a Suricata beta release.
- [#46] Fix the segfault that occurs under certain conditions when an invalid hostname is supplied.
- [#44] Fix libiconv detection on OpenBSD. [Victor Julien]
0.5.4 (17 July 2013)
--------------------
- Tagging for a Suricata beta release.
- Added htp_get_version(), which returns the complete library name (e.g., "LibHTP v0.5.4").
- Hard field limit is now treated as specifying the maximum amount of memory LibHTP
will use for buffering per stream. Fields (e.g., headers) longer than this limit
will be accepted if they are contained within a single buffer submitted to LibHTP (i.e.,
if LibHTP does not have to do any buffering in order to process them). Soft limits
are currently not creating any warnings. This area will be improved in a future release.
- Invalid headers no longer fail the entire stream. They are now treated as
headers without a name.
- htp_conn_remove_tx() now returns HTP_DECLINED (was HTTP_ERROR) if the
specified transaction cannot be found.
- htp_list_array_replace() now returns HTP_DECLINED (was HTP_ERROR) if the element at the
specified position does not exist.
- New public functions:
htp_status_t htp_urldecode_inplace(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags);
htp_status_t htp_urldecode_inplace_ex(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags, int *expected_status_code);
- Improved test coverage (84.1% lines, 91.3% functions).
0.5.3 (14 June 2013)
--------------------
- Fix stream error when valid Basic Authentication information is provided.
- Do not fail the entire stream if the Authorization header is invalid. Raise HTP_AUTH_INVALID instead.
- When a request does not contain the request URI, leave htp_tx_t::request_uri NULL.
|
