From 4ef9ed80cde4074b74219a8284dd86ee01f5a687 Mon Sep 17 00:00:00 2001
From: Wander Nauta
Date: Sat, 27 Jan 2024 14:22:00 +0100
Subject: [PATCH] Treat paths with embedded NUL bytes as invalid (#1765)

Fixes #1763.
---
 httplib.h | 1 +
 test/test.cc | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/httplib.h b/httplib.h
index 0197b2f..884db99 100644
--- a/httplib.h
+++ b/httplib.h
@@ -2413,6 +2413,7 @@ inline bool is_valid_path(const std::string &path) {
 // Read component
 auto beg = i;
 while (i < path.size() && path[i] != '/') {
+ if (path[i] == '\0') { return false; }
 i++;
 }
diff --git a/test/test.cc b/test/test.cc
index 31deb23..1d236ee 100644
--- a/test/test.cc
+++ b/test/test.cc
@@ -71,6 +71,15 @@ TEST(DecodeURLTest, PercentCharacter) {
 R"(descrip=Gastos áéíóúñÑ 6)");
 }
+TEST(DecodeURLTest, PercentCharacterNUL) {
+ string expected;
+ expected.push_back('x');
+ expected.push_back('\0');
+ expected.push_back('x');
+
+ EXPECT_EQ(detail::decode_url("x%00x", false), expected);
+}
+
 TEST(EncodeQueryParamTest, ParseUnescapedChararactersTest) {
 string unescapedCharacters = "-_.!~*'()";
@@ -2482,6 +2491,12 @@ TEST_F(ServerTest, GetMethodInvalidMountPath) {
 EXPECT_EQ(StatusCode::NotFound_404, res->status);
 }
+TEST_F(ServerTest, GetMethodEmbeddedNUL) {
+ auto res = cli_.Get("/mount/dir/test.html%00.js");
+ ASSERT_TRUE(res);
+ EXPECT_EQ(StatusCode::NotFound_404, res->status);
+}
+
 TEST_F(ServerTest, GetMethodOutOfBaseDirMount) {
 auto res = cli_.Get("/mount/../www2/dir/test.html");
 ASSERT_TRUE(res);
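Review bot: In httplib.h, the added `if (path[i] == '\0') { return false; }` inside the component loop of is_valid_path has no comment saying why a NUL byte makes the path invalid. I would put `// Embedded NUL: C-string file APIs would stop reading here, so the file opened could differ from the path that was validated` above it; that is presumably the reason, since the code that opens the file is not in the hunk. The guard covers only callers of is_valid_path: the new DecodeURLTest case shows detail::decode_url still returns the NUL byte, so any other consumer of the decoded path needs its own check. is_valid_path starts and ends outside this hunk.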
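Review bot: In test/test.cc, PercentCharacterNUL pins that detail::decode_url keeps `%00` as a raw NUL byte, which reads as contradicting a commit that treats NUL as invalid unless the intent is written down. A one-line comment such as `// decode_url must preserve NUL; rejecting it is is_valid_path's job` would make that division of responsibility explicit. As a point of style, the three push_back calls can be replaced by the length-taking constructor, `string expected("x\0x", 3);`.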
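Review bot: In test/test.cc, GetMethodEmbeddedNUL asserts only a 404, which is also what an ordinary missing file returns, so the test does not say what it is guarding against. A comment above the request such as `// Without the NUL check this presumably resolved to the existing dir/test.html (see #1763)` would record why 404 is the expected outcome. The test also covers a single placement of the NUL, after an existing file name; a second request with the NUL inside a directory component would show the check applies to every component, not only the last.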