What's Changed
Security fixes
- Fix CRLF injection in chunked response trailers. Trailer field names and values written via
DataSink::done_with_trailer()were never validated, unlike every other header output path (set_header, WebSocket handshake, client request headers). An application reflecting untrusted input into a trailer could inject CR/LF sequences and achieve HTTP response splitting. Trailer fields with invalid names or values are now silently skipped, matchingset_header()'s existing behavior
Breaking changes
- Add
Get(path, params, progress)overload toClientImpl/Client(#2486). This makes calls that pass a headers argument as a braced initializer list — e.g.cli.Get(path, {{"Accept", "..."}})— ambiguous between the existingGet(path, headers)overload and the newGet(path, params)overload, since{{...}}can construct eitherHeadersorParams. Existing code relying on that implicit conversion will fail to compile with an "ambiguous call" error; disambiguate by wrapping the argument explicitly, e.g.cli.Get(path, Headers{{"Accept", "..."}}). All in-tree call sites (test.cc, test_proxy.cc, README) were updated to do this
Bug fixes
- Fix use-after-free in
SSLClientdestructor with mbedTLS (Fix #2492).SSLClient::~SSLClient()freed the TLS context before shutting down the SSL session. mbedTLS sessions hold a raw pointer into the context'smbedtls_ssl_config, so a live keep-alive session'sclose_notifycould read freed memory. The session is now shut down before the context is freed - Fix
Response::content_length_not reflecting body size inLogger(Fix #2488).Server::apply_rangescomputed the correctContent-Lengthheader for body-based responses but never updatedcontent_length_, so theLoggercallback always saw 0. It now reflects the final body size (post-range/post-compression)
Docs
- Fix README WebSocket example to match actual API (Fix #2493). The quick preview referenced a nonexistent
httplib::ws::Messagetype with.is_text()/.data; the actual API uses a plainstd::stringwithws.read(msg), as already shown in README-websocket.md - Fix broken relative links in cookbook docs (Fix #2490). Cookbook body links referenced sibling pages with a bare slug (e.g.
c14-keep-alive), which 404 under the pretty-URL layout since each page lives in its own directory. Links are now prefixed with../to match convention
Full Changelog: v0.49.0...v0.50.0