-rw-r--r--Makefile2
-rw-r--r--doc/src/guide/book.asciidoc2
-rw-r--r--doc/src/guide/migrating_from_1.3.asciidoc14
-rw-r--r--ebin/gun.app2
-rw-r--r--src/gun_http.erl28
5 files changed, 31 insertions, 17 deletions
diff --git a/Makefile b/Makefile
index 00a4c5d..85ee4c1 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
PROJECT = gun
PROJECT_DESCRIPTION = HTTP/1.1, HTTP/2 and Websocket client for Erlang/OTP.
-PROJECT_VERSION = 1.3.0
+PROJECT_VERSION = 1.3.1
# Options.
diff --git a/doc/src/guide/book.asciidoc b/doc/src/guide/book.asciidoc
index b374c7a..a9d3868 100644
--- a/doc/src/guide/book.asciidoc
+++ b/doc/src/guide/book.asciidoc
@@ -20,6 +20,8 @@ include::websocket.asciidoc[Using Websocket]
= Additional information
+include::migrating_from_1.3.asciidoc[Changes since Gun 1.3]
+
include::migrating_from_1.2.asciidoc[Migrating from Gun 1.2 to 1.3]
include::migrating_from_1.1.asciidoc[Migrating from Gun 1.1 to 1.2]
diff --git a/doc/src/guide/migrating_from_1.3.asciidoc b/doc/src/guide/migrating_from_1.3.asciidoc
new file mode 100644
index 0000000..e33430d
--- /dev/null
+++ b/doc/src/guide/migrating_from_1.3.asciidoc
@@ -0,0 +1,14 @@
+[appendix]
+== Changes since Gun 1.3
+
+The following patch versions were released since Gun 1.3:
+
+=== Gun 1.3.1
+
+This release backports a fix that will be included in the
+upcoming Gun 2.0 release:
+
+* *POTENTIAL SECURITY VULNERABILITY*: Fix transfer-encoding
+ precedence over content-length in responses. This bug may
+ contribute to a response smuggling security vulnerability
+ when Gun is used inside a proxy.
diff --git a/ebin/gun.app b/ebin/gun.app
index d21abcf..407d919 100644
--- a/ebin/gun.app
+++ b/ebin/gun.app
@@ -1,6 +1,6 @@
{application, 'gun', [
{description, "HTTP/1.1, HTTP/2 and Websocket client for Erlang/OTP."},
- {vsn, "1.3.0"},
+ {vsn, "1.3.1"},
{modules, ['gun','gun_app','gun_content_handler','gun_data_h','gun_http','gun_http2','gun_sse_h','gun_sup','gun_tcp','gun_tls','gun_ws','gun_ws_h']},
{registered, [gun_sup]},
{applications, [kernel,stdlib,ssl,cowlib]},
diff --git a/src/gun_http.erl b/src/gun_http.erl
index e2b37d1..abd4fc5 100644
--- a/src/gun_http.erl
+++ b/src/gun_http.erl
@@ -519,22 +519,20 @@ response_io_from_headers(<<"HEAD">>, _, _, _) ->
response_io_from_headers(_, _, Status, _) when (Status =:= 204) or (Status =:= 304) ->
head;
response_io_from_headers(_, Version, _Status, Headers) ->
- case lists:keyfind(<<"content-length">>, 1, Headers) of
- {_, <<"0">>} ->
- head;
- {_, Length} ->
- {body, cow_http_hd:parse_content_length(Length)};
- _ when Version =:= 'HTTP/1.0' ->
- body_close;
+ case lists:keyfind(<<"transfer-encoding">>, 1, Headers) of
+ {_, TE} when Version =:= 'HTTP/1.1' ->
+ case cow_http_hd:parse_transfer_encoding(TE) of
+ [<<"chunked">>] -> body_chunked;
+ [<<"identity">>] -> body_close
+ end;
_ ->
- case lists:keyfind(<<"transfer-encoding">>, 1, Headers) of
- false ->
- body_close;
- {_, TE} ->
- case cow_http_hd:parse_transfer_encoding(TE) of
- [<<"chunked">>] -> body_chunked;
- [<<"identity">>] -> body_close
- end
+ case lists:keyfind(<<"content-length">>, 1, Headers) of
+ {_, <<"0">>} ->
+ head;
+ {_, Length} ->
+ {body, cow_http_hd:parse_content_length(Length)};
+ _ ->
+ body_close
end
end.
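Review bot: An HTTP/1.0 response that carries both Transfer-Encoding and Content-Length is still framed by Content-Length, because the guard in `{_, TE} when Version =:= 'HTTP/1.1'` sends every non-1.1 response to the `_ ->` branch. RFC 9112 section 6.1 asks a recipient to treat such a message as having faulty framing and to close the connection after it, which matters for the proxy case the changelog names; a clause `{_, _} -> body_close;` placed ahead of `_ ->` would read to connection close instead of trusting the length. Separately, `lists:keyfind/3` returns only the first matching header, so if Headers can hold repeated Content-Length or Transfer-Encoding fields (not visible here), differing values would go unnoticed. A short comment above the outer `case`, such as `%% Transfer-Encoding overrides Content-Length (RFC 7230 3.3.3).`, would record why the order matters. The earlier clauses of response_io_from_headers/4 lie outside this hunk.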