What's Changed
Security fixes
- Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching
iPAddressSAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces throughX509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte)iPAddressSANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)
Improvements
- Replace the
strtod-basedfrom_charsfordoublewith a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value;strtodreads the decimal separator from the global C locale, so an embedder callingsetlocale(LC_ALL, "")into a comma-decimal locale would mis-parse q-values. The new parser always treats.as the decimal separator and is allocation-free (Fix #2475) - Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe
X509_STORE_get1_objects()(OpenSSL 3.3+) and extract the subject CN viaX509_NAME_get_index_by_NID()/X509_NAME_get_entry()instead of the deprecatedX509_STORE_get0_objects()andX509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using theget0path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0
Behavior changes
decode_query_component()now uses strict hex parsing for percent-escapes, consistent withdecode_uri_component()anddecode_path_component(). A%followed by non-hex characters (e.g. a sign or whitespace such as%-1,%+5,% 5) is passed through literally instead of being accepted as a valid escape (#2472)
Internal
- OSS-Fuzz: add new fuzzer targets for multipart parsing (#2473)
Full Changelog: v0.47.0...v0.48.0