From bc983f30186f3c204b1daea57b0057f93b74dde1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Sun, 30 Jun 2024 16:13:02 +0200 Subject: New upstream version 0.9.8+dfsg --- .github/workflows/build-and-test.yml | 16 ++++++++-------- CMakeLists.txt | 24 ++++++++++++++++++------ ChangeLog | 27 +++++++++++++++++++++++++++ README.md | 8 ++++---- THANKS | 3 ++- cmake/test_find_package/CMakeLists.txt | 2 +- include/uriparser/Uri.h | 32 +++++++++++++++++++++++++++----- include/uriparser/UriBase.h | 2 +- src/UriQuery.c | 16 ++++++++++------ 9 files changed, 98 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 168fa2b..f330d27 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -17,14 +17,14 @@ jobs: include: - name: Native Linux cmake_args: >- - -DCMAKE_C_COMPILER=clang-15 - -DCMAKE_CXX_COMPILER=clang++-15 + -DCMAKE_C_COMPILER=clang-18 + -DCMAKE_CXX_COMPILER=clang++-18 cflags: >- -fsanitize=address,undefined,leak -fno-sanitize-recover=all -fno-omit-frame-pointer ldflags: >- - -fsanitize=address + -fsanitize=address,undefined,leak - name: MingGW on Linux cmake_args: >- -DCMAKE_C_COMPILER=i686-w64-mingw32-gcc @@ -34,7 +34,7 @@ jobs: -DMINGW=ON runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3.0.2 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Add Clang/LLVM repositories (Non-MinGW) if: "${{ ! contains(matrix.cmake_args, 'mingw') }}" @@ -42,7 +42,7 @@ jobs: set -x source /etc/os-release wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - - sudo add-apt-repository "deb http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-15 main" + sudo add-apt-repository "deb http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-18 main" - name: Install build dependencies run: |- @@ -86,8 +86,8 @@ jobs: if: "${{ ! contains(matrix.cmake_args, 'mingw') }}" run: |- sudo apt-get install --yes --no-install-recommends -V \ - clang-15 \ - llvm-15 + clang-18 \ + libclang-rt-18-dev - name: Build, test and install run: |- @@ -104,7 +104,7 @@ jobs: cd googletest-release-${GTEST_VERSION}/ # Silence warning "Compatibility with CMake < 2.8.12 will be removed" - find -name CMakeLists.txt -print -exec sed 's/cmake_minimum_required.*/cmake_minimum_required(VERSION 3.0.2)/' -i {} \; + find -name CMakeLists.txt -print -exec sed 's/cmake_minimum_required.*/cmake_minimum_required(VERSION 3.5.0)/' -i {} \; cmake \ -DBUILD_SHARED_LIBS=ON \ diff --git a/CMakeLists.txt b/CMakeLists.txt index 313092a..77f8ada 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -34,18 +34,18 @@ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED # OF THE POSSIBILITY OF SUCH DAMAGE. # -cmake_minimum_required(VERSION 3.3) +cmake_minimum_required(VERSION 3.5.0) project(uriparser VERSION - 0.9.7 + 0.9.8 LANGUAGES C ) # See https://verbump.de/ for what these numbers do set(URIPARSER_SO_CURRENT 1) -set(URIPARSER_SO_REVISION 30) +set(URIPARSER_SO_REVISION 31) set(URIPARSER_SO_AGE 0) include(CheckCCompilerFlag) @@ -58,7 +58,12 @@ include(GNUInstallDirs) # # Configuration # -option(BUILD_SHARED_LIBS "Build shared libraries (rather than static ones)" ON) +if(DEFINED BUILD_SHARED_LIBS) + set(_URIPARSER_SHARED_LIBS_DEFAULT ${BUILD_SHARED_LIBS}) +else() + set(_URIPARSER_SHARED_LIBS_DEFAULT ON) +endif() +option(URIPARSER_SHARED_LIBS "Build shared libraries (rather than static ones)" ${_URIPARSER_SHARED_LIBS_DEFAULT}) option(URIPARSER_BUILD_DOCS "Build API documentation (requires Doxygen, Graphviz, and (optional) Qt's qhelpgenerator)" ON) option(URIPARSER_BUILD_TESTS "Build test suite (requires GTest >=1.8.0)" ON) option(URIPARSER_BUILD_TOOLS "Build tools (e.g. CLI \"uriparse\")" ON) @@ -83,6 +88,12 @@ if(URIPARSER_BUILD_TESTS) enable_language(CXX) endif() +if(URIPARSER_SHARED_LIBS) + set(_URIPARSER_STATIC_OR_SHARED SHARED) +else() + set(_URIPARSER_STATIC_OR_SHARED STATIC) +endif() + macro(uriparser_apply_msvc_runtime_to ref) string(REGEX REPLACE "/M[DT]d?" ${URIPARSER_MSVC_RUNTIME} ${ref} "${${ref}}") endmacro() @@ -151,6 +162,7 @@ set(LIBRARY_CODE_FILES ) add_library(uriparser + ${_URIPARSER_STATIC_OR_SHARED} ${API_HEADER_FILES} ${LIBRARY_CODE_FILES} ) @@ -175,7 +187,7 @@ set_property( ) target_compile_definitions(uriparser PRIVATE URI_LIBRARY_BUILD) -if (NOT BUILD_SHARED_LIBS) +if (NOT URIPARSER_SHARED_LIBS) target_compile_definitions(uriparser PUBLIC URI_STATIC_BUILD) endif() if(NOT URIPARSER_BUILD_CHAR) @@ -464,7 +476,7 @@ message(STATUS "================================================================ message(STATUS "") message(STATUS "Configuration") message(STATUS " Build type ............. ${CMAKE_BUILD_TYPE}") -message(STATUS " Shared libraries ....... ${BUILD_SHARED_LIBS}") +message(STATUS " Shared libraries ....... ${URIPARSER_SHARED_LIBS}") message(STATUS " Compiler flags") message(STATUS " C .................... ${CMAKE_C_FLAGS}") message(STATUS " C++ .................. ${CMAKE_CXX_FLAGS}") diff --git a/ChangeLog b/ChangeLog index 7cf421b..8f19bbf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,33 @@ NOTE: uriparser is looking for help with a few things: https://github.com/uriparser/uriparser/labels/help%20wanted If you can help, please get in touch. Thanks! +2024-05-05 -- 0.9.8 + +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Fixed: [CVE-2024-34402] + Protect against integer overflow in ComposeQueryEngine + (GitHub #183, GitHub #185) + * Fixed: [CVE-2024-34403] + Protect against integer overflow in ComposeQueryMallocExMm + (GitHub #183, GitHub #186) +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Changed: Require CMake >=3.5.0 (GitHub #172) + * Added: CMake option URIPARSER_SHARED_LIBS=(ON|OFF) to control, + whether to produce a shared or static library for uriparser + and that alone, falls back to standard BUILD_SHARED_LIBS + if available, else defaults to "ON" (GitHub #169, GitHub #170) + * Improved: Document that scheme-based normalization a la + section 6.2.3 of RFC 3986 is a responsibility of the application + using uriparser (GitHub #173, GitHub #174) + * Improved: Document supported code points for functions uriEscape(Ex)W + (GitHub #171, GitHub #175) + * Infrastructure: Update Clang from 15 to 18 (GitHub #161, GitHub #187) + * Infrastructure: Adapt to breaking changes in Clang packaging (GitHub #160) + * Infrastructure: Get sanitizer CFLAGS and LDFLAGS back in sync (GitHub #161) + * Infrastructure: Pin GitHub Actions to specific commits for security + (GitHub #165) + * Soname: 1:31:0 — see https://verbump.de/ for what these numbers do + 2022-10-05 -- 0.9.7 * Fixed: Multiple issues with IPv6 and IPvFuture literal parsing diff --git a/README.md b/README.md index 2846e9d..d399ca2 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ please check out [https://uriparser.github.io/](https://uriparser.github.io/). # Example use from an existing CMake project ```cmake -cmake_minimum_required(VERSION 3.3) +cmake_minimum_required(VERSION 3.5.0) project(hello VERSION 1.0.0) @@ -49,9 +49,6 @@ target_link_libraries(hello PUBLIC uriparser::uriparser) ## Available CMake options (and defaults) ```console # rm -f CMakeCache.txt ; cmake -LH . | grep -B1 ':.*=' | sed 's,--,,' -// Build shared libraries (rather than static ones) -BUILD_SHARED_LIBS:BOOL=ON - // Choose the type of build, options are: None Debug Release RelWithDebInfo MinSizeRel ... CMAKE_BUILD_TYPE:STRING= @@ -82,6 +79,9 @@ URIPARSER_ENABLE_INSTALL:BOOL=ON // Use of specific runtime library (/MT /MTd /MD /MDd) with MSVC URIPARSER_MSVC_RUNTIME:STRING= +// Build shared libraries (rather than static ones) +URIPARSER_SHARED_LIBS:BOOL=ON + // Treat all compiler warnings as errors URIPARSER_WARNINGS_AS_ERRORS:BOOL=OFF ``` diff --git a/THANKS b/THANKS index 3213f9b..a394948 100644 --- a/THANKS +++ b/THANKS @@ -67,7 +67,8 @@ Shehzan Mohammed SpaceIm Valentin Haenel Vitaly Lipatov -Yang Yu Wouter Beek +Yan Li +Yang Yu Zachary Lund Zane van Iperen diff --git a/cmake/test_find_package/CMakeLists.txt b/cmake/test_find_package/CMakeLists.txt index a9609c5..77527cd 100644 --- a/cmake/test_find_package/CMakeLists.txt +++ b/cmake/test_find_package/CMakeLists.txt @@ -34,7 +34,7 @@ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED # OF THE POSSIBILITY OF SUCH DAMAGE. # -cmake_minimum_required(VERSION 3.0) +cmake_minimum_required(VERSION 3.5.0) project(test-find-package VERSION 1.0) diff --git a/include/uriparser/Uri.h b/include/uriparser/Uri.h index d2c8610..b80ac6c 100644 --- a/include/uriparser/Uri.h +++ b/include/uriparser/Uri.h @@ -1,4 +1,4 @@ -/* 4bf720e0ca97527a28e4c30f1c35b36a0b5f2697265c5ddc81080eaab4344ef2 (0.9.7+) +/* e8e2c75d033ddfe256fe87c3fd5a330a6f2c9cbb376ebd83a1b3263e804c766a (0.9.8+) * * uriparser - RFC 3986 URI parsing library * @@ -352,10 +352,19 @@ URI_PUBLIC int URI_FUNC(FreeUriMembersMm)(URI_TYPE(Uri) * uri, /** * Percent-encodes all unreserved characters from the input string and * writes the encoded version to the output string. - * Be sure to allocate 3 times the space of the input buffer for + * + * NOTE: Be sure to allocate 3 times the space of the input buffer for * the output buffer for normalizeBreaks == URI_FALSE and 6 times * the space for normalizeBreaks == URI_TRUE - * (since e.g. "\x0d" becomes "%0D%0A" in that case) + * (since e.g. "\x0d" becomes "%0D%0A" in that case). + * + * NOTE: The implementation treats (both char and) wchar_t units + * as code point integers, which works well for code points U+0001 to U+00ff + * in host-native endianness but nothing more; + * in particular, using uriEscapeExW with arbitrary Unicode input will + * not produce healthy results. + * Passing UTF-8 input to uriEscapeExA may be useful in some scenarios. + * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987). * * @param inFirst IN: Pointer to first character of the input text * @param inAfterLast IN: Pointer after the last character of the input text @@ -377,10 +386,19 @@ URI_PUBLIC URI_CHAR * URI_FUNC(EscapeEx)(const URI_CHAR * inFirst, /** * Percent-encodes all unreserved characters from the input string and * writes the encoded version to the output string. - * Be sure to allocate 3 times the space of the input buffer for + * + * NOTE: Be sure to allocate 3 times the space of the input buffer for * the output buffer for normalizeBreaks == URI_FALSE and 6 times * the space for normalizeBreaks == URI_TRUE - * (since e.g. "\x0d" becomes "%0D%0A" in that case) + * (since e.g. "\x0d" becomes "%0D%0A" in that case). + * + * NOTE: The implementation treats (both char and) wchar_t units + * as code point integers, which works well for code points U+0001 to U+00ff + * in host-native endianness but nothing more; + * in particular, using uriEscapeW with arbitrary Unicode input will + * not produce healthy results. + * Passing UTF-8 input to uriEscapeA may be useful in some scenarios. + * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987). * * @param in IN: Text source * @param out OUT: Encoded text destination @@ -608,6 +626,10 @@ URI_PUBLIC int URI_FUNC(ToStringCharsRequired)(const URI_TYPE(Uri) * uri, * Converts a %URI structure back to text as described in * section 5.3 of RFC 3986. * + * NOTE: Scheme-based normalization + * (section 6.2.3 of RFC 3986) + * is not applied and is considered a responsibility of the application using uriparser. + * * @param dest OUT: Output destination * @param uri IN: %URI to convert * @param maxChars IN: Maximum number of characters to copy including terminator diff --git a/include/uriparser/UriBase.h b/include/uriparser/UriBase.h index 5216b1d..dc3883e 100644 --- a/include/uriparser/UriBase.h +++ b/include/uriparser/UriBase.h @@ -55,7 +55,7 @@ /* Version */ #define URI_VER_MAJOR 0 #define URI_VER_MINOR 9 -#define URI_VER_RELEASE 7 +#define URI_VER_RELEASE 8 #define URI_VER_SUFFIX_ANSI "" #define URI_VER_SUFFIX_UNICODE URI_ANSI_TO_UNICODE(URI_VER_SUFFIX_ANSI) diff --git a/src/UriQuery.c b/src/UriQuery.c index b2734bc..bbc1548 100644 --- a/src/UriQuery.c +++ b/src/UriQuery.c @@ -70,6 +70,7 @@ #include +#include /* size_t */ @@ -177,10 +178,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest, if (res != URI_SUCCESS) { return res; } + if (charsRequired == INT_MAX) { + return URI_ERROR_MALLOC; + } charsRequired++; /* Allocate space */ - queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR)); + queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR)); if (queryString == NULL) { return URI_ERROR_MALLOC; } @@ -218,16 +222,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest, const URI_CHAR * const key = queryList->key; const URI_CHAR * const value = queryList->value; const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3); - const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key); + const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key); int keyRequiredChars; - const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value); + const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value); int valueRequiredChars; - if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) { + if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) { return URI_ERROR_OUTPUT_TOO_LARGE; } - keyRequiredChars = worstCase * keyLen; - valueRequiredChars = worstCase * valueLen; + keyRequiredChars = worstCase * (int)keyLen; + valueRequiredChars = worstCase * (int)valueLen; if (dest == NULL) { (*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL) -- cgit v1.2.3