
Version 0.19.0 #1641

Merged

Kludex merged 4 commits into master from release/0.19.0 on Oct 19, 2022

Conversation

@Kludex Kludex added this to the Version 0.19.0 milestone Sep 11, 2022

@nlsj1985 commented

@Kludex httptools 5.0.0 just got released with the CVE fixes in llhttp. It seems it will get included in uvicorn automatically when you create a release, but I'm not sure. Perhaps it's best to bump the version explicitly... thanks for checking it.

@Kludex (Member, Author) commented Sep 13, 2022

> @Kludex httptools 5.0.0 just got released with the CVE fixes in llhttp. It seems it will get included in uvicorn automatically when you create a release, but I'm not sure. Perhaps it's best to bump the version explicitly... thanks for checking it.

@Kludex (Member, Author) commented Sep 21, 2022

I'd like to make a release soon. 🙏

@nlsj1985 commented

Note: I made a PR in the httptools project for the latest llhttp (v6.0.10) update, but I guess it's wise to first proceed with this httptools 0.5.0 in uvicorn 0.19.0 and, when we get a new httptools version, queue it for the following uvicorn release...

@Kludex (Member, Author) commented Sep 24, 2022

Would you mind sharing the link?

@Kludex (Member, Author) commented Sep 25, 2022

> Note: I made a PR in the httptools project for the latest llhttp (v6.0.10) update, but I guess it's wise to first proceed with this httptools 0.5.0 in uvicorn 0.19.0 and, when we get a new httptools version, queue it for the following uvicorn release...

But there's nothing uvicorn needs to do... Unless the bump solved any CVE.

@nlsj1985 commented

httptools v5.0.0 contains llhttp release/v6.0.9; this included some fixes for the 3 CVEs that were done in llhttp release/v6.0.7.

llhttp release/v6.0.10 seems to update a resolution for CVE-2022-32213:
Disable chunked on obs by @ShogunPanda in nodejs/llhttp#196

Node.js https://github.com/nodejs/node/releases/tag/v18.9.1 has a paragraph about llhttp that mentions a bit more:
bypass via obs-fold mechanic (Medium) (CVE-2022-32213): The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

There are 3 changes in src/llhttp/http.ts:
nodejs/llhttp@f49fbf5

So without reverse engineering the entire llhttp release/v6.0.10 commit, it seemed to me there are actual improvements made for the CVE in relation to obs-folds... that I guess were missed in the patch for the same CVE. If you want to know more, please check the patch or ask @ShogunPanda, who makes the patches for the llhttp project.

I'm just a random user that's trying to be instrumental to get fixes into uvicorn asap.
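The comment above describes the class of bug (obs-fold inside a Transfer-Encoding header leading to request smuggling) without showing what a server-side check looks like. The following is an added example, not code from uvicorn, httptools or llhttp, and it does not reproduce llhttp's parse paths. It applies the RFC 7230 section 3.2.4 rule that a server must either reject a message containing obs-fold (a header line continued with leading SP/HTAB) with a 400 or replace the fold with spaces before interpreting the value; it also rejects the classic framing ambiguities (Transfer-Encoding together with Content-Length, chunked not last, conflicting lengths). The request bytes are constructed for illustration, and the function and class names are this example's own.

```python
"""Strict HTTP/1.1 request-framing check (added example, not project code).

The smuggling risk with obs-fold is a disagreement between two parsers:
one that unfolds "Transfer-Encoding:\r\n chunked" into "chunked" and one that
sees an empty Transfer-Encoding and falls back to Content-Length.  A server
that refuses obs-fold outright never has to choose.
"""
import re

CRLF = b"\r\n"
# obs-fold: CRLF followed by one or more SP / HTAB (RFC 7230 section 3.2.4)
OBS_FOLD = re.compile(rb"\r\n[ \t]+")
# field-name must be a token (RFC 7230 section 3.2.6)
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class FramingError(ValueError):
    """Raised when the request head cannot be framed unambiguously."""


def parse_headers(raw: bytes) -> dict:
    """Split the request head into request line and headers, rejecting obs-fold.

    Returns {"request_line": bytes, "headers": {lower_name: [value, ...]}}.
    """
    head, sep, _body = raw.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("incomplete head")
    if OBS_FOLD.search(head):
        # Reject rather than unfold: the conservative RFC 7230 option.
        raise FramingError("obs-fold present")
    lines = head.split(CRLF)
    request_line, header_lines = lines[0], lines[1:]
    headers: dict = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            raise FramingError("malformed header line")
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    return {"request_line": request_line, "headers": headers}


def check_framing(raw: bytes) -> tuple:
    """Return (ok, reason) for the message framing of a raw HTTP/1.1 request."""
    try:
        parsed = parse_headers(raw)
    except FramingError as exc:
        return False, str(exc)
    h = parsed["headers"]
    te = h.get(b"transfer-encoding", [])
    cl = h.get(b"content-length", [])
    if te and cl:
        # RFC 7230 section 3.3.3: TE overrides CL, but a proxy may disagree; refuse.
        return False, "both Transfer-Encoding and Content-Length"
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            return False, "chunked is not the final transfer-coding"
    if len(set(cl)) > 1:
        return False, "conflicting Content-Length values"
    for v in cl:
        if not v.isdigit():
            return False, "non-numeric Content-Length"
    return True, "ok"


# Constructed sample requests (not captured traffic).
GOOD = (b"POST / HTTP/1.1\r\nHost: example\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
FOLDED = (b"POST / HTTP/1.1\r\nHost: example\r\n"
          b"Transfer-Encoding:\r\n chunked\r\n\r\n0\r\n\r\n")
TE_AND_CL = (b"POST / HTTP/1.1\r\nHost: example\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n"
             b"0\r\n\r\nG")

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("obs-fold", FOLDED), ("te+cl", TE_AND_CL)):
        print(label, check_framing(req))
```

Running the block reports the folded and double-framed requests as rejected and the plain chunked request as ok. In a deployment the check belongs at the edge, in front of whatever parser the application server uses, so that a lenient and a strict parser never see the same ambiguous request.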

@Kludex (Member, Author) commented Sep 26, 2022

This is the link I wanted: MagicStack/httptools#86 🙏

> I'm just a random user that's trying to be instrumental to get fixes into uvicorn asap.

uvicorn doesn't pin httptools. I've only bumped the minimum requirement of httptools to 0.5.0 to force users to bump it, but it was actually not needed. We are only blocked by httptools here.

@ShogunPanda commented

@nlsj1985 I can confirm, folks. All OBS fold CVEs are fixed in 6.0.10.

Next week I plan to release llhttp 7 with more features about passable callbacks and chunked encoding parsing, just FYI.

@Kludex (Member, Author) commented Sep 27, 2022

> @nlsj1985 I can confirm, folks. All OBS fold CVEs are fixed in 6.0.10.
>
> Next week I plan to release llhttp 7 with more features about passable callbacks and chunked encoding parsing, just FYI.

Thanks for coming here, and let us know. Much appreciated! 🙏

@ShogunPanda commented

> Thanks for coming here, and let us know. Much appreciated! 🙏

You're welcome! 😉

@Kludex (Member, Author) commented Oct 19, 2022 on CHANGELOG.md (review comment, resolved)
@Kludex (Member, Author) commented Oct 19, 2022

Ready for release. GitHub release draft ready as well.

(Review comment on CHANGELOG.md, outdated and resolved)
@tomchristie (Member) left a review comment

Great. 🌟

@Kludex (Member, Author) commented Oct 19, 2022

I'll release it tonight. Thanks @tomchristie 🙏

@Kludex Kludex merged commit b06cc63 into master Oct 19, 2022
@Kludex Kludex deleted the release/0.19.0 branch October 19, 2022 19:58
Kludex added a commit to sephioh/uvicorn that referenced this pull request Oct 29, 2022
Kludex added a commit that referenced this pull request Oct 29, 2022
4 participants