Commit Graph

23 Commits

Author SHA1 Message Date
Sergio Benitez 8eef42a256 Compile-time enforce paths as absolute, non-empty, valid segments. 2017-02-06 04:03:30 -08:00
Sergio Benitez 92f22ca63b Fix false positives in unmounted_routes lint due to 'launch'. 2017-02-05 02:11:32 -08:00
Sergio Benitez b69527c392 Reenable the options decorator. 2017-02-02 15:02:32 -08:00
Sergio Benitez ed429cd487 Change FromForm signature. Emit 422 form errors on bad form strings.
This commit changes the way Rocket parses form items. In particular, it now
(liberally) validates form strings, returning a Bad Request on malformed inputs
and Unprocessable Entity on bad parses.

The 'FormItems' iterator was modified to accomodate this. The iterator is now
initialized using 'from': 'FormItems::from(form_string)'. The iterator can be
queried to check for a complete parse using either 'completed()' or
'exhausted()', the latter of which will consume valid keys/values and return
true only if the entire string was consumed.

The 'FromForm' trait now takes a mutable borrow to a 'FormItems' iterator.

The 'Form' and 'FormForm' implementation for 'Form' were modified to use the new
iterfaces and check for 'exhausted' after a parse, returning a Bad Request error
if the iterator cannot be exhausted.

Resolves #46.
2017-02-01 18:22:51 -08:00
Sergio Benitez 3235e1e5e6 Make 'false' the default value for bools in forms. 2017-02-01 00:12:11 -08:00
Sergio Benitez c1697509ba Improve lints: gather info on per-instance basis. 2017-01-31 02:01:30 -08:00
Sergio Benitez 4bc5c20a45 Fix security checks in `PathBuf::FromSegments`.
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path with
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contains any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead return an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
2017-01-13 13:25:33 -08:00
Sergio Benitez 366eb5d158 Test methods via route attribute. 2016-12-30 01:46:47 -06:00
Sergio Benitez 2de006d9f9 Allow head decorator and options via route decorator. 2016-12-30 01:41:46 -06:00
Sergio Benitez 9da512c60c Warn, but don't error, on unknown route formats.
Partially fixes #66.
2016-12-27 15:30:33 -06:00
Sergio Benitez 71419933a5 Ignore _method field in derived FromForm.
Fixes #45.
2016-12-26 02:41:57 -06:00
Sergio Benitez 62fe734492 URI uses Cow iternally. 2016-12-21 00:09:22 -08:00
Sergio Benitez 004cae7627 Fix codegen tests for new lib. Make UTF8 charset the default for text content types. 2016-11-02 17:39:41 +01:00
Sergio Benitez 639cd425ee Add Debug bound to associated parsing Errors. 2016-10-31 18:31:39 +01:00
Sergio Benitez 2f35b23514 Remove non-streaming requests. Use streaming requests everywhere.
This commit includes the following important API changes:

  * The `form` route parameter has been removed.
  * The `data` route parameter has been added.
  * Forms are not handled via the `data` parameter and `Form` type.
  * Removed the `data` parameter from `Request`.
  * Added `FromData` conversion trate and default implementation.
  * Added `DataOutcome` enum, which is the return type of `from_data`.
  * 'FromData' is now used to automatically derive the `data` parameter.
  * Moved `form` into `request` module.
  * Removed `Failure::new` in favor of direct value construction.

This commit includes the following important package additions:

  * Added a 'raw_upload' example.
  * `manual_routes` example uses `Data` parameter.
  * Now building and running tests with `--all-features` flag.
  * All exmaples have been updated to latest API.
  * Now using upstream Tera.

This commit includes the following important fixes:

  * Any valid ident is now allowed in single-parameter route parameters.
  * Lifetimes are now properly stripped in code generation.
  * `FromForm` derive now works on empty structs.
2016-10-12 00:14:42 -07:00
Sergio Benitez 8c0d11feab Completely new raw API.
Summary of changes:

  * Request no longer has a lifetime parameter.
  * Handler type now includes a `Data` parameter.
  * Response is now an enum that is either `Complete` or `Forward`.
  * Outcome enum is now one of: Success, Failure, Forward.
  * Outcome::Foward for Responses must include StatusCode.
  * Responders are now final: they cannot forward to requests. (!!)
  * Responsers may only forward to catchers. (!!)
  * Response no longer provides wrapping methods.
  * Route is now cloneable.

This change is fundamental to enabling streaming requests.
2016-10-07 23:20:49 -07:00
Sergio Benitez 37e6a367b8 Move the form module under request and outcome to top-level. 2016-10-07 19:27:50 -07:00
Sergio Benitez d321e1de8d Add query param to complete decorator test. 2016-10-07 18:45:55 -07:00
Sergio Benitez bcb9bd860b Allow different lifetimes in handler Request reference and its contents. 2016-10-06 20:38:13 -07:00
Sergio Benitez d4f9525b22 Allow error handlers to take 0, 1, or 2 parameters.
fixes #13
2016-10-04 15:05:25 -07:00
Sergio Benitez 008605bec7 This commit changes parsing traits and documents some of the core library:
* All From* trait methods are now named like the trait.
  * All From* traits have an associated Error type.
  * Document all of the `form` module.
  * Add codegen tests for auto-derived forms.
  * The param parsing traits now live under Request.
2016-09-30 01:25:07 -07:00
Sergio Benitez 3ddc133a0e Add more codegen tests. 2016-09-28 20:39:14 -07:00
Sergio Benitez 46f73ed57c Renamed macros to codegen. 2016-09-08 20:38:58 -07:00