Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ghc-wai for openSUSE:Factory checked in at 2021-01-20 18:26:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-wai (Old) and /work/SRC/openSUSE:Factory/.ghc-wai.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-wai" Wed Jan 20 18:26:21 2021 rev:4 rq:864465 version:3.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-wai/ghc-wai.changes 2020-12-22 11:48:54.981981427 +0100 +++ /work/SRC/openSUSE:Factory/.ghc-wai.new.28504/ghc-wai.changes 2021-01-20 18:26:40.295474842 +0100 @@ -1,0 +2,10 @@ +Tue Jan 19 09:01:12 UTC 2021 - [email protected] + +- Update wai to version 3.2.3. + ## 3.2.3 + + * Add documentation recommending streaming request bodies. [#818](https://github.com/yesodweb/wai/pull/818) + * Add two functions, `consumeRequestBodyStrict` and `consumeRequestBodyLazy`, + that are synonyms for `strictRequestBody` and `lazyRequestBody`. [#818](https://github.com/yesodweb/wai/pull/818) + +------------------------------------------------------------------- Old: ---- wai-3.2.2.1.tar.gz New: ---- wai-3.2.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-wai.spec ++++++ --- /var/tmp/diff_new_pack.PkYRCU/_old 2021-01-20 18:26:41.187475692 +0100 +++ /var/tmp/diff_new_pack.PkYRCU/_new 2021-01-20 18:26:41.187475692 +0100 @@ -1,7 +1,7 @@ # # spec file for package ghc-wai # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %global pkg_name wai %bcond_with tests Name: ghc-%{pkg_name} -Version: 3.2.2.1 +Version: 3.2.3 Release: 0 Summary: Web Application Interface License: MIT @@ -31,7 +31,6 @@ BuildRequires: ghc-network-devel BuildRequires: ghc-rpm-macros BuildRequires: ghc-text-devel -BuildRequires: ghc-transformers-devel BuildRequires: ghc-vault-devel ExcludeArch: %{ix86} %if %{with tests} ++++++ wai-3.2.2.1.tar.gz -> wai-3.2.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wai-3.2.2.1/ChangeLog.md new/wai-3.2.3/ChangeLog.md --- old/wai-3.2.2.1/ChangeLog.md 2019-06-20 12:40:22.000000000 +0200 +++ new/wai-3.2.3/ChangeLog.md 2021-01-10 02:00:48.000000000 +0100 @@ -1,5 +1,11 @@ # ChangeLog for wai +## 3.2.3 + +* Add documentation recommending streaming request bodies. [#818](https://github.com/yesodweb/wai/pull/818) +* Add two functions, `consumeRequestBodyStrict` and `consumeRequestBodyLazy`, + that are synonyms for `strictRequestBody` and `lazyRequestBody`. [#818](https://github.com/yesodweb/wai/pull/818) + ## 3.2.2.1 * Fix missing reexport of `getRequestBodyChunk` [#753](https://github.com/yesodweb/wai/issues/753) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wai-3.2.2.1/Network/Wai.hs new/wai-3.2.3/Network/Wai.hs --- old/wai-3.2.2.1/Network/Wai.hs 2019-06-20 12:40:49.000000000 +0200 +++ new/wai-3.2.3/Network/Wai.hs 2021-01-10 02:00:48.000000000 +0100 @@ -61,8 +61,11 @@ , requestHeaderRange , requestHeaderReferer , requestHeaderUserAgent + -- $streamingRequestBodies , strictRequestBody + , consumeRequestBodyStrict , lazyRequestBody + , consumeRequestBodyLazy -- * Response , Response , StreamingBody @@ -315,11 +318,62 @@ ifRequest rpred middle app req | rpred req = middle app req | otherwise = app req - +-- $streamingRequestBodies +-- +-- == Streaming Request Bodies +-- +-- WAI is designed for streaming in request bodies, which allows you to process them incrementally. +-- You can stream in the request body using functions like 'getRequestBodyChunk', +-- the @wai-conduit@ package, or Yesod's @rawRequestBody@. +-- +-- In the normal case, incremental processing is more efficient, since it +-- reduces maximum total memory usage. +-- In the worst case, it helps protect your server against denial-of-service (DOS) attacks, in which +-- an attacker sends huge request bodies to your server. +-- +-- Consider these tips to avoid reading the entire request body into memory: +-- +-- * Look for library functions that support incremental processing. Sometimes these will use streaming +-- libraries like @conduit@, @pipes@, or @streaming@. +-- * Any attoparsec parser supports streaming input. For an example of this, see the +-- "Data.Conduit.Attoparsec" module in @conduit-extra@. +-- * Consider streaming directly to a file on disk. For an example of this, see the +-- "Data.Conduit.Binary" module in @conduit-extra@. +-- * If you need to direct the request body to multiple destinations, you can stream to both those +-- destinations at the same time. +-- For example, if you wanted to run an HMAC on the request body as well as parse it into JSON, +-- you could use Conduit's @zipSinks@ to send the data to @cryptonite-conduit@'s 'sinkHMAC' and +-- @aeson@'s Attoparsec parser. +-- * If possible, avoid processing large data on your server at all. +-- For example, instead of uploading a file to your server and then to AWS S3, +-- you can have the browser upload directly to S3. +-- +-- That said, sometimes it is convenient, or even necessary to read the whole request body into memory. +-- For these purposes, functions like 'strictRequestBody' or 'lazyRequestBody' can be used. +-- When this is the case, consider these strategies to mitigating potential DOS attacks: +-- +-- * Set a limit on the request body size you allow. +-- If certain endpoints need larger bodies, whitelist just those endpoints for the large size. +-- Be especially cautious about endpoints that don't require authentication, since these are easier to DOS. +-- You can accomplish this with @wai-extra@'s @requestSizeLimitMiddleware@ or Yesod's @maximumContentLength@. +-- * Consider rate limiting not just on total requests, but also on total bytes sent in. +-- * Consider using services that allow you to identify and blacklist attackers. +-- * Minimize the amount of time the request body stays in memory. +-- * If you need to share request bodies across middleware and your application, you can do so using Wai's 'vault'. +-- If you do this, remove the request body from the vault as soon as possible. +-- +-- Warning: Incremental processing will not always be sufficient to prevent a DOS attack. +-- For example, if an attacker sends you a JSON body with a 2MB long string inside, +-- even if you process the body incrementally, you'll still end up with a 2MB-sized 'Text'. +-- +-- To mitigate this, employ some of the countermeasures listed above, +-- and try to reject such payloads as early as possible in your codebase. -- | Get the request body as a lazy ByteString. However, do /not/ use any lazy -- I\/O, instead reading the entire body into memory strictly. -- +-- Note: Since this function consumes the request body, future calls to it will return the empty string. +-- -- Since 3.0.1 strictRequestBody :: Request -> IO L.ByteString strictRequestBody req = @@ -331,9 +385,18 @@ then return $ front LI.Empty else loop (front . LI.Chunk bs) +-- | Synonym for 'strictRequestBody'. +-- This function name is meant to signal the non-idempotent nature of 'strictRequestBody'. +-- +-- @since 3.2.3 +consumeRequestBodyStrict :: Request -> IO L.ByteString +consumeRequestBodyStrict = strictRequestBody + -- | Get the request body as a lazy ByteString. This uses lazy I\/O under the -- surface, and therefore all typical warnings regarding lazy I/O apply. -- +-- Note: Since this function consumes the request body, future calls to it will return the empty string. +-- -- Since 1.4.1 lazyRequestBody :: Request -> IO L.ByteString lazyRequestBody req = @@ -346,3 +409,10 @@ else do bss <- loop return $ LI.Chunk bs bss + +-- | Synonym for 'lazyRequestBody'. +-- This function name is meant to signal the non-idempotent nature of 'lazyRequestBody'. +-- +-- @since 3.2.3 +consumeRequestBodyLazy :: Request -> IO L.ByteString +consumeRequestBodyLazy = lazyRequestBody diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wai-3.2.2.1/wai.cabal new/wai-3.2.3/wai.cabal --- old/wai-3.2.2.1/wai.cabal 2019-06-20 12:42:48.000000000 +0200 +++ new/wai-3.2.3/wai.cabal 2021-01-18 15:43:11.000000000 +0100 @@ -1,5 +1,6 @@ +Cabal-Version: >=1.10 Name: wai -Version: 3.2.2.1 +Version: 3.2.3 Synopsis: Web Application Interface. Description: Provides a common protocol for communication between web applications and web servers. . @@ -11,7 +12,6 @@ Homepage: https://github.com/yesodweb/wai Category: Web Build-Type: Simple -Cabal-Version: >=1.8 Stability: Stable extra-source-files: README.md ChangeLog.md @@ -20,18 +20,19 @@ location: git://github.com/yesodweb/wai.git Library - Build-Depends: base >= 4.8 && < 5 + default-language: Haskell2010 + Build-Depends: base >= 4.10 && < 5 , bytestring >= 0.10.4 , network >= 2.2.1.5 , http-types >= 0.7 , text >= 0.7 - , transformers >= 0.0 , vault >= 0.3 && < 0.4 Exposed-modules: Network.Wai Network.Wai.Internal ghc-options: -Wall test-suite test + default-language: Haskell2010 hs-source-dirs: test main-is: Spec.hs type: exitcode-stdio-1.0
