Hpack

------------------

**API Changes (Backward Incompatible)**

- Support for Python 2.7 has been removed.
- Support for Python 3.4 has been removed.
- Support for Python 3.5 has been removed.
- Support for PyPy (Python 2.7 compatible) has been removed.
- Support for Python 3.8 has been added.

**Bugfixes**

- Performance improvement of static header search. Use dict search instead
of linear search.
- Fix debug output of headers during encoding.

------------------

**API Changes (Backward Incompatible)**

- Removed nghttp2 support. This support had rotted and was essentially
non-functional, so it has now been removed until someone has time to re-add
the support in a functional form.
- Attempts by the encoder to exceed the maximum allowed header table size via
dynamic table size updates (or the absence thereof) are now forbidden.

**API Changes (Backward Compatible)**

- Added a new ``InvalidTableSizeError`` thrown when the encoder does not
respect the maximum table size set by the user.
- Added a ``Decoder.max_allowed_table_size`` field that sets the maximum
allowed size of the decoder header table. See the documentation for an
indication of how this should be used.

**Bugfixes**

- Up to 25% performance improvement decoding HPACK-packed integers, depending
on the platform.
- HPACK now tolerates receiving multiple header table size changes in sequence,
rather than only one.
- HPACK now forbids header table size changes anywhere but first in a header
block, as required by RFC 7541 § 4.2.
- Other miscellaneous performance improvements.

------------------

**Security Fixes**

- CVE-2016-6581: HPACK Bomb. This release now enforces a maximum value of the
decompressed size of the header list. This is to avoid the so-called "HPACK
Bomb" vulnerability, which is caused when a malicious peer sends a compressed
HPACK body that decompresses to a gigantic header list size.

This also adds a ``OversizedHeaderListError``, which is thrown by the
``decode`` method if the maximum header list size is being violated. This
places the HPACK decoder into a broken state: it must not be used after this
exception is thrown.

This also adds a ``max_header_list_size`` to the ``Decoder`` object. This
controls the maximum allowable decompressed size of the header list. By
default this is set to 64kB.

------------------

**API Changes (Backward Compatible)**

- Added ``HeaderTuple`` and ``NeverIndexedHeaderTuple`` classes that signal
whether a given header field may ever be indexed in HTTP/2 header
compression.
- Changed ``Decoder.decode()`` to return the newly added ``HeaderTuple`` class
and subclass. These objects behave like two-tuples, so this change does not
break working code.

**Bugfixes**

- Improve Huffman decoding speed by 4x using an approach borrowed from nghttp2.
- Improve HPACK decoding speed by 10% by caching header table sizes.

------------------

**Bugfixes**

- When passing a dictionary or dictionary subclass to ``Encoder.encode``, HPACK
now ensures that HTTP/2 special headers (headers whose names begin with
``:`` characters) appear first in the header block.

------------------

**API Changes (Backward Compatible)**

- Added new ``InvalidTableIndex`` exception, a subclass of
``HPACKDecodingError``.
- Instead of throwing ``IndexError`` when encountering invalid encoded integers
HPACK now throws ``HPACKDecodingError``.
- Instead of throwing ``UnicodeDecodeError`` when encountering headers that are
not UTF-8 encoded, HPACK now throws ``HPACKDecodingError``.
- Instead of throwing ``IndexError`` when encountering invalid table offsets,
HPACK now throws ``InvalidTableIndex``.
- Added ``raw`` flag to ``decode``, allowing ``decode`` to return bytes instead
of attempting to decode the headers as UTF-8.

**Bugfixes**

- ``memoryview`` objects are now used when decoding HPACK, improving the
performance by avoiding unnecessary data copies.