yhirose / cpp-httplib

A C++ header-only HTTP/HTTPS server and client library
MIT License

detail::is_valid_path returns true for paths with embedded NULs #1763

Closed wandernauta closed 8 months ago

wandernauta commented 8 months ago

The detail::is_valid_path function judges std::strings that contain embedded NUL bytes ('\0') as valid paths. At least on Linux, this is not the case: paths are NUL-terminated and cannot contain NULs. The interpretation difference means that the file request handler can be tricked into serving static files with an unexpected Content-Type:

% ~ › curl -I http://localhost:3456/style.css      
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4862
Content-Type: text/css
Keep-Alive: timeout=5, max=5

% ~ › curl -I http://localhost:3456/style.css%00.js
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4862
Content-Type: text/javascript
Keep-Alive: timeout=5, max=5

Tested on Linux with httplib 0.13.1.
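
The interpretation difference described in this report, as an added example that is not part of the issue thread or of cpp-httplib's code: a length-aware std::string keeps the bytes after the NUL, while a NUL-terminated C API stops at it. All function names here (`percent_decode`, `mime_for`, `os_view`, `has_embedded_nul`, `content_type_checked`) are hypothetical, and rejecting such paths outright is an assumed policy.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical decoder: "%00" becomes a real NUL byte inside the std::string.
std::string percent_decode(const std::string &in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] == '%' && i + 2 < in.size() &&
        std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
        std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
      out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
      i += 2;
    } else {
      out += in[i];
    }
  }
  return out;
}

// Hypothetical extension lookup over the whole std::string, NULs included.
std::string mime_for(const std::string &path) {
  const auto dot = path.rfind('.');
  const std::string ext = dot == std::string::npos ? "" : path.substr(dot + 1);
  if (ext == "css") return "text/css";
  if (ext == "js") return "text/javascript";
  return "application/octet-stream";
}

// What a NUL-terminated C API (open, stat) sees when handed path.c_str().
std::string os_view(const std::string &path) { return std::string(path.c_str()); }

bool has_embedded_nul(const std::string &path) {
  return path.find('\0') != std::string::npos;
}

// Assumed policy: reject (empty result) instead of truncating at the NUL.
std::string content_type_checked(const std::string &path) {
  return has_embedded_nul(path) ? std::string() : mime_for(path);
}

int main() {
  const std::string p = percent_decode("/style.css%00.js");  // constructed input
  std::cout << "type from std::string: " << mime_for(p) << "\n"
            << "path seen by the OS:   " << os_view(p) << "\n"
            << "checked result empty:  " << content_type_checked(p).empty() << "\n";
}
```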

yhirose commented 8 months ago

@wandernauta thanks for the report. Do you have time to fix this problem and make a pull request?