diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index 2d378e367..000000000 --- a/CHANGELOG +++ /dev/null @@ -1,1094 +0,0 @@ -Unreleased: mitmproxy next - -** Full Changelog ** - - * Support for Python 3.9 (@mhils) - * Add MsgPack content viewer (@tasn) - * Use `@charset` to decode CSS files if available (@prinzhorn) - * Fix links to anticache docs in mitmweb and use HTTPS for links to documentation (@rugk) - * Updated typing for WebsocketMessage.content (@prinzhorn) - * Add option `console_strip_trailing_newlines`, and no longer strip trailing newlines by default (@capt8bit) - * Prevent transparent mode from connecting to itself in the basic cases (@prinzhorn) - * Display HTTP trailers in mitmweb (@sanlengjingvv) - * Revamp onboarding app (@mhils) - * Add ASGI support for embedded apps (@mhils) - * Updated raw exports to not remove headers (@wchasekelley) - * Fix file unlinking before external viewer finishes loading (@wchasekelley) - * Add --cert-passphrase command line argument (@mirosyn) - * Add interactive tutorials to the documentation (@mplattner) - * Support `deflateRaw` `Content-Encoding`s (@kjoconnor) - * Fix broken requests without body on HTTP/2 (@Kriechi) - * Add support for sending (but not parsing) HTTP Trailers to the HTTP/1.1 protocol (@bburky) - * Add support to echo http trailers in dumper addon (@shiv6146) - - * --- TODO: add new PRs above this line --- - - * ... and various other fixes, documentation improvements, dependency version bumps, etc. - -18 July 2020: mitmproxy 5.2 - - * Add Filter message to mitmdump (@sarthak212) - * Display TCP flows at flow list (@Jessonsotoventura, @nikitastupin, @mhils) - * Colorize JSON Contentview (@sarthak212) - * Fix console crash when entering regex escape character in half-open string (@sarthak212) - * Integrate contentviews to TCP flow details (@nikitastupin) - * Added add-ons that enhance the performance of web application scanners (@anneborcherding) - * Increase WebSocket message timestamp precision (@JustAnotherArchivist) - * Fix HTTP reason value on HTTP/2 reponses (@rbdixon) - * mitmweb: support wslview to open a web browser (@G-Rath) - * Fix dev version detection with parent git repo (@JustAnotherArchivist) - * Restructure examples and supported addons (@mhils) - * Certificate generation: mark SAN as critical if no CN is set (@mhils) - * Simplify Replacements with new ModifyBody addon (@mplattner) - * Rename SetHeaders addon to ModifyHeaders (@mplattner) - * mitmweb: "New -> File" menu option has been renamed to "Clear All" (@yogeshojha) - * Add new MapRemote addon to rewrite URLs of requests (@mplattner) - * Add support for HTTP Trailers to the HTTP/2 protocol (@sanlengjingvv and @Kriechi) - * Fix certificate runtime error during expire cleanup (@gorogoroumaru) - * Fixed the DNS Rebind Protection for secure support of IPv6 addresses (@tunnelpr0) - * WebSockets: match the HTTP-WebSocket flow for the ~websocket filter (@Kriechi) - * Fix deadlock caused by the "replay.client.stop" command (@gorogoroumaru) - * Add new MapLocal addon to serve local files instead of remote resources (@mplattner and @mhils) - * Add minimal TCP interception and modification (@nikitastupin) - * Add new CheckSSLPinning addon to check SSL-Pinning on client (@su-vikas) - * Add a JSON dump script: write data into a file or send to an endpoint as JSON (@emedvedev) - * Fix console output formatting (@sarthak212) - * Add example for proxy authentication using selenium (@anneborcherding and @weichweich) - -13 April 2020: mitmproxy 5.1.1 - - * Fixed Docker images not starting due to missing shell - -13 April 2020: mitmproxy 5.1 - - ** Major Changes ** - * Initial Support for TLS 1.3 - - ** Full Changelog ** - * Reduce leaf certificate validity to one year due to upcoming browser changes (@mhils) - * Rename mitmweb's web_iface option to web_host for consistency (@oxr463) - * Sending a SIGTERM now exits mitmproxy without prompt, SIGINT still asks (@ThinkChaos) - * Don't force host header on outgoing requests (@mhils) - * Additional documentation and examples for WebSockets (@Kriechi) - * Gracefully handle hyphens in domain names (@matosconsulting) - * Fix header replacement count (@naivekun) - * Emit serverconnect event only after a connection has been established (@Prinzhorn) - * Fix ValueError in table mode of server replay flow (@ylmrx) - * HTTP/2: send all stream reset types to other connection (@rohfle) - * HTTP/2: fix WINDOW_UPDATE swallowed on closed streams (@Kriechi) - * Fix wrong behavior of --allow-hosts options (@BlownSnail) - * Additional and updated documentation for examples, WebSockets, Getting Started (@Kriechi) - -27 December 2019: mitmproxy 5.0.1 - - * Fixed precompiled Linux binaries to not crash in table mode - * Display webp images in mitmweb (@cixtor) - -16 December 2019: mitmproxy 5.0 - - ** Major Changes ** - * Added new Table UI (@Jessonsotoventura) - * Added EKU extension to certificates. This fixes support for macOS Catalina (@vin01) - - ** Security Fixes ** - * Fixed command injection vulnerabilities when exporting flows as curl/httpie commands (@cript0nauta) - * Do not echo unsanitized user input in HTTP error responses (@fimad) - - ** Full Changelog ** - * Moved to Github CI for Continuous Integration, dropping support for old Linux and macOS releases. (#3728) - * Vastly improved command parsing, in particular for setting flow filters (@typoon) - * Added a new flow export for raw responses (@mckeimic) - * URLs are now edited in an external editor (@Jessonsotoventura) - * mitmproxy now has a command history (@typoon) - * Added terminal like keyboard shortcuts for the command bar (ctrl+w, ctrl+a, ctrl+f, ...) (@typoon) - * Fixed issue with improper handling of non-ascii characters in URLs (@rjt-gupta) - * Filtering can now use unicode characters (@rjt-gupta) - * Fixed issue with user keybindings not being able to override default keybindings - * Improved installation instructions - * Added support for IPV6-only environments (@sethb157) - * Fixed bug with server replay (@rjt-gupta) - * Fixed issue with duplicate error responses (@ccssrryy) - * Users can now set a specific external editor using $MITMPROXY_EDITOR (@rjt-gupta) - * Config file can now be called `config.yml` or `config.yaml` (@ylmrx) - * Fixed crash on `view.focus.[next|prev]` (@ylmrx) - * Updated documentation to help using mitmproxy certificate on Android (@jannst) - * Added support to parse IPv6 entries from `pfctl` on MacOS. (@tomlabaude) - * Fixed instructions on how to build the documentation (@jannst) - * Added a new `--allow-hosts` option (@pierlon) - * Added support for zstd content-encoding (@tsaaristo) - * Fixed issue where the replay server would corrupt the Date header (@tonyb486) - * Improve speed for WebSocket interception (@MathieuBordere) - * Fixed issue with parsing JPEG files. (@lusceu) - * Improve example code style (@BoboTiG) - * Fixed issue converting void responses to HAR (@worldmind) - * Color coded http status codes in mitmweb (@arun-94) - * Added organization to generated certificates (@Abcdefghijklmnopqrstuvwxyzxyz) - * Errors are now displayed on sys.stderr (@JessicaFavin) - * Fixed issue with replay timestamps (@rjt-gupta) - * Fixed copying in mitmweb on macOS (@XZzYassin) - -31 July 2018: mitmproxy 4.0.4 - - * Security: Protect mitmweb against DNS rebinding. (CVE-2018-14505, @atx) - * Reduce certificate lifetime to two years to be conformant with - the current CA/Browser Forum Baseline Requirements. (@muffl0n) - (https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/) - * Update cryptography to version 2.3. - -15 June 2018: mitmproxy 4.0.3 - - * Add support for IPv6 transparent mode on Windows (#3174) - * Add Docker images for ARMv7 - Raspberry Pi (#3190) - * Major overhaul of our release workflow - you probably won't notice it, but for us it's a big thing! - * Fix the Python version detection on Python 3.5, we now show a more intuitive error message (#3188) - * Fix application shutdown on Windows (#3172) - * Fix IPv6 scope suffixes in block addon (#3164) - * Fix options update when added (#3157) - * Fix "Edit Flow" button in mitmweb (#3136) - -15 June 2018: mitmproxy 4.0.2 - * Skipped! - - -17 May 2018: mitmproxy 4.0.1 - - ** Bugfixes ** - * The previous release had a packaging issue, so we bumped it to v4.0.1 and re-released it. - * This contains no actual bugfixes or new features. - -17 May 2018: mitmproxy 4.0 - - ** Features ** - * mitmproxy now requires Python 3.6! - * Moved the core to asyncio - which gives us a very significant performance boost! - * Reduce memory consumption by using `SO_KEEPALIVE` (#3076) - * Export request as httpie command (#3031) - * Configure mitmproxy console keybindings with the keys.yaml file. See docs for more. - - ** Breaking Changes ** - * The --conf command-line flag is now --confdir, and specifies the mitmproxy configuration - directory, instead of the options yaml file (which is at `config.yaml` under the configuration directory). - * `allow_remote` got replaced by `block_global` and `block_private` (#3100) - * No more custom events (#3093) - * The `cadir` option has been renamed to `confdir` - * We no longer magically capture print statements in addons and translate - them to logs. Please use `ctx.log.info` explicitly. - - ** Bugfixes ** - * Correctly block connections from remote clients with IPv4-mapped IPv6 client addresses (#3099) - * Expand `~` in paths during the `cut` command (#3078) - * Remove socket listen backlog constraint - * Improve handling of user script exceptions (#3050, #2837) - * Ignore signal errors on windows - * Fix traceback for commands with un-terminated escape characters (#2810) - * Fix request replay when proxy is bound to local interface (#2647) - * Fix traceback when running scripts on a flow twice (#2838) - * Fix traceback when killing intercepted flow (#2879) - * And lots of typos, docs improvements, revamped examples, and general fixes! - -05 April 2018: mitmproxy 3.0.4 - - * Fix an issue that caused mitmproxy to not retry HTTP requests on timeout. - - * Various other fixes (@kira0204, @fenilgandhi, @tran-tien-dat, @smonami, - @luzpaz, @fristonio, @kajojify, @Oliver-Fish, @hcbarry, @jplochocki, @MikeShi42, - @ghillu, @emilstahl) - -25 February 2018: mitmproxy 3.0.3 - - * Fix an issue that caused mitmproxy to lose keyboard control after spawning an external editor. - -23 February 2018: mitmproxy 3.0.1 - - * Fix a quote-related issue affecting the mitmproxy console command prompt. - -22 February 2018: mitmproxy 3.0 - - ** Major Changes ** - - * Commands: A consistent, typed mechanism that allows addons to expose actions - to users. - - * Options: A typed settings store for use by mitmproxy and addons. - - * Shift most of mitmproxy's own functionality into addons. - - * Major improvements to mitmproxy console, including an almost complete - rewrite of the user interface, integration of commands, key bindings, and - multi-pane layouts. - - * Major Improvements to mitmproxy’s web interface, mitmweb. (Matthew Shao, - Google Summer of Code 2017) - - * Major Improvements to mitmproxy’s content views and protocol layers (Ujjwal - Verma, Google Summer of Code 2017) - - * Faster JavaScript and CSS beautifiers. (Ujjwal Verma) - - - ** Minor Changes ** - - * Vastly improved JavaScript test coverage (Matthew Shao) - - * Options editor for mitmweb (Matthew Shao) - - * Static web-based flow viewer (Matthew Shao) - - * Request streaming for HTTP/1.x and HTTP/2 (Ujjwal Verma) - - * Implement more robust content views using Kaitai Struct (Ujjwal Verma) - - * Protobuf decoding now works without protoc being installed on the host - system (Ujjwal Verma) - - * PNG, GIF, and JPEG can now be parsed without Pillow, which simplifies - mitmproxy installation and moves parsing from unsafe C to pure Python (Ujjwal Verma) - - * Add parser for ICO files (Ujjwal Verma) - - * Migrate WebSockets implementation to wsproto. This reduces code size and - adds WebSocket compression support. (Ujjwal Verma) - - * Add “split view” to split mitmproxy’s UI into two separate panes. - - * Add key binding viewer and editor - - * Add a command to spawn a preconfigured Chrome browser instance from - mitmproxy - - * Fully support mitmproxy under the Windows Subsystem for Linux (WSL), work - around display errors - - * Add XSS scanner addon (@ddworken) - - * Add ability to toggle interception (@mattweidner) - - * Numerous documentation improvements (@pauloromeira, @rst0git, @rgerganov, - @fulldecent, @zhigang1992, @F1ashhimself, @vinaydargar, @jonathanrfisher1, - @BasThomas, @LuD1161, @ayamamori, @TomTasche) - - * Add filters for websocket flows (@s4chin) - - * Make it possible to create a response to CONNECT requests in http_connect - (@mengbiping) - - * Redirect stdout in scripts to ctx.log.warn (@nikofil) - - * Fix a crash when clearing the event log (@krsoninikhil) - - * Store the generated certificate for each flow (@dlenski) - - * Add --keep-host-header to retain the host header in reverse proxy mode - (@krsoninikhil) - - * Fix setting palette options (@JordanLoehr) - - * Fix a crash with brotli encoding (@whackashoe) - - * Provide certificate installation instructions on mitm.it (@ritiek) - - * Fix a bug where we did not properly fall back to IPv4 when IPv6 is unavailable (@titeuf87) - - * Fix transparent mode on IPv6-enabled macOS systems (@Ga-ryo) - - * Fix handling of HTTP messages with multiple Content-Length headers (@surajt97) - - * Fix IPv6 authority form parsing in CONNECT requests (@r1b) - - * Fix event log display in mitmweb (@syahn) - - * Remove private key from PKCS12 file in ~/.mitmproxy (@ograff). - - * Add LDAP as a proxy authentication backend (@charlesdhdt) - - * Use mypy to check the whole codebase (@iharsh234) - - * Fix a crash when duplicating flows (@iharsh234) - - * Fix testsuite when the path contains a “.” (@felixonmars) - - * Store proxy authentication with flows (@lymanZerga11) - - * Match ~d and ~u filters against pretty_host (@dequis) - - * Update WBXML content view (@davidpshaw) - - * Handle HEAD requests for mitm.it to support Chrome in transparent mode on - iOS (@tomlabaude) - - * Update dns spoofing example to use --keep-host-header (@krsoninikhil) - - * Call error handler on HTTPException (@tarnacious) - - * Make it possible to remove TLS from upstream HTTP connections - - * Update to pyOpenSSL 17.5, cryptography 2.1.4, and OpenSSL 1.1.0g - - * Make it possible to retroactively increase log verbosity. - - * Make logging from addons thread-safe - - * Tolerate imports in user scripts that match hook names (`from mitmproxy - import log`) - - * Update mitmweb to React 16, which brings performance improvements - - * Fix a bug where reverting duplicated flows crashes mitmproxy - - * Fix a bug where successive requests are sent to the wrong host after a - request has been redirected. - - * Fix a bug that binds outgoing connections to the wrong interface - - * Fix a bug where custom certificates are ignored in reverse proxy mode - - * Fix import of flows that have been created with mitmproxy 0.17 - - * Fix formatting of (IPv6) IP addresses in a number of places - - * Fix replay for HTTP/2 flows - - * Decouple mitmproxy version and flow file format version - - * Fix a bug where “mitmdump -nr” does not exit automatically - - * Fix a crash when exporting flows to curl - - * Fix formatting of sticky cookies - - * Improve script reloading reliability by polling the filesystem instead of using watchdog - - * Fix a crash when refreshing Set-Cookie headers - - * Add connection indicator to mitmweb to alert users when the proxy server stops running - - * Add support for certificates with cyrillic domains - - * Simplify output of mitmproxy --version - - * Add Request.make to simplify request creation in scripts - - * Pathoc: Include a host header on CONNECT requests - - * Remove HTML outline contentview (#2572) - - * Remove Python and Locust export (#2465) - - * Remove emojis from tox.ini because flake8 cannot parse that. :( - - - -28 April 2017: mitmproxy 2.0.2 - - * Fix mitmweb's Content-Security-Policy to work with Chrome 58+ - - * HTTP/2: actually use header normalization from hyper-h2 - - -15 March 2017: mitmproxy 2.0.1 - - * bump cryptography dependency - - * bump pyparsing dependency - - * HTTP/2: use header normalization from hyper-h2 - - -21 February 2017: mitmproxy 2.0 - - * HTTP/2 is now enabled by default. - - * Image ContentView: Parse images with Kaitai Struct (kaitai.io) instead of Pillow. - This simplifies installation, reduces binary size, and allows parsing in pure Python. - - * Web: Add missing flow filters. - - * Add transparent proxy support for OpenBSD. - - * Check the mitmproxy CA for expiration and warn the user to regenerate it if necessary. - - * Testing: Tremendous improvements, enforced 100% coverage for large parts of the - codebase, increased overall coverage. - - * Enforce individual coverage: one source file -> one test file with 100% coverage. - - * A myriad of other small improvements throughout the project. - - * Numerous bugfixes. - - -26 December 2016: mitmproxy 1.0 - - * All mitmproxy tools are now Python 3 only! We plan to support Python 3.5 and higher. - - * Web-Based User Interface: Mitmproxy now officially has a web-based user interface - called mitmweb. We consider it stable for all features currently exposed - in the UI, but it still misses a lot of mitmproxy’s options. - - * Windows Compatibility: With mitmweb, mitmproxy is now usable on Windows. - We are also introducing an installer (kindly sponsored by BitRock) that - simplifies setup. - - * Configuration: The config file format is now a single YAML file. In most cases, - converting to the new format should be trivial - please see the docs for - more information. - - * Console: Significant UI improvements - including sorting of flows by - size, type and url, status bar improvements, much faster indentation for - HTTP views, and more. - - * HTTP/2: Significant improvements, but is temporarily disabled by default - due to wide-spread protocol implementation errors on some large website - - * WebSocket: The protocol implementation is now mature, and is enabled by - default. Complete UI support is coming in the next release. Hooks for - message interception and manipulation are available. - - * A myriad of other small improvements throughout the project. - - -16 October 2016: mitmproxy 0.18 - - * Python 3 Compatibility for mitmproxy and pathod (Shadab Zafar, GSoC 2016) - - * Major improvements to mitmweb (Clemens Brunner & Jason Hao, GSoC 2016) - - * Internal Core Refactor: Separation of most features into isolated Addons - - * Initial Support for WebSockets - - * Improved HTTP/2 Support - - * Reverse Proxy Mode now automatically adjusts host headers and TLS Server Name Indication - - * Improved HAR export - - * Improved export functionality for curl, python code, raw http etc. - - * Flow URLs are now truncated in the console for better visibility - - * New filters for TCP, HTTP and marked flows. - - * Mitmproxy now handles comma-separated Cookie headers - - * Merge mitmproxy and pathod documentation - - * Mitmdump now sanitizes its console output to not include control characters - - * Improved message body handling for HTTP messages: - .raw_content provides the message body as seen on the wire - .content provides the decompressed body (e.g. un-gzipped) - .text provides the body decompressed and decoded body - - * New HTTP Message getters/setters for cookies and form contents. - - * Add ability to view only marked flows in mitmproxy - - * Improved Script Reloader (Always use polling, watch for whole directory) - - * Use tox for testing - - * Unicode support for tnetstrings - - * Add dumpfile converters for mitmproxy versions 0.11 and 0.12 - - * Numerous bugfixes - - -9 April 2016: mitmproxy 0.17 - - * Simplify repository and release structure. mitmproxy now comes as a single package, including netlib and pathod. - - * Rename the Python package from libmproxy to mitmproxy. - - * New option to add server certs to client chain (CVE-2016-2402, John Kozyrakis) - - * Enable HTTP/2 by default (Thomas Kriechbaumer) - - * Improved HAR extractor (Shadab Zafar) - - * Add icon for OSX and Windows binaries - - * Add content view for query parameters (Will Coster) - - * Initial work on Python 3 compatibility - - * locust.io export (Zohar Lorberbaum) - - * Fix XSS vulnerability in HTTP errors (Will Coster) - - * Numerous bugfixes and minor improvements - - -15 February 2016: mitmproxy 0.16 - - * Completely revised HTTP2 implementation based on hyper-h2 (Thomas Kriechbaumer) - - * Export flows as cURL command, Python code or raw HTTP (Shadab Zafar) - - * Fixed compatibility with the Android Emulator (Will Coster) - - * Script Reloader: Inline scripts are reloaded automatically if modified (Matthew Shao) - - * Inline script hooks for TCP mode (Michael J. Bazzinotti) - - * Add default ciphers to support iOS9 App Transport Security (Jorge Villacorta) - - * Basic Authentication for mitmweb (Guillem Anguera) - - * Exempt connections from interception based on TLS Server Name Indication (David Weinstein) - - * Provide Python Wheels for faster installation - - * Numerous bugfixes and minor improvements - - -4 December 2015: mitmproxy 0.15 - - * Support for loading and converting older dumpfile formats (0.13 and up) - - * Content views for inline script (@chrisczub) - - * Better handling of empty header values (Benjamin Lee/@bltb) - - * Fix a gnarly memory leak in mitmdump - - * A number of bugfixes and small improvements - - -6 November 2015: mitmproxy 0.14 - - * Statistics: 399 commits, 13 contributors, 79 closed issues, 37 closed - PRs, 103 days - - * Docs: Greatly updated docs now hosted on ReadTheDocs! - http://docs.mitmproxy.org - - * Docs: Fixed Typos, updated URLs etc. (Nick Badger, Ben Lerner, Choongwoo - Han, onlywade, Jurriaan Bremer) - - * mitmdump: Colorized TTY output - - * mitmdump: Use mitmproxy's content views for human-readable output (Chris - Czub) - - * mitmproxy and mitmdump: Support for displaying UTF8 contents - - * mitmproxy: add command line switch to disable mouse interaction (Timothy - Elliott) - - * mitmproxy: bug fixes (Choongwoo Han, sethp-jive, FreeArtMan) - - * mitmweb: bug fixes (Colin Bendell) - - * libmproxy: Add ability to fall back to TCP passthrough for non-HTTP - connections. - - * libmproxy: Avoid double-connect in case of TLS Server Name Indication. - This yields a massive speedup for TLS handshakes. - - * libmproxy: Prevent unnecessary upstream connections (macmantrl) - - * Inline Scripts: New API for HTTP Headers: - http://docs.mitmproxy.org/en/latest/dev/models.html#netlib.http.Headers - - * Inline Scripts: Properly handle exceptions in `done` hook - - * Inline Scripts: Allow relative imports, provide `__file__` - - * Examples: Add probabilistic TLS passthrough as an inline script - - * netlib: Refactored HTTP protocol handling code - - * netlib: ALPN support - - * netlib: fixed a bug in the optional certificate verification. - - * netlib: Initial Python 3.5 support (this is the first prerequisite for - 3.x support in mitmproxy) - - -24 July 2015: mitmproxy 0.13 - - * Upstream certificate validation. See the --verify-upstream-cert, - --upstream-trusted-confdir and --upstream-trusted-ca parameters. Thanks to - Kyle Morton (github.com/kyle-m) for his work on this. - - * Add HTTP transparent proxy mode. This uses the host headers from HTTP - traffic (rather than SNI and IP address information from the OS) to - implement perform transparent proxying. Thanks to github.com/ijiro123 for - this feature. - - * Add ~src and ~dst REGEX filters, allowing matching on source and - destination addresses in the form of : - - * mitmproxy console: change g/G keyboard shortcuts to match less. Thanks to - Jose Luis Honorato (github.com/jlhonora). - - * mitmproxy console: Flow marking and unmarking. Marked flows are not - deleted when the flow list is cleared. Thanks to Jake Drahos - (github.com/drahosj). - - * mitmproxy console: add marking of flows - - * Remove the certforward feature. It was added to allow exploitation of - #gotofail, which is no longer a common vulnerability. Permitting this - hugely increased the complexity of packaging and distributing mitmproxy. - - - - -3 June 2015: mitmproxy 0.12.1 - - * mitmproxy console: mouse interaction - scroll in the flow list, click on - flow to view, click to switch between tabs. - - * Update our crypto defaults: SHA256, 2048 bit RSA, 4096 bit DH parameters. - - * BUGFIX: crash under some circumstances when copying to clipboard. - - * BUGFIX: occasional crash when deleting flows. - - -18 May 2015: mitmproxy 0.12 - - * mitmproxy console: Significant revamp of the UI. The major changes are - listed below, and in addition almost every aspect of the UI has - been tweaked, and performance has improved significantly. - - * mitmproxy console: A new options screen has been created ("o" shortcut), - and many options that were previously manipulated directly via a - keybinding have been moved there. - - * mitmproxy console: Big improvement in palettes. This includes improvements - to all colour schemes. Palettes now set the terminal background colour by - default, and a new --palette-transparent option has been added to disable - this. - - * mitmproxy console: g/G shortcuts throughout mitmproxy console to jump - to the beginning/end of the current view. - - * mitmproxy console: switch palettes on the fly from the options screen. - - * mitmproxy console: A cookie editor has been added for mitmproxy console - at long last. - - * mitmproxy console: Various components of requests and responses can be - copied to the clipboard from mitmproxy - thanks to @marceloglezer. - - * Support for creating new requests from scratch in mitmproxy console (@marceloglezer). - - * SSLKEYLOGFILE environment variable to specify a logging location for TLS - master keys. This can be used with tools like Wireshark to allow TLS - decoding. - - * Server facing SSL cipher suite specification (thanks to Jim Shaver). - - * Official support for transparent proxying on FreeBSD - thanks to Mike C - (http://github.com/mike-pt). - - * Many other small bugfixes and improvemenets throughout the project. - - -29 Dec 2014: mitmproxy 0.11.2: - - * Configuration files - mitmproxy.conf, mitmdump.conf, common.conf in the - .mitmproxy directory. - * Better handling of servers that reject connections that are not SNI. - * Many other small bugfixes and improvements. - - -15 November 2014: mitmproxy 0.11.1: - - * Bug fixes: connection leaks some crashes - - -7 November 2014: mitmproxy 0.11: - - * Performance improvements for mitmproxy console - - * SOCKS5 proxy mode allows mitmproxy to act as a SOCKS5 proxy server - - * Data streaming for response bodies exceeding a threshold - (bradpeabody@gmail.com) - - * Ignore hosts or IP addresses, forwarding both HTTP and HTTPS traffic - untouched - - * Finer-grained control of traffic replay, including options to ignore - contents or parameters when matching flows (marcelo.glezer@gmail.com) - - * Pass arguments to inline scripts - - * Configurable size limit on HTTP request and response bodies - - * Per-domain specification of interception certificates and keys (see - --cert option) - - * Certificate forwarding, relaying upstream SSL certificates verbatim (see - --cert-forward) - - * Search and highlighting for HTTP request and response bodies in - mitmproxy console (pedro@worcel.com) - - * Transparent proxy support on Windows - - * Improved error messages and logging - - * Support for FreeBSD in transparent mode, using pf (zbrdge@gmail.com) - - * Content view mode for WBXML (davidshaw835@air-watch.com) - - * Better documentation, with a new section on proxy modes - - * Generic TCP proxy mode - - * Countless bugfixes and other small improvements - - * pathod: Hugely improved SSL support, including dynamic generation of certificates - using the mitproxy cacert - -7 November 2014: pathod 0.11: - - * Hugely improved SSL support, including dynamic generation of certificates - using the mitproxy cacert - - * pathoc -S dumps information on the remote SSL certificate chain - - * Big improvements to fuzzing, including random spec selection and memoization to avoid repeating randomly generated patterns - - * Reflected patterns, allowing you to embed a pathod server response specification in a pathoc request, resolving both on client side. This makes fuzzing proxies and other intermediate systems much better. - - -28 January 2014: mitmproxy 0.10: - - * Support for multiple scripts and multiple script arguments - - * Easy certificate install through the in-proxy web app, which is now - enabled by default - - * Forward proxy mode, that forwards proxy requests to an upstream HTTP server - - * Reverse proxy now works with SSL - - * Search within a request/response using the "/" and "n" shortcut keys - - * A view that beatifies CSS files if cssutils is available - - * Bug fix, documentation improvements, and more. - - -25 August 2013: mitmproxy 0.9.2: - - * Improvements to the mitmproxywrapper.py helper script for OSX. - - * Don't take minor version into account when checking for serialized file - compatibility. - - * Fix a bug causing resource exhaustion under some circumstances for SSL - connections. - - * Revamp the way we store interception certificates. We used to store these - on disk, they're now in-memory. This fixes a race condition related to - cert handling, and improves compatibility with Windows, where the rules - governing permitted file names are weird, resulting in errors for some - valid IDNA-encoded names. - - * Display transfer rates for responses in the flow list. - - * Many other small bugfixes and improvements. - - -25 August 2013: pathod 0.9.2: - - * Adapt to interface changes in netlib - - -16 June 2013: mitmproxy 0.9.1: - - * Use "correct" case for Content-Type headers added by mitmproxy. - - * Make UTF environment detection more robust. - - * Improved MIME-type detection for viewers. - - * Always read files in binary mode (Windows compatibility fix). - - * Some developer documentation. - - -15 May 2013: mitmproxy 0.9: - - * Upstream certs mode is now the default. - - * Add a WSGI container that lets you host in-proxy web applications. - - * Full transparent proxy support for Linux and OSX. - - * Introduce netlib, a common codebase for mitmproxy and pathod - (http://github.com/cortesi/netlib). - - * Full support for SNI. - - * Color palettes for mitmproxy, tailored for light and dark terminal - backgrounds. - - * Stream flows to file as responses arrive with the "W" shortcut in - mitmproxy. - - * Extend the filter language, including ~d domain match operator, ~a to - match asset flows (js, images, css). - - * Follow mode in mitmproxy ("F" shortcut) to "tail" flows as they arrive. - - * --dummy-certs option to specify and preserve the dummy certificate - directory. - - * Server replay from the current captured buffer. - - * Huge improvements in content views. We now have viewers for AMF, HTML, - JSON, Javascript, images, XML, URL-encoded forms, as well as hexadecimal - and raw views. - - * Add Set Headers, analogous to replacement hooks. Defines headers that are set - on flows, based on a matching pattern. - - * A graphical editor for path components in mitmproxy. - - * A small set of standard user-agent strings, which can be used easily in - the header editor. - - * Proxy authentication to limit access to mitmproxy - - * pathod: Proxy mode. You can now configure clients to use pathod as an - HTTP/S proxy. - - * pathoc: Proxy support, including using CONNECT to tunnel directly to - targets. - - * pathoc: client certificate support. - - * pathod: API improvements, bugfixes. - - -15 May 2013: pathod 0.9 (version synced with mitmproxy): - - * Pathod proxy mode. You can now configure clients to use pathod as an - HTTP/S proxy. - - * Pathoc proxy support, including using CONNECT to tunnel directly to - targets. - - * Pathoc client certificate support. - - * API improvements, bugfixes. - - -16 November 2012: pathod 0.3: - - A release focusing on shoring up our fuzzing capabilities, especially with - pathoc. - - * pathoc -q and -r options, output full request and response text. - - * pathod -q and -r options, add full request and response text to pathod's - log buffer. - - * pathoc and pathod -x option, makes -q and -r options log in hex dump - format. - - * pathoc -C option, specify response codes to ignore. - - * pathoc -T option, instructs pathoc to ignore timeouts. - - * pathoc -o option, a one-shot mode that exits after the first non-ignored - response. - - * pathoc and pathod -e option, which explains the resulting message by - expanding random and generated portions, and logging a reproducible - specification. - - * Streamline the specification language. HTTP response message is now - specified using the "r" mnemonic. - - * Add a "u" mnemonic for specifying User-Agent strings. Add a set of - standard user-agent strings accessible through shortcuts. - - * Major internal refactoring and cleanup. - - * Many bugfixes. - - -22 August 2012: pathod 0.2: - - * Add pathoc, a pathological HTTP client. - - * Add libpathod.test, a truss for using pathod in unit tests. - - * Add an injection operator to the specification language. - - * Allow Python escape sequences in value literals. - - * Allow execution of requests and responses from file, using the new + operator. - - * Add daemonization to Pathod, and make it more robust for public-facing use. - - * Let pathod pick an arbitrary open port if -p 0 is specified. - - * Move from Tornado to netlib, the network library written for mitmproxy. - - * Move the web application to Flask. - - * Massively expand the documentation. - - -5 April 2012: mitmproxy 0.8: - - * Detailed tutorial for Android interception. Some features that land in - this release have finally made reliable Android interception possible. - - * Upstream-cert mode, which uses information from the upstream server to - generate interception certificates. - - * Replacement patterns that let you easily do global replacements in flows - matching filter patterns. Can be specified on the command-line, or edited - interactively. - - * Much more sophisticated and usable pretty printing of request bodies. - Support for auto-indentation of Javascript, inspection of image EXIF - data, and more. - - * Details view for flows, showing connection and SSL cert information (X - keyboard shortcut). - - * Server certificates are now stored and serialized in saved traffic for - later analysis. This means that the 0.8 serialization format is NOT - compatible with 0.7. - - * Many other improvements, including bugfixes, and expanded scripting API, - and more sophisticated certificate handling. - - -20 February 2012: mitmproxy 0.7: - - * New built-in key/value editor. This lets you interactively edit URL query - strings, headers and URL-encoded form data. - - * Extend script API to allow duplication and replay of flows. - - * API for easy manipulation of URL-encoded forms and query strings. - - * Add "D" shortcut in mitmproxy to duplicate a flow. - - * Reverse proxy mode. In this mode mitmproxy acts as an HTTP server, - forwarding all traffic to a specified upstream server. - - * UI improvements - use unicode characters to make GUI more compact, - improve spacing and layout throughout. - - * Add support for filtering by HTTP method. - - * Add the ability to specify an HTTP body size limit. - - * Move to typed netstrings for serialization format - this makes 0.7 - backwards-incompatible with serialized data from 0.6! - - * Significant improvements in speed and responsiveness of UI. - - * Many minor bugfixes and improvements. - - -7 August 2011: mitmproxy 0.6: - - * New scripting API that allows much more flexible and fine-grained - rewriting of traffic. See the docs for more info. - - * Support for gzip and deflate content encodings. A new "z" - keybinding in mitmproxy to let us quickly encode and decode content, plus - automatic decoding for the "pretty" view mode. - - * An event log, viewable with the "v" shortcut in mitmproxy, and the - "-e" command-line flag in mitmdump. - - * Huge performance improvements: mitmproxy interface, loading - large numbers of flows from file. - - * A new "replace" convenience method for all flow objects, that does a - universal regex-based string replacement. - - * Header management has been rewritten to maintain both case and order. - - * Improved stability for SSL interception. - - * Default expiry time on generated SSL certs has been dropped to avoid an - OpenSSL overflow bug that caused certificates to expire in the distant - past on some systems. - - * A "pretty" view mode for JSON and form submission data. - - * Expanded documentation and examples. - - * Countless other small improvements and bugfixes. - - -27 June 2011: mitmproxy 0.5: - - * An -n option to start the tools without binding to a proxy port. - - * Allow scripts, hooks, sticky cookies etc. to run on flows loaded from - save files. - - * Regularize command-line options for mitmproxy and mitmdump. - - * Add an "SSL exception" to mitmproxy's license to remove possible - distribution issues. - - * Add a --cert-wait-time option to make mitmproxy pause after a new SSL - certificate is generated. This can pave over small discrepancies in - system time between the client and server. - - * Handle viewing big request and response bodies more elegantly. Only - render the first 100k of large documents, and try to avoid running the - XML indenter on non-XML data. - - * BUGFIX: Make the "revert" keyboard shortcut in mitmproxy work after a - flow has been replayed. - - * BUGFIX: Repair a problem that sometimes caused SSL connections to consume - 100% of CPU. - - -30 March 2011: mitmproxy 0.4 - - * Full serialization of HTTP conversations - - * Client and server replay - - * On-the-fly generation of dummy SSL certificates - - * mitmdump has "grown up" into a powerful tcpdump-like tool for HTTP/S - - * Dozens of improvements to the mitmproxy console interface - - * Python scripting hooks for programmatic modification of traffic - - -1 March 2010: mitmproxy 0.2 - - * Big speed and responsiveness improvements, thanks to Thomas Roth - - * Support urwid 0.9.9 - - * Terminal beeping based on filter expressions - - * Filter expressions for terminal beeps, limits, interceptions and sticky - cookies can now be passed on the command line. - - * Save requests and responses to file - - * Split off non-interactive dump functionality into a new tool called - mitmdump - - * "A" will now accept all intercepted connections - - * Lots of bugfixes diff --git a/CHANGELOG.rst b/CHANGELOG.rst new file mode 100644 index 000000000..39fc4cc22 --- /dev/null +++ b/CHANGELOG.rst @@ -0,0 +1,844 @@ +Release History +############### + +Unreleased: mitmproxy next +========================== + +* --- TODO: add new PRs above this line --- + +* ... and various other fixes, documentation improvements, dependency version bumps, etc. + +01 November 2020: mitmproxy 5.3 +=============================== + +Full Changelog +-------------- + +* Support for Python 3.9 (@mhils) +* Add MsgPack content viewer (@tasn) +* Use `@charset` to decode CSS files if available (@prinzhorn) +* Fix links to anticache docs in mitmweb and use HTTPS for links to documentation (@rugk) +* Updated typing for WebsocketMessage.content (@prinzhorn) +* Add option `console_strip_trailing_newlines`, and no longer strip trailing newlines by default (@capt8bit) +* Prevent transparent mode from connecting to itself in the basic cases (@prinzhorn) +* Display HTTP trailers in mitmweb (@sanlengjingvv) +* Revamp onboarding app (@mhils) +* Add ASGI support for embedded apps (@mhils) +* Updated raw exports to not remove headers (@wchasekelley) +* Fix file unlinking before external viewer finishes loading (@wchasekelley) +* Add --cert-passphrase command line argument (@mirosyn) +* Add interactive tutorials to the documentation (@mplattner) +* Support `deflateRaw` for `Content-Encoding`'s (@kjoconnor) +* Fix broken requests without body on HTTP/2 (@Kriechi) +* Add support for sending (but not parsing) HTTP Trailers to the HTTP/1.1 protocol (@bburky) +* Add support to echo http trailers in dumper addon (@shiv6146) +* Fix OpenSSL requiring different CN for root and leaf certificates (@mhils) +* ... and various other fixes, documentation improvements, dependency version bumps, etc. + +18 July 2020: mitmproxy 5.2 +=========================== + +* Add Filter message to mitmdump (@sarthak212) +* Display TCP flows at flow list (@Jessonsotoventura, @nikitastupin, @mhils) +* Colorize JSON Contentview (@sarthak212) +* Fix console crash when entering regex escape character in half-open string (@sarthak212) +* Integrate contentviews to TCP flow details (@nikitastupin) +* Added add-ons that enhance the performance of web application scanners (@anneborcherding) +* Increase WebSocket message timestamp precision (@JustAnotherArchivist) +* Fix HTTP reason value on HTTP/2 reponses (@rbdixon) +* mitmweb: support wslview to open a web browser (@G-Rath) +* Fix dev version detection with parent git repo (@JustAnotherArchivist) +* Restructure examples and supported addons (@mhils) +* Certificate generation: mark SAN as critical if no CN is set (@mhils) +* Simplify Replacements with new ModifyBody addon (@mplattner) +* Rename SetHeaders addon to ModifyHeaders (@mplattner) +* mitmweb: "New -> File" menu option has been renamed to "Clear All" (@yogeshojha) +* Add new MapRemote addon to rewrite URLs of requests (@mplattner) +* Add support for HTTP Trailers to the HTTP/2 protocol (@sanlengjingvv and @Kriechi) +* Fix certificate runtime error during expire cleanup (@gorogoroumaru) +* Fixed the DNS Rebind Protection for secure support of IPv6 addresses (@tunnelpr0) +* WebSockets: match the HTTP-WebSocket flow for the ~websocket filter (@Kriechi) +* Fix deadlock caused by the "replay.client.stop" command (@gorogoroumaru) +* Add new MapLocal addon to serve local files instead of remote resources (@mplattner and @mhils) +* Add minimal TCP interception and modification (@nikitastupin) +* Add new CheckSSLPinning addon to check SSL-Pinning on client (@su-vikas) +* Add a JSON dump script: write data into a file or send to an endpoint as JSON (@emedvedev) +* Fix console output formatting (@sarthak212) +* Add example for proxy authentication using selenium (@anneborcherding and @weichweich) + +13 April 2020: mitmproxy 5.1.1 +============================== + +* Fixed Docker images not starting due to missing shell + +13 April 2020: mitmproxy 5.1 +============================ + +Major Changes +------------- + +* Initial Support for TLS 1.3 + +Full Changelog +-------------- + +* Reduce leaf certificate validity to one year due to upcoming browser changes (@mhils) +* Rename mitmweb's `web_iface` option to `web_host` for consistency (@oxr463) +* Sending a SIGTERM now exits mitmproxy without prompt, SIGINT still asks (@ThinkChaos) +* Don't force host header on outgoing requests (@mhils) +* Additional documentation and examples for WebSockets (@Kriechi) +* Gracefully handle hyphens in domain names (@matosconsulting) +* Fix header replacement count (@naivekun) +* Emit serverconnect event only after a connection has been established (@Prinzhorn) +* Fix ValueError in table mode of server replay flow (@ylmrx) +* HTTP/2: send all stream reset types to other connection (@rohfle) +* HTTP/2: fix WINDOW_UPDATE swallowed on closed streams (@Kriechi) +* Fix wrong behavior of --allow-hosts options (@BlownSnail) +* Additional and updated documentation for examples, WebSockets, Getting Started (@Kriechi) + +27 December 2019: mitmproxy 5.0.1 +================================= + +* Fixed precompiled Linux binaries to not crash in table mode +* Display webp images in mitmweb (@cixtor) + +16 December 2019: mitmproxy 5.0 +=============================== + +Major Changes +------------- + +* Added new Table UI (@Jessonsotoventura) +* Added EKU extension to certificates. This fixes support for macOS Catalina (@vin01) + +Security Fixes +-------------- + +* Fixed command injection vulnerabilities when exporting flows as curl/httpie commands (@cript0nauta) +* Do not echo unsanitized user input in HTTP error responses (@fimad) + +Full Changelog +-------------- + +* Moved to Github CI for Continuous Integration, dropping support for old Linux and macOS releases. (#3728) +* Vastly improved command parsing, in particular for setting flow filters (@typoon) +* Added a new flow export for raw responses (@mckeimic) +* URLs are now edited in an external editor (@Jessonsotoventura) +* mitmproxy now has a command history (@typoon) +* Added terminal like keyboard shortcuts for the command bar (ctrl+w, ctrl+a, ctrl+f, ...) (@typoon) +* Fixed issue with improper handling of non-ascii characters in URLs (@rjt-gupta) +* Filtering can now use unicode characters (@rjt-gupta) +* Fixed issue with user keybindings not being able to override default keybindings +* Improved installation instructions +* Added support for IPV6-only environments (@sethb157) +* Fixed bug with server replay (@rjt-gupta) +* Fixed issue with duplicate error responses (@ccssrryy) +* Users can now set a specific external editor using $MITMPROXY_EDITOR (@rjt-gupta) +* Config file can now be called `config.yml` or `config.yaml` (@ylmrx) +* Fixed crash on `view.focus.[next|prev]` (@ylmrx) +* Updated documentation to help using mitmproxy certificate on Android (@jannst) +* Added support to parse IPv6 entries from `pfctl` on MacOS. (@tomlabaude) +* Fixed instructions on how to build the documentation (@jannst) +* Added a new `--allow-hosts` option (@pierlon) +* Added support for zstd content-encoding (@tsaaristo) +* Fixed issue where the replay server would corrupt the Date header (@tonyb486) +* Improve speed for WebSocket interception (@MathieuBordere) +* Fixed issue with parsing JPEG files. (@lusceu) +* Improve example code style (@BoboTiG) +* Fixed issue converting void responses to HAR (@worldmind) +* Color coded http status codes in mitmweb (@arun-94) +* Added organization to generated certificates (@Abcdefghijklmnopqrstuvwxyzxyz) +* Errors are now displayed on sys.stderr (@JessicaFavin) +* Fixed issue with replay timestamps (@rjt-gupta) +* Fixed copying in mitmweb on macOS (@XZzYassin) + +31 July 2018: mitmproxy 4.0.4 +============================= + +* Security: Protect mitmweb against DNS rebinding. (CVE-2018-14505, @atx) +* Reduce certificate lifetime to two years to be conformant with + the current CA/Browser Forum Baseline Requirements. (@muffl0n) + (https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/) +* Update cryptography to version 2.3. + +15 June 2018: mitmproxy 4.0.3 +============================= + +* Add support for IPv6 transparent mode on Windows (#3174) +* Add Docker images for ARMv7 - Raspberry Pi (#3190) +* Major overhaul of our release workflow - you probably won't notice it, but for us it's a big thing! +* Fix the Python version detection on Python 3.5, we now show a more intuitive error message (#3188) +* Fix application shutdown on Windows (#3172) +* Fix IPv6 scope suffixes in block addon (#3164) +* Fix options update when added (#3157) +* Fix "Edit Flow" button in mitmweb (#3136) + +15 June 2018: mitmproxy 4.0.2 +============================= + +* Skipped! + +17 May 2018: mitmproxy 4.0.1 +============================ + +Bugfixes +----------- + +* The previous release had a packaging issue, so we bumped it to v4.0.1 and re-released it. +* This contains no actual bugfixes or new features. + +17 May 2018: mitmproxy 4.0 +========================== + +Features +-------- + +* mitmproxy now requires Python 3.6! +* Moved the core to asyncio - which gives us a very significant performance boost! +* Reduce memory consumption by using `SO_KEEPALIVE` (#3076) +* Export request as httpie command (#3031) +* Configure mitmproxy console keybindings with the keys.yaml file. See docs for more. + +Breaking Changes +---------------- + +* The --conf command-line flag is now --confdir, and specifies the mitmproxy configuration + directory, instead of the options yaml file (which is at `config.yaml` under the configuration directory). +* `allow_remote` got replaced by `block_global` and `block_private` (#3100) +* No more custom events (#3093) +* The `cadir` option has been renamed to `confdir` +* We no longer magically capture print statements in addons and translate + them to logs. Please use `ctx.log.info` explicitly. + +Bugfixes +-------- + +* Correctly block connections from remote clients with IPv4-mapped IPv6 client addresses (#3099) +* Expand `~` in paths during the `cut` command (#3078) +* Remove socket listen backlog constraint +* Improve handling of user script exceptions (#3050, #2837) +* Ignore signal errors on windows +* Fix traceback for commands with un-terminated escape characters (#2810) +* Fix request replay when proxy is bound to local interface (#2647) +* Fix traceback when running scripts on a flow twice (#2838) +* Fix traceback when killing intercepted flow (#2879) +* And lots of typos, docs improvements, revamped examples, and general fixes! + +05 April 2018: mitmproxy 3.0.4 +============================== + +* Fix an issue that caused mitmproxy to not retry HTTP requests on timeout. +* Various other fixes (@kira0204, @fenilgandhi, @tran-tien-dat, @smonami, + @luzpaz, @fristonio, @kajojify, @Oliver-Fish, @hcbarry, @jplochocki, @MikeShi42, + @ghillu, @emilstahl) + +25 February 2018: mitmproxy 3.0.3 +================================= + +* Fix an issue that caused mitmproxy to lose keyboard control after spawning an external editor. + +23 February 2018: mitmproxy 3.0.1 +================================= + +* Fix a quote-related issue affecting the mitmproxy console command prompt. + +22 February 2018: mitmproxy 3.0 +=============================== + +Major Changes +------------- + +* Commands: A consistent, typed mechanism that allows addons to expose actions + to users. +* Options: A typed settings store for use by mitmproxy and addons. +* Shift most of mitmproxy's own functionality into addons. +* Major improvements to mitmproxy console, including an almost complete + rewrite of the user interface, integration of commands, key bindings, and + multi-pane layouts. +* Major Improvements to mitmproxy’s web interface, mitmweb. (Matthew Shao, + Google Summer of Code 2017) +* Major Improvements to mitmproxy’s content views and protocol layers (Ujjwal + Verma, Google Summer of Code 2017) +* Faster JavaScript and CSS beautifiers. (Ujjwal Verma) + +Minor Changes +------------- + +* Vastly improved JavaScript test coverage (Matthew Shao) +* Options editor for mitmweb (Matthew Shao) +* Static web-based flow viewer (Matthew Shao) +* Request streaming for HTTP/1.x and HTTP/2 (Ujjwal Verma) +* Implement more robust content views using Kaitai Struct (Ujjwal Verma) +* Protobuf decoding now works without protoc being installed on the host + system (Ujjwal Verma) +* PNG, GIF, and JPEG can now be parsed without Pillow, which simplifies + mitmproxy installation and moves parsing from unsafe C to pure Python (Ujjwal Verma) +* Add parser for ICO files (Ujjwal Verma) +* Migrate WebSockets implementation to wsproto. This reduces code size and + adds WebSocket compression support. (Ujjwal Verma) +* Add “split view” to split mitmproxy’s UI into two separate panes. +* Add key binding viewer and editor +* Add a command to spawn a preconfigured Chrome browser instance from + mitmproxy +* Fully support mitmproxy under the Windows Subsystem for Linux (WSL), work + around display errors +* Add XSS scanner addon (@ddworken) +* Add ability to toggle interception (@mattweidner) +* Numerous documentation improvements (@pauloromeira, @rst0git, @rgerganov, + @fulldecent, @zhigang1992, @F1ashhimself, @vinaydargar, @jonathanrfisher1, + @BasThomas, @LuD1161, @ayamamori, @TomTasche) +* Add filters for websocket flows (@s4chin) +* Make it possible to create a response to CONNECT requests in http_connect + (@mengbiping) +* Redirect stdout in scripts to ctx.log.warn (@nikofil) +* Fix a crash when clearing the event log (@krsoninikhil) +* Store the generated certificate for each flow (@dlenski) +* Add --keep-host-header to retain the host header in reverse proxy mode + (@krsoninikhil) +* Fix setting palette options (@JordanLoehr) +* Fix a crash with brotli encoding (@whackashoe) +* Provide certificate installation instructions on mitm.it (@ritiek) +* Fix a bug where we did not properly fall back to IPv4 when IPv6 is unavailable (@titeuf87) +* Fix transparent mode on IPv6-enabled macOS systems (@Ga-ryo) +* Fix handling of HTTP messages with multiple Content-Length headers (@surajt97) +* Fix IPv6 authority form parsing in CONNECT requests (@r1b) +* Fix event log display in mitmweb (@syahn) +* Remove private key from PKCS12 file in ~/.mitmproxy (@ograff). +* Add LDAP as a proxy authentication backend (@charlesdhdt) +* Use mypy to check the whole codebase (@iharsh234) +* Fix a crash when duplicating flows (@iharsh234) +* Fix testsuite when the path contains a “.” (@felixonmars) +* Store proxy authentication with flows (@lymanZerga11) +* Match ~d and ~u filters against pretty_host (@dequis) +* Update WBXML content view (@davidpshaw) +* Handle HEAD requests for mitm.it to support Chrome in transparent mode on + iOS (@tomlabaude) +* Update dns spoofing example to use --keep-host-header (@krsoninikhil) +* Call error handler on HTTPException (@tarnacious) +* Make it possible to remove TLS from upstream HTTP connections +* Update to pyOpenSSL 17.5, cryptography 2.1.4, and OpenSSL 1.1.0g +* Make it possible to retroactively increase log verbosity. +* Make logging from addons thread-safe +* Tolerate imports in user scripts that match hook names + (`from mitmproxy import log`) +* Update mitmweb to React 16, which brings performance improvements +* Fix a bug where reverting duplicated flows crashes mitmproxy +* Fix a bug where successive requests are sent to the wrong host after a + request has been redirected. +* Fix a bug that binds outgoing connections to the wrong interface +* Fix a bug where custom certificates are ignored in reverse proxy mode +* Fix import of flows that have been created with mitmproxy 0.17 +* Fix formatting of (IPv6) IP addresses in a number of places +* Fix replay for HTTP/2 flows +* Decouple mitmproxy version and flow file format version +* Fix a bug where “mitmdump -nr” does not exit automatically +* Fix a crash when exporting flows to curl +* Fix formatting of sticky cookies +* Improve script reloading reliability by polling the filesystem instead of using watchdog +* Fix a crash when refreshing Set-Cookie headers +* Add connection indicator to mitmweb to alert users when the proxy server stops running +* Add support for certificates with cyrillic domains +* Simplify output of mitmproxy --version +* Add Request.make to simplify request creation in scripts +* Pathoc: Include a host header on CONNECT requests +* Remove HTML outline contentview (#2572) +* Remove Python and Locust export (#2465) +* Remove emojis from tox.ini because flake8 cannot parse that. :( + +28 April 2017: mitmproxy 2.0.2 +============================== + +* Fix mitmweb's Content-Security-Policy to work with Chrome 58+ +* HTTP/2: actually use header normalization from hyper-h2 + +15 March 2017: mitmproxy 2.0.1 +============================== + +* bump cryptography dependency +* bump pyparsing dependency +* HTTP/2: use header normalization from hyper-h2 + +21 February 2017: mitmproxy 2.0 +=============================== + +* HTTP/2 is now enabled by default. +* Image ContentView: Parse images with Kaitai Struct (kaitai.io) instead of Pillow. + This simplifies installation, reduces binary size, and allows parsing in pure Python. +* Web: Add missing flow filters. +* Add transparent proxy support for OpenBSD. +* Check the mitmproxy CA for expiration and warn the user to regenerate it if necessary. +* Testing: Tremendous improvements, enforced 100% coverage for large parts of the + codebase, increased overall coverage. +* Enforce individual coverage: one source file -> one test file with 100% coverage. +* A myriad of other small improvements throughout the project. +* Numerous bugfixes. + +26 December 2016: mitmproxy 1.0 +=============================== + +* All mitmproxy tools are now Python 3 only! We plan to support Python 3.5 and higher. +* Web-Based User Interface: Mitmproxy now officially has a web-based user interface + called mitmweb. We consider it stable for all features currently exposed + in the UI, but it still misses a lot of mitmproxy’s options. +* Windows Compatibility: With mitmweb, mitmproxy is now usable on Windows. + We are also introducing an installer (kindly sponsored by BitRock) that + simplifies setup. +* Configuration: The config file format is now a single YAML file. In most cases, + converting to the new format should be trivial - please see the docs for + more information. +* Console: Significant UI improvements - including sorting of flows by + size, type and url, status bar improvements, much faster indentation for + HTTP views, and more. +* HTTP/2: Significant improvements, but is temporarily disabled by default + due to wide-spread protocol implementation errors on some large website +* WebSocket: The protocol implementation is now mature, and is enabled by + default. Complete UI support is coming in the next release. Hooks for + message interception and manipulation are available. +* A myriad of other small improvements throughout the project. + +16 October 2016: mitmproxy 0.18 +=============================== + +* Python 3 Compatibility for mitmproxy and pathod (Shadab Zafar, GSoC 2016) +* Major improvements to mitmweb (Clemens Brunner & Jason Hao, GSoC 2016) +* Internal Core Refactor: Separation of most features into isolated Addons +* Initial Support for WebSockets +* Improved HTTP/2 Support +* Reverse Proxy Mode now automatically adjusts host headers and TLS Server Name Indication +* Improved HAR export +* Improved export functionality for curl, python code, raw http etc. +* Flow URLs are now truncated in the console for better visibility +* New filters for TCP, HTTP and marked flows. +* Mitmproxy now handles comma-separated Cookie headers +* Merge mitmproxy and pathod documentation +* Mitmdump now sanitizes its console output to not include control characters +* Improved message body handling for HTTP messages: + `.raw_content` provides the message body as seen on the wire + `.content` provides the decompressed body (e.g. un-gzipped) + `.text` provides the body decompressed and decoded body +* New HTTP Message getters/setters for cookies and form contents. +* Add ability to view only marked flows in mitmproxy +* Improved Script Reloader (Always use polling, watch for whole directory) +* Use tox for testing +* Unicode support for tnetstrings +* Add dumpfile converters for mitmproxy versions 0.11 and 0.12 +* Numerous bugfixes + +9 April 2016: mitmproxy 0.17 +============================ + +* Simplify repository and release structure. mitmproxy now comes as a single package, including netlib and pathod. +* Rename the Python package from libmproxy to mitmproxy. +* New option to add server certs to client chain (CVE-2016-2402, John Kozyrakis) +* Enable HTTP/2 by default (Thomas Kriechbaumer) +* Improved HAR extractor (Shadab Zafar) +* Add icon for OSX and Windows binaries +* Add content view for query parameters (Will Coster) +* Initial work on Python 3 compatibility +* locust.io export (Zohar Lorberbaum) +* Fix XSS vulnerability in HTTP errors (Will Coster) +* Numerous bugfixes and minor improvements + + +15 February 2016: mitmproxy 0.16 +================================ + +* Completely revised HTTP2 implementation based on hyper-h2 (Thomas Kriechbaumer) +* Export flows as cURL command, Python code or raw HTTP (Shadab Zafar) +* Fixed compatibility with the Android Emulator (Will Coster) +* Script Reloader: Inline scripts are reloaded automatically if modified (Matthew Shao) +* Inline script hooks for TCP mode (Michael J. Bazzinotti) +* Add default ciphers to support iOS9 App Transport Security (Jorge Villacorta) +* Basic Authentication for mitmweb (Guillem Anguera) +* Exempt connections from interception based on TLS Server Name Indication (David Weinstein) +* Provide Python Wheels for faster installation +* Numerous bugfixes and minor improvements + +4 December 2015: mitmproxy 0.15 +=============================== + +* Support for loading and converting older dumpfile formats (0.13 and up) +* Content views for inline script (@chrisczub) +* Better handling of empty header values (Benjamin Lee/@bltb) +* Fix a gnarly memory leak in mitmdump +* A number of bugfixes and small improvements + +6 November 2015: mitmproxy 0.14 +=============================== + +* Statistics: 399 commits, 13 contributors, 79 closed issues, 37 closed + PRs, 103 days +* Docs: Greatly updated docs now hosted on ReadTheDocs! + http://docs.mitmproxy.org +* Docs: Fixed Typos, updated URLs etc. (Nick Badger, Ben Lerner, Choongwoo + Han, onlywade, Jurriaan Bremer) +* mitmdump: Colorized TTY output +* mitmdump: Use mitmproxy's content views for human-readable output (Chris + Czub) +* mitmproxy and mitmdump: Support for displaying UTF8 contents +* mitmproxy: add command line switch to disable mouse interaction (Timothy + Elliott) +* mitmproxy: bug fixes (Choongwoo Han, sethp-jive, FreeArtMan) +* mitmweb: bug fixes (Colin Bendell) +* libmproxy: Add ability to fall back to TCP passthrough for non-HTTP + connections. +* libmproxy: Avoid double-connect in case of TLS Server Name Indication. + This yields a massive speedup for TLS handshakes. +* libmproxy: Prevent unnecessary upstream connections (macmantrl) +* Inline Scripts: New API for HTTP Headers: + http://docs.mitmproxy.org/en/latest/dev/models.html#netlib.http.Headers +* Inline Scripts: Properly handle exceptions in `done` hook +* Inline Scripts: Allow relative imports, provide `__file__` +* Examples: Add probabilistic TLS passthrough as an inline script +* netlib: Refactored HTTP protocol handling code +* netlib: ALPN support +* netlib: fixed a bug in the optional certificate verification. +* netlib: Initial Python 3.5 support (this is the first prerequisite for + 3.x support in mitmproxy) + +24 July 2015: mitmproxy 0.13 +============================ + +* Upstream certificate validation. See the --verify-upstream-cert, + --upstream-trusted-confdir and --upstream-trusted-ca parameters. Thanks to + Kyle Morton (github.com/kyle-m) for his work on this. +* Add HTTP transparent proxy mode. This uses the host headers from HTTP + traffic (rather than SNI and IP address information from the OS) to + implement perform transparent proxying. Thanks to github.com/ijiro123 for + this feature. +* Add ~src and ~dst REGEX filters, allowing matching on source and + destination addresses in the form of : +* mitmproxy console: change g/G keyboard shortcuts to match less. Thanks to + Jose Luis Honorato (github.com/jlhonora). +* mitmproxy console: Flow marking and unmarking. Marked flows are not + deleted when the flow list is cleared. Thanks to Jake Drahos + (github.com/drahosj). +* mitmproxy console: add marking of flows +* Remove the certforward feature. It was added to allow exploitation of + #gotofail, which is no longer a common vulnerability. Permitting this + hugely increased the complexity of packaging and distributing mitmproxy. + +3 June 2015: mitmproxy 0.12.1 +============================= + +* mitmproxy console: mouse interaction - scroll in the flow list, click on + flow to view, click to switch between tabs. +* Update our crypto defaults: SHA256, 2048 bit RSA, 4096 bit DH parameters. +* BUGFIX: crash under some circumstances when copying to clipboard. +* BUGFIX: occasional crash when deleting flows. + +18 May 2015: mitmproxy 0.12 +=========================== + +* mitmproxy console: Significant revamp of the UI. The major changes are + listed below, and in addition almost every aspect of the UI has + been tweaked, and performance has improved significantly. +* mitmproxy console: A new options screen has been created ("o" shortcut), + and many options that were previously manipulated directly via a + keybinding have been moved there. +* mitmproxy console: Big improvement in palettes. This includes improvements + to all colour schemes. Palettes now set the terminal background colour by + default, and a new --palette-transparent option has been added to disable + this. +* mitmproxy console: g/G shortcuts throughout mitmproxy console to jump + to the beginning/end of the current view. +* mitmproxy console: switch palettes on the fly from the options screen. +* mitmproxy console: A cookie editor has been added for mitmproxy console + at long last. +* mitmproxy console: Various components of requests and responses can be + copied to the clipboard from mitmproxy - thanks to @marceloglezer. +* Support for creating new requests from scratch in mitmproxy console (@marceloglezer). +* SSLKEYLOGFILE environment variable to specify a logging location for TLS + master keys. This can be used with tools like Wireshark to allow TLS + decoding. +* Server facing SSL cipher suite specification (thanks to Jim Shaver). +* Official support for transparent proxying on FreeBSD - thanks to Mike C + (http://github.com/mike-pt). +* Many other small bugfixes and improvemenets throughout the project. + +29 Dec 2014: mitmproxy 0.11.2 +============================= + +* Configuration files - mitmproxy.conf, mitmdump.conf, common.conf in the + .mitmproxy directory. +* Better handling of servers that reject connections that are not SNI. +* Many other small bugfixes and improvements. + +15 November 2014: mitmproxy 0.11.1 +================================== + +* Bug fixes: connection leaks some crashes + +7 November 2014: mitmproxy 0.11 +=============================== + +* Performance improvements for mitmproxy console +* SOCKS5 proxy mode allows mitmproxy to act as a SOCKS5 proxy server +* Data streaming for response bodies exceeding a threshold + (bradpeabody@gmail.com) +* Ignore hosts or IP addresses, forwarding both HTTP and HTTPS traffic + untouched +* Finer-grained control of traffic replay, including options to ignore + contents or parameters when matching flows (marcelo.glezer@gmail.com) +* Pass arguments to inline scripts +* Configurable size limit on HTTP request and response bodies +* Per-domain specification of interception certificates and keys (see + --cert option) +* Certificate forwarding, relaying upstream SSL certificates verbatim (see + --cert-forward) +* Search and highlighting for HTTP request and response bodies in + mitmproxy console (pedro@worcel.com) +* Transparent proxy support on Windows +* Improved error messages and logging +* Support for FreeBSD in transparent mode, using pf (zbrdge@gmail.com) +* Content view mode for WBXML (davidshaw835@air-watch.com) +* Better documentation, with a new section on proxy modes +* Generic TCP proxy mode +* Countless bugfixes and other small improvements +* pathod: Hugely improved SSL support, including dynamic generation of certificates + using the mitproxy cacert + +7 November 2014: pathod 0.11 +============================ + +* Hugely improved SSL support, including dynamic generation of certificates + using the mitproxy cacert +* pathoc -S dumps information on the remote SSL certificate chain +* Big improvements to fuzzing, including random spec selection and memoization to avoid repeating randomly generated patterns +* Reflected patterns, allowing you to embed a pathod server response specification in a pathoc request, resolving both on client side. This makes fuzzing proxies and other intermediate systems much better. + + +28 January 2014: mitmproxy 0.10 +=============================== + +* Support for multiple scripts and multiple script arguments +* Easy certificate install through the in-proxy web app, which is now + enabled by default +* Forward proxy mode, that forwards proxy requests to an upstream HTTP server +* Reverse proxy now works with SSL +* Search within a request/response using the "/" and "n" shortcut keys +* A view that beatifies CSS files if cssutils is available +* Bug fix, documentation improvements, and more. + +25 August 2013: mitmproxy 0.9.2 +=============================== + +* Improvements to the mitmproxywrapper.py helper script for OSX. +* Don't take minor version into account when checking for serialized file + compatibility. +* Fix a bug causing resource exhaustion under some circumstances for SSL + connections. +* Revamp the way we store interception certificates. We used to store these + on disk, they're now in-memory. This fixes a race condition related to + cert handling, and improves compatibility with Windows, where the rules + governing permitted file names are weird, resulting in errors for some + valid IDNA-encoded names. +* Display transfer rates for responses in the flow list. +* Many other small bugfixes and improvements. + +25 August 2013: pathod 0.9.2 +============================ + +* Adapt to interface changes in netlib + +16 June 2013: mitmproxy 0.9.1 +============================= + +* Use "correct" case for Content-Type headers added by mitmproxy. +* Make UTF environment detection more robust. +* Improved MIME-type detection for viewers. +* Always read files in binary mode (Windows compatibility fix). +* Some developer documentation. + +15 May 2013: mitmproxy 0.9 +========================== + +* Upstream certs mode is now the default. +* Add a WSGI container that lets you host in-proxy web applications. +* Full transparent proxy support for Linux and OSX. +* Introduce netlib, a common codebase for mitmproxy and pathod + (http://github.com/cortesi/netlib). +* Full support for SNI. +* Color palettes for mitmproxy, tailored for light and dark terminal + backgrounds. +* Stream flows to file as responses arrive with the "W" shortcut in + mitmproxy. +* Extend the filter language, including ~d domain match operator, ~a to + match asset flows (js, images, css). +* Follow mode in mitmproxy ("F" shortcut) to "tail" flows as they arrive. +* --dummy-certs option to specify and preserve the dummy certificate + directory. +* Server replay from the current captured buffer. +* Huge improvements in content views. We now have viewers for AMF, HTML, + JSON, Javascript, images, XML, URL-encoded forms, as well as hexadecimal + and raw views. +* Add Set Headers, analogous to replacement hooks. Defines headers that are set + on flows, based on a matching pattern. +* A graphical editor for path components in mitmproxy. +* A small set of standard user-agent strings, which can be used easily in + the header editor. +* Proxy authentication to limit access to mitmproxy +* pathod: Proxy mode. You can now configure clients to use pathod as an + HTTP/S proxy. +* pathoc: Proxy support, including using CONNECT to tunnel directly to + targets. +* pathoc: client certificate support. +* pathod: API improvements, bugfixes. + +15 May 2013: pathod 0.9 (version synced with mitmproxy) +======================================================= + +* Pathod proxy mode. You can now configure clients to use pathod as an + HTTP/S proxy. +* Pathoc proxy support, including using CONNECT to tunnel directly to + targets. +* Pathoc client certificate support. +* API improvements, bugfixes. + + +16 November 2012: pathod 0.3 +============================ + +A release focusing on shoring up our fuzzing capabilities, especially with +pathoc. + +* pathoc -q and -r options, output full request and response text. +* pathod -q and -r options, add full request and response text to pathod's + log buffer. +* pathoc and pathod -x option, makes -q and -r options log in hex dump + format. +* pathoc -C option, specify response codes to ignore. +* pathoc -T option, instructs pathoc to ignore timeouts. +* pathoc -o option, a one-shot mode that exits after the first non-ignored + response. +* pathoc and pathod -e option, which explains the resulting message by + expanding random and generated portions, and logging a reproducible + specification. +* Streamline the specification language. HTTP response message is now + specified using the "r" mnemonic. +* Add a "u" mnemonic for specifying User-Agent strings. Add a set of + standard user-agent strings accessible through shortcuts. +* Major internal refactoring and cleanup. +* Many bugfixes. + +22 August 2012: pathod 0.2 +========================== + +* Add pathoc, a pathological HTTP client. +* Add libpathod.test, a truss for using pathod in unit tests. +* Add an injection operator to the specification language. +* Allow Python escape sequences in value literals. +* Allow execution of requests and responses from file, using the new + operator. +* Add daemonization to Pathod, and make it more robust for public-facing use. +* Let pathod pick an arbitrary open port if -p 0 is specified. +* Move from Tornado to netlib, the network library written for mitmproxy. +* Move the web application to Flask. +* Massively expand the documentation. + +5 April 2012: mitmproxy 0.8 +=========================== + +* Detailed tutorial for Android interception. Some features that land in + this release have finally made reliable Android interception possible. +* Upstream-cert mode, which uses information from the upstream server to + generate interception certificates. +* Replacement patterns that let you easily do global replacements in flows + matching filter patterns. Can be specified on the command-line, or edited + interactively. +* Much more sophisticated and usable pretty printing of request bodies. + Support for auto-indentation of Javascript, inspection of image EXIF + data, and more. +* Details view for flows, showing connection and SSL cert information (X + keyboard shortcut). +* Server certificates are now stored and serialized in saved traffic for + later analysis. This means that the 0.8 serialization format is NOT + compatible with 0.7. +* Many other improvements, including bugfixes, and expanded scripting API, + and more sophisticated certificate handling. + +20 February 2012: mitmproxy 0.7 +=============================== + +* New built-in key/value editor. This lets you interactively edit URL query + strings, headers and URL-encoded form data. +* Extend script API to allow duplication and replay of flows. +* API for easy manipulation of URL-encoded forms and query strings. +* Add "D" shortcut in mitmproxy to duplicate a flow. +* Reverse proxy mode. In this mode mitmproxy acts as an HTTP server, + forwarding all traffic to a specified upstream server. +* UI improvements - use unicode characters to make GUI more compact, + improve spacing and layout throughout. +* Add support for filtering by HTTP method. +* Add the ability to specify an HTTP body size limit. +* Move to typed netstrings for serialization format - this makes 0.7 + backwards-incompatible with serialized data from 0.6! + +* Significant improvements in speed and responsiveness of UI. +* Many minor bugfixes and improvements. + +7 August 2011: mitmproxy 0.6 +============================ + +* New scripting API that allows much more flexible and fine-grained + rewriting of traffic. See the docs for more info. +* Support for gzip and deflate content encodings. A new "z" + keybinding in mitmproxy to let us quickly encode and decode content, plus + automatic decoding for the "pretty" view mode. +* An event log, viewable with the "v" shortcut in mitmproxy, and the + "-e" command-line flag in mitmdump. +* Huge performance improvements: mitmproxy interface, loading + large numbers of flows from file. +* A new "replace" convenience method for all flow objects, that does a + universal regex-based string replacement. +* Header management has been rewritten to maintain both case and order. +* Improved stability for SSL interception. +* Default expiry time on generated SSL certs has been dropped to avoid an + OpenSSL overflow bug that caused certificates to expire in the distant + past on some systems. +* A "pretty" view mode for JSON and form submission data. +* Expanded documentation and examples. +* Countless other small improvements and bugfixes. + +27 June 2011: mitmproxy 0.5 +=========================== + +* An -n option to start the tools without binding to a proxy port. +* Allow scripts, hooks, sticky cookies etc. to run on flows loaded from + save files. +* Regularize command-line options for mitmproxy and mitmdump. +* Add an "SSL exception" to mitmproxy's license to remove possible + distribution issues. +* Add a --cert-wait-time option to make mitmproxy pause after a new SSL + certificate is generated. This can pave over small discrepancies in + system time between the client and server. +* Handle viewing big request and response bodies more elegantly. Only + render the first 100k of large documents, and try to avoid running the + XML indenter on non-XML data. +* BUGFIX: Make the "revert" keyboard shortcut in mitmproxy work after a + flow has been replayed. +* BUGFIX: Repair a problem that sometimes caused SSL connections to consume + 100% of CPU. + +30 March 2011: mitmproxy 0.4 +============================ + +* Full serialization of HTTP conversations +* Client and server replay +* On-the-fly generation of dummy SSL certificates +* mitmdump has "grown up" into a powerful tcpdump-like tool for HTTP/S +* Dozens of improvements to the mitmproxy console interface +* Python scripting hooks for programmatic modification of traffic + +01 March 2010: mitmproxy 0.2 +============================ + +* Big speed and responsiveness improvements, thanks to Thomas Roth +* Support urwid 0.9.9 +* Terminal beeping based on filter expressions +* Filter expressions for terminal beeps, limits, interceptions and sticky + cookies can now be passed on the command line. +* Save requests and responses to file +* Split off non-interactive dump functionality into a new tool called + mitmdump +* "A" will now accept all intercepted connections +* Lots of bugfixes