
chore: release v0.1.1#1

Merged
MagicalTux merged 1 commit into master from release-plz-2026-06-25T10-41-37Z
Jun 30, 2026

@MagicalTux MagicalTux commented Jun 25, 2026

Member

🤖 New release

  • httpsd: 0.1.0 -> 0.1.1 (✓ API compatible changes)

Changelog

0.1.1 - 2026-06-30

Fixed

  • (h3) reclaim and cap request-stream state (MEDIUM)
  • (quic) bound connection table against spoofed-source flood (HIGH)

Other

  • Keep Body an opaque struct to preserve the public API (semver)
  • don't stream a body in response to HEAD
  • Serve static files as streaming bodies; keep File bodies uncompressed
  • Stream HTTP/3 file bodies as QUIC send capacity allows
  • Stream HTTP/2 file bodies under flow control without buffering
  • Stream HTTP/1 file bodies in bounded chunks across all runtimes
  • Add file-backed streaming Body with positioned reads
  • CLI + config: privdrop orchestration and Server header control
  • Add privilege-drop core + bind-readiness handshake
  • Fix O(n²) DoS in HTTP/1 parser (incremental header scan + chunked decode)
  • (threadpool) avoid unused_mut warning when acme feature is off
  • harden private-key handling (audit LOW findings)
  • Fix static-file security findings: dotfiles, range reads, nosniff, gzip on 206
  • (gdns) strip control chars from redirect Location (defense in depth)
  • (mio) cap connection map and reap idle / slow-trickle peers
  • (tokio) add connection cap and read/handshake timeouts
  • (threadpool) bound slow-trickle slowloris and fix ACME 1-worker deadlock
  • (manager) bound issuance state and add negative caching
  • (json) cap parse recursion depth and input length
  • (jose) validate SEC1 point in xy() instead of panicking
  • enforce per-connection resource limits (security hardening)
  • Fix HTTP/1.x parser/serializer security findings in conn.rs
  • Include acme in the cli feature so the default binary can issue certs
  • Harden the thread-pool runtime against connection-exhaustion DoS
  • Back off and rate-limit on accept() errors to prevent EMFILE busy-loop
  • drop redundant plain-transport copies and per-route path splits
  • Add http-crate interop behind the http feature
  • Add ergonomic routing layer behind the router feature
  • Format h2 response_fields (rustfmt)
  • Fix CI: move h2 response_fields before its test module; qualify TlsStream doc link


This PR was generated with release-plz.

@MagicalTux MagicalTux changed the title chore: release v0.1.0 chore: release v0.1.1 Jun 25, 2026
@MagicalTux MagicalTux force-pushed the release-plz-2026-06-25T10-41-37Z branch 7 times, most recently from ccba10f to ab90140 Compare June 30, 2026 14:50
MagicalTux added a commit that referenced this pull request Jun 30, 2026
…ip on 206

static_files.rs:
- Reject any decoded path segment starting with `.` (dotfiles/dotdirs
  such as `.git/config`, `.env`); rejected paths now report 404 instead
  of 403 so existence is never confirmed (finding #1).
- Range requests now seek+read only the requested span via `read_span`
  instead of buffering the whole file and copying a slice (finding #3).
  Full-file responses still buffer via `fs::read` (noted as deferred).
- Emit `X-Content-Type-Options: nosniff` on 200 and 206 responses
  (finding #4).

compress.rs:
- Never compress `206 Partial Content` responses or any response
  carrying a `Content-Range` header, which would corrupt range
  semantics and can poison shared caches (finding #2).

Adds tests: dotfile paths resolve to None / serve 404; 206 and
Content-Range bodies are left uncompressed while ordinary bodies are
still compressed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
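
The static-file and compression rules from the commit message above, as an added Rust example that is not httpsd's own code. The names `decode_segment`, `resolve` and `should_compress` are hypothetical, `/srv/www` is a constructed root, and the encoded-separator check is an assumption that goes beyond what the commit describes.

```rust
use std::path::{Path, PathBuf};

/// Percent-decode one path segment; None on a malformed escape or invalid UTF-8.
fn decode_segment(seg: &str) -> Option<String> {
    let b = seg.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' {
            let hex = b.get(i + 1..i + 3)?;
            if !hex.iter().all(u8::is_ascii_hexdigit) { return None; }
            out.push(u8::from_str_radix(std::str::from_utf8(hex).ok()?, 16).ok()?);
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Map a request path to a file under `root` (hypothetical helper).
/// Every rejection is None, which the caller reports as 404, so a hidden
/// file is indistinguishable from a missing one.
fn resolve(root: &Path, url_path: &str) -> Option<PathBuf> {
    let mut out = root.to_path_buf();
    for raw in url_path.split('/').filter(|s| !s.is_empty()) {
        let seg = decode_segment(raw)?;
        // Test the decoded segment, so ".", "..", ".git", ".env" and their
        // encoded spellings ("%2Egit") are all caught by one rule.
        // Assumption beyond the commit text: separators or NUL hidden
        // behind an escape ("%2F") are rejected as well.
        if seg.starts_with('.') || seg.contains(|c: char| matches!(c, '/' | '\\' | '\0')) {
            return None;
        }
        out.push(seg);
    }
    Some(out)
}

/// 206 responses and anything carrying Content-Range are sent uncompressed,
/// so the advertised byte range still describes the bytes on the wire.
fn should_compress(status: u16, headers: &[(&str, &str)]) -> bool {
    status != 206 && !headers.iter().any(|(k, _)| k.eq_ignore_ascii_case("content-range"))
}

fn main() {
    let root = Path::new("/srv/www"); // constructed sample root
    for p in ["/css/site.css", "/.env", "/a/%2Egit/config", "/x/../y"] {
        println!("{p:>20} -> {:?}", resolve(root, p));
    }
    println!("compress a 206? {}", should_compress(206, &[]));
}
```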
@MagicalTux MagicalTux force-pushed the release-plz-2026-06-25T10-41-37Z branch 2 times, most recently from dbe9f95 to e265a54 Compare June 30, 2026 15:42
@MagicalTux MagicalTux changed the title chore: release v0.1.1 chore: release v0.2.0 Jun 30, 2026
@MagicalTux MagicalTux force-pushed the release-plz-2026-06-25T10-41-37Z branch from e265a54 to 11d0377 Compare June 30, 2026 16:06
@MagicalTux MagicalTux changed the title chore: release v0.2.0 chore: release v0.1.1 Jun 30, 2026
@MagicalTux MagicalTux force-pushed the release-plz-2026-06-25T10-41-37Z branch from 11d0377 to 5db00b7 Compare June 30, 2026 16:29
@MagicalTux MagicalTux merged commit ea74041 into master Jun 30, 2026
6 checks passed