github yhirose/cpp-httplib v0.44.0
on GitHub

6 hours ago

What's Changed

Breaking change (behavioral)

  • Stop percent-decoding HTTP request header values. parse_header() previously applied decode_path_component() to every header value (except Location / Referer) after is_field_value() validation, so wire sequences like %0D%0A passed validation and expanded into literal CR/LF inside stored values — enabling response splitting, log injection, and proxy smuggling. %3D / %2C / %3B likewise flipped Cookie and X-Forwarded-For boundaries against WAFs inspecting the wire form. RFC 9110 §5.5 specifies header values as opaque octets, so the auto-decode (and the Location / Referer workarounds for the same misbehavior) has been removed. Applications that need URI semantics on a header value should now call decode_uri_component() or decode_path_component() on the result explicitly. Fixes the long-standing Referer-with-%0A issue (#2033) (fbb031e)

Bug fixes

  • Make ThreadPool constructor exception-safe on partial thread creation. If std::thread construction throws partway through (e.g. pthread_create returns EAGAIN under thread-resource pressure), the partially-built threads_ vector would destruct joinable std::thread objects and call std::terminate(). The spawn loop now signals shutdown to the workers already created, joins them, and rethrows. Fix #2444 (#2445)

Tooling

  • scripts/release.sh gains a --minor flag to force a minor bump even when abidiff reports no ABI break, for behavioral breaking changes like the header-decoding fix above (e8e6528)
Check out latest releases or
releases around yhirose/cpp-httplib v0.44.0

Don't miss a new cpp-httplib release

NewReleases is sending notifications on new releases.

Get notifications