From 006271f6a782141a7c9cef17e6d76f080c022add Mon Sep 17 00:00:00 2001
From: Charlie Barto
Date: Mon, 4 Dec 2023 19:58:39 -0800
Subject: [PATCH 1/4] make Uri.is_host_loopback() only return true for localhost and 127.0.0.1 exactly
---
Release/include/cpprest/base_uri.h | 5 +++--
Release/tests/functional/uri/constructor_tests.cpp | 5 +++++
Release/tests/functional/uri/diagnostic_tests.cpp | 2 +-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/Release/include/cpprest/base_uri.h b/Release/include/cpprest/base_uri.h
index 7c6943119c..7e96b6c016 100644
--- a/Release/include/cpprest/base_uri.h
+++ b/Release/include/cpprest/base_uri.h
@@ -296,13 +296,14 @@ class uri
/// A loopback URI is one which refers to a hostname or ip address with meaning only on the local machine.
///
///
- /// Examples include "localhost", or ip addresses in the loopback range (127.0.0.0/24).
+ /// Examples include "localhost", or "127.0.0.1". The only URIs for which this method returns true are "127.0.0.1", and "localhost",
+ /// all other URIs return false
///
/// true if this URI references the local host, false otherwise.
bool is_host_loopback() const
{
return !is_empty() &&
- ((host() == _XPLATSTR("localhost")) || (host().size() > 4 && host().substr(0, 4) == _XPLATSTR("127.")));
+ ((host() == _XPLATSTR("localhost")) || (host() == _XPLATSTR("127.0.0.1")));
}
///
diff --git a/Release/tests/functional/uri/constructor_tests.cpp b/Release/tests/functional/uri/constructor_tests.cpp
index ea6041c26a..ffcf5ada27 100644
--- a/Release/tests/functional/uri/constructor_tests.cpp
+++ b/Release/tests/functional/uri/constructor_tests.cpp
@@ -24,6 +24,11 @@ namespace uri_tests
{
SUITE(constructor_tests)
{
+ TEST(not_really_a_loopback_uri)
+ {
+ uri u(uri::encode_uri(U("https://127.evil.com")));
+ VERIFY_IS_FALSE(u.is_host_loopback());
+ }
TEST(parsing_constructor_char)
{
uri u(uri::encode_uri(U("net.tcp://steve:@testname.com:81/bleh%?qstring#goo")));
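Review bot: The tightened predicate is now an exact string match, and the doc comment on the `+ /// Examples include` lines should spell out what that excludes so callers do not treat it as a general loopback test: other 127.0.0.0/8 addresses, the IPv6 loopback `[::1]`, and any hostname that merely resolves to a loopback address all return false, and a differently-cased spelling of localhost will too unless host() is already case-normalized, which this hunk does not show. Suggested wording in place of the second sentence (which is also a comma splice): `/// Only the literal host strings "localhost" and "127.0.0.1" match; other 127.0.0.0/8 addresses, the IPv6 loopback "[::1]", and names that merely resolve to a loopback address return false, and no name resolution is performed.` Dropping the old "127.0.0.0/24" text is correct in any case, since the loopback block is a /8.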
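Review bot: The new `TEST(not_really_a_loopback_uri)` is placed in SUITE(constructor_tests), but the existing is_host_loopback assertions live in SUITE(diagnostic_tests) (see the diagnostic_tests.cpp hunk of this same patch), so the regression check would be easier to find and keep consistent as one more line there: `VERIFY_IS_FALSE(uri(U("https://127.evil.com/")).is_host_loopback());`. If it stays here, a one-line comment naming what it guards against would help a later reader, e.g. `// regression: the old "127." prefix match accepted this non-loopback host`. The SUITE body continues past the end of the hunk.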
diff --git a/Release/tests/functional/uri/diagnostic_tests.cpp b/Release/tests/functional/uri/diagnostic_tests.cpp
index d8fb45d91c..3271898f60 100644
--- a/Release/tests/functional/uri/diagnostic_tests.cpp
+++ b/Release/tests/functional/uri/diagnostic_tests.cpp
@@ -82,7 +82,7 @@ SUITE(diagnostic_tests)
VERIFY_IS_FALSE(uri(U("http://bleh/?qstring")).is_host_loopback());
VERIFY_IS_FALSE(uri(U("http://+*/?qstring")).is_host_loopback());
VERIFY_IS_TRUE(uri(U("http://127.0.0.1/")).is_host_loopback());
- VERIFY_IS_TRUE(uri(U("http://127.155.0.1/")).is_host_loopback());
+ VERIFY_IS_FALSE(uri(U("http://127.155.0.1/")).is_host_loopback());
VERIFY_IS_FALSE(uri(U("http://128.0.0.1/")).is_host_loopback());
}
From 411a109150b270f23c8c97fa4ec9a0a4a98cdecf Mon Sep 17 00:00:00 2001
From: Charlie Barto
Date: Mon, 4 Dec 2023 20:23:31 -0800
Subject: [PATCH 2/4] mint 2.10.19
---
Release/CMakeLists.txt | 2 +-
Release/include/cpprest/version.h | 2 +-
changelog.md | 9 +++++++++
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/Release/CMakeLists.txt b/Release/CMakeLists.txt
index b8f3809dbc..14e43cedcd 100644
--- a/Release/CMakeLists.txt
+++ b/Release/CMakeLists.txt
@@ -11,7 +11,7 @@ endif()
set(CPPREST_VERSION_MAJOR 2)
set(CPPREST_VERSION_MINOR 10)
-set(CPPREST_VERSION_REVISION 18)
+set(CPPREST_VERSION_REVISION 19)
enable_testing()
diff --git a/Release/include/cpprest/version.h b/Release/include/cpprest/version.h
index d8771581ad..3f86f141fb 100644
--- a/Release/include/cpprest/version.h
+++ b/Release/include/cpprest/version.h
@@ -5,6 +5,6 @@ */
#define CPPREST_VERSION_MINOR 10
#define CPPREST_VERSION_MAJOR 2
-#define CPPREST_VERSION_REVISION 18
+#define CPPREST_VERSION_REVISION 19
#define CPPREST_VERSION (CPPREST_VERSION_MAJOR * 100000 + CPPREST_VERSION_MINOR * 100 + CPPREST_VERSION_REVISION)
diff --git a/changelog.md b/changelog.md
index c547665912..7a9b6dfe04 100644
--- a/changelog.md
+++ b/changelog.md
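Review bot: The flipped expectation on the `+ VERIFY_IS_FALSE(uri(U("http://127.155.0.1/"))` line now rejects an address that is genuinely inside the 127.0.0.0/8 loopback block, which a later maintainer could easily read as a bug and "fix" back; a comment stating that this is deliberate would protect it: `// Intentional: only the exact strings "localhost" and "127.0.0.1" count as loopback; other 127/8 addresses are rejected so that hosts like 127.example.com cannot pass a prefix check.` It would also be worth pinning the closest near-miss the old prefix match would have accepted, for example `VERIFY_IS_FALSE(uri(U("http://127.0.0.10/")).is_host_loopback());`, which differs from 127.0.0.1 only by a trailing digit. The enclosing TEST begins before the hunk.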
@@ -1,3 +1,12 @@
+cpprestsdk (2.10.19)
+* PR#1982 make Uri.is_host_loopback() only return true for localhost and 127.0.0.1 exactly. The old behavior could potentially return "true" for URLs that were not, in fact, local, and this could cause security issues if is_host_loopback was used in certain ways.
+* PR#1711 Fix likely typo in SafeInt3.hpp, that results in error with clang 15
+* PR#1496 Support for oauth2 with "client_credentials" grant type.
+* PR#1429 Add constructor from all integer types for json value.
+* PR#1577 export http_exception for non Windows builds using visibility macros.
+
cpprestsdk (2.10.18)
* PR#1571 Add ability to parse and emit the NT Epoch 1601-01-01T00:00:00Z
* PR#1571 Update vcpkg submodule
From 0b1ce318a757bbfb89bdb0fffb61ca4e38dc3b33 Mon Sep 17 00:00:00 2001
From: "Stephan T. Lavavej"
Date: Fri, 22 Nov 2024 17:52:57 -0800
Subject: [PATCH 3/4] Include `` for `system_clock` (#1811)
---
Release/tests/common/UnitTestpp/src/TestRunner.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/Release/tests/common/UnitTestpp/src/TestRunner.cpp b/Release/tests/common/UnitTestpp/src/TestRunner.cpp
index 807a0e3b10..69551f3e2e 100644
--- a/Release/tests/common/UnitTestpp/src/TestRunner.cpp
+++ b/Release/tests/common/UnitTestpp/src/TestRunner.cpp
@@ -39,6 +39,7 @@
#include
#include
#else
+#include
#include
#endif
From 1df8d747a04e2e9855bddd15ca045107796fb6c6 Mon Sep 17 00:00:00 2001
From: Mahmoud Saleh <12202790+MahmoudGSaleh@users.noreply.github.com>
Date: Tue, 21 Apr 2026 15:46:37 -0700
Subject: [PATCH 4/4] Update maintenance status message in README
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c2e8f3cbdb..a8cbab9a0b 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
-**cpprestsdk is in maintenance mode and we do not recommend its use in new projects. We will continue to fix critical bugs and address security issues.**
+**The C++ REST SDK is in maintenance-only mode and we do not recommend its use in new projects.
+We will continue to fix critical security issues only.**
## Welcome!