Commit Graph

282 Commits

Author SHA1 Message Date
Sergio Benitez
4f8894f645 Don't allocate a String into after parsing a cookie. 2017-03-08 03:39:57 -08:00
Sergio Benitez
16cb7297ab Initial session support.
This commit includes the following additions:
  * A `session` example was added.
  * `Config::take_session_key` was removed.
  * If a `session_key` is not supplied, one is automatically generated.
  * The `Session` type implements signed, encrypted sessions.
  * A `Session` can be retrieved via its request guard.
2017-03-08 03:28:12 -08:00
Sergio Benitez
722ee93f8b Update to cookie 0.7. Use 256-bit session_keys.
This commit involves several breaking changes:
  * `session_key` config param must be a 256-bit base64 encoded string.
  * `FromRequest` is implemented for `Cookies`, not `Cookie`.
  * Only a single `Cookies` instance can be retrieved at a time.
  * `Config::take_session_key` returns a `Vec<u8>`.
  * `Into<Header>` is implemented for `&Cookie`, not `Cookie`.
2017-03-07 01:19:06 -08:00
Sergio Benitez
6be902162d New version: 0.2.2. 2017-02-26 18:31:15 -08:00
Sergio Benitez
d99de8e05b New version: 0.2.1. 2017-02-24 13:57:33 -08:00
Sergio Benitez
efbfbd1045 Add 'into_bytes' and 'into_inner' methods to Body. 2017-02-24 13:20:35 -08:00
Sergio Benitez
62a75cdde6 Use append_raw to ensure all headers are set.
Fixes #206.
2017-02-22 11:25:30 -08:00
Sergio Benitez
d89c2a0cb5 Presort routes instead of sorting on each route. 2017-02-18 00:23:20 -08:00
Michael Aaron Murphy
4161949a1c Add webp, ttf, otf, woff, and woff2 as known Content-Types. 2017-02-17 19:13:45 -08:00
Sergio Benitez
d8afb4c7fa Implement Display and Error for ConfigError.
Closes #189.
2017-02-15 01:32:57 -08:00
Sergio Benitez
d8b90ebf5f Readd missing config address test. 2017-02-14 23:34:27 -08:00
Sergio Benitez
0c963da1fd Fix IPv6 address parsing and validation. 2017-02-14 23:10:36 -08:00
Sergio Benitez
1e1ff3bd23 Explicitly delete flash cookie so that path is set. 2017-02-08 23:53:29 -08:00
Sergio Benitez
3c8dd0fad8 Fix fallout from latest cargo nightly. 2017-02-08 00:55:22 -08:00
Sergio Benitez
46f753e128 Fix typo in manage docs: referes -> refers. 2017-02-06 10:40:43 -08:00
Sergio Benitez
c7db553286 New version: 0.2.0. 2017-02-06 05:35:19 -08:00
Sergio Benitez
20a548b11b Add percent_encode method to URI. 2017-02-06 03:41:12 -08:00
Sergio Benitez
ad8f55f64b Back to expressibility. 2017-02-05 20:21:57 -08:00
Sergio Benitez
0b69a5d8f7 Ensure routes with and without query params don't collide. 2017-02-05 01:43:53 -08:00
Sergio Benitez
e966925455 Use full URI in codegen routes; log query params in routes. 2017-02-05 01:34:48 -08:00
Sergio Benitez
8b39b88e46 We're searching for expressiveness. 2017-02-03 19:21:19 -08:00
Sergio Benitez
391628dea9 Fix broken link to IntoValue. 2017-02-03 17:15:29 -08:00
Sergio Benitez
0e82eb0b31 Fixup forms documentation for new features. 2017-02-03 16:56:29 -08:00
Sergio Benitez
aefa2f1494 Use pub(crate) to enforce doc(hidden). 2017-02-03 02:17:06 -08:00
Sergio Benitez
bf1b9e76fd Tweak http module docs. 2017-02-03 01:27:41 -08:00
Sergio Benitez
a8356de183 Fully document config module. Deprecate Config::{set, default_for}. 2017-02-03 01:15:01 -08:00
Sergio Benitez
5abb8d99b4 Clarify manage method docs. 2017-02-02 18:16:57 -08:00
Sergio Benitez
988236f272 Add documentation for State request guard. 2017-02-02 18:01:00 -08:00
Sergio Benitez
a9c3b8a919 Silence warnings during testing. 2017-02-02 02:16:21 -08:00
Garrett Squire
11e90f525f Update status code for form processing failure. 2017-02-01 18:29:29 -08:00
Sergio Benitez
ed429cd487 Change FromForm signature. Emit 422 form errors on bad form strings.
This commit changes the way Rocket parses form items. In particular, it now
(liberally) validates form strings, returning a Bad Request on malformed inputs
and Unprocessable Entity on bad parses.

The 'FormItems' iterator was modified to accomodate this. The iterator is now
initialized using 'from': 'FormItems::from(form_string)'. The iterator can be
queried to check for a complete parse using either 'completed()' or
'exhausted()', the latter of which will consume valid keys/values and return
true only if the entire string was consumed.

The 'FromForm' trait now takes a mutable borrow to a 'FormItems' iterator.

The 'Form' and 'FormForm' implementation for 'Form' were modified to use the new
iterfaces and check for 'exhausted' after a parse, returning a Bad Request error
if the iterator cannot be exhausted.

Resolves #46.
2017-02-01 18:22:51 -08:00
Sergio Benitez
cc22836867 Precisely route formats. Make 'content_type' an 'Option' in 'Request'.
This commit changes the routing algorithm. In particular, it enforces
precise matching of formats. With this change, a route with a specified
format only matches requests that have the same format specified. A
route with no format specified matches any request's format. This is
contrast to the previous behavior, where a route without a specified
format would match requests regardless of their format or whether one
was specified.

This commit also changes the following:
  * The return type of the 'content_type' method of 'Request' is now
    'Option<ContentType>'.
  * The 'ContentType' request guard forwards when the request has no
    specified ContentType.
  * The 'add_header' and 'replace_header' methods take the header
    argument generically.

Closes #120.
2017-02-01 03:12:24 -08:00
Sergio Benitez
3235e1e5e6 Make 'false' the default value for bools in forms. 2017-02-01 00:12:11 -08:00
Sergio Benitez
35bbb8b60b Use 'to_string' to format Hyper headers. 2017-01-31 17:32:35 -08:00
Sergio Benitez
374593c2f0 Use 'ContentType::Plain' for 'String' responses.
Resolves #49.
2017-01-31 02:43:19 -08:00
Sergio Benitez
724446cda4 Add categories to Cargo.toml. 2017-01-31 02:01:51 -08:00
Sergio Benitez
06a7317fd9 Update to Hyper 0.10. Use cookie crate directly.
A few interesting notes on this breakage:

  * `Cookie` how has a lifetime. It should be `'static'` everywhere.
  * The `SetCookie` header is no longer reexported.
  * Instead, `Cookie` implements `Into<Header>` for Set-Cookie.
2017-01-26 23:08:15 -08:00
Sergio Benitez
0a0b64b9b6 New version: 0.1.6. 2017-01-26 11:26:50 -08:00
Sergio Benitez
466b58970e Pin Hyper to 0.9.14 due to non-semver breaking change. 2017-01-26 11:11:43 -08:00
Sergio Benitez
c815911705 Introduce Managed State. 2017-01-20 23:17:28 -08:00
Giovanni Capuano
9ef65a8c91 Don't use any features from toml crate. 2017-01-20 16:38:50 -08:00
Sergio Benitez
72b91dfa41 Use shorthand version for hyper dependency. 2017-01-20 16:36:55 -08:00
Ernestas Poskus
59b7cb006f Add SVG as a known Content-Type. 2017-01-19 12:29:39 -08:00
Sergio Benitez
cf82469c52 Document encoding behavior for FormItems. 2017-01-15 02:21:28 -08:00
Sergio Benitez
bb295dc230 Extend FormFormValue docs with details and built-in impls.
Closes #129.
2017-01-15 02:05:17 -08:00
Sergio Benitez
307469dc3a Refuse to build on non-nightly with a nice message. 2017-01-15 01:16:47 -08:00
Sergio Benitez
08278e8f0e New version: 0.1.5. 2017-01-14 08:45:03 -08:00
Eijebong
1398626710 Fix typo in Redirect documentation. 2017-01-14 07:58:28 -08:00
Sergio Benitez
d4d5c5dd29 Override config parameters via environment variables.
Resolves #37.
2017-01-14 07:55:08 -08:00
Sergio Benitez
4bc5c20a45 Fix security checks in PathBuf::FromSegments.
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path with
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contains any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead return an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
2017-01-13 13:25:33 -08:00