diff --git a/README.md b/README.md
index e7d91abeaa..a8cbab9a0b 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
-**cpprestsdk is in maintenance mode and we do not recommend its use in new projects. We will continue to fix critical bugs and address security issues.**
+**The C++ REST SDK is in maintenance-only mode and we do not recommend its use in new projects.
+We will continue to fix critical security issues only.**
 ## Welcome!
@@ -61,7 +62,7 @@ target_link_libraries(main PRIVATE cpprestsdk::cpprest)
 Is there a feature missing that you'd like to see, or found a bug that you have a fix for? Or do you have an idea or just interest in helping out in building the library? Let us know and we'd love to work with you. For a good starting point on where we are headed and feature ideas, take a look at our [requested features and bugs](https://github.com/Microsoft/cpprestsdk/issues).
-Big or small we'd like to take your [contributions](https://github.com/Microsoft/cpprestsdk/wiki/Make-a-contribution-and-report-issues) back to help improve the C++ Rest SDK for everyone. If interested contact us askcasablanca at Microsoft dot com.
+Big or small we'd like to take your [contributions](https://github.com/Microsoft/cpprestsdk/wiki/Make-a-contribution-and-report-issues) back to help improve the C++ Rest SDK for everyone.
 ## Having Trouble?
diff --git a/Release/CMakeLists.txt b/Release/CMakeLists.txt
index b8f3809dbc..14e43cedcd 100644
--- a/Release/CMakeLists.txt
+++ b/Release/CMakeLists.txt
@@ -11,7 +11,7 @@ endif()
 set(CPPREST_VERSION_MAJOR 2)
 set(CPPREST_VERSION_MINOR 10)
-set(CPPREST_VERSION_REVISION 18)
+set(CPPREST_VERSION_REVISION 19)
 enable_testing()
diff --git a/Release/include/cpprest/base_uri.h b/Release/include/cpprest/base_uri.h
index 7c6943119c..7e96b6c016 100644
--- a/Release/include/cpprest/base_uri.h
+++ b/Release/include/cpprest/base_uri.h
@@ -296,13 +296,14 @@ class uri
 /// A loopback URI is one which refers to a hostname or ip address with meaning only on the local machine.
 ///
 ///
- /// Examples include "localhost", or ip addresses in the loopback range (127.0.0.0/24).
+ /// Examples include "localhost", or "127.0.0.1". The only URIs for which this method returns true are "127.0.0.1", and "localhost",
+ /// all other URIs return false
 ///
 /// true if this URI references the local host, false otherwise.
 bool is_host_loopback() const
 {
 return !is_empty() &&
- ((host() == _XPLATSTR("localhost")) || (host().size() > 4 && host().substr(0, 4) == _XPLATSTR("127.")));
+ ((host() == _XPLATSTR("localhost")) || (host() == _XPLATSTR("127.0.0.1")));
 }
 ///
diff --git a/Release/include/cpprest/details/SafeInt3.hpp b/Release/include/cpprest/details/SafeInt3.hpp
index 950ac80172..e6276f949b 100644
--- a/Release/include/cpprest/details/SafeInt3.hpp
+++ b/Release/include/cpprest/details/SafeInt3.hpp
@@ -1574,7 +1574,7 @@ class SafeCastHelper
 }
 template
- static void CastThrow(bool b, T& t) SAFEINT_CPP_THROW
+ static void CastThrow(T t, bool& b) SAFEINT_CPP_THROW
 {
 b = !!t;
 }
diff --git a/Release/include/cpprest/producerconsumerstream.h b/Release/include/cpprest/producerconsumerstream.h
index 28463372e4..3487c4606f 100644
--- a/Release/include/cpprest/producerconsumerstream.h
+++ b/Release/include/cpprest/producerconsumerstream.h
@@ -584,7 +584,7 @@ class basic_producer_consumer_buffer : public streams::details::streambuf_state_
 // If front block is not empty - we are done if (m_blocks.front()->rd_chars_left() > 0) break;
- // The block has no more data to be read. Relase the block
+ // The block has no more data to be read. Release the block
 m_blocks.pop_front();
 }
 }
diff --git a/Release/include/cpprest/version.h b/Release/include/cpprest/version.h
index d8771581ad..3f86f141fb 100644
--- a/Release/include/cpprest/version.h
+++ b/Release/include/cpprest/version.h
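Review bot: The rewritten doc comment on the two `+ /// Examples include ...` lines should state what the new exact-match contract rejects, because code that used this method for trust decisions will otherwise keep assuming the old `127.` prefix contract. After this change every other 127/8 address, the IPv6 loopback `::1`, and any differently-cased spelling of `localhost` return false unless host() already normalizes case, which is not visible in this hunk and is worth confirming. Suggested wording: `/// Only the exact host strings "localhost" and "127.0.0.1" are treated as loopback; other 127/8 addresses, IPv6 ::1 and any other spelling return false, because the previous prefix test also accepted hostnames such as "127.evil.com".` The return expression also calls host() three times; binding it once with `const auto& h = host();` keeps both comparisons against a single value. The enclosing class uri continues outside the hunk.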
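Review bot: The corrected signature `static void CastThrow(T t, bool& b) SAFEINT_CPP_THROW` still carries no comment explaining why this overload, unlike a range-checked cast, can simply assign `b = !!t;` without any check, and after the parameter swap that is the first thing a reader will ask. A one-line note above the signature such as `// Converting to bool cannot overflow: any non-zero value maps to true, so no range check is needed.` would document it. The template parameter list and the rest of class SafeCastHelper lie outside the hunk, so whether any caller or declaration elsewhere still uses the old argument order cannot be checked from here.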
@@ -5,6 +5,6 @@ */
 #define CPPREST_VERSION_MINOR 10
 #define CPPREST_VERSION_MAJOR 2
-#define CPPREST_VERSION_REVISION 18
+#define CPPREST_VERSION_REVISION 19
 #define CPPREST_VERSION (CPPREST_VERSION_MAJOR * 100000 + CPPREST_VERSION_MINOR * 100 + CPPREST_VERSION_REVISION)
diff --git a/Release/tests/common/UnitTestpp/src/TestRunner.cpp b/Release/tests/common/UnitTestpp/src/TestRunner.cpp
index 807a0e3b10..69551f3e2e 100644
--- a/Release/tests/common/UnitTestpp/src/TestRunner.cpp
+++ b/Release/tests/common/UnitTestpp/src/TestRunner.cpp
@@ -39,6 +39,7 @@
 #include
 #include
 #else
+#include
 #include
 #endif
diff --git a/Release/tests/functional/uri/constructor_tests.cpp b/Release/tests/functional/uri/constructor_tests.cpp
index ea6041c26a..ffcf5ada27 100644
--- a/Release/tests/functional/uri/constructor_tests.cpp
+++ b/Release/tests/functional/uri/constructor_tests.cpp
@@ -24,6 +24,11 @@ namespace uri_tests { SUITE(constructor_tests) {
+ TEST(not_really_a_loopback_uri)
+ {
+ uri u(uri::encode_uri(U("https://127.evil.com")));
+ VERIFY_IS_FALSE(u.is_host_loopback());
+ }
 TEST(parsing_constructor_char)
 {
 uri u(uri::encode_uri(U("net.tcp://steve:@testname.com:81/bleh%?qstring#goo")));
diff --git a/Release/tests/functional/uri/diagnostic_tests.cpp b/Release/tests/functional/uri/diagnostic_tests.cpp
index d8fb45d91c..3271898f60 100644
--- a/Release/tests/functional/uri/diagnostic_tests.cpp
+++ b/Release/tests/functional/uri/diagnostic_tests.cpp
@@ -82,7 +82,7 @@ SUITE(diagnostic_tests)
 VERIFY_IS_FALSE(uri(U("http://bleh/?qstring")).is_host_loopback());
 VERIFY_IS_FALSE(uri(U("http://+*/?qstring")).is_host_loopback());
 VERIFY_IS_TRUE(uri(U("http://127.0.0.1/")).is_host_loopback());
- VERIFY_IS_TRUE(uri(U("http://127.155.0.1/")).is_host_loopback());
+ VERIFY_IS_FALSE(uri(U("http://127.155.0.1/")).is_host_loopback());
 VERIFY_IS_FALSE(uri(U("http://128.0.0.1/")).is_host_loopback());
 }
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..869fdfe2b2
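Review bot: The new `not_really_a_loopback_uri` test pins only the one `127.evil.com` shape that the old prefix check accepted, and it is placed in the constructor suite even though the existing is_host_loopback assertions live in the diagnostic_tests.cpp hunk that follows, where the flipped `127.155.0.1` expectation now sits. The exact-match contract the fix introduces would be pinned more completely by adding, next to that flipped line, `VERIFY_IS_FALSE(uri(U("http://127.0.0.1.evil.com/")).is_host_loopback());` and `VERIFY_IS_FALSE(uri(U("http://127.0.0.10/")).is_host_loopback());`, plus `VERIFY_IS_TRUE(uri(U("http://localhost/")).is_host_loopback());` if the lines above the hunk do not already cover it. Keeping all loopback cases in one block also makes the next change to this predicate easier to review. Both SUITE bodies continue outside their hunks.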
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,41 @@
+
+ ## Security
+
+ Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+ If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+ ## Reporting Security Issues
+
+ **Please do not report security vulnerabilities through public GitHub issues.**
+
+ Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+ If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+ You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).
+
+ Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+ * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+ * Full paths of source file(s) related to the manifestation of the issue
+ * The location of the affected source code (tag/branch/commit or direct URL)
+ * Any special configuration required to reproduce the issue
+ * Step-by-step instructions to reproduce the issue
+ * Proof-of-concept or exploit code (if possible)
+ * Impact of the issue, including how an attacker might exploit the issue
+
+ This information will help us triage your report more quickly.
+
+ If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+ ## Preferred Languages
+
+ We prefer all communications to be in English.
+
+ ## Policy
+
+ Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+
diff --git a/changelog.md b/changelog.md
index c547665912..7a9b6dfe04 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,3 +1,12 @@
+cpprestsdk (2.10.19)
+* PR#1982 make Uri.is_host_loopback() only return true for localhost and 127.0.0.1 exactly.
+ The old behavior could potentially return "true" for URLs that were not, in fact, local,
+ and this could cause security issues if is_host_loopback was used in certain ways.
+* PR#1711 Fix likely typo in SafeInt3.hpp, that results in error with clang 15
+* PR#1496 Support for oauth2 with "client_credentials" grant type.
+* PR#1429 Add constructor from all integer types for json value.
+* PR#1577 export http_exception for non Windows builds using visibility macros.
+
 cpprestsdk (2.10.18)
 * PR#1571 Add ability to parse and emit the NT Epoch 1601-01-01T00:00:00Z
 * PR#1571 Update vcpkg submodule