forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path1.16.5.yaml
17 lines (15 loc) · 1.11 KB
/
1.16.5.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
date: August 24, 2021
minor_behavior_changes:
- area: http
change: |
reject requests with \#fragment in the URI path. The fragment is not allowed to be part of request
URI according to RFC3986 (3.5), RFC7230 (5.1) and RFC 7540 (8.1.2.3). Rejection of requests can be changed
to stripping the \#fragment instead by setting the runtime guard ``envoy.reloadable_features.http_reject_path_with_fragment``
to false. This behavior can further be changed to the deprecated behavior of keeping the fragment by setting the runtime guard
``envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled``. This runtime guard must only be set
to false when existing non-compliant traffic relies on \#fragment in URI. When this option is enabled, Envoy request
authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the standard deprecation period.
bug_fixes:
- area: ext_authz
change: |
fix the ext_authz filter to correctly merge multiple same headers using the ',' as separator in the check request to the external authorization service.