Files
cpp-httplib/test
yhirose fbb031ed85 Stop percent-decoding HTTP request header values
parse_header() applied decode_path_component() to every header value
except Location and Referer, after is_field_value() validation. Wire
sequences like %0D%0A passed the check and expanded into literal CR/LF
inside stored values, enabling response splitting, log injection, and
proxy smuggling. %3D/%2C/%3B also flipped Cookie and X-Forwarded-For
boundaries against WAFs inspecting the wire form.

RFC 9110 §5.5 specifies header values as opaque octets. Drop the
decoding and the Location/Referer special case (originally workarounds
for the same auto-decode misbehavior; redundant once decoding stops).
Applications that need URI semantics should call decode_uri_component()
or decode_path_component() on the result explicitly.

Add regression tests covering CRLF injection, %3D/%2C/%3B boundary
characters, UTF-8 and %uXXXX sequences, browser-style Referer URLs
containing %0A (issue #2033), and the explicit-decode migration
pattern.
2026-05-10 12:59:29 +09:00