Security
This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application uses c.RealIP(), beware and read https://echo.labstack.com/docs/ip-address
In v5, c.RealIP() now returns request.RemoteAddr unless e.IPExtractor has been configured. Potentially spoofable headers are no longer used by default.
Configure IPExtractor with proper trust options when you want to read the IP from headers. See:
- https://pkg.go.dev/github.com/labstack/echo/v5#ExtractIPFromRealIPHeader
- https://pkg.go.dev/github.com/labstack/echo/v5#ExtractIPFromXFFHeader
v4 behavior can be restored with:
e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

Related PR: Remove legacy IP extraction logic from context.RealIP method by @aldas in #2933
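
Why header-based extraction needs explicit trust options, shown as an added example that is not Echo's code and not part of these release notes: a standard-library sketch of a trust-aware X-Forwarded-For lookup. The names `clientIP`, `isTrusted` and `trustedProxies`, and the 10.0.0.0/8 proxy range, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// trustedProxies: constructed sample range standing in for your own load balancers.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}

func isTrusted(s string) bool {
	ip, err := netip.ParseAddr(s)
	for _, p := range trustedProxies {
		if err == nil && p.Contains(ip.Unmap()) {
			return true
		}
	}
	return false
}

// clientIP is a hypothetical trust-aware extractor, not Echo's implementation.
// xff is the request's X-Forwarded-For header value.
func clientIP(remoteAddr, xff string) string {
	peer, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		peer = remoteAddr
	}
	if !isTrusted(peer) {
		return peer // untrusted direct peer: ignore the header entirely
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // rightmost hops were appended by our proxies
		hop := strings.TrimSpace(hops[i])
		if _, err := netip.ParseAddr(hop); err != nil {
			break // empty or malformed entry: keep the last verified address
		}
		peer = hop
		if !isTrusted(hop) {
			break // first non-proxy address; everything left of it is client-supplied
		}
	}
	return peer
}

func main() {
	fmt.Println(clientIP("203.0.113.7:4000", "127.0.0.1"))             // header ignored
	fmt.Println(clientIP("10.0.0.5:4000", "127.0.0.1, 198.51.100.9")) // forged left entry skipped
}
```

In both sample calls the forged `127.0.0.1` entry is never returned: the address comes either from the TCP peer or from the hop appended by a proxy in the trusted range.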
What's Changed
- Add echo-opentelemetry to the README.md by @aldas in #2908
- fix: correct spelling mistakes in comments and field name by @crawfordxx in #2916
- Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @aldas in #2919
- Add StartConfig.Listener so server with custom Listener is easier to create by @aldas in #2920
- Fix rate limiter documentation for default burst value by @karesansui-u in #2925
- Add doc comments to clarify usage of File related methods and leading slash handling by @aldas in #2928
- Add NewDefaultFS function to help create filesystem that allows absolute paths by @aldas in #2931
- Do not set http.Server.WriteTimeout in StartConfig by @aldas in #2932
- Remove legacy IP extraction logic from context.RealIP method by @aldas in #2933
New Contributors
- @crawfordxx made their first contribution in #2916
- @karesansui-u made their first contribution in #2925
Full Changelog: v5.0.4...v5.1.0