Crystal 1.19.2 is a patch release fixing two regressions and a security vulnerability. The security fix addresses HTTP request smuggling (CWE-444): HTTP::Server previously accepted requests with both Content-Length and Transfer-Encoding headers, prioritizing Content-Length, which could allow smuggling attacks when behind a vulnerable frontend. The fix rejects such requests and ignores Content-Length when Transfer-Encoding is present. Additionally, a regression in Range#sample that could lose randomness is fixed. The release includes 3 changes from 2 contributors.
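The header-handling rule the release note describes is independent of Crystal, so the following added example (not Crystal's own HTTP::Server code) shows it in Python: it parses a constructed request head and applies the pre-1.19.2 rule (Content-Length wins) beside the fixed rule (both headers present means the request is rejected; Transfer-Encoding alone means chunked framing and Content-Length is never consulted). It goes one step beyond the page by also rejecting conflicting duplicate Content-Length values, which RFC 7230 §3.3.3 requires; the function names, the `FramingError` type and the sample request are this example's own.

```python
"""Body-framing policy check illustrating the HTTP::Server fix in Crystal 1.19.2.

Added example, not Crystal's code. The request at the bottom is constructed
for illustration only.
"""
from typing import Dict, List, Tuple


class FramingError(ValueError):
    """Raised when body framing is ambiguous or invalid; a server answers 400."""


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw request into (request line, header pairs, remaining bytes).

    Header names are lower-cased; duplicates are kept as separate pairs so
    the policy can inspect them instead of silently merging them.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, rest


def framing_policy(headers: List[Tuple[str, str]], legacy: bool = False) -> str:
    """Decide how the message body is delimited.

    Returns "chunked", "content-length:<n>" or "none".
    legacy=True reproduces the pre-1.19.2 behaviour (Content-Length wins even
    when Transfer-Encoding is present). The default is the fixed behaviour:
      * both headers present      -> reject (ambiguous framing, CWE-444)
      * Transfer-Encoding present -> chunked framing, Content-Length unused
      * Content-Length only       -> fixed-length body; conflicting
                                     duplicate values are rejected
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]

    if legacy:
        if cl:
            return f"content-length:{cl[0]}"
        return "chunked" if te else "none"

    if te and cl:
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te:
        # Only a final "chunked" encoding gives the body a usable framing.
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("unsupported Transfer-Encoding")
        return "chunked"
    if cl:
        values = {v.strip() for v in cl}
        if len(values) != 1 or not next(iter(values)).isdigit():
            raise FramingError("invalid or conflicting Content-Length")
        return f"content-length:{cl[0]}"
    return "none"


def is_rejected(headers: List[Tuple[str, str]]) -> bool:
    """True when the fixed policy refuses to frame the request."""
    try:
        framing_policy(headers)
    except FramingError:
        return True
    return False


# Constructed request carrying both framing headers (the ambiguous case).
AMBIGUOUS_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)


def demonstrate() -> Dict[str, str]:
    """Run the constructed request through the legacy and the fixed policy."""
    _, headers, _ = parse_head(AMBIGUOUS_REQUEST)
    result = {"legacy": framing_policy(headers, legacy=True)}
    try:
        result["fixed"] = framing_policy(headers)
    except FramingError as exc:
        result["fixed"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for policy, decision in demonstrate().items():
        print(f"{policy:>6}: {decision}")
```

The legacy branch frames the sample body by the 13-byte Content-Length while any chunked-aware peer on the same path would stop after the terminating `0` chunk; that disagreement over where one request ends and the next begins is what the fix removes by refusing to frame the request at all.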