1.19.1 (August 24, 2021)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • http: reject requests with #fragment in the URI path. The fragment is not allowed to be part of request URI according to RFC3986 (3.5), RFC7230 (5.1) and RFC 7540 ( Rejection of requests can be changed to stripping the #fragment instead by setting the runtime guard envoy.reloadable_features.http_reject_path_with_fragment to false. This behavior can further be changed to the deprecated behavior of keeping the fragment by setting the runtime guard envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled. This runtime guard must only be set to false when existing non-compliant traffic relies on #fragment in URI. When this option is enabled, Envoy request authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the standard deprecation period.

  • http: stop processing pending H/2 frames if connection transitioned to the closed state. This behavior can be temporarily reverted by setting the envoy.reloadable_features.skip_dispatching_frames_for_closed_connection to false.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • ext_authz: fix the ext_authz filter to correctly merge multiple same headers using the , as separator in the check request to the external authorization service.

  • http: limit use of deferred resets in the http2 codec to server-side connections. Use of deferred reset for client connections can result in incorrect behavior and performance problems.