fix(mem): limit the use of std::vector in middleware code that could execute in the context of a request

mathieucarbou · mathieucarbou · commit 7360f9c36aef · 2025-02-05T23:46:31.000+01:00
diff --git a/src/ESPAsyncWebServer.h b/src/ESPAsyncWebServer.h
@@ -789,14 +789,15 @@ class AsyncHeaderFreeMiddleware : public AsyncMiddleware {
   void keep(const char *name) {
     _toKeep.push_back(name);
   }
+
   void unKeep(const char *name) {
-    _toKeep.erase(std::remove(_toKeep.begin(), _toKeep.end(), name), _toKeep.end());
+    _toKeep.remove(name);
   }
 
   void run(AsyncWebServerRequest *request, ArMiddlewareNext next);
 
 private:
-  std::vector<const char *> _toKeep;
+  std::list<const char *> _toKeep;
 };
 
 // filter out specific headers from the incoming request
@@ -805,14 +806,15 @@ class AsyncHeaderFilterMiddleware : public AsyncMiddleware {
   void filter(const char *name) {
     _toRemove.push_back(name);
   }
+
   void unFilter(const char *name) {
-    _toRemove.erase(std::remove(_toRemove.begin(), _toRemove.end(), name), _toRemove.end());
+    _toRemove.remove(name);
   }
 
   void run(AsyncWebServerRequest *request, ArMiddlewareNext next);
 
 private:
-  std::vector<const char *> _toRemove;
+  std::list<const char *> _toRemove;
 };
 
 // curl-like logging of incoming requests
diff --git a/src/Middleware.cpp b/src/Middleware.cpp
@@ -146,20 +146,22 @@ void AsyncAuthenticationMiddleware::run(AsyncWebServerRequest *request, ArMiddle
 }
 
 void AsyncHeaderFreeMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNext next) {
-  std::vector<const char *> reqHeaders;
-  request->getHeaderNames(reqHeaders);
-  for (const char *h : reqHeaders) {
+  std::list<const char *> toRemove;
+  for (auto &h : request->getHeaders()) {
     bool keep = false;
     for (const char *k : _toKeep) {
-      if (strcasecmp(h, k) == 0) {
+      if (strcasecmp(h.name().c_str(), k) == 0) {
         keep = true;
         break;
       }
     }
     if (!keep) {
-      request->removeHeader(h);
+      toRemove.push_back(h.name().c_str());
     }
   }
+  for (const char *h : toRemove) {
+    request->removeHeader(h);
+  }
   next();
 }
 
diff --git a/src/WebRequest.cpp b/src/WebRequest.cpp
@@ -796,12 +796,11 @@ const AsyncWebHeader *AsyncWebServerRequest::getHeader(size_t num) const {
 }
 
 size_t AsyncWebServerRequest::getHeaderNames(std::vector<const char *> &names) const {
-  const size_t size = _headers.size();
-  names.reserve(size);
+  const size_t size = names.size();
   for (const auto &h : _headers) {
     names.push_back(h.name().c_str());
   }
-  return size;
+  return names.size() - size;
 }
 
 bool AsyncWebServerRequest::removeHeader(const char *name) {

Original file line number	Diff line number	Diff line change
`@@ -146,20 +146,22 @@ void AsyncAuthenticationMiddleware::run(AsyncWebServerRequest *request, ArMiddle`
`146`	`146`	`}`
`147`	`147`
`148`	`148`	`void AsyncHeaderFreeMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNext next) {`
`149`		`- std::vector<const char *> reqHeaders;`
`150`		`- request->getHeaderNames(reqHeaders);`
`151`		`- for (const char *h : reqHeaders) {`
	`149`	`+ std::list<const char *> toRemove;`
	`150`	`+ for (auto &h : request->getHeaders()) {`
`152`	`151`	`bool keep = false;`
`153`	`152`	`for (const char *k : _toKeep) {`
`154`		`- if (strcasecmp(h, k) == 0) {`
	`153`	`+ if (strcasecmp(h.name().c_str(), k) == 0) {`
`155`	`154`	`keep = true;`
`156`	`155`	`break;`
`157`	`156`	`}`
`158`	`157`	`}`
`159`	`158`	`if (!keep) {`
`160`		`- request->removeHeader(h);`
	`159`	`+ toRemove.push_back(h.name().c_str());`
`161`	`160`	`}`
`162`	`161`	`}`
	`162`	`+ for (const char *h : toRemove) {`
	`163`	`+ request->removeHeader(h);`
	`164`	`+ }`
`163`	`165`	`next();`
`164`	`166`	`}`
`165`	`167`
Original file line number	Diff line number	Diff line change
`@@ -796,12 +796,11 @@ const AsyncWebHeader *AsyncWebServerRequest::getHeader(size_t num) const {`
`796`	`796`	`}`
`797`	`797`
`798`	`798`	`size_t AsyncWebServerRequest::getHeaderNames(std::vector<const char *> &names) const {`
`799`		`- const size_t size = _headers.size();`
`800`		`- names.reserve(size);`
	`799`	`+ const size_t size = names.size();`
`801`	`800`	`for (const auto &h : _headers) {`
`802`	`801`	`names.push_back(h.name().c_str());`
`803`	`802`	`}`
`804`		`- return size;`
	`803`	`+ return names.size() - size;`
`805`	`804`	`}`
`806`	`805`
`807`	`806`	`bool AsyncWebServerRequest::removeHeader(const char *name) {`