Commit Graph

109 Commits

Author SHA1 Message Date
Sergio Benitez cf82469c52 Document encoding behavior for FormItems. 2017-01-15 02:21:28 -08:00
Sergio Benitez bb295dc230 Extend FromFormValue docs with details and built-in impls.
Closes #129.
2017-01-15 02:05:17 -08:00
Sergio Benitez 4bc5c20a45 Fix security checks in `PathBuf::FromSegments`.
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contain any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead returns an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
2017-01-13 13:25:33 -08:00
Sergio Benitez 41aecc3e7f Expose the remote address via `remote()` in `Request`.
This commit also includes the following changes:

  * `FromRequest` for `SocketAddr` implemented: extracts remote address.
  * All built-in `FromRequest` implementations are documented.
  * Request preprocessing overrides remote IP with value from X-Real-IP header.
  * `MockRequest` allows setting the remote address with `remote()`.

Resolves #38.
2017-01-13 07:50:51 -08:00
Liigo Zhuang 0af01abe5f Fix decoding of String form values.
@liigo originated a fix and found the problem in #82.
2016-12-31 01:06:22 -06:00
Sergio Benitez 83bbea7d4a Fix decoding of form value Strings. 2016-12-31 00:48:31 -06:00
Sergio Benitez a1878ad080 Properly resolve dynamic segments, take 2.
Fixes #86.
2016-12-30 23:51:23 -06:00
Sergio Benitez 71419933a5 Ignore _method field in derived FromForm.
Fixes #45.
2016-12-26 02:41:57 -06:00
Sergio Benitez 12302bcadb Document default FromParam impls. 2016-12-23 02:39:34 -08:00
Sergio Benitez 80632689f4 Document Request. 2016-12-21 01:30:45 -08:00
Sergio Benitez 62fe734492 URI uses Cow internally. 2016-12-21 00:09:22 -08:00
Sergio Benitez f1c7d3e27c Minor code improvements via clippy. 2016-12-17 09:18:30 -08:00
Sergio Benitez 6815a56cb5 Rework Request: add lifetime to future proof, remove unsafe. 2016-12-16 03:07:23 -08:00
Sergio Benitez 08f41816d1 Remove dependence from Hyper in Request/MockRequest. 2016-12-15 16:34:19 -08:00
Sergio Benitez d3e2d829c7 Remove all Hyper* types in favor of hyper::*. 2016-12-15 09:24:29 -08:00
Sergio Benitez 44f5f1998d New HTTP types: ContentType, Status. Responder/Handler/ErrorHandler changed.
This is a complete rework of `Responder`s and of the http backend in
general. This gets Rocket one step closer to HTTP library independence,
enabling many future features such as transparent async I/O, automatic
HEAD request parsing, pre/post hooks, and more.

Summary of changes:

  * `Responder::response` no longer takes in `FreshHyperResponse`.
    Instead, it returns a new `Response` type.
  * The new `Response` type now encapsulates a full HTTP response. As a
    result, `Responder`s now return it.
  * The `Handler` type now returns an `Outcome` directly.
  * The `ErrorHandler` returns a `Result`. It can no longer forward,
    which made no sense previously.
  * `Stream` accepts a chunked size parameter.
  * `StatusCode` removed in favor of new `Status` type.
  * `ContentType` significantly modified.
  * New, lightweight `Header` type that plays nicely with `Response`.
2016-12-15 00:47:31 -08:00
Sergio Benitez 4f89e232aa HTML escape < in FromParam docs. 2016-12-10 17:41:44 -08:00
Sergio Benitez 470dc7f63c Improve FromParam documentation. 2016-12-10 02:55:25 -08:00
Sergio Benitez a2e99985b0 Fix data buffer indexing bug. Add from_request example. 2016-11-21 00:45:44 -08:00
Sergio Benitez ba88fcdc95 Document FromRequest. Clarify FromFormValue::default. 2016-11-06 17:07:47 +01:00
Sergio Benitez c2d3bdccdb Document the Failure and Flash responses. 2016-11-02 18:48:43 +01:00
Sergio Benitez c98d047038 Add URI::percent_decoding helper method. Safeguard PathBuf FromSegments implementation. 2016-11-02 16:55:56 +01:00
Sergio Benitez 4326c9103e Propagate error types in FromParam and FromSegment parses. 2016-10-31 18:51:19 +01:00
Sergio Benitez 639cd425ee Add Debug bound to associated parsing Errors. 2016-10-31 18:31:39 +01:00
Sergio Benitez 6a8d64f69b Move the data module into the top-level namespace. 2016-10-25 13:24:07 +02:00
Sergio Benitez f5a5ea3a22 Rename `data` to `content` in `response`. Remove `DataOutcome`. 2016-10-25 13:03:50 +02:00
Sergio Benitez 5447f81f77 Remove RequestOutcome, ResponseOutcome in favor of Outcome. Remove Failure response type. 2016-10-25 11:17:49 +02:00
Sergio Benitez 11b6158276 Refine request module API docs. 2016-10-24 10:09:50 +02:00
Sergio Benitez e70fcd78b9 Properly escape ticks for markdown in Form docs. 2016-10-21 09:06:40 -07:00
Sergio Benitez 2da43e24f7 Document most of the request module. 2016-10-21 02:56:57 -07:00
Sergio Benitez 5a1a303c59 Document the http module. 2016-10-17 19:29:58 -07:00
Sergio Benitez bc5ecb31df Implement a small testing framework in the 'testing' module. 2016-10-16 03:16:16 -07:00
Sergio Benitez 722f613686 Use Outcome as the result of all fallible conversions. 2016-10-13 18:39:23 -07:00
Sergio Benitez b4305cb430 Use 'Content-Type' for format routing. Simplify 'raw_upload' example. 2016-10-12 19:08:19 -07:00
Sergio Benitez 2f35b23514 Remove non-streaming requests. Use streaming requests everywhere.
This commit includes the following important API changes:

  * The `form` route parameter has been removed.
  * The `data` route parameter has been added.
  * Forms are not handled via the `data` parameter and `Form` type.
  * Removed the `data` parameter from `Request`.
  * Added `FromData` conversion trait and default implementation.
  * Added `DataOutcome` enum, which is the return type of `from_data`.
  * 'FromData' is now used to automatically derive the `data` parameter.
  * Moved `form` into `request` module.
  * Removed `Failure::new` in favor of direct value construction.

This commit includes the following important package additions:

  * Added a 'raw_upload' example.
  * `manual_routes` example uses `Data` parameter.
  * Now building and running tests with `--all-features` flag.
  * All examples have been updated to latest API.
  * Now using upstream Tera.

This commit includes the following important fixes:

  * Any valid ident is now allowed in single-parameter route parameters.
  * Lifetimes are now properly stripped in code generation.
  * `FromForm` derive now works on empty structs.
2016-10-12 00:14:42 -07:00
Sergio Benitez d8db812856 Implement streaming requests. 2016-10-09 04:29:02 -07:00
Sergio Benitez 07204a25dd Remove Rocket::from_hyp in favor of Rocket::new. 2016-10-08 21:37:28 -07:00
Sergio Benitez 619b1d787e Rename Response::new to complete. Add Response::failure using newly added Failure response. 2016-10-08 20:53:04 -07:00
Sergio Benitez 8c0d11feab Completely new raw API.
Summary of changes:

  * Request no longer has a lifetime parameter.
  * Handler type now includes a `Data` parameter.
  * Response is now an enum that is either `Complete` or `Forward`.
  * Outcome enum is now one of: Success, Failure, Forward.
  * Outcome::Forward for Responses must include StatusCode.
  * Responders are now final: they cannot forward to requests. (!!)
  * Responders may only forward to catchers. (!!)
  * Response no longer provides wrapping methods.
  * Route is now cloneable.

This change is fundamental to enabling streaming requests.
2016-10-07 23:20:49 -07:00
Sergio Benitez 37e6a367b8 Move the form module under request and outcome to top-level. 2016-10-07 19:27:50 -07:00
Sergio Benitez be3530bb44 Make Outcome generic on its encapsulated type. 2016-10-07 19:09:05 -07:00
Sergio Benitez 6578de4615 Always inline appropriate Request methods. 2016-10-06 21:04:35 -07:00
Sergio Benitez 39f7f2d32b Remove unneeded lifetime in Request.
Previously, a Request's only lifetime parameter referred to itself. This
causes many issues and is simply wrong. Instead, use `transmute` to make
the lifetime `static`. As long as the contents inside Request don't move or
change, the references are valid. We keep the lifetime as a phantom in
`Request` for future use.
2016-10-06 20:57:17 -07:00
Sergio Benitez bcb9bd860b Allow different lifetimes in handler Request reference and its contents. 2016-10-06 20:38:13 -07:00
Sergio Benitez 650d079b58 Make the `uri` parameter in Request private. 2016-10-06 00:08:00 -07:00
Sergio Benitez 647efe15d1 Move uri module into http namespace. 2016-10-03 17:25:27 -07:00
Sergio Benitez 74ec26db95 Namespace HTTP-related types under `http`. 2016-10-03 17:09:13 -07:00
Sergio Benitez 320f2e0efa Document Request. 2016-09-30 20:22:06 -07:00
Sergio Benitez a29d56c52e Reform top-level libs mostly according to Rustfmt. 2016-09-30 15:20:11 -07:00
Sergio Benitez 008605bec7 This commit changes parsing traits and documents some of the core library:
  * All From* trait methods are now named like the trait.
  * All From* traits have an associated Error type.
  * Document all of the `form` module.
  * Add codegen tests for auto-derived forms.
  * The param parsing traits now live under Request.
2016-09-30 01:25:07 -07:00
Sergio Benitez 76cbc14d23 Cleanup core library documentation. 2016-09-29 21:44:27 -07:00
Sergio Benitez e8e85f09cd Add support for flash cookie. Revamp cookie support. 2016-09-11 18:57:04 -07:00
Sergio Benitez b755e53f63 Add trailing params. 2016-09-08 00:02:17 -07:00
Sergio Benitez a6967cb48f Strip lifetimes for generated param types. 2016-09-06 23:24:20 -07:00
Sergio Benitez 8b99016af4 Add `rank` to route attribute. Macrofy is_some ContentType methods. 2016-08-27 05:10:29 -07:00
Sergio Benitez a1ad05e879 This commit is a squash of the following commits:
  * Add content-type responders for JSON, HTML, and plain text.
  * Use content-type responders in content_type example.
  * Conditionally create Request `from` HypRequest.
  * Clean-up dispatching and handling in main rocket.
  * Change Level enum to Logging Level and reexport.
  * Allow users to set logging level before launch.
  * Fix content_type example error handling.
  * Percent decode params when user requests `String`.
2016-08-26 18:37:28 -07:00
Sergio Benitez 90d8621adf Major overhaul: Request, ErrorHandler, ContentType. 2016-08-26 01:55:11 -07:00
Sergio Benitez 3a89cb8e2b Can now retrieve cookies from a handler. SWEET! Bumped version to 0.0.5. 2016-08-08 03:48:00 -07:00
Sergio Benitez 95a8a51b76 Added FromRequest and modified macro to use it: any parameters not declared by the user in the attributes will automatically be retrieved using FromRequest. 2016-08-08 03:10:23 -07:00