This release patches more security, security-adjacent, and normal bugs. The FrankenPHP project has collaborated on PHP-adjacent patches, which we are grateful for.
The recent surge of patches is mostly attributed to token predictors. We have had to reject more than 75% of "security" reports because they were AI slop spam (or just lazy/incorrect). Please use LLMs and agents wisely to avoid wasting precious maintainer resources. We have started blocking offending accounts that spam slop reports. Thank you to all who submit responsible reports following our security policy to make the project better. We appreciate that the community deems the Caddy project worthy of contribution to improve the broader ecosystem!
Security-related patches:
- caddyhttp: Normalize Windows backslashes in path matcher (thanks @Vincent550102)
- rewrite: Prevent placeholder re-expansion in injected query (thanks @WhiskerEnt)
- templates: Improved stripHTML action to more reliably remove malformed HTML (thanks to @jmrcsnchz)
- caddyhttp: Ignore header fields with underscores to prevent collisions (thanks @Vincent550102 for the report and @dunglas for the patch)
There are also several other various fixes and enhancements by many other contributors. Thank you everyone who participated!
What's Changed
- reverseproxy: further prevent body closes from dial errors by @jameshartig in #7715
- caddytls: Fix client auth (fix #7724) by @mholt in #7727
- chore: deps upgrade by @mohammed90 in #7751
- caddyhttp: omit Last-Modified for unusable mod times by @bb4242 in #7740
- caddytls: fix TLS state races and ECH rotation retry by @broady in #7756
- chore: clean up wording and typo fixes by @steadytao in #7745
- reverseproxy: Add regression test for DialInfo network override by @eyupcanakman in #7758
- caddyauth: add candidate placeholders for rejected identities by @steadytao in #7698
- cmd: support caddy start on IPv6-only hosts by @steadytao in #7744
- caddyfile: preserve implicit TLS issuer semantics by @steadytao in #7743
- reverseproxy: wraps request body to prevent closing if not read by @WeidiDeng in #7719
- caddytls: match IDN SNI in connection policies by @steadytao in #7742
- build(deps): bump the all-updates group across 1 directory with 9 updates by @dependabot[bot] in #7752
- caddyhttp: normalize Windows backslashes in path matcher by @Vincent550102 in #7763
- go.mod: update x/net by @steadytao in #7767
- rewrite: prevent placeholder re-expansion in injected query by @WhiskerEnt in #7761
- perf(replacer): optimize memory allocation for file placeholders by @Jualhosting in #7773
- caddytls: skip idna.ToASCII for pure ASCII SNI values by @sleet0922 in #7770
- encode: prioritize zstd and br over gzip in content negotiation by @Jualhosting in #7772
- httpcaddyfile: fix incorrect error message on duplicate matchers by @Brunotlps in #7780
- Patch for GHSA-vcc4-2c75-vc9v by @jmrcsnchz in #7785
New Contributors
- @jameshartig made their first contribution in #7715
- @bb4242 made their first contribution in #7740
- @broady made their first contribution in #7756
- @eyupcanakman made their first contribution in #7758
- @Vincent550102 made their first contribution in #7763
- @WhiskerEnt made their first contribution in #7761
- @Jualhosting made their first contribution in #7773
- @sleet0922 made their first contribution in #7770
- @Brunotlps made their first contribution in #7780
- @jmrcsnchz made their first contribution in #7785
