v2.18.3

What's Changed

• fix: small fixup to new /ip test case by @mccutchen in #214
• docs: fix build status badge in README by @mccutchen in #216
• ci: fix OCI image annotations by @mccutchen in #217

Full Changelog: v2.18.2...v2.18.3

v2.18.2

What's Changed

• ci: upgrade & pin github action versions by @mccutchen in #210
• fix: /ip should not include port number by @mccutchen in #212 (thanks to @gowy222 for the report!)
• fix: actually test fix for local port number in /ip response by @mccutchen in #213

Full Changelog: v2.18.1...v2.18.2

v2.18.1

What's Changed

• fix: /response-headers does not need escaping by default by @mccutchen in #208

Full Changelog: v2.18.0...v2.18.1

v2.18.0

🔐 Security fix 🔐

This release fixes a reflected XSS vulnerability (GHSA-528q-4pgm-wvg2) in the following endpoints:

• /base64/{payload} and /base64/decode/{payload}
• /response-headers

When a request to any of those endpoints included a content-type query parameter set to a dangerous value (e.g. ?content-type=text/html).

Warning

Potential Breaking Change

The affected endpoints now HTML-escape their response bodies only if the incoming request explicitly overrides the known-safe content types. The default behavior is unchanged.

If a go-httpbin deployment depends on the previous, vulnerable behavior and reflected XSS is either not a concern or there are other mitigations in place, the previous behavior may be re-enabled via the -unsafe-allow-dangerous-responses/UNSAFE_ALLOW_DANGEROUS_RESPONSES=1 configuration options.

Important

The publicly available go-httpbin instance at https://httpbingo.org has been updated and is no longer vulnerable. All users are encouraged to upgrade to v2.18.0.

🙌 Thanks 🙌

Many thanks to @AyushXtha for responsibly reporting the vulnerability (GHSA-528q-4pgm-wvg2) according to go-httpbin's security policy and collaborating on the fix!

What's Changed

• doc: document ghcr as alternative to docker hub by @mccutchen in #202
• fix(compat): /range supports duration parameter by @mccutchen in #203
• docs: add security policy by @mccutchen in #204
• chore: update and appease linters by @mccutchen in #205
• fix(security): prevent reflected XSS in /response-headers and /base64 endpoints by @mccutchen in 0decfd1

Full Changelog: v2.17.1...v2.18.0

v2.17.1

What's Changed

• ci: push to ghcr.io (again) by @mccutchen in #201

Full Changelog: v2.17.0...v2.17.1

v2.17.0

What's Changed

• feat: allow configuration of underlying http.Server by @mccutchen in #199
• ci: push to ghcr.io in addition to docker hub by @mccutchen in #200

Full Changelog: v2.16.1...v2.17.0

v2.16.1

What's Changed

• feat: allow specifying content-type for /base64 responses by @mccutchen in #198

Full Changelog: v2.16.0...v2.16.1

v2.16.0

What's Changed

• feat: add /env endpoint to allow exposing operator-controlled info from the server by @mloskot in #189

New Contributors

• @mloskot made their first contribution in #189

Full Changelog: v2.15.0...v2.16.0

v2.15.0

Summary

• ⚠️ Minimum Go version is now 1.22 ⚠️ due to use of new stdlib router enhancements
• New /trailers endpoint added
• Server-Timings headers/trailers added to endpoints with client-controlled response times

What's Changed

• chore(build): bump docker image to 1.23 by @mccutchen in #180
• feat: use enhanced stdlib HTTP router by @mccutchen in #181
• chore(ci): fix code coverage uploads by @mccutchen in #183
• refactor: small tweak to template rendering helpers by @mccutchen in #182
• feat: add /trailers endpoint by @mccutchen in #184
• refactor: minor tweaks to /drip implementation by @mccutchen in #185
• feat: add Server-Timing headers/trailers where relevant by @mccutchen in #186

Full Changelog: v2.14.1...v2.15.0

v2.14.1

What's Changed

• feat: support JSON structured log formatting by @pehlicd in #179

New Contributors

• @pehlicd made their first contribution in #179

Full Changelog: v2.14.0...v2.14.1