------------------------------------------------------------------- Mon Feb 10 04:57:07 UTC 2025 - Steve Kowalik - Update to 11.1.2: * CVE-2025-23217: mitmweb's API now requires an authentication token by default. The mitmweb API is bound to localhost only, but @gronke found that an attacker can circumvent that restriction by tunneling requests through the proxy server itself in an SSRF-style attack. (fa89055, @mhils) (bsc#1236890) * Add (optional) password protection for mitmweb. The web_password option replaces the randomly-generated token authentication with a fixed secret that survives mitmproxy restarts. (0bd573a, @mhils) * mitmweb can now be hosted under arbitrary domains, the previously-used DNS rebind protection is not required anymore. (62693af, @mhils) * Security Hardening: mitmweb's xsrf_token cookie is now HttpOnly; SameSite=Strict. (#7491, @mhils) * Fix console freezing due to DNS queries with an empty question section. (#7497, @sujaldev) * Fixed a bug that caused mitmproxy to crash when loading prior knowledge h2 flows. (#7514, @sujaldev) * Fix a bug where mitmproxy would get stuck in secure web proxy mode when using ignore_hosts or allow_hosts. (#7519, @mhils) * Copy request/response data to the clipboard in mitmweb (#7352, @lups2000) * Fix a bug where exporting a curl or httpie command with escaped characters would lead to different data being sent. (#7520, @proteusvacuum) * Local Capture Mode is now available on Linux as well. (#7440, @mhils) * mitmproxy now requires Python 3.12 or above. (#7440, @mhils) * Add cache-busting for mitmweb's front end code. (#7386, @mhils) * Clicking the URL in mitmweb now places the cursor at the current position instead of selecting the entire URL. (#7385, @lups2000) * Add missing status codes (#7455, @jwadolowski) * All filter expressions are now case-insensitive by default. Users can opt into case-sensitive filters by setting MITMPROXY_CASE_SENSITIVE_FILTERS=1 as an environment variable. (#7458, @mhils, @AdityaPatadiya) * Remove filter expression lowercasing in block_list addon (#7456, @jwadolowski) * Remove check for status codes in the blocklist add-on. (#7453, @lups2000, @AdityaPatadiya) * Prompt user before clearing screen (#7445, @errorxyz) * Stop sorting keys in JSON contentview (#7346, @injust) * Fix a bug where a custom CA would raise an error. (#7355, @nneonneo) * Fix a bug where the mitmproxy UI would crash on negative durations. (#7358, @mhils) * Allow technically invalid HTTP transfer encodings in requests if validate_inbound_headers is disabled. (#7361, #7373, @mhils) * Fix a bug in windows management in mitmproxy TUI whereby the help window does not appear if "?" is pressed within the overlay (#6500, @emanuele-em) * Tighten HTTP detection heuristic to better support custom TCP-based protocols. (#7228, @fatanugraha) * Implement stricter validation of HTTP headers to harden against request smuggling attacks. (#7345, @mhils) * Increase HTTP/2 default flow control window size, fixing performance issues. (#7317, @sujaldev) * Fix a bug where mitmproxy would incorrectly report that TLS 1.0 and 1.1 are not supported with the current OpenSSL build. (#7241, @mhils) * Add a tun proxy mode that creates a virtual network device on Linux for transparent proxying. (#7278, @mhils) * browser.start command now supports Firefox. (#7239, @sujaldev) * Fix interaction of the modify_headers and stream_large_bodies options. This may break users of modify_headers that rely on filters referencing the message body. We expect this to be uncommon, but please make yourself heard if that's not the case. (#7286, @lukant) * Fix a crash when handling corrupted compressed body in savehar addon and its tests. (#7320, @8192bytes) * Remove dependency on protobuf library as it was no longer being used. (#7327, @matthew16550) ------------------------------------------------------------------- Fri Oct 18 00:32:15 UTC 2024 - Joshua Smith - Update to version 11.0.0: * mitmproxy now supports transparent HTTP/3 proxying. * Add HTTP3 support in HTTPS reverse-proxy mode. * mitmproxy now officially supports Python 3.13. * Tighten HTTP detection heuristic to better support custom TCP-based protocols. * Add show_ignored_hosts option to display ignored flows in the UI. This option is implemented as a temporary workaround and will be removed in the future. * Fix slow tnetstring parsing in case of very large tnetstring. * Add getaddrinfo-based fallback for DNS resolution if we are unable to determine the operating system's name servers. * Improve the error message when users specify the certs option without a matching private key. * Fix a bug where intermediate certificates would not be transmitted when using QUIC. * Fix a bug where fragmented QUIC client hellos were not handled properly. * Emit a warning when users configure a TLS version that is not supported by the current OpenSSL build. * Fix a bug where mitmproxy would crash when receiving STOP_SENDING QUIC frames. * Fix error when unmarking all flows. * Add addon to update the alt-svc header in reverse mode. * Do not send unnecessary empty data frames when streaming HTTP/2. * Fix of measurement unit in HAR import, duration is in milliseconds. * Connection.tls_version now is QUICv1 instead of QUIC for QUIC. * Add support for full mTLS with client certs between client and mitmproxy. * Update documentation adding a list of all possibile web_columns. - Updates from version 10.4.2: * Fix a crash on startup when mitmproxy is unable to determine the OS' DNS servers - Updates from version 10.4.1: * Fix a bug where macOS local mode would not start up on macOS. * Fix UDP error handling when we learn that the remote has disconnected. - Updates from version 10.4.0: * Add support for DNS over TCP. * Add first MVP new Capture Tab in mitmweb * Add HttpConnectedHook and HttpConnectErrorHook. * Fix non-linear growth in processing time for large HTTP bodies. * Fix a bug where connections would be incorrectly ignored with allow_hosts. * Fix zstd decompression to read across frames. * Handle certificates we cannot parse more gracefully. * Parse compressed domain names in ResourceRecord data. * Fix a bug where mitmweb's flow list would not stay at the bottom. * Fix a bug where SSH connections would be incorrectly handled as HTTP. * Skip UTF-8 byte-order marks (BOM) when loading HAR files. * Allow typing.Sequence[str] to be an editable option. * Add Host header to CONNECT requests. * Support all query types in DNS mode. * Fix a bug where mitmproxy would crash for pipelined HTTP flows. * Add an optional "index" column for mitmweb. - Updates from version 10.3.1: * Release tags are now prefixed with v again. * Fix a bug where mitmproxy would not exit when -n is passed. * Set the unbuffered (stdout/stderr) flag for the mitmdump PyInstaller build. * Fix a bug where client replay would not work with proxyauth. * Fix slowdown when sending large amounts of data over HTTP/2. * Add an option to strip HTTPS records from DNS responses to block encrypted ClientHellos. * Add an API to parse HTTPS records from DNS RDATA. * Releases now come with a Sigstore attestations file to demonstrate build provenance. - Updates from version 10.3.0: * Add support for editing non text files in a hex editor * Add server_connect_error hook that is triggered when connection establishment fails. * Add section in mitmweb for rendering, adding and removing a comment * Fix multipart form content view being unusable. * Documentation Improvements on CA Certificate Generation * Make it possible to read flows from stdin with mitmweb. * Update aioquic dependency to >= 1.0.0, < 2.0.0. * Fix a bug where async client_connected handlers would crash mitmproxy. * Add button to close flow details panel * Ignore SIGPIPE signals when there is lots of traffic. Socket errors are handled directly and do not require extra signals that generate noise. * Add primitive websocket interception and modification * Add support for exporting websocket messages when using "raw" export. * The "save body" feature now also includes WebSocket messages. * Fix compatibility with older cryptography versions and silence a DeprecationWarning on Python <3.11. * Fix a bug when proxying unicode domains. - Updates from version 10.2.4: * Fix a bug where errors during startup would not be displayed when running mitmproxy. * Use newer cryptography APIs to avoid CryptographyDeprecationWarnings. This bumps the minimum required version to cryptography 42.0. - Updates from version 10.2.3: * Fix a regression where allow_hosts/ignore_hosts would break with IPv6 connections. * Fix bug where failed CONNECT request URLs are saved to HAR files incorrectly. * Add an arm64 variant for the precompiled macOS app. * Fix duplicate answers being returned in DNS queries. * Fix bug where wireguard config is generated with incorrect endpoint when two or more NICs are active. * Fix a regression when leaf cert creation would fail with intermediate CAs in ca_file. * Add content_view_lines_cutoff option to mitmdump * Allow runtime modifications of HTTP flow filters for server replays * Fix bug view options menu in case of overflow * Allow --allow-hosts and --ignore-hosts to work together ------------------------------------------------------------------- Tue Feb 27 14:37:10 UTC 2024 - Markéta Machová - Update to version 10.2.2: * The onboarding_port option has been removed. The onboarding app now responds to all requests for the hostname specified in onboarding_host. * connection.Client and connection.Server now accept keyword arguments only. This is a breaking change for custom addons that use these classes directly. * Add experimental support for HTTP/3 and QUIC. * ASGI/WSGI apps can now listen on all ports for a specific hostname. * Add replay.server.add command for adding flows to server replay buffer. * Remove string escaping in raw view. * mitmproxy now requires Python 3.10 or above. * Add support for reading and writing HAR files. * UDP streams are now backed by a new implementation in mitmproxy_rs. * ignore_hosts now waits for the entire HTTP headers if it suspects the connection to be HTTP. ------------------------------------------------------------------- Mon Jan 29 21:27:19 UTC 2024 - Dirk Müller - switch to python311 build ------------------------------------------------------------------- Thu Dec 15 17:32:53 UTC 2022 - Daniel Garcia - Skip broken tests in different architectures ------------------------------------------------------------------- Thu Dec 15 17:17:36 UTC 2022 - Daniel Garcia - Remove fix-big-integer.patch - Update to version 9.0.1: - The precompiled binaries now ship with OpenSSL 3.0.7, which resolves CVE-2022-3602 and CVE-2022-3786. - Performance and stability improvements for WireGuard mode. (#5694, @mhils, @decathorpe) - Fix a bug where the standalone Linux binaries would require libffi to be installed. (#5699, @mhils) - Hard exit when mitmproxy cannot write logs, fixes endless loop when parent process exits. (#4669, @Prinzhorn) - Fix a permission error affecting the Docker images. (#5700, @mhils) - 9.0.0 # Major Features - Add Raw UDP support. (#5414, @meitinger) - Add WireGuard mode to enable transparent proxying via WireGuard. (#5562, @decathorpe, @mhils) - Add DTLS support. (#5397, @kckeiks). - Add a quick help bar to mitmproxy. (#5381, #5652, @kckeiks, @mhils). # Deprecations - Deprecate add_log event hook. Users should use the builtin logging module instead. See the docs for details and upgrade instructions. (#5590, @mhils) - Deprecate mitmproxy.ctx.log in favor of Python's builtin logging module. See the docs for details and upgrade instructions. (#5590, @mhils) # Breaking Changes - The mode option is now a list of server specs instead of a single spec. The CLI interface is unaffected, but users may need to update their config.yaml. (#5393, @mhils) # Full Changelog - Mitmproxy binaries now ship with Python 3.11. (#5678, @mhils) - One mitmproxy instance can now spawn multiple proxy servers. (#5393, @mhils) - Add syntax highlighting to JSON and msgpack content view. (#5623, @SapiensAnatis) - Add MQTT content view. (#5588, @nikitastupin, @abbbe) - Setting connection_strategy to lazy now also disables early upstream connections to fetch TLS certificate details. (#5487, @mhils) - Fix order of event hooks on startup. (#5376, @meitinger) - Include server information in bind/listen errors. (#5495, @meitinger) - Include information about lazy connection_strategy in related errors. (#5465, @meitinger, @mhils) - Fix tls_version_server_min and tls_version_server_max options. (#5546, @mhils) - Added Magisk module generation for Android onboarding. (#5547, @jorants) - Update Linux binary builder to Ubuntu 20.04, bumping the minimum glibc version to 2.31. (#5547, @jorants) - Add "Save filtered" button in mitmweb. (#5531, @rnbwdsh, @mhils) - Render application/prpc content as gRPC/Protocol Buffers (#5568, @selfisekai) - Mitmweb now supports content_view_lines_cutoff. (#5548, @sanlengjingvv) - Fix a mitmweb crash when scrolling down the flow list. (#5507, @LIU-shuyi) - Add HTTP/3 binary frame content view. (#5582, @mhils) - Fix mitmweb not properly opening a browser and being stuck on some Linux. (#5522, @Prinzhorn) - Fix race condition when updating mitmweb WebSocket connections that are closing. (#5405, #5686, @mhils) - Fix mitmweb crash when using filters. (#5658, #5661, @LIU-shuyi, @mhils) - Fix missing default port when starting a browser. (#5687, @rbdixon) - Add docs for transparent mode on Windows. (#5402, @stephenspol) ------------------------------------------------------------------- Fri Oct 7 11:01:46 UTC 2022 - Daniel Garcia - Update to version 8.1.1: * Support specifying the local address for outgoing connections (#5364, @meitinger) * Fix a bug where an excess empty chunk has been sent for chunked HEAD request. (#5372, @jixunmoe) * Drop pkg_resources dependency. (#5401, @PavelICS) * Fix huge (>65kb) http2 responses corrupted. (#5428, @dhabensky) * Remove overambitious assertions in the HTTP state machine, fix some error handling. (#5383, @mhils) * Use default_factory for parser_options. (#5474, @rathann) - mitmproxy 8.1.0 * DNS support (#5232, @meitinger) * Mitmproxy now requires Python 3.9 or above. (#5233, @mhils) * Fix a memory leak in mitmdump where flows were kept in memory. (#4786, @mhils) * Replayed flows retain their current position in the flow list. (#5227, @mhils) * Periodically send HTTP/2 ping frames to keep connections alive. (#5046, @EndUser509) * Console Performance Improvements (#3427, @BkPHcgQL3V) * Warn users if server side event responses are received without streaming. (#4469, @mhils) * Add flatpak support to the browser addon (#5200, @pauloromeira) * Add example addon to dump contents to files based on a filter expression (#5190, @redraw) * Fix a bug where the wrong SNI is sent to an upstream HTTPS proxy (#5109, @mhils) * Make sure that mitmproxy displays error messages on startup. (#5225, @mhils) * Add example addon for domain fronting. (#5217, @randomstuff) * Improve cut addon to better handle binary contents (#3965, @mhils) * Fix text truncation for full-width characters (#4278, @kjy00302) * Fix mitmweb export copy failed in non-secure domain. (#5264, @Pactortester) * Add example script for manipulating cookies. (#5278, @WillahScott) * When opening an external viewer for message contents, mailcap files are not considered anymore. * This preempts the upcoming deprecation of Python's mailcap module. (#5297, @KORraNpl) * Fix hostname encoding for IDNA domains in upstream mode. (#5316, @nneonneo) * Fix hot reloading of contentviews. (#5319, @nneonneo) * Ignore HTTP/2 information responses instead of raising an error. (#5332, @mhils) * Improve performance and memory usage by reusing OpenSSL contexts. (#5339, @mhils) * Fix handling of multiple Cookie headers when proxying HTTP/2 to HTTP/1 (#5337, @rinsuki) * Improve http_manipulate_cookies.py example. (#5578, @insilications) - Add fix-big-integer.patch to fix tests with modern python versions based on gh#mitmproxy/mitmproxy@780adbaf9b13 ------------------------------------------------------------------- Tue Mar 22 16:01:32 UTC 2022 - Ferdinand Thiessen - Update to 8.0.0 * mitmweb improvements * Now renders TCP and WebSocket flows * Offers direct cURL/HTTPie/raw HTTP export * Added Experimental command bar * Added Async Event Hooks * Added event hooks to signal TLS handshake success and failure for client and server connections * Support proxy authentication for SOCKS v5 mode * CVE-2022-24766: Fix request smuggling vulnerability, boo#1197381 ------------------------------------------------------------------- Thu Jan 6 13:33:12 UTC 2022 - Ben Greiner - Register obs hypothesis profile for slow test executions ------------------------------------------------------------------- Wed Dec 8 21:07:48 UTC 2021 - Ferdinand Thiessen - Update to 7.0.4 * Compatibility with Python 3.10 * Supports proxying raw TCP connections * Support TCP connections that start with a server-side greeting * Support SMTP * Accept HTTP/2 requests from the client and forward them to an HTTP/1 server * Displays WebSocket messages also in a dedicated UI tab * Clients can now establish TLS with the proxy right from the start, which can add a significant layer of defense in public networks. * Removed pathoc and pathod, see https://github.com/mitmproxy/mitmproxy/issues/4273 ------------------------------------------------------------------- Wed Jan 27 14:37:07 UTC 2021 - Markéta Machová - Update to 6.0.2 * Mitmproxy now requires Python 3.8 or above. * Deprecation of pathod and pathoc tools and modules. Future releases will not contain them! * SSLKEYLOGFILE now supports TLS 1.3 secrets * Tests: Replace asynctest with stdlib mock * Many smaller improvements and bugfixes - Drop unpin.patch and replace it with a sed script - Drop merged replace-asynctest.patch ------------------------------------------------------------------- Tue Aug 11 10:05:06 UTC 2020 - Benjamin Greiner - Update to v5.2 * Add Filter message to mitmdump (@sarthak212) * Display TCP flows at flow list (@Jessonsotoventura, @nikitastupin, @mhils) * Colorize JSON Contentview (@sarthak212) * Fix console crash when entering regex escape character in half-open string (@sarthak212) * Integrate contentviews to TCP flow details (@nikitastupin) * Added add-ons that enhance the performance of web application scanners (@anneborcherding) * Increase WebSocket message timestamp precision (@JustAnotherArchivist) * Fix HTTP reason value on HTTP/2 reponses (@rbdixon) * mitmweb: support wslview to open a web browser (@G-Rath) * Fix dev version detection with parent git repo (@JustAnotherArchivist) * Restructure examples and supported addons (@mhils) * Certificate generation: mark SAN as critical if no CN is set (@mhils) * Simplify Replacements with new ModifyBody addon (@mplattner) * Rename SetHeaders addon to ModifyHeaders (@mplattner) * mitmweb: "New -> File" menu option has been renamed to "Clear All" (@yogeshojha) * Add new MapRemote addon to rewrite URLs of requests (@mplattner) * Add support for HTTP Trailers to the HTTP/2 protocol (@sanlengjingvv and @Kriechi) * Fix certificate runtime error during expire cleanup (@gorogoroumaru) * Fixed the DNS Rebind Protection for secure support of IPv6 addresses (@tunnelpr0) * WebSockets: match the HTTP-WebSocket flow for the ~websocket filter (@Kriechi) * Fix deadlock caused by the "replay.client.stop" command (@gorogoroumaru) * Add new MapLocal addon to serve local files instead of remote resources (@mplattner and @mhils) * Add minimal TCP interception and modification (@nikitastupin) * Add new CheckSSLPinning addon to check SSL-Pinning on client (@su-vikas) * Add a JSON dump script: write data into a file or send to an endpoint as JSON (@emedvedev) * Fix console output formatting (@sarthak212) * Add example for proxy authentication using selenium (@anneborcherding and @weichweich) - refresh unpin.patch - replace unmaintained asynctest by native python 3.8 unittest calls * replace-asynctest.patch * gh#mitmproxy/mitmproxy#4020 ------------------------------------------------------------------- Mon Jun 15 10:39:50 UTC 2020 - Marketa Calabkova - initial packaging (v5.1.1)