v5.2.0 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @vishr in #3009
• fix(middleware/static): don't double-unescape request path (#2599) by @vishr in #3006

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @a-tt-om and @oran-gugu for reporting.

Enhancements

• feat(middleware): optional RateLimiterStoreContext for response headers (#2961) by @vishr in #3007
• perf: optimize core hot paths (chain, context, binding, responses) by @vishr in #3008
• fix(binder): include field name in bind conversion errors (#2629) by @vishr in #3005
• fix(binder): serialize BindingError to structured JSON (#2771) by @vishr in #3004
• fix(binder): MustUnixTime docs say time.Time, not time.Duration by @c-tonneslan in #2988
• fix(middleware): reset ContentLength after gzip decompression by @shblue21 in #3000
• fix(middleware/proxy): append RealIP to X-Forwarded-For for WebSocket requests by @kawaway in #2994
• Fix proxy panic when balancer has no targets by @shblue21 in #2977
• fix(middleware): correct documented KeyAuth KeyLookup default by @leestana01 in #2992
• test: lock in v5 group route method-handling (405 + OPTIONS) by @vishr in #3003
• docs: liveness signals in README + public ROADMAP by @vishr in #3002
• Fix typos in CSRFConfig comments by @shblue21 in #2979
• refactor: modernize code usage using gofix by @kumapower17 in #2970
• refactor: replace Split in loops with more efficient SplitSeq by @box4wangjing in #2969
• refactor: use the built-in max/min to simplify the code by @criciss in #2966
• Update GitHub actions deps versions by @aldas in #2971

New Contributors

• @criciss made their first contribution in #2966
• @box4wangjing made their first contribution in #2969
• @shblue21 made their first contribution in #2977
• @c-tonneslan made their first contribution in #2988
• @leestana01 made their first contribution in #2992
• @kawaway made their first contribution in #2994

Full Changelog: v5.1.1...v5.2.0

v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @vishr in #3011

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @a-tt-om and @oran-gugu for reporting.

Full Changelog: v4.15.2...v4.15.3

v5.1.1 - Context.Scheme() should validate header values

Security

• Context.Scheme() should validate values taken from header by @aldas in #2953

Thanks to @shblue21 for reporting this issue - Context.Scheme accepts malformed forwarded scheme values used by host redirects.

Enhancements

• Add golangci linter configuration by @aldas in #2930
• Make StartConfig listener creation context-aware by @EricGusmao in #2936
• fix(lint): resolve staticcheck issues and improve code quality by @itsllyaz in #2941
• Context.Scheme should validate values taken from header by @aldas in #2953
• chore: fix typos in httperror.go by @tisonkun in #2958
• Context.Json should not unwrap response by @aldas in #2964

New Contributors

• @EricGusmao made their first contribution in #2936
• @itsllyaz made their first contribution in #2941
• @tisonkun made their first contribution in #2958

Full Changelog: v5.1.0...v5.1.1

v4.15.2 - Context.Scheme() header validation

Security

• Context.Scheme() should validate values taken from header by @aldas in #2962

Thanks to @shblue21 for reporting this issue.

Full Changelog: v4.15.1...v4.15.2

v5.1.0

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

In v5 the c.RealIP() will now return request.RemoteAddr unless e.IPExtractor has been configured. No potentially spoofable headers are used by default anymore.

Configure IPExtractor with proper trust options when you want to read IP from headers. See:

• https://pkg.go.dev/github.com/labstack/echo/v5#ExtractIPFromRealIPHeader
• https://pkg.go.dev/github.com/labstack/echo/v5#ExtractIPFromXFFHeader

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

Related PR: Remove legacy IP extraction logic from context.RealIP method by @aldas in #2933

What's Changed

• Add echo-opentelemetry to the README.md by @aldas in #2908
• fix: correct spelling mistakes in comments and field name by @crawfordxx in #2916
• Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @aldas in #2919
• Add StartConfig.Listener so server with custom Listener is easier to create by @aldas in #2920
• Fix rate limiter documentation for default burst value by @karesansui-u in #2925
• Add doc comments to clarify usage of File related methods and leading slash handling by @aldas in #2928
• Add NewDefaultFS function to help create filesystem that allows absolute paths by @aldas in #2931
• Do not set http.Server.WriteTimeout in StartConfig by @aldas in #2932
• Remove legacy IP extraction logic from context.RealIP method by @aldas in #2933

New Contributors

• @crawfordxx made their first contribution in #2916
• @karesansui-u made their first contribution in #2925

Full Changelog: v5.0.4...v5.1.0

v4.15.1

What's Changed

• CSRF: support older token-based CSRF protection handler that want to render token into template by @aldas in #2905

Full Changelog: v4.15.0...v4.15.1

v5.0.4 small fixes and improvements

What's Changed

• Remove unused import 'errors' from README example by @kumapower17 in #2889
• Fix Graceful shutdown: after http.Server.Serve returns we need to wait for graceful shutdown goroutine to finish by @aldas in #2898
• Update location of oapi-codegen in README by @mromaszewicz in #2896
• Add Go 1.26 to CI flow by @aldas in #2899
• Add new function echo.StatusCode by @suwakei in #2892
• CSRF: support older token-based CSRF protection handler that want to render token into template by @aldas in #2894
• Add echo.ResolveResponseStatus function to help middleware/handlers determine HTTP status code and echo.Response by @aldas in #2900

New Contributors

• @mromaszewicz made their first contribution in #2896
• @suwakei made their first contribution in #2892

Full Changelog: v5.0.3...v5.0.4

v5.0.3 security (static middleware directory traversal under Windows)

Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @shblue21 (#2891).

This applies to cases when:

• Windows is used as OS
• middleware.StaticConfig.Filesystem is nil (default)
• echo.Filesystem is has not been set explicitly (default)

Full Changelog: v5.0.2...v5.0.3

v5.0.2 security (static middleware folder browsing)

Security

• Fix Static middleware when folder browsing is enabled (config.Browse=true , defaults to false) lists all files/subfolders from config.Filesystem root folder and not starting from config.Root and requested folder in #2887 . Reported by @shblue21 in #2886

Full Changelog: v5.0.1...v5.0.2

v5.0.1 small fixes

What's Changed

• Panic MW: will now return a custom PanicStackError with stack trace by @aldas in #2871
• Docs: add missing err parameter to DenyHandler example by @cgalibern in #2878
• Context: improve websocket checks in IsWebSocket() [per RFC 6455] by @raju-mechatronics in #2875
• Fix: Context.Json() should not send status code before serialization is complete by @aldas in #2877

New Contributors

• @cgalibern made their first contribution in #2878
• @raju-mechatronics made their first contribution in #2875

Full Changelog: v5.0.0...v5.0.1