Copy changelogs from 0.5.x branch

2025-04-10 08:03:04 +02:00 · 2022-10-10 20:22:24 +02:00 · 2022-10-10 20:22:24 +02:00 · 1681ecf438
commit 1681ecf438
parent d7ba0b1d72
2 changed files with 40 additions and 0 deletions
--- a/axum-core/CHANGELOG.md
+++ b/axum-core/CHANGELOG.md
@ -39,6 +39,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1155]: https://github.com/tokio-rs/axum/pull/1155
 [#1272]: https://github.com/tokio-rs/axum/pull/1272

+# 0.2.8 (10. September, 2022)
+
+- **breaking:** Added default limit to how much data `Bytes::from_request` will
+  consume. Previously it would attempt to consume the entire request body
+  without checking its length. This meant if a malicious peer sent an large (or
+  infinite) request body your server might run out of memory and crash.
+
+  The default limit is at 2 MB and can be disabled by adding the new
+  `DefaultBodyLimit::disable()` middleware. See its documentation for more
+  details.
+
+  This also applies to `String` which used `Bytes::from_request` internally.
+
+  ([#1346])
+
+[#1346]: https://github.com/tokio-rs/axum/pull/1346
+
 # 0.2.7 (10. July, 2022)

 - **fix:** Fix typos in `RequestParts` docs ([#1147])
--- a/axum/CHANGELOG.md
+++ b/axum/CHANGELOG.md
@ -475,6 +475,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#1302]: https://github.com/tokio-rs/axum/pull/1302
 [#924]: https://github.com/tokio-rs/axum/pull/924

+# 0.5.16 (10. September, 2022)
+
+## Security
+
+- **breaking:** Added default limit to how much data `Bytes::from_request` will
+  consume. Previously it would attempt to consume the entire request body
+  without checking its length. This meant if a malicious peer sent an large (or
+  infinite) request body your server might run out of memory and crash.
+
+  The default limit is at 2 MB and can be disabled by adding the new
+  `DefaultBodyLimit::disable()` middleware. See its documentation for more
+  details.
+
+  This also applies to these extractors which used `Bytes::from_request`
+  internally:
+  - `Form`
+  - `Json`
+  - `String`
+
+  ([#1346])
+
+[#1346]: https://github.com/tokio-rs/axum/pull/1346
+
 # 0.5.15 (9. August, 2022)

 - **fixed:** Don't expose internal type names in `QueryRejection` response. ([#1171])