Mongoose 6.18

• Allow OpenSSL session reuse on 2-way SSL
• Updated certs for OpenSSL tests
• Fixed OpenSSL error status issue
• Added HTTP proxy client example
• Fixed deferencing mg_http_free_proto_data_endpoints
• Fixed typedef bool for MSC

Mongoose 6.17

Bug fixes

• An integer overflow bug in parse_mqtt(), CVE-2019-19307
• MQTT ping logic improved
• Leak fix for invalid CA
• Make SSL and non-SSL build binary compatible
• Make 30x replies keep opened HTTP/1.1 connection

Mongoose 6.16

Bug fixes

• A critical issue in mg_http_parse() is fixed. Associated fuzzer test added.
  This is a fix for the CVE-2019-13503 in the Common Vulnerability and Exposure database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13503

Mongoose 6.15

Bug fixes

• A critical MQTT heap-based overflow in parse_mqtt() fixed - credit goes to Yakun Zhang and Zheng Huang of Baidu Security Labs for discovering and reporting the issue
• mg_resolve2() incorrect memory init fixed
• Fixed locking in lwip_net_if
• Fixed callback invocation in mg_net_if_lwip

Features

• Added new platform rs14100, a multi-protocol wireless chip from Redpine Signals
• Deliver EV_CLOSE to the last endpoint handler
• Allow NULL handler for mg_bind and mg_connect

Mongoose 6.14

API changes

• Added MG_MK_STR_N(), mg_str_starts_with(), mg_strfree()
• Added mbuf_clear(), mbuf_append_and_free(), mbuf_move()
• Added ability for multipart data handler to provide pushback
• Made MG_CTL_MSG_MESSAGE_SIZE overridable

Bug fixes

• Fixed digest auth result comparison
• Read all available data during recv poll
• Ensure that user sees all the data before connection is closed
• Check for NULL in tcp_recved_tcpip()
• Send extra options with OPTIONS
• Properly support MQTT wildcards when matching topics
• Fix handling of WS handshake error response

Other changes

• Log file:line instead of function; add cs_log_set_file_level()

Mongoose 6.13

• When processing chunked response, make sure chunk size is reasonable
• Open uploaded file in binary mode (Windows)
• Refactored polling, cleaned up net_if interface somewhat
• LwIP: Trim recv_mbuf when we know the size of the data
• Fix unused variable warnings when build w/o logging
• Added net_if_null
• Minor doc updates

Mongoose 6.12

Security fix

This release fixes a security issue, reported at https://www.cvedetails.com/cve/CVE-2018-10945/

( Fix body length calculation in mg_handle_cgi)

Change List:

• Add mg_url_encode_opt() - a parametrized version of mg_url_encode()

• Add MG_HIDE_SERVER_INFO

• mg_file_upload_handler: Support multiple files

• Add host name verification for OpenSSL

• Add mg_strstrip: trims whitespace at both ends of a string

• Fix http pipelining

• Fix buffer size passed to inet_ntop()

• Fix an edge case in multipart HTTP upload parsing

• Fix mg_http_parse_header (treat ; as a delimiter)

• mg_lwip: Fix race during clean connection teardown

• Fix a bug in mg_mgr_init_opt with opts.num_ifaces

• Fix build with CS_ENABLE_STDIO=0

• Fix warnings on newer versions of GCC

• Fix body length calculation in mg_handle_cgi

• Don't touch send_mbuf when sending MQTT messages

Mongoose 6.11

• Fix socket leak when there are too many open file descriptors
• Fix publish-subscribe example
• Fix mg_parse_multipart in case of malformed request
• Websocket: Respond to Ping with Pong
• Websocket: Properly close a connection with Close frame (in response to a client's close and when protocol failure is detected)
• Websocket: Fix support of fragmented messages
• Websocket: Add support for control frames interjected in the middle of a fragmented message
• Digest authentication: Fix nonce validity check (expired nonce or nonce from the future did not cause the the check to fail)
• Digest authentication: Fix nonce request value; it worked before because nonce validity check was broken as well
• Digest authentication: Add nonce argument to mg_http_create_digest_auth_header(): clients should use the value received from the server's authentication request.
• Fail if passed a NULL handler to mg_bind or mg_bind_opt.
• Publish sources and tests
• Remove tunneling functionality which was used by nobody
• Add UDP client example
• Don't use user_data in mqtt server
• Deprecate mg_http_parse_header() and implement mg_http_parse_header2() instead, which allocates a new buffer if the client-provided one is not large enough (similarly to asprintf).
• Fix limitations of header value lengths, e.g. when parsing authentication headers such as nonce, etc.

Mongoose 6.10

API changes

• SOCKS5 client and server support
• Timer value is no longer cleared after MG_EV_TIMER event if it was not changed. User's handler must set it to 0 explicitly to avoid repeated invocation.

FIxes

• SSL/TLS listener fix for TI SimpleLink networking interface
• Double-counting of recved bytes in LWIP interface caused issues
• MQTT SUBSCRIBE command parsing in the broker code could cause crashes
• FIxed CGI script connection lifetime management

Mongoose 6.9

API changes:

• MG_ENABLE_CALLBACK_USERDATA - if set, changes signature of event handler function to include user_data argument. Disabled by default for now, in the future this will become the default.
• mg_set_nameserver() - specify DNS server to use
• mg_assemble_uri() - assemble a URI from parts
• mg_connect_ws() now accepts http:// URLs

Bug fixes:

• Fix parsing of MQTT QoS > 0 PUBLISH messages
• Fix MQTT PUB{ACK,REC,REL,COMP} and UNSUBACK flags
• Properly shut down the SSL connection (send "close notify" TLS message)
• Fix mg_get_http_var() return value
• Fix MQTT handshake; change client protocol to version 3.1.1
• Fix Handling of multiple MQTT messages per RECV event
• Update to make lwip_net_if thread-safe
• Use DhcpNameServer on Windows
• Fix MQTT message parsing issues
• Fix DNS name uncompression that could lead to infinite loop
• Fix WS frame reassembly issues

#855