Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cpp-httplib for openSUSE:Factory checked in at 2026-03-26 21:07:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cpp-httplib (Old) and /work/SRC/openSUSE:Factory/.cpp-httplib.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cpp-httplib" Thu Mar 26 21:07:24 2026 rev:16 rq:1342181 version:0.38.0 Changes: -------- --- /work/SRC/openSUSE:Factory/cpp-httplib/cpp-httplib.changes 2025-12-24 13:15:47.333163553 +0100 +++ /work/SRC/openSUSE:Factory/.cpp-httplib.new.8177/cpp-httplib.changes 2026-03-27 06:37:57.925436981 +0100 @@ -1,0 +2,108 @@ +Wed Mar 18 11:52:46 UTC 2026 - Marius Grossu <[email protected]> + +- Update to 0.38.0: + * Filename sanitization for path traversal prevention — Added sanitize_filename() to prevent path traversal attacks via malicious filenames in multipart uploads + * Symlink protection in static file server — Static file serving now detects and rejects symlinks that point outside the mount directory, preventing symlink-based directory traversal + * Brotli compression support — Added Brotli (br) as a supported content encoding alongside gzip and deflate + * Accept-Encoding quality parameter parsing — The server now parses q= quality values in the Accept-Encoding header and selects the best encoding accordingly + * SSL proxy connection support — SSLClient can now establish connections through HTTPS proxies, with a new setup_proxy_connection method for cleaner proxy handling + * WebSocket ping interval runtime configuration — WebSocket ping interval can now be configured at runtime instead of only at compile time + * Benchmark test suite — Added benchmark tests and configurations for performance evaluation + * Unicode path component decoding tests — Added test coverage for Unicode characters in decode_path_component + * Documentation updates — Enhanced TLS backend documentation with platform-specific certificate handling details; clarified progress callback usage and user data handling in examples + * Fix port conflict in test — Fixed port number in OpenStreamMalformedContentLength test to avoid conflicts + * Removed large data tests for GzipDecompressor and SSLClientServerTest that caused memory issues + * Enabled BindDualStack test +- 0.37.2: + * Fix TLS cert verification bypass on proxy redirect introduced in #2165 by @yhirose in #2396 + * Various security fixes +- 0.37.1: + * Remove 32-bit limitation +- 0.37.0 + * Use doc.yml to generate document site + * Fix problem with alternate file name check +- 0.36.0 + * Documentation Site on GitHub Pages + * [CMake] New compoments MbedTLS and wolfSSL + * Removed unused local variable by @hqo998 + * Fix #2383 +- 0.35.0 + * Make loading system certificates from the Keychain on macOS an opt-out feature +- 0.34.0 + * Added make_file_body function to send file binaries + * Revised description of file upload using make_file_provider + * Updated Crow library version from v1.2.0 to v1.3.1 (for benchmark code) + * Fixed bugs caused by the recent performance improvement +- 0.33.1 + * Fix C++11 compatibility problem +- 0.33.0: + * Offline test (Resolve #2356) + * Use iptables to disable network + * Parallel test on CI by + * Remove macOS select() fallback + * Fix comparison of integers of different signs warning when compiling with BoringSSL + * WebSocket and Dynamic Thread Pool support + * Add wolfSSL support +- 0.32.0: + * Move stream and sse implementations from the decl area to the implementation area + * Add support for mbedtls to meson + * Correct sign comparison error with sk_X509_OBJECT_num + * Fix compilation on BoringSSL by replacing ASN1_TIME_to_tm + * Bypass new 100MB payload limit when a content_receiver +- 0.31.0: + * Abstract TLS API support (Resolve #2309) + * Add C++ modules support + * Fix memory leak + * Old: std::numeric_limits<size_t>::max() (effectively unlimited) + * New: 100 * 1024 * 1024 (100MB) + * Code that receives payloads larger than 100MB will now fail with ExceedMaxPayloadSize error + * Mbed TLS can now be used by defining CPPHTTPLIB_MBEDTLS_SUPPORT + * Request::ssl (SSL* type) has been removed and replaced with Request::ssl (tls::const_session_t type) + * ClientConnection::ssl has similarly been changed to tls::session_t + * Constructors and methods that directly use OpenSSL types (X509*, EVP_PKEY*, etc.) are now deprecated + * SSLServer: X509*/EVP_PKEY* constructors → migrate to SSLServer(PemMemory) or SSLServer(ContextSetupCallback) + * SSLClient: ssl_context() → use tls_context() instead + * Client: set_server_certificate_verifier(std::function<SSLVerifierResponse(SSL*)>) → use set_server_certificate_verifier(tls::VerifyCallback) instead + * Result: ssl_openssl_error() → use ssl_backend_error() instead + * Request: req.ssl (OpenSSL SSL*) → req.ssl (tls::const_session_t) + use req.peer_cert() / req.sni() +- 0.30.2: + * Problem with CI test on Windows without OpenSSL + * Fix zstd detection when zstd_FOUND is true but target is missing + * timegm api absent in AIX + * Fix set_ca_cert_store() to skip system certs like set_ca_cert_path() + * case insensitive hostname validation + Prevent redefinition of ssize_t +- 0.30.0: + * Apple frameworks: match CoreFoundation and CFNetwork linkage +- 0.29.0: + * chore: fix some typos in comments + * Optimize ThreadPool and MatcherBase constructors + * New Stream API Support + * Implement ETag and Last-Modified support for static file responses and If-Range requests + * Update split.py file + * Use std::move for content_provider in adapter + * Use std::move for boundary in set_boundary method + * Fix linker error on macOS when using CMake + * Remove unnecessary copies for AcceptEntry + * Change single char string literals to chars + * Remove another unnecessary string copy + * Use move semantics for auth key and value + * Replace httpbin.org with httpcan.org + * Add Zstd support through meson + * Verify Host header omits default ports per RFC 7230 + * Implement SSEClient + * Avoid unnecessary copying of request and response in proxy/redirect + * Use std::move for request redirection + * Add another missing std::move for base_dirs_ vector +- Skip arch-specific test failures in %check: 32-bit time_t/size_t overflow + on ix86/arm (ETagTest, WebSocketIntegrationTest) +- Add OpenStreamMalformedContentLength.patch: Fix out-of-range Content-Length +- Upstream release includes fixes for: + CVE-2026-22776 (bsc#1256518) + CVE-2026-21428 (bsc#1255835) + CVE-2026-29076 (bsc#1259373) + CVE-2026-28435 (bsc#1259220) + CVE-2026-28434 (bsc#1259221) + CVE-2026-32627 (bsc#1259723) + +------------------------------------------------------------------- Old: ---- cpp-httplib-0.28.0.tar.gz New: ---- OpenStreamMalformedContentLength.patch cpp-httplib-0.38.0.tar.gz ----------(New B)---------- New: on ix86/arm (ETagTest, WebSocketIntegrationTest) - Add OpenStreamMalformedContentLength.patch: Fix out-of-range Content-Length - Upstream release includes fixes for: ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cpp-httplib.spec ++++++ --- /var/tmp/diff_new_pack.Hu0Hds/_old 2026-03-27 06:37:59.801514305 +0100 +++ /var/tmp/diff_new_pack.Hu0Hds/_new 2026-03-27 06:37:59.813514799 +0100 @@ -1,7 +1,7 @@ # # spec file for package cpp-httplib # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2025 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -17,16 +17,18 @@ # -%define sover 0.28 -%define libver 0_28 +%define sover 0.38 +%define libver 0_38 Name: cpp-httplib -Version: 0.28.0 +Version: 0.38.0 Release: 0 Summary: A C++11 HTTP/HTTPS server and client library License: MIT URL: https://github.com/yhirose/cpp-httplib Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}.pc +# FIX-UPSTREAM OpenStreamMalformedContentLength.patch (#dd8071a) +Patch0: OpenStreamMalformedContentLength.patch BuildRequires: c++_compiler BuildRequires: cmake BuildRequires: netcfg @@ -87,7 +89,17 @@ %check # OBS and chroot build environments does not provide internet # connectivity, skip online tests to avoid failures -%ctest --parallel 1 --exclude-regex '(_Online$)' +# Additionally skip tests known to fail on specific architectures: +# - ETagTest date tests: 32-bit time_t overflow (Y2038) on 32-bit arches +# - WebSocketIntegrationTest large payload: 32-bit size_t truncation on i586 +%global ctest_exclude _Online$ +%ifarch %{ix86} +%global ctest_exclude %{ctest_exclude}|ETagTest\.(LastModifiedAndIfModifiedSince|IfRangeWithDate)|WebSocketIntegrationTest\.(LargeMessage|MaxPayloadAtLimit) +%endif +%ifarch %{arm} +%global ctest_exclude %{ctest_exclude}|ETagTest\.(LastModifiedAndIfModifiedSince|IfRangeWithDate) +%endif +%ctest --parallel 1 --exclude-regex '%{ctest_exclude}' %ldconfig_scriptlets -n lib%{name}%{libver} ++++++ OpenStreamMalformedContentLength.patch ++++++ >From dd8071a7d496234847f401fe619b58788d67179e Mon Sep 17 00:00:00 2001 From: yhirose <[email protected]> Date: Tue, 17 Mar 2026 17:07:46 -0400 Subject: [PATCH] Fix #2397 --- test/test.cc | 59 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 23 deletions(-) diff --git a/test/test.cc b/test/test.cc index 776d704bd5..e7fcac8a83 100644 --- a/test/test.cc +++ b/test/test.cc @@ -13827,9 +13827,9 @@ TEST_F(OpenStreamTest, ProhibitedTrailersAreIgnored_Stream) { EXPECT_EQ(std::string(""), handle.response->get_header_value("X-Allowed")); } -static std::thread serve_single_response(int port, +static std::thread serve_single_response(std::promise<int> &port_promise, const std::string &response) { - return std::thread([port, response] { + return std::thread([&port_promise, response] { auto srv = ::socket(AF_INET, SOCK_STREAM, 0); default_socket_options(srv); detail::set_socket_opt_time(srv, SOL_SOCKET, SO_RCVTIMEO, 5, 0); @@ -13837,7 +13837,7 @@ static std::thread serve_single_response(int port, sockaddr_in addr{}; addr.sin_family = AF_INET; - addr.sin_port = htons(static_cast<uint16_t>(port)); + addr.sin_port = htons(0); // Let OS assign a free port ::inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr); int opt = 1; @@ -13849,8 +13849,16 @@ static std::thread serve_single_response(int port, #endif sizeof(opt)); - ::bind(srv, reinterpret_cast<sockaddr *>(&addr), sizeof(addr)); - ::listen(srv, 1); + if (::bind(srv, reinterpret_cast<sockaddr *>(&addr), sizeof(addr)) != 0 || + ::listen(srv, 1) != 0) { + port_promise.set_value(-1); + detail::close_socket(srv); + return; + } + + socklen_t addr_len = sizeof(addr); + ::getsockname(srv, reinterpret_cast<sockaddr *>(&addr), &addr_len); + port_promise.set_value(static_cast<int>(ntohs(addr.sin_port))); sockaddr_in cli_addr{}; socklen_t cli_len = sizeof(cli_addr); @@ -13880,17 +13888,19 @@ TEST(OpenStreamMalformedContentLength, InvalidArgument) { signal(SIGPIPE, SIG_IGN); #endif + std::promise<int> port_promise; + auto port_future = port_promise.get_future(); auto server_thread = - serve_single_response(PORT + 2, "HTTP/1.1 200 OK\r\n" - "Content-Type: text/plain\r\n" - "Content-Length: not-a-number\r\n" - "Connection: close\r\n" - "\r\n" - "hello"); - - std::this_thread::sleep_for(std::chrono::milliseconds(200)); - - Client cli("127.0.0.1", PORT + 2); + serve_single_response(port_promise, "HTTP/1.1 200 OK\r\n" + "Content-Type: text/plain\r\n" + "Content-Length: not-a-number\r\n" + "Connection: close\r\n" + "\r\n" + "hello"); + + auto port = port_future.get(); + ASSERT_GT(port, 0); + Client cli("127.0.0.1", port); auto handle = cli.open_stream("GET", "/"); EXPECT_FALSE(handle.is_valid()); @@ -13902,21 +13912,24 @@ TEST(OpenStreamMalformedContentLength, OutOfRange) { signal(SIGPIPE, SIG_IGN); #endif + std::promise<int> port_promise; + auto port_future = port_promise.get_future(); auto server_thread = serve_single_response( - PORT + 4, "HTTP/1.1 200 OK\r\n" - "Content-Type: text/plain\r\n" - "Content-Length: 99999999999999999999999999\r\n" - "Connection: close\r\n" - "\r\n" - "hello"); + port_promise, "HTTP/1.1 200 OK\r\n" + "Content-Type: text/plain\r\n" + "Content-Length: 99999999999999999999999999\r\n" + "Connection: close\r\n" + "\r\n" + "hello"); - std::this_thread::sleep_for(std::chrono::milliseconds(200)); + auto port = port_future.get(); + ASSERT_GT(port, 0); // Before the fix, std::stoull would throw std::out_of_range here and // crash the process. After the fix, strtoull silently clamps to // ULLONG_MAX so the stream opens without crashing. The important thing // is that the process does NOT terminate. - Client cli("127.0.0.1", PORT + 4); + Client cli("127.0.0.1", port); auto handle = cli.open_stream("GET", "/"); EXPECT_TRUE(handle.is_valid()); (No newline at EOF) ++++++ cpp-httplib-0.28.0.tar.gz -> cpp-httplib-0.38.0.tar.gz ++++++ ++++ 52705 lines of diff (skipped)
