Commit Graph

616 Commits

Author SHA1 Message Date
Sergio Benitez d4d5c5dd29 Override config parameters via environment variables.
Resolves #37.
2017-01-14 07:55:08 -08:00
Sergio Benitez 4bc5c20a45 Fix security checks in `PathBuf::FromSegments`.
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path with
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contains any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead return an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
2017-01-13 13:25:33 -08:00
Sergio Benitez 41aecc3e7f Expose the remote address via `remote()` in `Request`.
This commit also includes the following changes:

  * `FromRequest` for `SocketAddr` implemented: extracts remote address.
  * All built-in `FromRequest` implementations are documented.
  * Request preprocessing overrides remote IP with value from X-Real-IP header.
  * `MockRequest` allows setting the remote address with `remote()`.

Resolves #38.
2017-01-13 07:50:51 -08:00
Sergio Benitez 725191d3c3 Adjust spacing in handlebars_templates example. 2017-01-13 00:22:16 -08:00
FliegendeWurst 99a17b42ae Add tests for handlebars_templates example. 2017-01-13 00:19:58 -08:00
Seth Lopez dec585dbd4 Add tests for content_types example. 2017-01-13 00:05:58 -08:00
Sergio Benitez 6fd0503cea Expose SerdeError. 2017-01-12 23:07:01 -08:00
Sergio Benitez bea9727f44 Correct variance in Iron benchmarks. 2017-01-12 02:56:02 -08:00
Sergio Benitez 3c07cf96df Overhaul templating contrib library: use `register` callback.
This commit improves and changes the templating library in the following ways:

  * Templates are now registered/loaded at initialization.
  * No synchronization is required to read templates.
  * All templates are properly loaded (fixes #122).
  * Tera templates are given the proper name: `index`, not `index.html.tera`.
  * Rendering tests added for both templating engines.

There is one breaking change:

  * Tera templates are given the proper name: `index`, not `index.html.tera`.
2017-01-12 02:52:23 -08:00
Sergio Benitez 36bf704673 Fix config example tests for new Config structure. 2017-01-12 02:47:25 -08:00
Sergio Benitez c6fbc44888 Add TODO about improving builder finalize error. 2017-01-12 02:43:00 -08:00
Sergio Benitez a2f378ab88 Fixed Hyper version number. 2017-01-12 02:39:42 -08:00
Sergio Benitez ddda8fe79b Add workers config parameter. 2017-01-12 02:38:14 -08:00
Sergio Benitez fb24ee315c Overhaul configuration and custom ignition.
* Add Config::new() and Config::build() for simpler Config creation.
  * Add set_{param} methods to Config.
  * Add ConfigBuilder type for easy building of configurations.
  * Remove builder methods from Config.
  * PartialEq in Config doesn't consider path or session key.
  * Rocket::custom takes Config by value.
  * Rocket::custom takes second (enable_logging) boolean argument.
  * Rocket::custom properly sets the custom config as the active config.
2017-01-11 18:35:09 -08:00
Sergio Benitez 31e80cb07b Add Iron to the benchmark mix. 2017-01-11 14:53:04 -08:00
Sergio Benitez dbd427b433 Add Matrix as an official support channel. Add chat badges. 2017-01-11 14:32:12 -08:00
Sergio Benitez 5db5e9f688 Update handlebars to 0.24. 2017-01-10 15:06:00 -08:00
Sergio Benitez b109bb41ff One more clippy warning (in FromForm derive). 2017-01-09 20:45:34 -08:00
Josh Holmer 59043e262a Fix more codegen clippy warnings. 2017-01-09 20:33:54 -08:00
Josh Holmer 17bbd41f73 Fix clippy warnings caused by codegen. 2017-01-09 17:36:47 -08:00
Sergio Benitez e2f342a384 Rearrange formatting in cookies test. 2017-01-09 17:23:04 -08:00
Seth Lopez da7026c781 Add tests for cookies example. 2017-01-09 17:21:19 -08:00
Cliff H 83e33cf0be Add tests for redirect example. 2017-01-09 17:17:47 -08:00
Dru Sellers a6084ab3e2 Change the type for port to u16 in config. 2017-01-09 16:48:27 -08:00
Sergio Benitez 44296980fc Remove proc_macro as a feature - it's stabilized! 2017-01-07 20:59:35 -08:00
Robert e4006c56c8 Add tests for hello_alt_methods example. 2017-01-06 01:41:48 -06:00
Sergio Benitez e230ce9b95 Don't overwrite catcher response status if it is set.
Resolves #113.
2017-01-06 01:32:43 -06:00
Sergio Benitez 21a1bde7c0 Add Header methods to get name and value as strs. 2017-01-06 01:03:08 -06:00
Reilly Tucker Siemens 5e30262378 Add tests for errors example. 2017-01-06 00:43:20 -06:00
Sergio Benitez 6165a6705c Add more comments on dispatch logic. 2017-01-06 00:42:24 -06:00
Sergio Benitez 8f8dde812d Remove unnecessary fields in Redirect Response. 2017-01-06 00:42:10 -06:00
Sergio Benitez ef7d18f15a Add IRC channel to README. 2017-01-06 00:19:01 -06:00
Sergio Benitez 042dcadf43 Expose DataStream directly to allow for stream composition. 2017-01-05 15:13:13 -06:00
Sergio Benitez 069f09cb7e Make 'cargo test' work without '--all-features'. 2017-01-05 14:51:00 -06:00
Sergio Benitez 2da08a975c Make Content-Type case-preserving; add 'params' method. 2017-01-05 02:14:44 -06:00
Sergio Benitez 855d9b7b00 New version: 0.1.4. 2017-01-04 11:18:49 -06:00
Sergio Benitez b202fb9748 Update codegen for 2017-01-03 nightly. 2017-01-04 11:18:22 -06:00
Sergio Benitez 24805bbf16 Treat header names as case-preserving in HeaderMap.
Fixes #92.
2017-01-02 21:33:36 -06:00
Sergio Benitez 82f6f78189 Add UncasedAscii{Ref} type(s) that are case-preserving strings. 2017-01-02 21:32:29 -06:00
Sergio Benitez 2852c526c3 Fix minor typos in CHANGELOG. 2016-12-31 02:08:43 -06:00
Sergio Benitez 16c42289a9 Add crates.io badge. 2016-12-31 02:02:58 -06:00
Sergio Benitez 6fdc6f025f New version: 0.1.3. 2016-12-31 01:31:11 -06:00
Liigo Zhuang 0af01abe5f Fix decoding of String form values.
@liigo originated a fix and found the problem in #82.
2016-12-31 01:06:22 -06:00
Sergio Benitez 83bbea7d4a Fix decoding of form value Strings. 2016-12-31 00:48:31 -06:00
Greg Edwards d19cb0349c Only override request methods via '_method' on POST. 2016-12-31 00:00:47 -06:00
Sergio Benitez a1878ad080 Properly resolve dynamic segments, take 2.
Fixes #86.
2016-12-30 23:51:23 -06:00
Sergio Benitez 1f373cc83a Rename 'content_type' Route field to 'format'. 2016-12-30 20:15:28 -06:00
Sergio Benitez 524a2d889d Fix typo in build warning message. 2016-12-30 20:06:48 -06:00
Sergio Benitez 366eb5d158 Test methods via route attribute. 2016-12-30 01:46:47 -06:00
Sergio Benitez 2de006d9f9 Allow head decorator and options via route decorator. 2016-12-30 01:41:46 -06:00