We have some news to share for the request index beta feature. We’ve added more options to sort your requests, counters to the individual filters and documentation for the search functionality. Checkout the blog post for more details.

Overview

File libsoup-CVE-2025-32913.patch of Package libsoup.42105

diff -urp libsoup-2.68.4.orig/libsoup/soup-message-headers.c libsoup-2.68.4/libsoup/soup-message-headers.c
--- libsoup-2.68.4.orig/libsoup/soup-message-headers.c	2025-05-29 13:11:11.365235172 -0500
+++ libsoup-2.68.4/libsoup/soup-message-headers.c	2025-05-29 13:11:46.003974760 -0500
@@ -1444,10 +1444,15 @@ soup_message_headers_get_content_disposi
 	 */
 	if (params && g_hash_table_lookup_extended (*params, "filename",
 						    &orig_key, &orig_value)) {
-		char *filename = strrchr (orig_value, '/');
+                if (orig_value) {
+                        char *filename = strrchr (orig_value, '/');
 
-		if (filename)
-			g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+                        if (filename)
+                                g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
+                } else {
+                        /* filename with no value isn't valid. */
+                        g_hash_table_remove (*params, "filename");
+                }
 	}
 	return TRUE;
 }
diff -urp libsoup-2.68.4.orig/tests/header-parsing-test.c libsoup-2.68.4/tests/header-parsing-test.c
--- libsoup-2.68.4.orig/tests/header-parsing-test.c	2025-05-29 13:09:10.577487766 -0500
+++ libsoup-2.68.4/tests/header-parsing-test.c	2025-05-29 13:12:45.884474806 -0500
@@ -1026,6 +1026,7 @@ do_param_list_tests (void)
 #define RFC5987_TEST_HEADER_UTF8     "attachment; filename*=UTF-8''t%C3%A9st.txt; filename=\"test.txt\""
 #define RFC5987_TEST_HEADER_ISO      "attachment; filename=\"test.txt\"; filename*=iso-8859-1''t%E9st.txt"
 #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
+#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
 
 static void
 do_content_disposition_tests (void)
@@ -1095,6 +1096,20 @@ do_content_disposition_tests (void)
 	g_assert_cmpstr (filename, ==, RFC5987_TEST_FALLBACK_FILENAME);
 	g_hash_table_destroy (params);
 
+        /* Empty filename */
+        soup_message_headers_clear (hdrs);
+        soup_message_headers_append (hdrs, "Content-Disposition",
+				     RFC5987_TEST_HEADER_EMPTY_FILENAME);
+	if (!soup_message_headers_get_content_disposition (hdrs,
+							   &disposition,
+							   &params)) {
+		soup_test_assert (FALSE, "empty filename decoding FAILED");
+		return;
+	}
+        g_free (disposition);
+        g_assert_false (g_hash_table_contains (params, "filename"));
+	g_hash_table_destroy (params);
+
 	soup_message_headers_free (hdrs);
 
 	/* Ensure that soup-multipart always quotes filename */
openSUSE Build Service is sponsored by
Places