diff --git a/CHANGELOG.md b/CHANGELOG.md index c77b4da9a..2448ea48d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,24 @@ Change Log ========== +## Version 4.9.2 + +_2021-09-30_ + + * Fix: Don't include potentially-sensitive header values in `Headers.toString()` or exceptions. + This applies to `Authorization`, `Cookie`, `Proxy-Authorization`, and `Set-Cookie` headers. + * Fix: Don't crash with an `InaccessibleObjectException` when running on JDK17+ with strong + encapsulation enabled. + * Fix: Strictly verify hostnames used with OkHttp's `HostnameVerifier`. Programs that make direct + manual calls to `HostnameVerifier` could be defeated if the hostnames they pass in are not + strictly ASCII. This issue is tracked as [CVE-2021-0341]. + + ## Version 5.0.0-alpha.2 _2021-01-30_ -**In this release MockWebServer has a new Maven coordinate and package name.** A longstanding +**In this release MockWebServer has a new Maven coordinate and package name.** A longstanding problem with MockWebServer has been its API dependency on JUnit 4. We've reorganized things to remove that dependency while preserving backwards compatibility. 
@@ -17,14 +30,14 @@ remove that dependency while preserving backwards compatibility. | com.squareup.okhttp3:mockwebserver:5.0.0-alpha.2 | okhttp3.mockwebserver | Obsolete. Depends on JUnit 4. | The new APIs use `mockwebserver3` in both the Maven coordinate and package name. This new API is -**not stable** and will likely change before the final 5.0.0 release. +**not stable** and will likely change before the final 5.0.0 release. If you have code that subclasses `okhttp3.mockwebserver.QueueDispatcher`, this update is not source or binary compatible. Migrating to the new `mockwebserver3` package will fix this problem. - * New: DNS over HTTPS is now a stable feature of OkHttp. We introduced this as an experimental + * New: DNS over HTTPS is now a stable feature of OkHttp. We introduced this as an experimental module in 2018. We are confident in its stable API and solid implementation. - * Fix: Work around a crash in Android 10 and 11 that may be triggered when two threads + * Fix: Work around a crash in Android 10 and 11 that may be triggered when two threads concurrently close an SSL socket. This would have appeared in crash logs as `NullPointerException: bio == null`. * Fix: Use plus `+` instead of `%20` to encode space characters in `FormBody`. This was a @@ -46,7 +59,7 @@ _2021-01-30_ GraalVM is an exciting new platform and we're eager to adopt it. The startup time improvements over the JVM are particularly impressive. Try it with okcurl: - + ``` $ ./gradlew okcurl:nativeImage $ ./okcurl/build/graal/okcurl https://cash.app/robots.txt 
@@ -57,7 +70,7 @@ and Android! Please report any issues you encounter: we'll fix them urgently. * Fix: Attempt to read the response body even if the server canceled the request. This will cause some calls to return nice error codes like `HTTP/1.1 429 Too Many Requests` instead of transport - errors like `SocketException: Connection reset` and `StreamResetException: stream was reset: + errors like `SocketException: Connection reset` and `StreamResetException: stream was reset: CANCEL`. * New: Support OSGi metadata. * Upgrade: [Okio 2.9.0][okio_2_9_0]. @@ -84,7 +97,7 @@ _2021-01-30_ _2020-09-11_ **With this release, `okhttp-tls` no longer depends on Bouncy Castle and doesn't install the -Bouncy Castle security provider.** If you still need it, you can do it yourself: +Bouncy Castle security provider.** If you still need it, you can do it yourself: ``` Security.addProvider(BouncyCastleProvider()) @@ -117,14 +130,14 @@ _2020-08-06_ _2020-07-11_ * New: Change `HeldCertificate.Builder` to use its own ASN.1 certificate encoder. This is part - of our effort to remove the okhttp-tls module's dependency on Bouncy Castle. We think Bouncy - Castle is great! But it's a large dependency (6.5 MiB) and its security provider feature + of our effort to remove the okhttp-tls module's dependency on Bouncy Castle. We think Bouncy + Castle is great! But it's a large dependency (6.5 MiB) and its security provider feature impacts VM-wide behavior. * New: Reduce contention for applications that make a very high number of concurrent requests. Previously OkHttp used its connection pool as a lock when making changes to connections and calls. With this change each connection is locked independently. - + * Upgrade: [Okio 2.7.0][okio_2_7_0]. ```kotlin 
@@ -133,8 +146,8 @@ _2020-07-11_ * Fix: Avoid log messages like "Didn't find class org.conscrypt.ConscryptHostnameVerifier" when detecting the TLS capabilities of the host platform. - - * Fix: Don't crash in `HttpUrl.topPrivateDomain()` when the hostname is malformed. + + * Fix: Don't crash in `HttpUrl.topPrivateDomain()` when the hostname is malformed. * Fix: Don't attempt Brotli decompression if the response body is empty. @@ -359,8 +372,8 @@ _2020-01-07_ * Fix: Don't crash with a `NullPointerException` when a web socket is closed before it connects. This regression was introduced in OkHttp 4.3.0. - * Fix: Don't crash with an `IllegalArgumentException` when using custom trust managers on - Android 10. Android uses reflection to look up a magic `checkServerTrusted()` method and we + * Fix: Don't crash with an `IllegalArgumentException` when using custom trust managers on + Android 10. Android uses reflection to look up a magic `checkServerTrusted()` method and we didn't have it. * Fix: Explicitly specify the remote server name when making HTTPS connections on Android 5. In 4.3.0 we introduced a regression where server name indication (SNI) was broken on Android 5. @@ -371,7 +384,7 @@ _2020-01-07_ _2019-12-31_ * Fix: Degrade HTTP/2 connections after a timeout. When an HTTP/2 stream times out it may impact - the stream only or the entire connection. With this fix OkHttp will now send HTTP/2 pings after + the stream only or the entire connection. With this fix OkHttp will now send HTTP/2 pings after a stream timeout to determine whether the connection should remain eligible for pooling. * Fix: Don't call `EventListener.responseHeadersStart()` or `responseBodyStart()` until bytes have 
@@ -380,16 +393,16 @@ _2019-12-31_ event always used to follow one of these events; now it may be sent without them. * New: Upgrade to Kotlin 1.3.61. - - * New: Match any number of subdomains with two asterisks in `CertificatePinner`. For example, + + * New: Match any number of subdomains with two asterisks in `CertificatePinner`. For example, `**.squareup.com` matches `us-west.www.squareup.com`, `www.squareup.com` and `squareup.com`. - * New: Share threads more aggressively between OkHttp's HTTP/2 connections, connection pool, + * New: Share threads more aggressively between OkHttp's HTTP/2 connections, connection pool, web sockets, and cache. OkHttp has a new internal task runner abstraction for managed task scheduling. In your debugger you will see new thread names and more use of daemon threads. - * Fix: Don't drop callbacks on unexpected exceptions. When an interceptor throws an unchecked - exception the callback is now notified that the call was canceled. The exception is still sent + * Fix: Don't drop callbacks on unexpected exceptions. When an interceptor throws an unchecked + exception the callback is now notified that the call was canceled. The exception is still sent to the uncaught exception handler for reporting and recovery. * Fix: Un-deprecate `MockResponse.setHeaders()` and other setters. These were deprecated in OkHttp @@ -403,7 +416,7 @@ _2019-12-31_ * Fix: Undo a performance regression introduced in OkHttp 4.0 caused by differences in behavior between Kotlin's `assert()` and Java's `assert()`. (Kotlin always evaluates the argument; Java - only does when assertions are enabled.) + only does when assertions are enabled.) * Fix: Honor `RequestBody.isOneShot()` in `HttpLoggingInterceptor`. 
@@ -571,6 +584,7 @@ _2019-06-03_ [bom]: https://docs.gradle.org/6.2/userguide/platforms.html#sub:bom_import [bouncy_castle_releases]: https://www.bouncycastle.org/releasenotes.html [dev_server]: https://github.com/square/okhttp/blob/482f88300f78c3419b04379fc26c3683c10d6a9d/samples/guide/src/main/java/okhttp3/recipes/kt/DevServer.kt + [CVE-2021-0341]: https://nvd.nist.gov/vuln/detail/CVE-2021-0341 [fun_interface]: https://kotlinlang.org/docs/reference/fun-interfaces.html [graalvm]: https://www.graalvm.org/ [graalvm_21]: https://www.graalvm.org/release-notes/21_0/ diff --git a/README.md b/README.md index 6b41ef659..21692eae0 100644 --- a/README.md +++ b/README.md @@ -99,10 +99,10 @@ Releases Our [change log][changelog] has release history. -The latest release is available on [Maven Central](https://search.maven.org/artifact/com.squareup.okhttp3/okhttp/4.9.1/jar). +The latest release is available on [Maven Central](https://search.maven.org/artifact/com.squareup.okhttp3/okhttp/4.9.2/jar). ```kotlin -implementation("com.squareup.okhttp3:okhttp:4.9.1") +implementation("com.squareup.okhttp3:okhttp:4.9.2") ``` Snapshot builds are [available][snap]. [R8 and ProGuard][r8_proguard] rules are available. @@ -112,7 +112,7 @@ Also, we have a [bill of materials (BOM)][bom] available to help you keep OkHttp ```kotlin dependencies { // define a BOM and its version - implementation(platform("com.squareup.okhttp3:okhttp-bom:4.9.1")) + implementation(platform("com.squareup.okhttp3:okhttp-bom:4.9.2")) // define any required OkHttp artifacts without version implementation("com.squareup.okhttp3:okhttp") 
@@ -125,10 +125,10 @@ MockWebServer OkHttp includes a library for testing HTTP, HTTPS, and HTTP/2 clients. -The latest release is available on [Maven Central](https://search.maven.org/artifact/com.squareup.okhttp3/mockwebserver/4.9.1/jar). +The latest release is available on [Maven Central](https://search.maven.org/artifact/com.squareup.okhttp3/mockwebserver/4.9.2/jar). ```kotlin -testImplementation("com.squareup.okhttp3:mockwebserver:4.9.1") +testImplementation("com.squareup.okhttp3:mockwebserver:4.9.2") ``` GraalVM Native Image diff --git a/mockwebserver-junit4/README.md b/mockwebserver-junit4/README.md index dd4e7ce95..44ead2d17 100644 --- a/mockwebserver-junit4/README.md +++ b/mockwebserver-junit4/README.md @@ -6,7 +6,7 @@ This module integrates mockwebserver3.MockWebServer with JUnit 4. To use, first add this library as a test dependency: ``` -testImplementation("com.squareup.okhttp3:mockwebserver3-junit4:4.9.1") +testImplementation("com.squareup.okhttp3:mockwebserver3-junit4:4.9.2") ``` Then in tests annotated `@org.junit.Test`, you may declare a field with the `@Rule` annotation: diff --git a/mockwebserver-junit5/README.md b/mockwebserver-junit5/README.md index 5f5f3ab4a..cfa0bc529 100644 --- a/mockwebserver-junit5/README.md +++ b/mockwebserver-junit5/README.md @@ -6,7 +6,7 @@ This module integrates mockwebserver3.MockWebServer with JUnit 5. To use, first add this library as a test dependency: ``` -testRuntimeOnly("com.squareup.okhttp3:mockwebserver3-junit5:4.9.1") +testRuntimeOnly("com.squareup.okhttp3:mockwebserver3-junit5:4.9.2") ``` Then in tests annotated `@org.junit.jupiter.api.Test`, you may add a [MockWebServer] as a test diff --git a/mockwebserver/README.md b/mockwebserver/README.md index c89ebfac8..1bddc329f 100644 --- a/mockwebserver/README.md +++ b/mockwebserver/README.md 
@@ -142,7 +142,7 @@ server.setDispatcher(dispatcher); ### Download ```kotlin -testImplementation("com.squareup.okhttp3:mockwebserver:4.9.1") +testImplementation("com.squareup.okhttp3:mockwebserver:4.9.2") ``` ### License diff --git a/okhttp-brotli/README.md b/okhttp-brotli/README.md index cb9dd45ec..44cd13bc9 100644 --- a/okhttp-brotli/README.md +++ b/okhttp-brotli/README.md @@ -14,7 +14,7 @@ OkHttpClient client = new OkHttpClient.Builder() ``` ```kotlin -implementation("com.squareup.okhttp3:okhttp-brotli:4.9.1") +implementation("com.squareup.okhttp3:okhttp-brotli:4.9.2") ``` [1]: https://github.com/google/brotli diff --git a/okhttp-dnsoverhttps/README.md b/okhttp-dnsoverhttps/README.md index 510c86f8d..e78d8d863 100644 --- a/okhttp-dnsoverhttps/README.md +++ b/okhttp-dnsoverhttps/README.md @@ -6,7 +6,7 @@ This module is an implementation of [DNS over HTTPS][1] using OkHttp. ### Download ```kotlin -testImplementation("com.squareup.okhttp3:okhttp-dnsoverhttps:4.9.1") +testImplementation("com.squareup.okhttp3:okhttp-dnsoverhttps:4.9.2") ``` ### Usage diff --git a/okhttp-logging-interceptor/README.md b/okhttp-logging-interceptor/README.md index e62d6a5da..0603ade9f 100644 --- a/okhttp-logging-interceptor/README.md +++ b/okhttp-logging-interceptor/README.md @@ -37,7 +37,7 @@ Download -------- ```kotlin -implementation("com.squareup.okhttp3:logging-interceptor:4.9.1") +implementation("com.squareup.okhttp3:logging-interceptor:4.9.2") ``` diff --git a/okhttp-sse/README.md b/okhttp-sse/README.md index c485b66cf..a9f07b46d 100644 --- a/okhttp-sse/README.md +++ b/okhttp-sse/README.md @@ -7,5 +7,5 @@ API is not considered stable and may change at any time. ### Download ```kotlin -testImplementation("com.squareup.okhttp3:okhttp-sse:4.9.1") +testImplementation("com.squareup.okhttp3:okhttp-sse:4.9.2") ``` diff --git a/okhttp-tls/README.md b/okhttp-tls/README.md index 7994482f1..91dfe3cf3 100644 --- a/okhttp-tls/README.md +++ b/okhttp-tls/README.md 
@@ -227,7 +227,7 @@ Download -------- ```kotlin -implementation("com.squareup.okhttp3:okhttp-tls:4.9.1") +implementation("com.squareup.okhttp3:okhttp-tls:4.9.2") ``` [held_certificate]: https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/-held-certificate/ diff --git a/okhttp-urlconnection/README.md b/okhttp-urlconnection/README.md index 3e9412df3..c71fc8f3b 100644 --- a/okhttp-urlconnection/README.md +++ b/okhttp-urlconnection/README.md @@ -6,5 +6,5 @@ This module integrates OkHttp with `Authenticator` and `CookieHandler` from `jav ### Download ```kotlin -testImplementation("com.squareup.okhttp3:okhttp-urlconnection:4.9.1") +testImplementation("com.squareup.okhttp3:okhttp-urlconnection:4.9.2") ```
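Review bot: In CHANGELOG.md, hunk `@@ -1,11 +1,24 @@`, the CVE-2021-0341 entry says callers of `HostnameVerifier` "could be defeated if the hostnames they pass in are not strictly ASCII" but does not say what the verifier now does with such a hostname. State the new behaviour in the entry so that programs making direct calls know what result to expect after upgrading. The header entry in the same hunk would also benefit from saying whether the four listed names (`Authorization`, `Cookie`, `Proxy-Authorization`, `Set-Cookie`) are the complete list, since readers who log `Headers.toString()` with other credential-bearing headers may otherwise assume those are covered too.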
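Review bot: In CHANGELOG.md, hunks `@@ -17,14 +30,14 @@` through `@@ -403,7 +416,7 @@` (and the `**In this release MockWebServer ...` pair in the first hunk), every removed/added pair carries the same text, so these appear to be whitespace-only edits. Consider moving them to a separate commit: this commit announces a CVE fix, and keeping it down to the 4.9.2 entry, the link reference and the version bumps makes it easier to audit and to cherry-pick onto other branches.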
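Review bot: In CHANGELOG.md, hunk `@@ -571,6 +584,7 @@`, the new `[CVE-2021-0341]` reference is inserted between `[dev_server]` and `[fun_interface]`, which breaks the alphabetical order the surrounding link definitions follow (`[bom]`, `[bouncy_castle_releases]`, `[dev_server]`, `[fun_interface]`, ...). Moving it to sit before `[dev_server]`, or using a lowercase key in the style of the neighbouring entries, keeps the list easy to scan.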
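Review bot: In mockwebserver-junit4/README.md and mockwebserver-junit5/README.md, the bumped coordinates are `mockwebserver3-junit4:4.9.2` and `mockwebserver3-junit5:4.9.2`, yet the changelog text in this same patch describes `mockwebserver3` as new in 5.0.0-alpha.2. Please confirm that artifacts with these names are actually published for 4.9.2; if they are not, these two READMEs should not be part of a mechanical 4.9.1 to 4.9.2 replacement, because a reader copying the line will get a dependency resolution failure.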
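Review bot: In okhttp-dnsoverhttps/README.md, okhttp-sse/README.md and okhttp-urlconnection/README.md, the updated lines keep the `testImplementation(...)` configuration, while okhttp-brotli, logging-interceptor and okhttp-tls use `implementation(...)`. None of these three modules is described as test-only, so a reader who copies the snippet gets the module on the test classpath only. Since these lines are being touched anyway, consider switching them to `implementation(...)`, or add a sentence explaining why the test scope is intended.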