aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2019-10-10Don't log stray messages for lingering HTTP/2 streamsLoïc Hoguin
2019-10-10Cowboy 2.7.0Loïc Hoguin
2019-10-10Fix a number of low hanging todosLoïc Hoguin
2019-10-10Newly documented cow_cookie:cookie_opts() is now a mapLoïc Hoguin
2019-10-10Add shutdown_reason Websocket commandLoïc Hoguin
This allows changing the normal exit reason of Websocket processes, providing a way to signal other processes of why the exit occurred.
2019-10-09Implement flow control for HTTP/1.1Loïc Hoguin
We now stop reading from the socket unless asked to, when we reach the request body. The option initial_stream_flow_size controls how much data we read without being asked, as an optimization. We may also have received additional data along with the request headers. This commit also reworks the timeout handling for HTTP/1.1 because the stray timeout message was easily reproducible after implementing the flow control. The issue should be gone for good this time.
2019-10-07Add migration guide for Cowboy 2.7Loïc Hoguin
2019-10-07Add new stream handlers to the guideLoïc Hoguin
Also link from the guide to manual pages.
2019-10-07Document no date/server headers from response/headers commandsLoïc Hoguin
2019-10-07Add cowboy_req:cast/2Loïc Hoguin
Better than sending messages manually.
2019-10-07Fix an intermittent test issueLoïc Hoguin
2019-10-07Document the set_options stream handler commandLoïc Hoguin
2019-10-07Document the log stream handler commandLoïc Hoguin
2019-10-07Document the logger optionLoïc Hoguin
2019-10-07Document cowboy_tracer_hLoïc Hoguin
2019-10-07Document cowboy_metrics_hLoïc Hoguin
2019-10-06Document the commands based Websocket interfaceLoïc Hoguin
The old interface with ok|reply|stop tuples is deprecated.
2019-10-06Fix PUT when resource doesn't exist in flowchartLoïc Hoguin
This required moving around a lot of things so hopefully I did not add errors while doing so. Only time will tell. Also add the 415 that can result from content_types_accepted.
2019-10-06Document how to recover from cookie parsing errorsLoïc Hoguin
2019-10-05Add Websocket option validate_utf8Loïc Hoguin
This allows disabling the UTF-8 validation check for text and close frames.
2019-10-05Don't discard data following a Websocket upgrade requestLoïc Hoguin
While the protocol does not allow sending data before receiving a successful Websocket upgrade response, we do not want to discard that data if it does come in.
2019-10-05Fix REST flowchart around 201 response for PUTLoïc Hoguin
When the method is PUT we do not check the location header.
2019-10-05Add cowboy_req:filter_cookies/2Loïc Hoguin
2019-10-04Make cowboy_compress_h add vary: accept-encodingLoïc Hoguin
2019-10-04Improve some early_error testsLoïc Hoguin
2019-10-03Document media type wildcard in content_types_acceptedLoïc Hoguin
2019-10-03Make stream_error early_error reasons consistentLoïc Hoguin
Now both HTTP/1.1 and HTTP/2 follow the documented format. HTTP/1.1 was including an extra element containing the StreamID before, which was unnecessary because it is also given as argument to the callback. HTTP/2 early_error will now include headers in its PartialReq.
2019-10-03Add HTTP/2 tests with responses with HTTP/1.1 specific headersLoïc Hoguin
2019-10-03Document stopping the listener in App:stop/1Loïc Hoguin
2019-10-02Fix another Dialyzer warningLoïc Hoguin
2019-10-02Ensure we can stream the response body from any processLoïc Hoguin
2019-10-02Ensure we can read the request body from any processLoïc Hoguin
2019-10-02Make sure cowboy_http doesn't receive stray timeout messagesLoïc Hoguin
2019-10-02Add {set_options, #{metrics_user_data := Map}}Loïc Hoguin
This allows giving custom metadata to the metrics stream handler. This can be useful to for example provide the name of the module handling the request which is only known after routing. But any user data is allowed. When called multiple times the user data maps are merged.
2019-10-02Add more HTTP/1.1 header parsing testsLoïc Hoguin
Fix a case where Cowboy was waiting for more data that simply did not come. Now Cowboy will generate an error immediately when a header line has no colon separator. These test cases come from known request smuggling attack vectors. Cowboy was not vulnerable to any of them.
2019-10-02Fix a Dialyzer warning and improve some typesLoïc Hoguin
2019-10-02Fix HTTP/2 CVEsLoïc Hoguin
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant.
2019-10-02Update gun_down messages in test suitesLoïc Hoguin
2019-10-02Remove lingering_data tuple handlingLoïc Hoguin
2019-09-28Add persistent_term support to the routerLoïc Hoguin
2019-09-18Only test on the latest release per OTP major version by defaultLoïc Hoguin
2019-09-16Fix closing of connection on response_body_too_smallLoïc Hoguin
2019-09-15Split up urlencoded tests to speed up req_SUITELoïc Hoguin
2019-09-15Skip req_SUITE:read_body_mtu on WindowsLoïc Hoguin
On Windows the loopback MTU seems to be set to 0xFFFFFFFF (basically no limit) which makes the test irrelevant.
2019-09-15Increase the period for req_SUITE:read_body_periodLoïc Hoguin
This should increase the likelihood of the test succeeding on slower systems when run over TLS.
2019-09-15Fix h2spec_SUITE init_per_suite return valuesLoïc Hoguin
2019-09-15Fix intermittent failures in sys_SUITELoïc Hoguin
2019-09-14Implement backpressure on cowboy_req:stream_bodyLoïc Hoguin
This should limit the amount of memory that Cowboy is using when a handler is sending data much faster than the network. The new max_stream_buffer_size is a soft limit and only has an effect when the cowboy_stream_h handler is used.
2019-09-07Improve the cowboy_static consistency across platformsLoïc Hoguin
As a result we explictly reject path_info components that include a forward slash, backward slash or NUL character. This only applies to the [...] part of the path for dir/priv_dir configuration. Also improve the tests so that they work on Windows.
2019-09-06Fix tests failing following Gun update to masterLoïc Hoguin