packages/cpp-httplib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!33 [sync] PR-31: Fix CVE-2025-46728

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333
This commit is contained in:
openeuler-ci-bot 2025-05-08 01:17:52 +00:00 committed by Gitee
commit 2f7d811b28
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 112 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
CVE-2025-46728.patch Normal file
View File

@ -0,0 +1,107 @@
From 7b752106ac42bd5b907793950d9125a0972c8e8e Mon Sep 17 00:00:00 2001
From: Ville Vesilehto <ville@vesilehto.fi>
Date: Sat, 3 May 2025 11:39:01 +0300
Subject: [PATCH] Merge commit from fork
* fix(parser): Limit line length in getline
Prevents potential infinite loop and memory exhaustion in
stream_line_reader::getline by enforcing max line length.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* fix: increase default max line length to 32k
LONG_QUERY_VALUE test is set at 25k.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* test(client): expect read error with too long query
Adds a test case (`TooLongQueryValue`) to verify client behavior
when the request URI is excessively long, exceeding
`CPPHTTPLIB_MAX_LINE_LENGTH`. In this scenario, the server is
expected to reset the connection.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
---------
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Origin: https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e
---
httplib.h | 9 +++++++++
test/test.cc | 15 +++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/httplib.h b/httplib.h
index 86a7452..b13f7b6 100644
--- a/httplib.h
+++ b/httplib.h
@@ -113,6 +113,10 @@
#define CPPHTTPLIB_LISTEN_BACKLOG 5
#endif
+#ifndef CPPHTTPLIB_MAX_LINE_LENGTH
+#define CPPHTTPLIB_MAX_LINE_LENGTH 32768
+#endif
+
/*
* Headers
*/
@@ -2559,6 +2563,11 @@ inline bool stream_line_reader::getline() {
glowable_buffer_.clear();
for (size_t i = 0;; i++) {
+ if (size() >= CPPHTTPLIB_MAX_LINE_LENGTH) {
+ // Treat exceptionally long lines as an error to
+ // prevent infinite loops/memory exhaustion
+ return false;
+ }
char byte;
auto n = strm_.read(&byte, 1);
diff --git a/test/test.cc b/test/test.cc
index e702e36..eefa33b 100644
--- a/test/test.cc
+++ b/test/test.cc
@@ -33,6 +33,9 @@ const int PORT = 1234;
const string LONG_QUERY_VALUE = string(25000, '@');
const string LONG_QUERY_URL = "/long-query-value?key=" + LONG_QUERY_VALUE;
+const string TOO_LONG_QUERY_VALUE = string(35000, '@');
+const string TOO_LONG_QUERY_URL = "/too-long-query-value?key=" + TOO_LONG_QUERY_VALUE;
+
const std::string JSON_DATA = "{\"hello\":\"world\"}";
const string LARGE_DATA = string(1024 * 1024 * 100, '@'); // 100MB
@@ -1991,6 +1994,11 @@ protected:
EXPECT_EQ(LONG_QUERY_URL, req.target);
EXPECT_EQ(LONG_QUERY_VALUE, req.get_param_value("key"));
})
+ .Get("/too-long-query-value",
+ [&](const Request &req, Response & /*res*/) {
+ EXPECT_EQ(TOO_LONG_QUERY_URL, req.target);
+ EXPECT_EQ(TOO_LONG_QUERY_VALUE, req.get_param_value("key"));
+ })
.Get("/array-param",
[&](const Request &req, Response & /*res*/) {
EXPECT_EQ(3u, req.get_param_value_count("array"));
@@ -2697,6 +2705,13 @@ TEST_F(ServerTest, LongQueryValue) {
EXPECT_EQ(414, res->status);
}
+TEST_F(ServerTest, TooLongQueryValue) {
+ auto res = cli_.Get(TOO_LONG_QUERY_URL.c_str());
+
+ ASSERT_FALSE(res);
+ EXPECT_EQ(Error::Read, res.error());
+}
+
TEST_F(ServerTest, TooLongHeader) {
Request req;
req.method = "GET";
--
2.49.0

6
cpp-httplib.spec
View File

@ -1,11 +1,12 @@
Name: cpp-httplib Name: cpp-httplib
Version: 0.14.0 Version: 0.14.0
Release: 3 Release: 4
Summary: A C++ header-only HTTP/HTTPS server and client library Summary: A C++ header-only HTTP/HTTPS server and client library
License: MIT License: MIT
URL: https://github.com/yhirose/cpp-httplib URL: https://github.com/yhirose/cpp-httplib
Source0: https://github.com/yhirose/cpp-httplib/archive/v%{version}/cpp-httplib-%{version}.tar.gz Source0: https://github.com/yhirose/cpp-httplib/archive/v%{version}/cpp-httplib-%{version}.tar.gz
Patch0: CVE-2025-0825.patch Patch0: CVE-2025-0825.patch
Patch1: CVE-2025-46728.patch
BuildRequires: gcc-c++ meson >= 0.47.0 openssl openssl-devel brotli-devel gtest-devel zlib-devel BuildRequires: gcc-c++ meson >= 0.47.0 openssl openssl-devel brotli-devel gtest-devel zlib-devel
Requires: openssl-devel, glibc-devel, zlib-devel Requires: openssl-devel, glibc-devel, zlib-devel
@ -43,6 +44,9 @@ export GTEST_FILTER='_Online$'
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%changelog %changelog
* Wed May 07 2025 yaoxin <1024769339@qq.com> - 0.14.0-4
- Fix CVE-2025-46728
* Fri Feb 07 2025 yaoxin <1024769339@qq.com> - 0.14.0-3 * Fri Feb 07 2025 yaoxin <1024769339@qq.com> - 0.14.0-3
- Fix CVE-2025-0825 - Fix CVE-2025-0825