1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
|
[appendix]
== Migrating from Cowboy 2.6 to 2.7
Cowboy 2.7 improves the HTTP/2 code with optimizations
around the sending of DATA and WINDOW_UPDATE frames;
graceful shutdown of the connection when the client is
going away; and rate limiting mechanisms. New options
and mechanisms have also been added to control the
amount of memory Cowboy ends up using with both HTTP/1.1
and HTTP/2. Much, but not all, of this work was done
to address HTTP/2 CVEs about potential denial of service.
In addition, many of the experimental features introduced
in previous releases have been marked stable and are now
documented.
Cowboy 2.7 requires Erlang/OTP 20.0 or greater.
=== Features added
* Cowboy is now compatible with both Ranch 1.7 and the
upcoming Ranch 2.0.
* The number of HTTP/2 WINDOW_UPDATE frames Cowboy sends
has been greatly reduced. Cowboy now applies heuristics
to determine whether it is necessary to update the window,
based on the current window size and the amount of data
requested by streams (the `cowboy_req:read_body/2` length
for example). Six new options have been added to control
this behavior: `connection_window_margin_size`,
`connection_window_update_threshold`,
`max_connection_window_size`, `max_stream_window_size`,
`stream_window_margin_size` and
`stream_window_update_threshold`.
* HTTP/2 connections will now be shut down gracefully
when receiving a GOAWAY frame. Cowboy will simply
wait for existing streams to finish before closing
the connection.
* Functions that stream the response body now have
backpressure applied. They now wait for a message
to be sent back. The message will be held off when
using HTTP/2 and the buffer sizes exceed either
`max_connection_buffer_size` or `max_stream_buffer_size`.
For HTTP/1.1 the data is sent synchronously and we
rely instead on the TCP backpressure.
* A new HTTP/2 option `stream_window_data_threshold`
can be used to control how little the DATA frames that
Cowboy sends can get. By default Cowboy will wait for
the window to be large enough to send either everything
queued or to reach the default maximum frame size of
16384 bytes.
* A new HTTP/2 option `max_receive_frame_rate` can be
used to control how fast the server is willing to receive
frames. By default it will accept 1000 frames every 10
seconds.
* A new HTTP/2 option `max_reset_stream_rate` can be
used to control the rate of errors the server is
willing to accept. By default it will accept 10
stream resets every 10 seconds.
* Flow control for incoming data has been implemented
for HTTP/1.1. Cowboy will now wait for the user code
to ask for the request body before reading it from
the socket. The option `initial_stream_flow_size`
controls how much data Cowboy will read without
being asked.
* The HTTP/1.1 and HTTP/2 option `logger` is now
documented.
* The Websocket option `validate_utf8` has been
added. It can be used to disable the expensive UTF-8
validation for incoming text and close frames.
* The experimental commands based Websocket interface
is now considered stable and has been documented.
The old interface is now deprecated.
* A new Websocket handler command `shutdown_reason`
can be used to change the normal exit reason of
Websocket processes. By default `normal` is used;
with this command the exit reason can be changed
to `{shutdown, ShutdownReason}`.
* The experimental stream handlers `cowboy_metrics_h`
and `cowboy_tracer_h` are now considered stable and
have been documented.
* The stream handler commands `set_options` and `log`
are now considered stable and have been documented.
* The router is now capable of retrieving dispatch
rules directly from the `persistent_term` storage
(available starting from Erlang/OTP 21.2).
* Support for the status codes 208 and 508 has been
added.
* Update Ranch to 1.7.1.
* Update Cowlib to 2.8.0.
=== Experimental features added
* It is now possible to read the response body from any
process, as well as doing any other `cowboy_req`
operations. Since this is not recommended due to
race condition concerns this feature will always
remain experimental.
=== New functions
* The function `cowboy_req:filter_cookies/2` has been
added. It can be called before parsing/matching
cookies in order to filter out undesirables. The
main reason for doing this is to avoid most parse
errors that may occur when dealing with Web browsers
(which have a string-based Javascript interface to
cookies that is very permissive of invalid content)
and to be able to recover in other cases.
* The function `cowboy_req:cast/2` has been added.
It can be used to send events to stream handlers.
=== Bugs fixed
* A number of fixes and additions were made to address the
HTTP/2 CVEs CVE-2019-9511 through CVE-2019-9518, except
for CVE-2019-9513 which required no intervention as the
relevant protocol feature is not implemented by Cowboy.
* The HTTP/2 connection window could become larger than the
protocol allows, leading to errors. This has been corrected.
* The presence of empty header names in HTTP/2 requests now
results in the request to be rejected.
* Cowboy will now remove headers specific to HTTP/1.1
(the hop by hop headers such as connection or upgrade)
when building an HTTP/2 response.
* A bug in the HTTP/2 code that resulted in the failure to
fully send iolist response bodies has been fixed. Cowboy
would just wait indefinitely in those cases.
* It was possible for a final empty HTTP/2 DATA frame to get
stuck and never sent when the window reached 0 and the remote
end did not increase the window anymore. This has been
corrected.
* Cowboy now uses the host header when the HTTP/2
:authority pseudo header is missing. A common scenario
where this occurs is when proxies translate incoming
HTTP/1.1 requests to HTTP/2.
* HTTP/1.1 connections are now properly closed when the
user code sends less data than advertised in the response
headers.
* Cowboy will now close HTTP/1.1 connections immediately when
a header line is missing a colon separator. Previously it
was waiting for more data.
* It was possible for Cowboy to receive stray timeout messages
for HTTP/1.1 connections, resulting in crashes. The timeout
handling in HTTP/1.1 has been reworked and the issue should
no longer occur.
* The type for the Req object has been updated to accept
custom fields as was already documented.
* The authentication scheme returned when parsing the
authorization header is now case insensitive, which
means it will be returned as lowercase.
* Cowboy no longer discards data that follows a Websocket
upgrade request. Note that the protocol does not allow
sending data before receiving a successful Websocket
upgrade response, so this fix is more out of principle
rather than to fix a real world issue.
* The `cowboy_static` handler will now properly detect
the type of files that have an uppercase or mixed
extension component.
* The `cowboy_static` handler is now consistent across all
supported platforms. It now explicitly rejects `path_info`
components that include a forward slash, backward slash
or NUL character.
* The update to Ranch 1.7.1 fixes an issue with the PROXY
protocol that would cause checksum verification to fail.
* The HTTP/1.1 error reason for `stream_error` mistakenly
contained an extra element. It has now been removed.
* The `PartialReq` given to the `early_error` stream handler
callback now includes headers when the protocol is HTTP/2.
* A bug where the stacktrace was incorrect in error messages
has been fixed. The problem occurred when an exception
occurred in the handler's terminate callback.
* The REST flowchart for POST, PATCH and PUT has received
a number of fixes and had to be greatly reworked as a
result. When the method is PUT, we do not check for
the location header in the response. When the resource
doesn't exist and the method was PUT the flowchart was
largely incorrect. A 415 response may occur after the
`content_types_accepted` callback and was missing from
the flowchart.
* The documentation for `content_types_accepted` now
includes the media type wildcard that was previously
missing.
* The documentation for a type found in `cow_cookie`
was missing. A manual page for `cow_cookie` was added
and can be found in the Cowlib documentation.
|
