This commit fixes GHSA-gcx2-gvj7-pxv3 by making mitmproxy
reject header names that contain whitespace characters by default.
A new `validate_inbound_headers` option is provided to turn this behavior
off at the expense of allowing HTTP smuggling vulnerabilities.
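The check this commit message describes can be sketched as follows. This is an added example, not code from the mitmproxy commit: `parse_header_block`, its `validate` parameter, `lookup` and the sample inputs are hypothetical, and the RFC 9110 token rule is assumed as the definition of a valid header name.

```python
import re

# Header field names must be an RFC 9110 "token": no spaces, tabs or separators.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InvalidHeader(ValueError):
    """Raised when a header line cannot be accepted safely."""


def parse_header_block(raw: bytes, validate: bool = True) -> list[tuple[bytes, bytes]]:
    """Parse CRLF-separated header lines into (name, value) pairs.

    validate=True stands in for the default-on behaviour (hypothetical parameter).
    """
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise InvalidHeader(f"no colon in header line: {line!r}")
        if validate and not TOKEN.fullmatch(name):
            raise InvalidHeader(f"invalid header name: {name!r}")
        headers.append((name, value.strip(b" \t")))
    return headers


def lookup(headers, wanted: bytes, trim_name: bool) -> list[bytes]:
    """Return values for `wanted`; trim_name models a peer that strips name whitespace."""
    out = []
    for name, value in headers:
        if trim_name:
            name = name.strip(b" \t")
        if name.lower() == wanted.lower():
            out.append(value)
    return out


# Constructed sample inputs: BAD has a space between the header name and the colon.
GOOD = b"Host: example.test\r\nContent-Length: 5\r\n"
BAD = b"Host: example.test\r\nContent-Length : 5\r\n"

if __name__ == "__main__":
    lenient = parse_header_block(BAD, validate=False)
    # With validation off, two parsers disagree on whether Content-Length is present.
    print(lookup(lenient, b"content-length", trim_name=False))
    print(lookup(lenient, b"content-length", trim_name=True))
```

With validation off, the exact-match lookup sees no `Content-Length` while the trimming lookup sees one; that disagreement about message framing is what rejecting the header up front prevents.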
* Example addon for saving streamed data including a small bug fix to make it work.
* Revert "Example addon for saving streamed data including a small bug fix to make it work."
This reverts commit 02ab78def9a52eaca1a89d0757cd9475ce250eaa.
* Add support for rotating stream files every hour or day
* Added tests
* Modified to change the stream file every time the formatting string changes as time moves on.
* Update to more compact version
* simplify save addon logic
* make mypy happy
* fix compatibility with Python 3.8
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
* changes for custom port number
* indent correction
* test coverage
* coverage correction
* simplify LDAP auth
* make mypy happy
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
We previously relied on the state of `Flow.reply` to check if a flow can be killed,
but this doesn't work anymore with `Flow.reply` being removed. Instead, we now
reintroduce the `Flow.live` attribute, which signals if we are on a live connection.
Killing still is not ideal (see comment in `Flow.killable`), but this paves the way.
The major, breaking change is that it is no longer possible to "take" a reply in
order to block the effect of a later addon hook.
This is patch 4/4 of the reply-ectomy.
In principle, a flow is killable as long as the connection handler is still
checking the error status of the flow.
This is patch 2/4 of the reply-ectomy.
This should improve behaviour, since calls to @concurrent will now be serialized
relative to other hooks on the same flow (but will still run in parallel with
hooks on different flows). Unlike a plain async hook, @concurrent allows blocking
sync APIs to run concurrently (e.g. requests).
This is patch 1/4 of the reply-ectomy.
* await server_connected hook before doing something with the connection
* refine changelog wording
Co-authored-by: Maximilian Hils <github@maximilianhils.com>