Skip to content
This repository has been archived by the owner on Mar 29, 2022. It is now read-only.

Latest commit

 

History

History
361 lines (296 loc) · 14.2 KB

CHANGELOG.rst

File metadata and controls

361 lines (296 loc) · 14.2 KB

History of changes

0.9.0 - 2019-06-27

Added

  • Basic checks for most of the headers defined by WHATWG Fetch, such as Access-Control-Allow-Origin.
  • Updated workarounds for HAR files exported from Chrome and Firefox. More checks are now skipped on such files, which means fewer false positives due to missing or mangled data.
  • Notice 1282 is now reported on application/text.

Fixed

  • Notice 1276 is now a comment, not an error.
  • Notice 1277 is no longer reported on X-Real-IP.
  • Notice 1029 (TE requires Connection: TE) is now only reported on HTTP/1.1 requests.

0.8.0 - 2019-03-03

  • Dropped Python 2 support. If you need it, use the older versions.
  • HTTPolice no longer requires six nor singledispatch.
  • HTTPolice now pulls in Google’s Brotli instead of brotlipy, but this is merely a packaging change; it can work with either.
  • Notices 1299 and 1300 are no longer reported on Alt-Svc.

0.7.0 - 2018-03-31

Changed

  • Reflecting changes in RFC 8187 and RFC 8259, notices 1253 (bad charset) and 1281 (bad encoding for JSON) are now reported for all encodings other than UTF-8, and notice 1255 (ISO-8859-1 in Content-Disposition) has been removed.

Added

  • Checks for quoted commas and semicolons that might confuse a naive parser (notices 1299, 1300).
  • New checks for Link headers according to RFC 8288 (notices 1307, 1308, 1309).
  • Checks for immutable responses (notices 1301, 1302, 1303).
  • Early hints are now recognized (due to their idiosyncratic semantics, they avoid many checks that are applied to all other responses).
  • Checks for the Accept-Post header (notice 1310).
  • Check for no Transfer-Encoding in response to HTTP/1.0 (notice 1306).
  • Check for 100 (Continue) before switching protocols (notice 1305).
  • Check that the sequence of responses to a request makes sense (notice 1304).
  • HAR files exported from Chrome and Insomnia are handled slightly better.

Fixed

  • Headers like Allow and Accept are now parsed more correctly (RFC Errata 5257).
  • gzip-encoded payloads are now decompressed more reliably.
  • When analyzing TCP streams, HTTPolice now uses a stricter heuristic for detecting HTTP/1.x streams, producing fewer spurious 1006/1009 notices.
  • Notice 1291 (Preference-Applied needs Vary) is no longer reported on responses to POST.

0.6.0 - 2017-08-02

Changed

  • Notice 1277 (obsolete 'X-' prefix) is now reported only once per message.
  • When parsing TCP streams, HTTPolice no longer attempts to process very long header lines (currently 16K; they will fail with notice 1006/1009) and message bodies (currently 1G; notice 1298).
  • Notice 1259 (malformed parameter in Alt-Svc) has been removed: the same problem is now reported as notice 1158.
  • The syntax of chunk extensions is no longer checked.

Added

Fixed

  • Fixed a few bugs and design problems that caused HTTPolice to use more time and memory than necessary in various cases (sometimes much more).
  • Fixed some Unicode errors under Python 2.
  • Notice 1013 is no longer wrongly reported for some headers such as Vary.
  • Fixed a crash on some pathological values of 'charset' in Content-Type.

0.5.2 - 2017-03-24

  • Fixed a few rare crashing bugs found with american fuzzy lop.
  • Fixed a couple cosmetic bugs in HTML reports.
  • When parsing a message with an unknown transfer coding, HTTPolice now correctly skips any checks on its payload body (such as notice 1038).

0.5.1 - 2017-03-15

0.5.0 - 2017-03-12

Added

  • When analyzing TCP streams, HTTPolice now reorders exchanges based on the Date header. In other words, messages sent at the same time on different connections are now close to each other in the report.
  • Checks for the Prefer mechanism (notices 1285 through 1291).
  • The syntax of method and header names and reason phrases is now checked for all messages, not only for those parsed from TCP streams (notices 1292, 1293, 1294).
  • Check for method names that are not uppercase (notice 1295).
  • The XML-related features removed in 0.4.0 have been restored.
  • Check for cacheable 421 (Misdirected Request) responses (notice 1283).
  • Check for 202 (Accepted) responses with no body (notice 1284).
  • HTML reports have been optimized to load slightly faster in browsers.

Changed

  • Titles of many notices were changed to make more sense when viewed alone (as in text reports). If you depend on their wording (which you shouldn't), you may need to adjust.

Fixed

  • Notice 1021 is no longer reported on HTTP/2 requests.

Meanwhile

0.4.0 - 2017-01-14

Added

  • Python 3.6 compatibility.
  • Decompression of brotli compressed payloads (Content-Encoding: br).
  • Checks for JSON charsets (notices 1280 and 1281).
  • Checks for some wrong media types, currently plain/text and text/json (notice 1282).

Removed

  • The deprecated constants httpolice.ERROR, httpolice.COMMENT, httpolice.DEBUG have been removed. Use httpolice.Severity instead.
  • When checking XML payloads, HTTPolice no longer takes precautions against denial-of-service attacks, because the defusedxml module does not currently work with Python 3.6. DoS attacks against HTTPolice are considered unlikely and non-critical.
  • Notice 1275 ("XML with entity declarations") has been removed for the same reason.

Other

0.3.0 - 2016-08-14

Added

  • HTTPolice now caches more intermediate values in memory, which makes it significantly faster in many cases.
  • HTTPolice now works correctly under PyPy (the 2.7 variant), which, too, can make it faster on large inputs. You will probably need a recent version of PyPy (5.3.1 is OK).
  • HTML reports now have an "options" menu to filter exchanges and notices on the fly.
  • The httpolice command-line tool now has a --fail-on option to exit with a non-zero status if any notices with a given severity have been reported.
  • Work around various problems in HAR files exported by Firefox and Fiddler.
  • HTML reports can now display a remark before every request and response (enabled with the Show remarks checkbox in the "options" menu). The httpolice command-line tool puts the input filename in this remark. With the Python API, you can put anything there using the remark argument to Request and Response constructors.
  • Notices about HTTP/1.x framing errors (such as 1006) now include the input filename as well.
  • Check for missing scheme name in authorization headers (notice 1274).
  • Check for missing quality values in headers like Accept (notice 1276).
  • Check for obsolete 'X-' prefix in experimental headers (notice 1277).
  • Notice 1093 recognizes a few more product names as client libraries.

Changed

  • For the tcpick and tcpflow input modes, you now have to use different options to tcpick/tcpflow (consult the manual).
  • Text reports no longer show request/response numbers. If you parse these reports, you may need to adjust.
  • Styles in HTML reports have been tweaked to make them more readable.

Deprecated

  • In the Python API, the constants httpolice.ERROR, httpolice.COMMENT, httpolice.DEBUG have been replaced with a single httpolice.Severity enumeration, and will be removed in the next release.

Fixed

  • The tcpick and tcpflow input modes should now be more reliable, although they still suffer from certain problems.
  • CONNECT requests in HAR files are now handled correctly.
  • Notices 1053 and 1066 are no longer reported on requests with bodies of length 0.

0.2.0 - 2016-05-08

Added

Changed

Fixed

  • Input files from tcpick are sorted correctly.
  • Notice 1108 doesn't crash in non-English locales.
  • Notices such as 1038 are not reported on responses to HEAD.

0.1.0 - 2016-04-25

  • Initial release.