Release v0.2.5

arman-bd · arman-bd · commit 012214b6a016 · 2025-11-10T13:40:08.000+01:00
## Security Fixes This release addresses 9 critical security vulnerabilities discovered during code analysis: ### 1. HTTP/1.1 Body Reallocation Bug - **Severity**: HIGH - Data loss during response handling - **Impact**: Response body data was being discarded when buffer needed to grow - **Fix**: Corrected realloc_body_buffer() to track actual data size - **File**: src/core/http1.c:31 ### 2. Integer Overflow Protection (8 locations) - **Severity**: CRITICAL - Heap overflow vulnerability - **Impact**: Buffer doubling operations could overflow on large responses - **Locations**: HTTP/2 data callback, HTTP/1.1 body buffer, gzip decompression, response/request headers, async requests - **Fix**: Added overflow checks using SIZE_MAX/2 before all buffer doubling ### 3. DNS Cache Memory Leak - **Severity**: MEDIUM - Memory leak on allocation failure - **Fix**: Proper cleanup on all error paths in addrinfo_deep_copy() - **File**: src/core/network.c:78-123 ## Improvements ### Async HTTP Proxy - Use absolute URI for HTTP requests through proxy - Add Proxy-Authorization header for authenticated proxies - Proper HTTP vs HTTPS proxy distinction - **File**: src/core/async_request.c:1012-1064 ### CI/CD - Enhanced test configuration with proper secret handling - Improved workflow environment variable passing ## Changed Files **Core Security Fixes**: - src/core/http1.c - Body reallocation + overflow checks - src/core/http2_logic.c - Integer overflow protection - src/core/compression.c - Decompression overflow check - src/core/response.c - Header array overflow check - src/core/request.c - Header array overflow check - src/core/async_request_manager.c - Request array overflow check - src/core/async_request.c - HTTP proxy improvements - src/core/network.c - DNS cache memory leak fix **Infrastructure**: - .github/workflows/_test.yml - Enhanced test configuration - .github/workflows/ci.yml - Improved workflow secrets - tests/* - Comprehensive security test coverage ## Impact - **Security**: All 9 vulnerabilities patched - **Performance**: No regression - O(1) overflow checks - **Compatibility**: No breaking changes ## Upgrade Recommendation ⚠️ **Immediate upgrade recommended** to prevent: - Data loss during large response handling - Heap overflow from malicious or large responses - Memory leaks during DNS operations
diff --git a/pyproject.toml b/pyproject.toml
@@ -9,7 +9,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "httpmorph"
-version = "0.2.4"
+version = "0.2.5"
 description = "A Python HTTP client focused on mimicking browser fingerprints."
 readme = "README.md"
 requires-python = ">=3.8"
