We released nghttp2 v1.7.0.
This release contains stricter error handling in the libnghttp2 code to provide more diagnostics to applications. We also made many improvements to h2load and nghttpx in this release.
For libnghttp2, we now validate important header fields,
:scheme, strictly by checking the characters used in
them. These header fields are usually used by servers for routing
purposes, and they may appear in different header fields when
forwarded. It is better to do basic error handling here so that we can
reduce possible attack vectors.
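An added example, not nghttp2's own code: one way to check :scheme strictly before a proxy copies it into another header field when forwarding. It assumes the RFC 3986 scheme grammar as the allowed character set and X-Forwarded-Proto as the forwarded field; both function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an nghttp2 API). Returns 1 if value[0..len) matches
 * the RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). */
static int scheme_is_valid(const char *value, size_t len) {
  size_t i;
  if (len == 0) return 0;
  for (i = 0; i < len; ++i) {
    unsigned char c = (unsigned char)value[i];
    int alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    int rest = (c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.';
    if (!alpha && !(i > 0 && rest)) return 0; /* CR, LF, SP, NUL all fail */
  }
  return 1;
}

/* Hypothetical proxy step: copy :scheme into a forwarded header line.
 * Returns bytes written, or -1 if the value is rejected or does not fit. */
static int emit_forwarded_proto(char *out, size_t outlen,
                                const char *scheme, size_t len) {
  static const char name[] = "X-Forwarded-Proto: ";
  size_t need = sizeof(name) - 1 + len + 2; /* name + value + CRLF */
  if (!scheme_is_valid(scheme, len) || need + 1 > outlen) return -1;
  memcpy(out, name, sizeof(name) - 1);
  memcpy(out + sizeof(name) - 1, scheme, len);
  memcpy(out + sizeof(name) - 1 + len, "\r\n", 3); /* CRLF plus NUL */
  return (int)need;
}

int main(void) {
  /* Constructed sample values, not taken from the release notes. */
  static const char *samples[] = {"https", "http", "", "1http", "ht tp",
                                  "http\r\nx-extra: 1"};
  char line[64];
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
    size_t len = strlen(samples[i]);
    int n = emit_forwarded_proto(line, sizeof(line), samples[i], len);
    printf("sample %zu (len %zu): %s\n", i, len, n < 0 ? "rejected" : "accepted");
  }
  return 0;
}
```

Rejecting the value at the point where it enters the library means the forwarding code never has to escape it later.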
functions did not return an error when a self dependency was made. Now they
return an error code when such an argument is passed.
Previously, when linking the OpenSSL library statically, the build failed because
-ldl was not passed to the linker, so we had to add it using
LIBS. Now it is automatically added to the linker options.
In the libnghttp2_asio library,
nghttp2::asio_http2::server::http2::get_io_services() has been
follow naming convention. Previously, calling
nghttp2::asio_http2::server::stop() did not stop the acceptor. Now it
stops the acceptor too.
h2load now supports UNIX domain sockets to connect to a server.
-m option of h2load was
auto, which defaulted to the
number of URIs passed on the command line. Now it is removed, and the
default value is 1. This is because the
-m option specifies the number
of pipelined requests in HTTP/1, and disabling HTTP pipelining better
reflects the practical usage of HTTP/1. The statistics calculation of
h2load is now sampling based, instead of taking into account all
requests/clients, to reduce memory consumption.
nghttpd now gets
--no-content-length option to omit content-length
nghttpx now interleaves pushed streams with the associated stream if
content-type response header field. The initial value of
request/response buffer size (
--backend-response-buffer options) is now increased to 128K. We
have fixed the bug where the
--listener-disable-timeout option was not
used. Now nghttpx does not emit
:authority if the request does not
contain authority information. This happens when
field is missing in an HTTP/2 request, and origin or asterisk form is
used in an HTTP/1.1 request. nghttpx now supports the
RFC 7239 Forwarded header
field. By default,
Forwarded header field is not added. When it is
instructed to be added, nghttpx emits obfuscated strings for
for parameters. Vernon Tang fixed the bug which caused a crash at
startup when running on IPv6 only. Now nghttpx does not apply
--header-field-buffer to response header
fields, since they are meant to be applied to request header fields
only. ayanamist fixed the bug that nghttpx wrongly lower-cased header
field value supplied via