From 8e6cbe4963b3b493ca66fd6575e0cd0ed52b83b9 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Fri, 7 Feb 2025 11:30:28 +0800 Subject: [PATCH] Fix CVE-2025-0825 (cherry picked from commit 13e33e0f825d315e136ee3772d6a3493454a02fb) --- CVE-2025-0825.patch | 104 ++++++++++++++++++++++++++++++++++++++++++++ cpp-httplib.spec | 7 ++- 2 files changed, 110 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-0825.patch diff --git a/CVE-2025-0825.patch b/CVE-2025-0825.patch new file mode 100644 index 0000000..0a30d07 --- /dev/null +++ b/CVE-2025-0825.patch @@ -0,0 +1,104 @@ +From 9c36aae4b73e2b6e493f4133e4173103c9266289 Mon Sep 17 00:00:00 2001 +From: yhirose +Date: Thu, 16 Jan 2025 00:04:17 -0500 +Subject: [PATCH] Fix HTTP Response Splitting Vulnerability + +--- + httplib.h | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 59 insertions(+), 3 deletions(-) + +diff --git a/httplib.h b/httplib.h +index e055dd4..cc9924f 100644 +--- a/httplib.h ++++ b/httplib.h +@@ -1972,6 +1972,60 @@ private: + std::string glowable_buffer_; + }; + ++// NOTE: https://www.rfc-editor.org/rfc/rfc9110#section-5 ++namespace fields { ++ ++inline bool is_token_char(char c) { ++ return std::isalnum(c) || c == '!' || c == '#' || c == '$' || c == '%' || ++ c == '&' || c == '\'' || c == '*' || c == '+' || c == '-' || ++ c == '.' || c == '^' || c == '_' || c == '`' || c == '|' || c == '~'; ++} ++ ++inline bool is_token(const std::string &s) { ++ if (s.empty()) { return false; } ++ for (auto c : s) { ++ if (!is_token_char(c)) { return false; } ++ } ++ return true; ++} ++ ++inline bool is_field_name(const std::string &s) { return is_token(s); } ++ ++inline bool is_vchar(char c) { return c >= 33 && c <= 126; } ++ ++inline bool is_obs_text(char c) { return 128 <= static_cast(c); } ++ ++inline bool is_field_vchar(char c) { return is_vchar(c) || is_obs_text(c); } ++ ++inline bool is_field_content(const std::string &s) { ++ if (s.empty()) { return false; } ++ ++ if (s.size() == 1) { ++ return is_field_vchar(s[0]); ++ } else if (s.size() == 2) { ++ return is_field_vchar(s[0]) && is_field_vchar(s[1]); ++ } else { ++ size_t i = 0; ++ ++ if (!is_field_vchar(s[i])) { return false; } ++ i++; ++ ++ while (i < s.size() - 1) { ++ auto c = s[i++]; ++ if (c == ' ' || c == '\t' || is_field_vchar(c)) { ++ } else { ++ return false; ++ } ++ } ++ ++ return is_field_vchar(s[i]); ++ } ++} ++ ++inline bool is_field_value(const std::string &s) { return is_field_content(s); } ++ ++}; // namespace fields ++ + } // namespace detail + + // ---------------------------------------------------------------------------- +@@ -4848,7 +4902,8 @@ inline size_t Request::get_header_value_count(const std::string &key) const { + + inline void Request::set_header(const std::string &key, + const std::string &val) { +- if (!detail::has_crlf(key) && !detail::has_crlf(val)) { ++ if (detail::fields::is_field_name(key) && ++ detail::fields::is_field_value(val)) { + headers.emplace(key, val); + } + } +@@ -4913,13 +4968,14 @@ inline size_t Response::get_header_value_count(const std::string &key) const { + + inline void Response::set_header(const std::string &key, + const std::string &val) { +- if (!detail::has_crlf(key) && !detail::has_crlf(val)) { ++ if (detail::fields::is_field_name(key) && ++ detail::fields::is_field_value(val)) { + headers.emplace(key, val); + } + } + + inline void Response::set_redirect(const std::string &url, int stat) { +- if (!detail::has_crlf(url)) { ++ if (detail::fields::is_field_value(url)) { + set_header("Location", url); + if (300 <= stat && stat < 400) { + this->status = stat; +-- +2.43.0 + diff --git a/cpp-httplib.spec b/cpp-httplib.spec index 1f18d97..674c4cb 100644 --- a/cpp-httplib.spec +++ b/cpp-httplib.spec @@ -2,11 +2,13 @@ Name: cpp-httplib Version: 0.12.4 -Release: 2 +Release: 3 Summary: A C++ header-only HTTP/HTTPS server and client library License: MIT URL: https://github.com/yhirose/cpp-httplib Source0: https://github.com/yhirose/cpp-httplib/archive/v%{version}/%{name}-%{version}.tar.gz +# https://build.opensuse.org/request/show/1243613 +Patch0: CVE-2025-0825.patch BuildRequires: gcc-c++ meson >= 0.47.0 openssl openssl-devel brotli-devel gtest-devel zlib-devel @@ -43,6 +45,9 @@ export GTEST_FILTER='_Online$' %{_libdir}/pkgconfig/%{name}.pc %changelog +* Fri Feb 07 2025 yaoxin <1024769339@qq.com> - 0.12.4-3 +- Fix CVE-2025-0825 + * Wed Sep 27 2023 Chenxi Mao - 0.12.4-2 - Add openssl to build require list to fix build error -- Gitee