!28 [sync] PR-26: Fix CVE-2025-0825

From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333
2025-02-07 03:15:51 +00:00 · 2025-02-07 03:15:51 +00:00 · 4226caefd4
commit 4226caefd4
parent 921b8247b5 71728ab942
2 changed files with 109 additions and 1 deletions
--- a/CVE-2025-0825.patch
+++ b/CVE-2025-0825.patch
@ -0,0 +1,104 @@
+From 9c36aae4b73e2b6e493f4133e4173103c9266289 Mon Sep 17 00:00:00 2001
+From: yhirose <yuji.hirose.bug@gmail.com>
+Date: Thu, 16 Jan 2025 00:04:17 -0500
+Subject: [PATCH] Fix HTTP Response Splitting Vulnerability
+
+---
+ httplib.h | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 59 insertions(+), 3 deletions(-)
+
+diff --git a/httplib.h b/httplib.h
+index 5a4b64a..86a7452 100644
+--- a/httplib.h
+++ b/httplib.h
+@@ -2159,6 +2159,60 @@ private:
+   void *addr_;
+ };
+ 
+// NOTE: https://www.rfc-editor.org/rfc/rfc9110#section-5
+namespace fields {
+
+inline bool is_token_char(char c) {
+  return std::isalnum(c) || c == '!' || c == '#' || c == '$' || c == '%' ||
+         c == '&' || c == '\'' || c == '*' || c == '+' || c == '-' ||
+         c == '.' || c == '^' || c == '_' || c == '`' || c == '|' || c == '~';
+}
+
+inline bool is_token(const std::string &s) {
+  if (s.empty()) { return false; }
+  for (auto c : s) {
+    if (!is_token_char(c)) { return false; }
+  }
+  return true;
+}
+
+inline bool is_field_name(const std::string &s) { return is_token(s); }
+
+inline bool is_vchar(char c) { return c >= 33 && c <= 126; }
+
+inline bool is_obs_text(char c) { return 128 <= static_cast<unsigned char>(c); }
+
+inline bool is_field_vchar(char c) { return is_vchar(c) || is_obs_text(c); }
+
+inline bool is_field_content(const std::string &s) {
+  if (s.empty()) { return false; }
+
+  if (s.size() == 1) {
+    return is_field_vchar(s[0]);
+  } else if (s.size() == 2) {
+    return is_field_vchar(s[0]) && is_field_vchar(s[1]);
+  } else {
+    size_t i = 0;
+
+    if (!is_field_vchar(s[i])) { return false; }
+    i++;
+
+    while (i < s.size() - 1) {
+      auto c = s[i++];
+      if (c == ' ' || c == '\t' || is_field_vchar(c)) {
+      } else {
+        return false;
+      }
+    }
+
+    return is_field_vchar(s[i]);
+  }
+}
+
+inline bool is_field_value(const std::string &s) { return is_field_content(s); }
+
+}; // namespace fields
+
+ } // namespace detail
+ 
+ // ----------------------------------------------------------------------------
+@@ -5118,7 +5172,8 @@ inline size_t Request::get_header_value_count(const std::string &key) const {
+ 
+ inline void Request::set_header(const std::string &key,
+                                 const std::string &val) {
+-  if (!detail::has_crlf(key) && !detail::has_crlf(val)) {
+  if (detail::fields::is_field_name(key) &&
+      detail::fields::is_field_value(val)) {
+     headers.emplace(key, val);
+   }
+ }
+@@ -5183,13 +5238,14 @@ inline size_t Response::get_header_value_count(const std::string &key) const {
+ 
+ inline void Response::set_header(const std::string &key,
+                                  const std::string &val) {
+-  if (!detail::has_crlf(key) && !detail::has_crlf(val)) {
+  if (detail::fields::is_field_name(key) &&
+      detail::fields::is_field_value(val)) {
+     headers.emplace(key, val);
+   }
+ }
+ 
+ inline void Response::set_redirect(const std::string &url, int stat) {
+-  if (!detail::has_crlf(url)) {
+  if (detail::fields::is_field_value(url)) {
+     set_header("Location", url);
+     if (300 <= stat && stat < 400) {
+       this->status = stat;
+-- 
+2.43.0
+
--- a/cpp-httplib.spec
+++ b/cpp-httplib.spec
@ -1,10 +1,11 @@
 Name:    cpp-httplib
 Version: 0.14.0
-Release: 2
+Release: 3
 Summary: A C++ header-only HTTP/HTTPS server and client library 
 License: MIT
 URL:	 https://github.com/yhirose/cpp-httplib
 Source0: https://github.com/yhirose/cpp-httplib/archive/v%{version}/cpp-httplib-%{version}.tar.gz
+Patch0:  CVE-2025-0825.patch

 BuildRequires:  gcc-c++ meson >= 0.47.0 openssl openssl-devel brotli-devel gtest-devel zlib-devel
 Requires:       openssl-devel, glibc-devel, zlib-devel
@ -42,6 +43,9 @@ export GTEST_FILTER='_Online$'
 %{_libdir}/pkgconfig/%{name}.pc

 %changelog
+* Fri Feb 07 2025 yaoxin <1024769339@qq.com> - 0.14.0-3
+- Fix CVE-2025-0825
+
 * Wed Sep 27 2023 Chenxi Mao <chenxi.mao@suse.com> - 0.14.0-2
 - Add openssl to build require list to fix build error