diff --git a/CVE-2025-0825.patch b/CVE-2025-0825.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d4a08b0a798a729c72e1550932ccd0eeca827eb --- /dev/null +++ b/CVE-2025-0825.patch @@ -0,0 +1,104 @@ +From 9c36aae4b73e2b6e493f4133e4173103c9266289 Mon Sep 17 00:00:00 2001 +From: yhirose +Date: Thu, 16 Jan 2025 00:04:17 -0500 +Subject: [PATCH] Fix HTTP Response Splitting Vulnerability + +--- + httplib.h | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 59 insertions(+), 3 deletions(-) + +diff --git a/httplib.h b/httplib.h +index 5a4b64a..86a7452 100644 +--- a/httplib.h ++++ b/httplib.h +@@ -2159,6 +2159,60 @@ private: + void *addr_; + }; + ++// NOTE: https://www.rfc-editor.org/rfc/rfc9110#section-5 ++namespace fields { ++ ++inline bool is_token_char(char c) { ++ return std::isalnum(c) || c == '!' || c == '#' || c == '$' || c == '%' || ++ c == '&' || c == '\'' || c == '*' || c == '+' || c == '-' || ++ c == '.' || c == '^' || c == '_' || c == '`' || c == '|' || c == '~'; ++} ++ ++inline bool is_token(const std::string &s) { ++ if (s.empty()) { return false; } ++ for (auto c : s) { ++ if (!is_token_char(c)) { return false; } ++ } ++ return true; ++} ++ ++inline bool is_field_name(const std::string &s) { return is_token(s); } ++ ++inline bool is_vchar(char c) { return c >= 33 && c <= 126; } ++ ++inline bool is_obs_text(char c) { return 128 <= static_cast(c); } ++ ++inline bool is_field_vchar(char c) { return is_vchar(c) || is_obs_text(c); } ++ ++inline bool is_field_content(const std::string &s) { ++ if (s.empty()) { return false; } ++ ++ if (s.size() == 1) { ++ return is_field_vchar(s[0]); ++ } else if (s.size() == 2) { ++ return is_field_vchar(s[0]) && is_field_vchar(s[1]); ++ } else { ++ size_t i = 0; ++ ++ if (!is_field_vchar(s[i])) { return false; } ++ i++; ++ ++ while (i < s.size() - 1) { ++ auto c = s[i++]; ++ if (c == ' ' || c == '\t' || is_field_vchar(c)) { ++ } else { ++ return false; ++ } ++ } ++ ++ return is_field_vchar(s[i]); ++ } ++} ++ ++inline bool is_field_value(const std::string &s) { return is_field_content(s); } ++ ++}; // namespace fields ++ + } // namespace detail + + // ---------------------------------------------------------------------------- +@@ -5118,7 +5172,8 @@ inline size_t Request::get_header_value_count(const std::string &key) const { + + inline void Request::set_header(const std::string &key, + const std::string &val) { +- if (!detail::has_crlf(key) && !detail::has_crlf(val)) { ++ if (detail::fields::is_field_name(key) && ++ detail::fields::is_field_value(val)) { + headers.emplace(key, val); + } + } +@@ -5183,13 +5238,14 @@ inline size_t Response::get_header_value_count(const std::string &key) const { + + inline void Response::set_header(const std::string &key, + const std::string &val) { +- if (!detail::has_crlf(key) && !detail::has_crlf(val)) { ++ if (detail::fields::is_field_name(key) && ++ detail::fields::is_field_value(val)) { + headers.emplace(key, val); + } + } + + inline void Response::set_redirect(const std::string &url, int stat) { +- if (!detail::has_crlf(url)) { ++ if (detail::fields::is_field_value(url)) { + set_header("Location", url); + if (300 <= stat && stat < 400) { + this->status = stat; +-- +2.43.0 + diff --git a/cpp-httplib.spec b/cpp-httplib.spec index 5981436d6ff3f06f70eef0d4a908b1fcedc21117..316a66a86a9fdcce198ae4d96eeaf11be432b9e1 100644 --- a/cpp-httplib.spec +++ b/cpp-httplib.spec @@ -1,10 +1,11 @@ Name: cpp-httplib Version: 0.14.0 -Release: 2 +Release: 3 Summary: A C++ header-only HTTP/HTTPS server and client library License: MIT URL: https://github.com/yhirose/cpp-httplib Source0: https://github.com/yhirose/cpp-httplib/archive/v%{version}/cpp-httplib-%{version}.tar.gz +Patch0: CVE-2025-0825.patch BuildRequires: gcc-c++ meson >= 0.47.0 openssl openssl-devel brotli-devel gtest-devel zlib-devel Requires: openssl-devel, glibc-devel, zlib-devel @@ -42,6 +43,9 @@ export GTEST_FILTER='_Online$' %{_libdir}/pkgconfig/%{name}.pc %changelog +* Fri Feb 07 2025 yaoxin <1024769339@qq.com> - 0.14.0-3 +- Fix CVE-2025-0825 + * Wed Sep 27 2023 Chenxi Mao - 0.14.0-2 - Add openssl to build require list to fix build error