author | robot-contrib <robot-contrib@yandex-team.com> | 2024-05-20 07:58:58 +0300 |
---|---|---|
committer | robot-contrib <robot-contrib@yandex-team.com> | 2024-05-20 08:06:48 +0300 |
commit | 685fde8e2a4228200a88a5987a061329f7c59323 (patch) | |
tree | 8175b25d08a1c42a7d89d90478021a26954df5ba | |
parent | bcd5bcc390793791d293d386b2ebefbe683fb4e1 (diff) | |
download | ydb-685fde8e2a4228200a88a5987a061329f7c59323.tar.gz |
Update contrib/restricted/uriparser to 0.9.8
13a17d4e90a208dbf899efe8b92134d3ae98631d
-rw-r--r-- | contrib/restricted/uriparser/ChangeLog | 27 | ||||
-rw-r--r-- | contrib/restricted/uriparser/README.md | 8 | ||||
-rw-r--r-- | contrib/restricted/uriparser/UriConfig.h | 2 | ||||
-rw-r--r-- | contrib/restricted/uriparser/include/uriparser/Uri.h | 32 | ||||
-rw-r--r-- | contrib/restricted/uriparser/include/uriparser/UriBase.h | 2 | ||||
-rw-r--r-- | contrib/restricted/uriparser/src/UriQuery.c | 16 | ||||
-rw-r--r-- | contrib/restricted/uriparser/ya.make | 6 |
7 files changed, 73 insertions, 20 deletions
diff --git a/contrib/restricted/uriparser/ChangeLog b/contrib/restricted/uriparser/ChangeLog index 7cf421bd31..8f19bbfc2b 100644 --- a/contrib/restricted/uriparser/ChangeLog +++ b/contrib/restricted/uriparser/ChangeLog @@ -2,6 +2,33 @@ NOTE: uriparser is looking for help with a few things: https://github.com/uriparser/uriparser/labels/help%20wanted If you can help, please get in touch. Thanks! +2024-05-05 -- 0.9.8 + +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Fixed: [CVE-2024-34402] + Protect against integer overflow in ComposeQueryEngine + (GitHub #183, GitHub #185) + * Fixed: [CVE-2024-34403] + Protect against integer overflow in ComposeQueryMallocExMm + (GitHub #183, GitHub #186) +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Changed: Require CMake >=3.5.0 (GitHub #172) + * Added: CMake option URIPARSER_SHARED_LIBS=(ON|OFF) to control, + whether to produce a shared or static library for uriparser + and that alone, falls back to standard BUILD_SHARED_LIBS + if available, else defaults to "ON" (GitHub #169, GitHub #170) + * Improved: Document that scheme-based normalization a la + section 6.2.3 of RFC 3986 is a responsibility of the application + using uriparser (GitHub #173, GitHub #174) + * Improved: Document supported code points for functions uriEscape(Ex)W + (GitHub #171, GitHub #175) + * Infrastructure: Update Clang from 15 to 18 (GitHub #161, GitHub #187) + * Infrastructure: Adapt to breaking changes in Clang packaging (GitHub #160) + * Infrastructure: Get sanitizer CFLAGS and LDFLAGS back in sync (GitHub #161) + * Infrastructure: Pin GitHub Actions to specific commits for security + (GitHub #165) + * Soname: 1:31:0 — see https://verbump.de/ for what these numbers do + 2022-10-05 -- 0.9.7 * Fixed: Multiple issues with IPv6 and IPvFuture literal parsing diff --git a/contrib/restricted/uriparser/README.md b/contrib/restricted/uriparser/README.md index 2846e9d042..d399ca2f54 100644 
--- a/contrib/restricted/uriparser/README.md +++ b/contrib/restricted/uriparser/README.md @@ -20,7 +20,7 @@ please check out [https://uriparser.github.io/](https://uriparser.github.io/). # Example use from an existing CMake project ```cmake -cmake_minimum_required(VERSION 3.3) +cmake_minimum_required(VERSION 3.5.0) project(hello VERSION 1.0.0) @@ -49,9 +49,6 @@ target_link_libraries(hello PUBLIC uriparser::uriparser) ## Available CMake options (and defaults) ```console # rm -f CMakeCache.txt ; cmake -LH . | grep -B1 ':.*=' | sed 's,--,,' -// Build shared libraries (rather than static ones) -BUILD_SHARED_LIBS:BOOL=ON - // Choose the type of build, options are: None Debug Release RelWithDebInfo MinSizeRel ... CMAKE_BUILD_TYPE:STRING= @@ -82,6 +79,9 @@ URIPARSER_ENABLE_INSTALL:BOOL=ON // Use of specific runtime library (/MT /MTd /MD /MDd) with MSVC URIPARSER_MSVC_RUNTIME:STRING= +// Build shared libraries (rather than static ones) +URIPARSER_SHARED_LIBS:BOOL=ON + // Treat all compiler warnings as errors URIPARSER_WARNINGS_AS_ERRORS:BOOL=OFF ``` diff --git a/contrib/restricted/uriparser/UriConfig.h b/contrib/restricted/uriparser/UriConfig.h index d1c07bab7c..2b67bd31ee 100644 --- a/contrib/restricted/uriparser/UriConfig.h +++ b/contrib/restricted/uriparser/UriConfig.h @@ -41,7 +41,7 @@ -#define PACKAGE_VERSION "0.9.7" +#define PACKAGE_VERSION "0.9.8" #define HAVE_WPRINTF #define HAVE_REALLOCARRAY diff --git a/contrib/restricted/uriparser/include/uriparser/Uri.h b/contrib/restricted/uriparser/include/uriparser/Uri.h index d2c86103ec..b80ac6cab7 100644 --- a/contrib/restricted/uriparser/include/uriparser/Uri.h +++ b/contrib/restricted/uriparser/include/uriparser/Uri.h @@ -1,4 +1,4 @@ -/* 4bf720e0ca97527a28e4c30f1c35b36a0b5f2697265c5ddc81080eaab4344ef2 (0.9.7+) +/* e8e2c75d033ddfe256fe87c3fd5a330a6f2c9cbb376ebd83a1b3263e804c766a (0.9.8+) * * uriparser - RFC 3986 URI parsing library * 
@@ -352,10 +352,19 @@ URI_PUBLIC int URI_FUNC(FreeUriMembersMm)(URI_TYPE(Uri) * uri, /** * Percent-encodes all unreserved characters from the input string and * writes the encoded version to the output string. - * Be sure to allocate <b>3 times</b> the space of the input buffer for + * + * NOTE: Be sure to allocate <b>3 times</b> the space of the input buffer for * the output buffer for <c>normalizeBreaks == URI_FALSE</c> and <b>6 times</b> * the space for <c>normalizeBreaks == URI_TRUE</c> - * (since e.g. "\x0d" becomes "%0D%0A" in that case) + * (since e.g. "\x0d" becomes "%0D%0A" in that case). + * + * NOTE: The implementation treats (both <c>char</c> and) <c>wchar_t</c> units + * as code point integers, which works well for code points <c>U+0001</c> to <c>U+00ff</c> + * in host-native endianness but nothing more; + * in particular, using <c>uriEscapeExW</c> with arbitrary Unicode input will + * not produce healthy results. + * Passing UTF-8 input to <c>uriEscapeExA</c> may be useful in some scenarios. + * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987). * * @param inFirst <b>IN</b>: Pointer to first character of the input text * @param inAfterLast <b>IN</b>: Pointer after the last character of the input text 
@@ -377,10 +386,19 @@ URI_PUBLIC URI_CHAR * URI_FUNC(EscapeEx)(const URI_CHAR * inFirst, /** * Percent-encodes all unreserved characters from the input string and * writes the encoded version to the output string. - * Be sure to allocate <b>3 times</b> the space of the input buffer for + * + * NOTE: Be sure to allocate <b>3 times</b> the space of the input buffer for * the output buffer for <c>normalizeBreaks == URI_FALSE</c> and <b>6 times</b> * the space for <c>normalizeBreaks == URI_TRUE</c> - * (since e.g. "\x0d" becomes "%0D%0A" in that case) + * (since e.g. "\x0d" becomes "%0D%0A" in that case). + * + * NOTE: The implementation treats (both <c>char</c> and) <c>wchar_t</c> units + * as code point integers, which works well for code points <c>U+0001</c> to <c>U+00ff</c> + * in host-native endianness but nothing more; + * in particular, using <c>uriEscapeW</c> with arbitrary Unicode input will + * not produce healthy results. + * Passing UTF-8 input to <c>uriEscapeA</c> may be useful in some scenarios. + * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987). * * @param in <b>IN</b>: Text source * @param out <b>OUT</b>: Encoded text destination @@ -608,6 +626,10 @@ URI_PUBLIC int URI_FUNC(ToStringCharsRequired)(const URI_TYPE(Uri) * uri, * Converts a %URI structure back to text as described in * <a href="http://tools.ietf.org/html/rfc3986#section-5.3">section 5.3 of RFC 3986</a>. * + * NOTE: Scheme-based normalization + * (<a href="http://tools.ietf.org/html/rfc3986#section-6.2.3">section 6.2.3 of RFC 3986</a>) + * is not applied and is considered a responsibility of the application using uriparser. + * * @param dest <b>OUT</b>: Output destination * @param uri <b>IN</b>: %URI to convert * @param maxChars <b>IN</b>: Maximum number of characters to copy <b>including</b> terminator diff --git a/contrib/restricted/uriparser/include/uriparser/UriBase.h b/contrib/restricted/uriparser/include/uriparser/UriBase.h index 76a746cb1f..8a130e3e37 100644 
--- a/contrib/restricted/uriparser/include/uriparser/UriBase.h +++ b/contrib/restricted/uriparser/include/uriparser/UriBase.h @@ -55,7 +55,7 @@ /* Version */ #define URI_VER_MAJOR 0 #define URI_VER_MINOR 9 -#define URI_VER_RELEASE 7 +#define URI_VER_RELEASE 8 #define URI_VER_SUFFIX_ANSI "" #define URI_VER_SUFFIX_UNICODE URI_ANSI_TO_UNICODE(URI_VER_SUFFIX_ANSI) diff --git a/contrib/restricted/uriparser/src/UriQuery.c b/contrib/restricted/uriparser/src/UriQuery.c index b2734bc2c8..bbc1548877 100644 --- a/contrib/restricted/uriparser/src/UriQuery.c +++ b/contrib/restricted/uriparser/src/UriQuery.c @@ -70,6 +70,7 @@ #include <limits.h> +#include <stddef.h> /* size_t */ @@ -177,10 +178,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest, if (res != URI_SUCCESS) { return res; } + if (charsRequired == INT_MAX) { + return URI_ERROR_MALLOC; + } charsRequired++; /* Allocate space */ - queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR)); + queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR)); if (queryString == NULL) { return URI_ERROR_MALLOC; } 
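Review bot: The added `if (charsRequired == INT_MAX)` guard in ComposeQueryMallocExMm carries no comment saying why it exists — it keeps the `charsRequired++` on the next line from overflowing `int`, which is the CVE-2024-34403 fix listed in the ChangeLog hunk — so a one-liner such as `/* charsRequired + 1 would overflow int */` above it would stop a later cleanup from folding it away. The guard reports `URI_ERROR_MALLOC`, while the ComposeQueryEngine hunk reports the same class of too-large input as `URI_ERROR_OUTPUT_TOO_LARGE`; the two should probably agree, though changing the returned code is a caller-visible choice to confirm with upstream. The move from `memory->malloc(memory, charsRequired * sizeof(URI_CHAR))` to `memory->calloc(memory, charsRequired, sizeof(URI_CHAR))` hands the count-times-size multiplication to the memory manager, so if applications can supply their own manager (the `memory->` indirection suggests they can), the manager contract should state that `calloc` must reject `nmemb * size` overflow as the C library one does, otherwise the protection is only as good as the weakest supplied allocator. ComposeQueryMallocExMm begins and ends outside the hunk.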
@@ -218,16 +222,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest, const URI_CHAR * const key = queryList->key; const URI_CHAR * const value = queryList->value; const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3); - const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key); + const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key); int keyRequiredChars; - const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value); + const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value); int valueRequiredChars; - if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) { + if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) { return URI_ERROR_OUTPUT_TOO_LARGE; } - keyRequiredChars = worstCase * keyLen; - valueRequiredChars = worstCase * valueLen; + keyRequiredChars = worstCase * (int)keyLen; + valueRequiredChars = worstCase * (int)valueLen; if (dest == NULL) { (*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL) diff --git a/contrib/restricted/uriparser/ya.make b/contrib/restricted/uriparser/ya.make index d78a6d3145..f282121c00 100644 --- a/contrib/restricted/uriparser/ya.make +++ b/contrib/restricted/uriparser/ya.make @@ -1,4 +1,4 @@ -# Generated by devtools/yamaker from nixpkgs 22.05. +# Generated by devtools/yamaker from nixpkgs 22.11. LIBRARY() @@ -6,9 +6,9 @@ LICENSE(BSD-3-Clause) LICENSE_TEXTS(.yandex_meta/licenses.list.txt) -VERSION(0.9.7) +VERSION(0.9.8) -ORIGINAL_SOURCE(https://github.com/uriparser/uriparser/archive/uriparser-0.9.7.tar.gz) +ORIGINAL_SOURCE(https://github.com/uriparser/uriparser/archive/uriparser-0.9.8.tar.gz) PEERDIR( contrib/libs/libc_compat |
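Review bot: The widened check `keyLen >= (size_t)INT_MAX / worstCase` bounds each key and value on its own but not the running total: the hunk's last visible line, `(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)`, accumulates an `int` across every list entry, and nothing in this hunk guards that sum, so unless a check follows outside the hunk a list of many entries each under the per-entry limit could still carry `*charsRequired` past INT_MAX (inferred; the accumulation statement continues beyond the hunk). The new form of the check is easy to misread as a stray cast, so a why-comment above the `if`, e.g. `/* worstCase * len must fit in int for the casts below */`, would document the intent that `keyRequiredChars = worstCase * (int)keyLen;` relies on. ComposeQueryEngine starts before and continues after the hunk.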