Security dependency updates and patches

Security

• Upgrade curl-sys to 0.4.55 to pull in libcurl 7.83.1, which contains security patches for the below vulnerabilities. (#394) @sagebind
  • CVE-2022-27778: curl removes wrong file on error
  • CVE-2022-27779: cookie for trailing dot TLD
  • CVE-2022-27780: percent-encoded path separator in URL host
  • CVE-2022-27781: CERTINFO never-ending busy-loop
  • CVE-2022-27782: TLS and SSH connection too eager reuse
  • CVE-2022-30115: HSTS bypass via trailing dot
• Fix several bugs with the auto_referer option (disabled by default) which could potentially result in sensitive headers being passed to redirect targets unintentionally. (#393) @sagebind
  • Fix multiple Referer headers being included when two or more redirects are followed in a request
  • URL fragments and userinfo parts of the URL authority should not be included in the Referer header
  • Don't include a Referer header when redirecting from an HTTPS URL to an HTTP URL, as per RFC 7231 recommendation
  • Scrub sensitive headers when redirecting to a different authority

Dependency Updates

• Update Public Suffix List to 172bbfd (#395) @teto-bot

Curl security updates

Security

• Update curl-sys to 0.4.54 to pull in libcurl 7.83.0, which contains security patches for CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, and CVE-2022-27776. (#391) @david-perez

HTTP version support detection

Added

• Add new is_http_version_supported function which allows you to check whether support for a particular HTTP version is available at runtime. When statically linking this will be entirely dependent on your build configuration, but if you are dynamically linking to libcurl then it will vary from system to system. (#368) @sagebind

Changed

• Preallocate buffer for async JSON decoding to improve performance. (#367) @michalmuskala
• Re-enable content-length request test (#383) @sagebind
• Add minimal versions test to CI (#373) @sagebind
• Refactor test server to support writing raw response data. (#366) @sagebind

Dependency Updates

• Update test-case requirement from 1.1 to 2.0 (#376) @dependabot

New cookie APIs

Added

• Expose new APIs for cookie construction, updating, and adding to cookie jar. You can now create your own cookies with Cookie::builder and put arbitrary cookies into the cookie jar with CookieJar::set. (#264, #349) @jacobmischka
• Add bytes() convenience methods to ReadResponseExt and AsyncReadResponseExt which read the entire response body into a Vec<u8>. (#352) @sagebind
• Speed up CI by adding caching to CI (#358) @sagebind

Security

• Replace trivial internal usage of chrono with httpdate to avoid any potential reference to CVE-2020-26235 in time 0.2. (#361) @sagebind

Dependency Updates

• Replace chrono with httpdate internally (#361) @sagebind
• Update tracing-subscriber requirement from 0.2.12 to 0.3.0 (#360) @dependabot
• Update Tarpaulin and re-enable doctest coverage (#357) @sagebind
• Update tiny_http requirement from 0.8 to 0.9 (#356) @dependabot

Stirring performance, boys.

Fixed

• Greatly reduce CPU usage, particularly when receiving long-running or large responses. This was caused by a bug where timeout timers were not being cleared once they expired, effectively creating a repeating timer that would cause repeated extra polls. Huge thanks to @jacobmischka for finding and fixing this bug! (#348, #350)
• Return true for Body::is_empty for HEAD responses (#341, #343)
• Fix code coverage analysis failing to run in CI. (#351)

Expect configurability and connection info in errors

Added

• Expose connection info in errors with the addition of Error::local_addr and Error::remote_addr. This allows you to get the local & remote addresses involved in a request, if any, even if an error occurs. (#336, #337) @sagebind
• Allow use of the Expect header to be configured via Configurable::expect_continue. (#303, #311, #340) @sagebind

Dependency Updates

• Update env_logger requirement from 0.8 to 0.9 (#330) @dependabot

Error docs and log improvements

Added

• Improve the documentation on Error and ErrorKind and add Error::is_timeout.

Fixed

• Improve connection reuse log message and fix some false positives around its emission. The warning about connection reuse will now point users to the wiki page which explains the message in depth. (#335) @sagebind

Dependency Updates

• Update Public Suffix List to bc5d64d (#328) @teto-bot

Trailers and in-memory certs

Added

• Add support for using in-memory client certificates. (#89, #320)
• Add API for accessing trailer headers in responses. (#157, #256)

Changed

• Isahc's MSRV has been increased from 1.41.0 to 1.46.0. (#321)

Fixed

• Fix wrong link to request type in docs. (#323) @humb1t

Dependency Updates

• Update Public Suffix List to 598c638 (#325) @teto-bot

Dependency updates

Dependency Updates

• Update Public Suffix List to 5cb7ed8 (#319) @teto-bot
• Update curl version constraint to ensure MSRV.

Low speed timeouts

Added

• Allow configuring low speed timeouts for transfers, either per-request or as a client default. (#316) @MoSal

Fixed

• Handle raw UTF-8 bytes in redirect headers (#315, #317) @sagebind
• Fix agent IDs for tracing always 0. @sagebind

Changed

• Replace flume with async-channel internally to maintain MSRV contract. (#318) @sagebind