This is a breaking change to `IntoOutcome`.
The MsgPack and JSON types now use `into_outcome` to generate the final
`Outcome` from their `FromData` implementations.
Resolves#98.
This is a breaking change. A call to `Response::headers()` can be
replaced with `Response::headers().iter()`. A call to
`Response::header_values()` can be replaced with
`Response::headers().get()`.
This is a breaking change. `Request::content_type` now returns a borrow
to `ContentType`. `FromRequest` for `ContentType` is no longer
implemented. Instead, `FromRequest` for `&ContentType` is implemented.
This is a breaking change.
This commit introduces `RawStr` to forms. In particular, after this
commit, the `&str` type no longer implements `FromFormValue`, and so it
cannot be used as a field in forms. Instad, the `&RawStr` can be used.
The `FormItems` iterator now returns an `(&RawStr, &RawStr)` pair.
This is a breaking change.
This commit changes the meaning of the `format` route attribute when
used on non-payload carrying requests (GET, HEAD, CONNECT, TRACE, and
OPTIONS) so that it matches against the preferred media type in the
`Accept` header of the request. The preferred media type is computed
according to the HTTP 1.1 RFC, barring a few specificty rules to come.
This is a (minor) breaking change. If `rocket.launch()` is the last expression
in a function, the return type will change from `()` to `LaunchError`. A simple
workaround that preserves the previous functionality is to simply add a
semicolon after `launch()`: `rocket.launch();`.
resolves#34
This commit includes the following additions:
* A `session` example was added.
* `Config::take_session_key` was removed.
* If a `session_key` is not supplied, one is automatically generated.
* The `Session` type implements signed, encrypted sessions.
* A `Session` can be retrieved via its request guard.
This commit involves several breaking changes:
* `session_key` config param must be a 256-bit base64 encoded string.
* `FromRequest` is implemented for `Cookies`, not `Cookie`.
* Only a single `Cookies` instance can be retrieved at a time.
* `Config::take_session_key` returns a `Vec<u8>`.
* `Into<Header>` is implemented for `&Cookie`, not `Cookie`.
This commit changes the way Rocket parses form items. In particular, it now
(liberally) validates form strings, returning a Bad Request on malformed inputs
and Unprocessable Entity on bad parses.
The 'FormItems' iterator was modified to accomodate this. The iterator is now
initialized using 'from': 'FormItems::from(form_string)'. The iterator can be
queried to check for a complete parse using either 'completed()' or
'exhausted()', the latter of which will consume valid keys/values and return
true only if the entire string was consumed.
The 'FromForm' trait now takes a mutable borrow to a 'FormItems' iterator.
The 'Form' and 'FormForm' implementation for 'Form' were modified to use the new
iterfaces and check for 'exhausted' after a parse, returning a Bad Request error
if the iterator cannot be exhausted.
Resolves#46.
This commit changes the routing algorithm. In particular, it enforces
precise matching of formats. With this change, a route with a specified
format only matches requests that have the same format specified. A
route with no format specified matches any request's format. This is
contrast to the previous behavior, where a route without a specified
format would match requests regardless of their format or whether one
was specified.
This commit also changes the following:
* The return type of the 'content_type' method of 'Request' is now
'Option<ContentType>'.
* The 'ContentType' request guard forwards when the request has no
specified ContentType.
* The 'add_header' and 'replace_header' methods take the header
argument generically.
Closes#120.
A few interesting notes on this breakage:
* `Cookie` how has a lifetime. It should be `'static'` everywhere.
* The `SetCookie` header is no longer reexported.
* Instead, `Cookie` implements `Into<Header>` for Set-Cookie.
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path with
containing any number of `..%2f..` sequences to traverse the file system.
This commit resolves the issue by ensuring that the decoded segment does not
contains any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.
The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead return an error.
The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.
Closes#134.
This commit also includes the following changes:
* `FromRequest` for `SocketAddr` implemented: extracts remote address.
* All built-in `FromRequest` implementations are documented.
* Request preprocessing overrides remote IP with value from X-Real-IP header.
* `MockRequest` allows setting the remote address with `remote()`.
Resolves#38.
This is a complete rework of `Responder`s and of the http backend in
general. This gets Rocket one step closer to HTTP library independence,
enabling many future features such as transparent async I/O, automatic
HEAD request parsing, pre/post hooks, and more.
Summary of changes:
* `Responder::response` no longer takes in `FreshHyperResponse`.
Instead, it returns a new `Response` type.
* The new `Response` type now encapsulates a full HTTP response. As a
result, `Responder`s now return it.
* The `Handler` type now returns an `Outcome` directly.
* The `ErrorHandler` returns a `Result`. It can no longer forward,
which made no sense previously.
* `Stream` accepts a chunked size parameter.
* `StatusCode` removed in favor of new `Status` type.
* `ContentType` significantly modified.
* New, lightweight `Header` type that plays nicely with `Response`.