Skip to content

v0.50.0

Latest

Choose a tag to compare

@yhirose yhirose released this 11 Jul 20:05

What's Changed

Security fixes

  • Fix CRLF injection in chunked response trailers. Trailer field names and values written via DataSink::done_with_trailer() were never validated, unlike every other header output path (set_header, WebSocket handshake, client request headers). An application reflecting untrusted input into a trailer could inject CR/LF sequences and achieve HTTP response splitting. Trailer fields with invalid names or values are now silently skipped, matching set_header()'s existing behavior

Breaking changes

  • Add Get(path, params, progress) overload to ClientImpl/Client (#2486). This makes calls that pass a headers argument as a braced initializer list — e.g. cli.Get(path, {{"Accept", "..."}}) — ambiguous between the existing Get(path, headers) overload and the new Get(path, params) overload, since {{...}} can construct either Headers or Params. Existing code relying on that implicit conversion will fail to compile with an "ambiguous call" error; disambiguate by wrapping the argument explicitly, e.g. cli.Get(path, Headers{{"Accept", "..."}}). All in-tree call sites (test.cc, test_proxy.cc, README) were updated to do this

Bug fixes

  • Fix use-after-free in SSLClient destructor with mbedTLS (Fix #2492). SSLClient::~SSLClient() freed the TLS context before shutting down the SSL session. mbedTLS sessions hold a raw pointer into the context's mbedtls_ssl_config, so a live keep-alive session's close_notify could read freed memory. The session is now shut down before the context is freed
  • Fix Response::content_length_ not reflecting body size in Logger (Fix #2488). Server::apply_ranges computed the correct Content-Length header for body-based responses but never updated content_length_, so the Logger callback always saw 0. It now reflects the final body size (post-range/post-compression)

Docs

  • Fix README WebSocket example to match actual API (Fix #2493). The quick preview referenced a nonexistent httplib::ws::Message type with .is_text()/.data; the actual API uses a plain std::string with ws.read(msg), as already shown in README-websocket.md
  • Fix broken relative links in cookbook docs (Fix #2490). Cookbook body links referenced sibling pages with a bare slug (e.g. c14-keep-alive), which 404 under the pretty-URL layout since each page lives in its own directory. Links are now prefixed with ../ to match convention

Full Changelog: v0.49.0...v0.50.0