Tags: AsyncHttpClient/async-http-client
Tags
Stabilize HTTP/2: fix resource leaks and RFC conformance (#2197)

Motivation: The HTTP/2 path is newer and less hardened than HTTP/1.1. Bring its resource lifecycle, RFC 9113/9110 conformance, and connection/stream management to parity, covering flow control, multiplexing, and GOAWAY/RST/SETTINGS edge cases.

Modification: Bind stream-slot and request-body release to the channel lifecycle, stream request bodies under flow-control backpressure, enforce RFC 9113/9110 conformance (RST_STREAM codes, 1xx interim, Expect 100-continue, TE, :authority, MAX_CONCURRENT_STREAMS=min), gate WebSocket off HTTP/2, drain pendingOpeners on GOAWAY/SETTINGS, and restore Http2ConnectionState binary compatibility. HTTP/1.1 behaviour and public API are unchanged.

Result: Stabilize HTTP/2 even further for edge cases

Fixes #2160
Release 2.14.5: Security fixes and dependency upgrades

Security:
- Backport GHSA-cmxv-58fp-fm3g: strip Authorization and Proxy-Authorization headers on cross-origin, scheme-downgrade, or port-mismatch redirects.
- Add stripAuthorizationOnRedirect config flag (default false) for users who need to always strip credentials even on same-origin redirects.
- Clear realm and proxyRealm on future when stripping to prevent NettyRequestFactory from regenerating auth headers on redirect.

Tests:
- New RedirectCredentialSecurityTest for cross-origin redirect scenarios.
- New HttpsDowngradeRedirectTest for HTTPS-to-HTTP scheme downgrade.
- New StripAuthorizationOnRedirectHttpTest for the new config flag.
- New DefaultAsyncHttpClientConfigTest for config default coverage.

Dependencies:
- netty 4.1.65.Final -> 4.1.121.Final (CVE fixes)
- slf4j 1.7.30 -> 1.7.36
- netty-reactive-streams 2.0.4 -> 2.0.17
- rxjava2 2.2.10 -> 2.2.21
- logback 1.2.3 -> 1.2.13
- testng 7.1.0 -> 7.5.1 (last Java 8 compatible)
- commons-io 2.6 -> 2.21.0
- commons-fileupload 1.4 -> 1.6.0
- hamcrest-core -> hamcrest 2.2
- jetty pinned at 9.4.18.v20190429 (9.4.58 changes 401 socket behavior)
- tomcat pinned at 9.0.31 (9.0.117 changes WebDAV response format)

CI:
- Add release.yml workflow for Maven Central publishing.
- Update maven.yml to trigger on 2.14.5 branch with Corretto JDK 8.

Test fixes:
- InputStreamTest.available() now honors InputStream contract by returning 0 after EOF (Netty 4.1.65+ correctly rejects always-1).
- CookieStoreTest replaces Guava Sets.newHashSet with HashSet (TestNG 7.5+ no longer pulls transitive Guava).
- TestUtils uses SslContextFactory.Server (base class deprecated).
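The redirect credential-stripping policy described in the 2.14.5 notes, as an added example in Python. This is not the library's Java implementation and makes no claim about its internals; it models the three checks the release note names (cross-origin host, HTTPS-to-HTTP downgrade, port mismatch), normalizes default ports so that `https://host:443` and `https://host` count as the same origin, honours an always-strip flag like stripAuthorizationOnRedirect, and drops the stored realm alongside the headers so a request factory cannot regenerate them. The function names, the realm dict shape, and the sample URLs and headers are constructed for this example.

```python
"""Redirect credential-stripping policy (added example, not async-http-client code)."""
from urllib.parse import urljoin, urlsplit

# Default ports per scheme, so an explicit ":443" is not treated as a different origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Header names (lower-cased) that must never leak across an untrusted redirect.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def strip_reasons(original_url, location, strip_always=False):
    """Return the reasons credentials must not follow this redirect.

    An empty list means the redirect stays within the original origin and the
    caller may keep Authorization / Proxy-Authorization. `location` may be a
    relative Location header value; it is resolved against the original URL.
    """
    target = urljoin(original_url, location)
    o_scheme, o_host, o_port = _origin(original_url)
    t_scheme, t_host, t_port = _origin(target)

    reasons = []
    if o_host != t_host:
        reasons.append("cross-origin host")
    if o_scheme == "https" and t_scheme == "http":
        reasons.append("scheme downgrade")
    if o_port != t_port:
        reasons.append("port mismatch")
    if strip_always:
        # Opt-in behaviour: strip even on same-origin redirects.
        reasons.append("stripAuthorizationOnRedirect")
    return reasons


def redirect_request(headers, realm, original_url, location, strip_always=False):
    """Build (headers, realm) for the redirected request.

    `realm` stands in for stored credentials that a request factory would use to
    regenerate auth headers; it is cleared whenever the headers are stripped, so
    the factory cannot put the credentials back on the cross-origin request.
    """
    if not strip_reasons(original_url, location, strip_always):
        return dict(headers), realm
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return kept, None


if __name__ == "__main__":
    # Constructed sample request: bearer token plus proxy credentials.
    sample_headers = {
        "Authorization": "Bearer example-token",
        "Proxy-Authorization": "Basic ZXhhbXBsZTpwYXNz",
        "Accept": "application/json",
    }
    sample_realm = {"user": "example", "scheme": "BASIC"}
    origin = "https://api.example.com/login"
    for loc in ("/home", "http://api.example.com/home", "https://cdn.example.net/a"):
        hdrs, realm = redirect_request(sample_headers, sample_realm, origin, loc)
        print(loc, "->", strip_reasons(origin, loc) or "keep credentials",
              "| headers:", sorted(hdrs), "| realm:", realm)
```

The port check is deliberately independent of the scheme check: an HTTPS-to-HTTP downgrade reports both reasons, because even a same-scheme redirect to a non-default port is a different origin and must not carry the token.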
