deps: update llhttp to 9.4.0

deps/llhttp/CMakeLists.txt

@@ -1,8 +1,9 @@
 cmake_minimum_required(VERSION 3.25.0)
 cmake_policy(SET CMP0069 NEW)
 
-project(llhttp VERSION 9.3.1)
+project(llhttp VERSION 9.4.0)
 include(GNUInstallDirs)
+include(CMakePackageConfigHelpers)
 
 set(CMAKE_C_STANDARD 99)
 
@@ -66,18 +67,6 @@ function(config_library target)
     ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
     PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
   )
-
-  install(FILES
-    ${CMAKE_CURRENT_SOURCE_DIR}/libllhttp.pc
-    DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
-  )
-
-  # This is required to work with FetchContent
-  install(EXPORT llhttp
-    FILE llhttp-config.cmake
-    NAMESPACE llhttp::
-    DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/llhttp
-  )
 endfunction(config_library target)
 
 if(LLHTTP_BUILD_SHARED_LIBS)
@@ -98,6 +87,36 @@ if(LLHTTP_BUILD_STATIC_LIBS)
   config_library(llhttp_static)
 endif()
 
+if(TARGET llhttp_shared OR TARGET llhttp_static)
+  install(FILES
+    ${CMAKE_CURRENT_SOURCE_DIR}/libllhttp.pc
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig
+  )
+
+  install(EXPORT llhttp
+    FILE llhttp-targets.cmake
+    NAMESPACE llhttp::
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/llhttp
+  )
+
+  configure_package_config_file(
+    ${CMAKE_CURRENT_SOURCE_DIR}/cmake/llhttpConfig.cmake.in
+    ${CMAKE_CURRENT_BINARY_DIR}/llhttpConfig.cmake
+    INSTALL_DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/llhttp
+  )
+
+  write_basic_package_version_file(
+    ${CMAKE_CURRENT_BINARY_DIR}/llhttpConfigVersion.cmake
+    COMPATIBILITY AnyNewerVersion
+  )
+
+  install(FILES
+    ${CMAKE_CURRENT_BINARY_DIR}/llhttpConfig.cmake
+    ${CMAKE_CURRENT_BINARY_DIR}/llhttpConfigVersion.cmake
+    DESTINATION ${CMAKE_INSTALL_LIBDIR}/cmake/llhttp
+  )
+endif()
+
 # On windows with Visual Studio, add a debug postfix so that release
 # and debug libraries can coexist.
 if(MSVC)

deps/llhttp/LICENSE

@@ -1,6 +1,6 @@
-This software is licensed under the MIT License.
+MIT License
 
-Copyright Fedor Indutny, 2018.
+Copyright © 2018 Fedor Indutny
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the

deps/llhttp/README.md

@@ -112,7 +112,7 @@ The following callbacks can return `0` (proceed normally), `-1` (error) or `HPE_
 * `on_message_complete`: Invoked when a request/response has been completedly parsed.
 * `on_url_complete`: Invoked after the URL has been parsed.
 * `on_method_complete`: Invoked after the HTTP method has been parsed.
-* `on_protocol_complete`: Invoked after the HTTP version has been parsed.
+* `on_protocol_complete`: Invoked after the protocol has been parsed.
 * `on_version_complete`: Invoked after the HTTP version has been parsed.
 * `on_status_complete`: Invoked after the status code has been parsed.
 * `on_header_field_complete`: Invoked after a header name has been parsed.
@@ -397,6 +397,16 @@ With this flag this check is disabled.
 
 **Enabling this flag can pose a security issue since you will be exposed to request smuggling attacks. USE WITH CAUTION!**
 
+### `void llhttp_set_lenient_header_value_relaxed(llhttp_t* parser, int enabled)`
+
+Enables/disables relaxed handling of control characters in header values.
+
+Normally `llhttp` would error when header values contain characters not in the valid set (HTAB, SP, VCHAR, OBS_TEXT). With
+this flag, control characters (except for NULL, CR & LF) will be accepted in header values.
+
+This does not create any known security issue, but does allow content considered 'invalid' by
+[RFC 9110](https://www.rfc-editor.org/rfc/rfc9110#name-field-values) and so should be avoided by default.
+
 ## Build Instructions
 
 Make sure you have [Node.js](https://nodejs.org/), npm and npx installed. Then under project directory run:

deps/llhttp/include/llhttp.h

@@ -3,8 +3,8 @@
 #define INCLUDE_LLHTTP_H_
 
 #define LLHTTP_VERSION_MAJOR 9
-#define LLHTTP_VERSION_MINOR 3
-#define LLHTTP_VERSION_PATCH 1
+#define LLHTTP_VERSION_MINOR 4
+#define LLHTTP_VERSION_PATCH 0
 
 #ifndef INCLUDE_LLHTTP_ITSELF_H_
 #define INCLUDE_LLHTTP_ITSELF_H_
@@ -118,7 +118,8 @@ enum llhttp_lenient_flags {
   LENIENT_OPTIONAL_LF_AFTER_CR = 0x40,
   LENIENT_OPTIONAL_CRLF_AFTER_CHUNK = 0x80,
   LENIENT_OPTIONAL_CR_BEFORE_LF = 0x100,
-  LENIENT_SPACES_AFTER_CHUNK_SIZE = 0x200
+  LENIENT_SPACES_AFTER_CHUNK_SIZE = 0x200,
+  LENIENT_HEADER_VALUE_RELAXED = 0x400
 };
 typedef enum llhttp_lenient_flags llhttp_lenient_flags_t;
 
@@ -898,6 +899,23 @@ void llhttp_set_lenient_optional_crlf_after_chunk(llhttp_t* parser, int enabled)
 LLHTTP_EXPORT
 void llhttp_set_lenient_spaces_after_chunk_size(llhttp_t* parser, int enabled);
 
+/* Enables/disables relaxed handling of unusual characters in header values.
+ *
+ * RFC 9110 describes NULL, CR and LF as 'dangerous' and says they MUST be
+ * rejected, while other control characters are merely 'invalid' and discouraged,
+ * and are explicitly allowed by other standards (e.g. WHATWG Fetch) and
+ * in surprisingly common use on the web.
+ *
+ * This flag enables these 'invalid but common' characters, aiming to
+ * maximize compatibility without enabling any potentially dangerous scenarios.
+ *
+ * Unlike `llhttp_set_lenient_headers()`, this does NOT enable any other
+ * potentially unsafe behaviors (like accepting whitespace before colons
+ * or after the start line).
+ */
+LLHTTP_EXPORT
+void llhttp_set_lenient_header_value_relaxed(llhttp_t* parser, int enabled);
+
 #ifdef __cplusplus
 }  /* extern "C" */
 #endif

deps/llhttp/src/api.c

@@ -316,6 +316,14 @@ void llhttp_set_lenient_spaces_after_chunk_size(llhttp_t* parser, int enabled) {
   }
 }
 
+void llhttp_set_lenient_header_value_relaxed(llhttp_t* parser, int enabled) {
+  if (enabled) {
+    parser->lenient_flags |= LENIENT_HEADER_VALUE_RELAXED;
+  } else {
+    parser->lenient_flags &= ~LENIENT_HEADER_VALUE_RELAXED;
+  }
+}
+
 /* Callbacks */