Releases: arman-bd/httpmorph
Releases · arman-bd/httpmorph
v0.2.8
httpmorph v0.2.8 Release Notes
Highlights
This release focuses on perfect Chrome 143 fingerprint matching and includes critical bug fixes for Windows stability.
New Features
Perfect Chrome 143 TLS Fingerprint Matching
- JA4:
t13d1516h2_8daaf6152771_d8a2da3f94cd(exact match) - JA4_r: Full cipher suite and extension match
- Peetprint hash:
1d4ffe9b0e34acac0bd883fa7f79d7b5(exact match) - Akamai HTTP/2:
1:65536;2:0;4:6291456;6:262144|15663105|0|m,a,s,p(exact match)
Chrome 127-143 Browser Profiles
- Added support for multiple Chrome versions (127-143)
- Chrome 143 is now the default profile
- Each profile includes version-specific User-Agent strings
HTTP/2 by Default
- Both
ClientandSessionnow default tohttp2=True - Matches Chrome's default behavior for realistic fingerprinting
- Per-request override available with
http2=False
Chrome-like Default Headers
Sessions now automatically include Chrome-like headers:
v0.2.7
Release Notes - httpmorph 0.2.7
Release Date: 2025-11-17
Type: Security & Stability Release
Overview
This release focuses on security hardening and proxy reliability improvements. We've fixed 9 critical bugs including memory safety issues and async SSL handling, plus added intelligent retry logic for network-dependent tests.
🔒 Security Fixes (9 Total)
Critical Vulnerabilities Fixed
1. HTTP/2 NULL Pointer Dereference (CRITICAL)
- File: src/core/http2_logic.c:103-146
- Issue: Missing NULL check after stream_data fallback in
on_frame_recv_callback - Impact: Potential crash when handling HTTP/2 frames
- Fix: Added safety checks after fallback operations
2. HTTP/2 Stream Data NULL Pointer (CRITICAL)
- File: src/core/http2_logic.c:103-146
- Issue: Missing NULL check in
on_data_chunk_recv_callback - Impact: Crash on malformed HTTP/2 streams
- Fix: Return
NGHTTP2_ERR_CALLBACK_FAILUREwhen stream_data is NULL
3. Cookie Buffer Overflow (CRITICAL)
- File: src/core/cookies.c:115-153
- Issue: Unsafe
strcat()usage without bounds checking - Impact: Buffer overflow with many/large cookies
- Fix: Replaced with bounds-checked
snprintf()and size tracking
High Severity Vulnerabilities Fixed
4. TLS Cipher Buffer Overflow (HIGH)
- File: src/core/tls.c:126-160
- Issue: No bounds checking before cipher string concatenation
- Impact: Buffer overflow with many cipher suites
- Fix: Added space calculation and overflow detection
5. Connection Pool Use-After-Free (HIGH)
- File: src/core/core.c:163-190
- Issue: Accessing TLS info after connection destruction
- Impact: Use-after-free leading to crashes or memory corruption
- Fix: Copy TLS info before destroying connection
6. Request Builder Integer Overflow (HIGH)
- File: src/core/request_builder.c:24-49
- Issue: Capacity calculation without overflow detection
- Impact: Memory corruption on very large requests
- Fix: Added overflow checks before arithmetic operations
Medium Severity Vulnerabilities Fixed
7. DNS Cache Memory Leak (MEDIUM)
- File: src/core/network.c:217-248
- Issue: Missing cleanup on failed allocations
- Impact: Memory leak in error paths
- Fix: Added proper error handling and resource cleanup
8. Connection Pool TLS Info Leak (MEDIUM)
- File: src/core/core.c:478-501
- Issue: Memory leak in connection pool TLS info storage
- Impact: Slow memory leak over time
- Fix: Proper cleanup of TLS info on connection destruction
Async Proxy Bug Fixed
9. Async SSL EOF Handling (BUG)
- File: src/core/async_request.c:1342-1400
- Issue:
SSL_ERROR_SYSCALLwith errno=0 treated as error instead of clean EOF - Impact: Async proxy requests failing with "SSL read failed: system error 0"
- Fix: Special case handling for clean connection close (EOF)
v0.2.6
Release v0.2.6
🎉 Platform Support Expansion
This release significantly expands platform support with 28 pre-built wheels covering 99%+ of Python users!
New Platform Support
- ✨ Linux ARM64 (aarch64) - Native support for ARM64 Linux servers and devices
- ✨ Python 3.14 - Full support for the latest Python release (including free-threaded builds)
Complete Platform Matrix
| Platform | Architectures | Python Versions |
|---|---|---|
| Linux | x86_64, aarch64 (ARM64) | 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 |
| macOS | Intel (x86_64), Apple Silicon (arm64)* | 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 |
| Windows | x64 (AMD64) | 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 |
*macOS wheels are universal2 binaries supporting both Intel and Apple Silicon
Total: 28 pre-built wheels (7 Linux x86_64 + 7 Linux aarch64 + 7 macOS universal2 + 7 Windows AMD64)
🐛 Bug Fixes
- Fixed response text decoding issues that could return junk data (#31)
🔧 Infrastructure Improvements
- Upgraded to cibuildwheel v3.3 for Python 3.14 support
- Split Linux builds into separate x86_64 and aarch64 workflows for faster CI
- Added Native ARM64 runners for faster Linux aarch64 builds
- Disabled BoringSSL assembly optimizations on macOS to avoid CET instruction compatibility issues
- Improved CI caching strategy with architecture-specific vendor caches
v0.2.5
What's Changed
- fix: critical security vulnerabilities and improve proxy test coverage
This commit addresses multiple security issues discovered during edge case
analysis and improves test infrastructure for better reliability.
Security Fixes:
-
Fix HTTP/1.1 body reallocation bug causing data loss (#1)
- Modified realloc_body_buffer() to use current_data_size parameter
- Fixes issue where response->body_len was 0 during receive
- Prevents data loss when buffer needs to grow during receive
-
Add integer overflow protection in 8 critical locations (#7, #8)
- HTTP/2 data callback buffer doubling (http2_logic.c:140)
- HTTP/1.1 body buffer reallocation (http1.c:417, 549, 606)
- Gzip decompression buffer expansion (compression.c:55)
- Response header array growth (response.c:123)
- Request header array growth (request.c:112)
- Async request array growth (async_request_manager.c:171)
- All checks use SIZE_MAX/2 to prevent integer overflow
-
Fix memory leak in DNS cache deep copy (#13)
- Added proper cleanup on allocation failures in addrinfo_deep_copy()
- Prevents memory leaks when malloc/strdup fails mid-operation
Async HTTP Proxy Improvements:
- Fix async HTTP proxy to use absolute URI for proxy requests
- Add Proxy-Authorization header support for authenticated HTTP proxies
- Properly distinguish between HTTP (uses absolute URI) and HTTPS (uses path)
Test Infrastructure:
-
Add comprehensive edge case security tests (25 test cases)
- Integer overflow protection tests
- Memory leak prevention tests
- Thread safety tests
- Boundary condition tests
-
Add buffer reallocation regression tests (11 test cases)
- Large response handling
- Gzip decompression
- Chunked transfer encoding
- Multiple buffer doubling scenarios
-
Update proxy tests to use httpmorph-bin.bytetunnels.com
- Added fixtures for both HTTP and HTTPS testing
- HTTPS uses verify=False for self-signed certificates
- Improved test reliability by using dedicated test server
Results: All 371 tests pass with 14 expected skips
-
chore: more test cases
-
[FIX] Make dotenv import optional in test files for CI compatibility
Fix ModuleNotFoundError in CI environments where python-dotenv is not installed.
Changes:
- Wrap dotenv import in try/except block in test_buffer_reallocation.py
- Wrap dotenv import in try/except block in test_edge_cases_security.py
- Follow same pattern as conftest.py for optional dependency handling
Impact:
- Tests now work in CI without requiring python-dotenv installation
- Local development still benefits from .env file loading when dotenv is available
- Environment variables can be set directly in CI/CD pipelines
Fixes CI failures across all workflows with:
ModuleNotFoundError: No module named 'dotenv'
- [FIX] Pass TEST_HTTPBIN_HOST secret to CI test workflows
Add TEST_HTTPBIN_HOST environment variable to CI workflows to fix test failures.
Changes:
- Add TEST_HTTPBIN_HOST to workflow secrets in _test.yml
- Pass TEST_HTTPBIN_HOST to test environment in _test.yml
- Pass TEST_HTTPBIN_HOST from ci.yml to _test.yml workflow
Impact:
- Edge case security tests can now access httpmorph-bin test server in CI
- Buffer reallocation tests can run in CI environment
- Fixes collection errors: "TEST_HTTPBIN_HOST environment variable is not set"
Related:
- Works together with previous commit making dotenv import optional
- TEST_HTTPBIN_HOST must be configured as repository secret in GitHub
- Release v0.2.5
Security Fixes
This release addresses 9 critical security vulnerabilities discovered during code analysis:
1. HTTP/1.1 Body Reallocation Bug
- Severity: HIGH - Data loss during response handling
- Impact: Response body data was being discarded when buffer needed to grow
- Fix: Corrected realloc_body_buffer() to track actual data size
- File: src/core/http1.c:31
2. Integer Overflow Protection (8 locations)
- Severity: CRITICAL - Heap overflow vulnerability
- Impact: Buffer doubling operations could overflow on large responses
- Locations: HTTP/2 data callback, HTTP/1.1 body buffer, gzip decompression,
response/request headers, async requests - Fix: Added overflow checks using SIZE_MAX/2 before all buffer doubling
3. DNS Cache Memory Leak
- Severity: MEDIUM - Memory leak on allocation failure
- Fix: Proper cleanup on all error paths in addrinfo_deep_copy()
- File: src/core/network.c:78-123
Improvements
Async HTTP Proxy
- Use absolute URI for HTTP requests through proxy
- Add Proxy-Authorization header for authenticated proxies
- Proper HTTP vs HTTPS proxy distinction
- File: src/core/async_request.c:1012-1064
CI/CD
- Enhanced test configuration with proper secret handling
- Improved workflow environment variable passing
Changed Files
Core Security Fixes:
- src/core/http1.c - Body reallocation + overflow checks
- src/core/http2_logic.c - Integer overflow protection
- src/core/compression.c - Decompression overflow check
- src/core/response.c - Header array overflow check
- src/core/request.c - Header array overflow check
- src/core/async_request_manager.c - Request array overflow check
- src/core/async_request.c - HTTP proxy improvements
- src/core/network.c - DNS cache memory leak fix
Infrastructure:
- .github/workflows/_test.yml - Enhanced test configuration
- .github/workflows/ci.yml - Improved workflow secrets
- tests/* - Comprehensive security test coverage
Impact
- Security: All 9 vulnerabilities patched
- Performance: No regression - O(1) overflow checks
- Compatibility: No breaking changes
Upgrade Recommendation
- Data loss during large response handling
- Heap overflow from malicious or large responses
- Memory leaks during DNS operations
v0.2.4
httpmorph v0.2.4
What's New
🌐 OS-Specific User Agents
- Automatically detects and uses appropriate user agents for macOS, Windows, and Linux
- Improves fingerprint accuracy by matching TLS/HTTP/2 fingerprints with OS-specific browser metadata
- Reduces detection risk in anti-bot systems
🔐 Chrome 142 Support
- Latest Chrome fingerprint with certificate compression
- ECH (Encrypted Client Hello) support
- JA4 fingerprint compatibility
📊 Cross-Platform Benchmarks
- Added comprehensive benchmarks for macOS and Windows
- Performance comparison across 8 HTTP libraries
- httpmorph remains competitive with the fastest Python HTTP clients
🏗️ Windows Build Improvements
- Intelligent MSVC detection
- Parallel compilation for faster builds
- Build cache optimization
Installation
pip install httpmorph==0.2.4Example
import httpmorph
# Automatically uses the correct user agent for your OS
response = httpmorph.get("https://httpbin.org/headers")
print(response.json()['headers']['User-Agent'])v0.2.3
v0.2.2
v0.2.1
Release Notes - v0.2.1
Overview
This release includes major performance improvements, async support, Windows compatibility, and enhanced documentation. PR #20 initially attempted to release version 0.2.0 but encountered a release error, which was subsequently fixed in PR #21.
What's Changed
Async Architecture
- AsyncClient: Native asyncio support with event-driven architecture
- Non-blocking I/O: Complete async request manager with buffer pooling
- Windows IOCP: Full I/O Completion Ports implementation for Windows async support
- Async convenience functions (
async_get,async_post, etc.)
Platform Support
- Windows Compatibility: Full MSVC support with POSIX compatibility layer
- Cross-platform Threading: Windows-native synchronization primitives
- All Tests Passing: tests pass on Linux, macOS, and Windows
Architecture Refactor
- Modular core split from monolithic
httpmorph.cinto specialized modules:client.c,network.c,tls.c,http1.c,http2.cproxy.c,cookies.c,compression.casync_request_manager.c,buffer_pool.c
Documentation
- ReadTheDocs Integration: Sphinx-based documentation with Read the Docs theme
- Added
quickstart.rstandapi.rstwith examples - Version centralization in
pyproject.tomlas single source of truth
Bug Fixes
- Fixed SSL_shutdown blocking on proxy/stale connections
- Added automatic retry for stale pooled connections
- Fixed async HTTP state transitions preventing "Send failed" errors
- Improved proxy connection handling and error detection
- Fixed TLS information capture for reused connections
Build System
- Centralized version management in
pyproject.toml - Enhanced CI/CD workflows with proper secret handling
- Docker build fixes for nghttp2 library detection
Code Quality
- Applied ruff formatting across all Python files
- Fixed all linting errors
- Improved type hints and error handling
Technical Details
Files Changed: 40+ files, 615 additions, 322 deletions
Test Coverage: 323 tests passing (8 skipped), 0 failures
Notes
- PR #20 encountered a release error during the initial 0.2.0 release attempt
- PR #21 successfully fixed the release issue and completed the v0.2.1 deployment
Contributors
Contributors
arman-bd
Assets 20
v0.2.0
Release Changelog v0.2.0
🚀 Major Features
HTTP/2 Support
- Added native HTTP/2 support with
http2=Trueparameter for Client() and Session() - Per-request HTTP/2 override capability
- Full httpx-compatible API design
- 35 comprehensive test cases covering HTTP/2 functionality
Async API (Native asyncio)
- Complete async/await support with AsyncClient class
- Event-driven async request manager with buffer pooling
- Async convenience functions (async_get, async_post, etc.)
- Windows IOCP implementation for true async I/O on Windows
- Linux/Mac non-blocking socket support
Windows Platform Support
- Full Windows compatibility with MSVC compiler
- Comprehensive POSIX-to-Windows compatibility layer
- IOCP (I/O Completion Ports) dispatcher for async operations
- All 323 tests passing on Windows
Connection Pooling Optimizations
- Removed expensive validation overhead (eliminates 4+ system calls per request)
- Simplified pool validation to reduce fcntl() and recv() overhead
- TLS fingerprint persistence for pooled connections
- Automatic retry for stale pooled connections
Architecture Refactor
- Split monolithic core into specialized modules (client, network, TLS, HTTP1/2, proxy, cookies, compression)
- Added buffer pooling for improved concurrency
- Centralized version management in pyproject.toml
🔧 Bug Fixes
- Fixed SSL_shutdown blocking on proxy/stale connections
- Fixed async HTTP connection state transitions under concurrent load
- Fixed TLS information returning None on connection reuse
- Fixed BoringSSL MD5 compatibility
- Fixed Windows C++ compilation with explicit type casts
- Fixed Docker build issues with nghttp2 detection
- Improved connection error detection (30s → 100ms)
- Fixed proxy routing to distinguish HTTP vs HTTPS destinations
📚 Documentation
- Added ReadTheDocs documentation with Sphinx
- Created quickstart guide and API reference
- Added comprehensive benchmark results
- Debug output control with HTTPMORPH_DEBUG flag
🧪 Testing
- 311+ tests passing (8 skipped as expected)
- Added real proxy integration tests
- Added async test suite
- CI improvements with proper timeout handling
Files Changed: 40+ files | Additions: 4,000+ lines | Deletions: 380+ lines