Commit Graph

67 Commits

Author SHA1 Message Date
Sergio Benitez 307469dc3a Refuse to build on non-nightly with a nice message. 2017-01-15 01:16:47 -08:00
Sergio Benitez 08278e8f0e New version: 0.1.5. 2017-01-14 08:45:03 -08:00
Sergio Benitez 4bc5c20a45 Fix security checks in `PathBuf::FromSegments`.
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contain any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead returns an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
2017-01-13 13:25:33 -08:00
Sergio Benitez b109bb41ff One more clippy warning (in FromForm derive). 2017-01-09 20:45:34 -08:00
Josh Holmer 59043e262a Fix more codegen clippy warnings. 2017-01-09 20:33:54 -08:00
Josh Holmer 17bbd41f73 Fix clippy warnings caused by codegen. 2017-01-09 17:36:47 -08:00
Sergio Benitez e230ce9b95 Don't overwrite catcher response status if it is set.
Resolves #113.
2017-01-06 01:32:43 -06:00
Sergio Benitez 2da08a975c Make Content-Type case-preserving; add 'params' method. 2017-01-05 02:14:44 -06:00
Sergio Benitez 855d9b7b00 New version: 0.1.4. 2017-01-04 11:18:49 -06:00
Sergio Benitez b202fb9748 Update codegen for 2017-01-03 nightly. 2017-01-04 11:18:22 -06:00
Sergio Benitez 6fdc6f025f New version: 0.1.3. 2016-12-31 01:31:11 -06:00
Sergio Benitez a1878ad080 Properly resolve dynamic segments, take 2.
Fixes #86.
2016-12-30 23:51:23 -06:00
Sergio Benitez 524a2d889d Fix typo in build warning message. 2016-12-30 20:06:48 -06:00
Sergio Benitez 366eb5d158 Test methods via route attribute. 2016-12-30 01:46:47 -06:00
Sergio Benitez 2de006d9f9 Allow head decorator and options via route decorator. 2016-12-30 01:41:46 -06:00
Sergio Benitez bad0c20cda Check for rustc version incompatibility when building codegen. 2016-12-30 00:22:05 -06:00
Sergio Benitez 337173eaf4 Use register_custom_derive to remove custom_derive deprecation warning. 2016-12-29 22:06:35 -06:00
Sergio Benitez 9da512c60c Warn, but don't error, on unknown route formats.
Partially fixes #66.
2016-12-27 15:30:33 -06:00
Sergio Benitez 71419933a5 Ignore _method field in derived FromForm.
Fixes #45.
2016-12-26 02:41:57 -06:00
Sergio Benitez fb7a756cf1 New version: 0.1.2. 2016-12-24 14:15:00 -08:00
Sergio Benitez 9cebab5037 Fix get_raw_segments index argument in route codegen.
Fixes #41.
2016-12-24 11:58:24 -08:00
Sergio Benitez 14f79c3733 New version: 0.1.1. NamedFile hotfix. 2016-12-23 12:30:44 -08:00
Sergio Benitez 2a1426779c Limit keywords for crates.io. 2016-12-23 05:12:39 -08:00
Sergio Benitez a94fcf41db New version: 0.1.0. First public release! 2016-12-23 05:03:07 -08:00
Sergio Benitez 22a058d2d5 Add Cargo metadata to contrib and codegen crates. 2016-12-23 04:20:46 -08:00
Sergio Benitez d56ea65f27 Fix versions for packaging. 2016-12-23 03:55:59 -08:00
Sergio Benitez b6e3cb6c05 Document segments and debug env var in codegen. 2016-12-23 02:37:57 -08:00
Sergio Benitez 2c26777c75 Expose a single function in codegen to docs build. 2016-12-22 04:15:29 -08:00
Sergio Benitez 7da41112cf Document the codegen crate. 2016-12-22 02:26:02 -08:00
Sergio Benitez 7cf3cb6bc6 Only enable codegen logging with env var. 2016-12-22 00:53:43 -08:00
Sergio Benitez 76073718c7 New version: 0.1.0 release candidate. 2016-12-22 00:05:05 -08:00
Sergio Benitez 62fe734492 URI uses Cow internally. 2016-12-21 00:09:22 -08:00
Sergio Benitez 1fae041ef5 PR merged. Update to main compiletest. 2016-12-16 15:47:58 -08:00
Sergio Benitez e2fcd75325 Use forked compiletest for latest nightly. 2016-12-16 15:14:11 -08:00
Sergio Benitez 2e25ce04dc Automatically handle HEAD requests. 2016-12-16 05:17:16 -08:00
Sergio Benitez 44f5f1998d New HTTP types: ContentType, Status. Responder/Handler/ErrorHandler changed.
This is a complete rework of `Responder`s and of the http backend in
general. This gets Rocket one step closer to HTTP library independence,
enabling many future features such as transparent async I/O, automatic
HEAD request parsing, pre/post hooks, and more.

Summary of changes:

  * `Responder::response` no longer takes in `FreshHyperResponse`.
    Instead, it returns a new `Response` type.
  * The new `Response` type now encapsulates a full HTTP response. As a
    result, `Responder`s now return it.
  * The `Handler` type now returns an `Outcome` directly.
  * The `ErrorHandler` returns a `Result`. It can no longer forward,
    which made no sense previously.
  * `Stream` accepts a chunked size parameter.
  * `StatusCode` removed in favor of new `Status` type.
  * `ContentType` significantly modified.
  * New, lightweight `Header` type that plays nicely with `Response`.
2016-12-15 00:47:31 -08:00
Sergio Benitez 5fca86c84f New version: 0.0.11. 2016-12-11 22:23:08 -08:00
Sergio Benitez 0731cd6150 Update rocket_codegen for latest nightly. 2016-12-06 00:31:01 -08:00
Sergio Benitez aff3f643f1 Skip testing todo example: Diesel is broken again. 2016-11-21 13:39:28 -08:00
Sergio Benitez 004cae7627 Fix codegen tests for new lib. Make UTF8 charset the default for text content types. 2016-11-02 17:39:41 +01:00
Sergio Benitez 4326c9103e Propagate error types in FromParam and FromSegment parses. 2016-10-31 18:51:19 +01:00
Sergio Benitez 639cd425ee Add Debug bound to associated parsing Errors. 2016-10-31 18:31:39 +01:00
Sergio Benitez 25d55b4b0f Disallow use of data parameter with non-payload methods. 2016-10-25 16:42:10 +02:00
Sergio Benitez 6a8d64f69b Move the data module into the top-level namespace. 2016-10-25 13:24:07 +02:00
Sergio Benitez 722f613686 Use Outcome as the result of all fallible conversions. 2016-10-13 18:39:23 -07:00
Sergio Benitez 2f35b23514 Remove non-streaming requests. Use streaming requests everywhere.
This commit includes the following important API changes:

  * The `form` route parameter has been removed.
  * The `data` route parameter has been added.
  * Forms are not handled via the `data` parameter and `Form` type.
  * Removed the `data` parameter from `Request`.
  * Added `FromData` conversion trait and default implementation.
  * Added `DataOutcome` enum, which is the return type of `from_data`.
  * 'FromData' is now used to automatically derive the `data` parameter.
  * Moved `form` into `request` module.
  * Removed `Failure::new` in favor of direct value construction.

This commit includes the following important package additions:

  * Added a 'raw_upload' example.
  * `manual_routes` example uses `Data` parameter.
  * Now building and running tests with `--all-features` flag.
  * All examples have been updated to latest API.
  * Now using upstream Tera.

This commit includes the following important fixes:

  * Any valid ident is now allowed in single-parameter route parameters.
  * Lifetimes are now properly stripped in code generation.
  * `FromForm` derive now works on empty structs.
2016-10-12 00:14:42 -07:00
Sergio Benitez 619b1d787e Rename Response::new to complete. Add Response::failure using newly added Failure response. 2016-10-08 20:53:04 -07:00
Sergio Benitez 8c0d11feab Completely new raw API.
Summary of changes:

  * Request no longer has a lifetime parameter.
  * Handler type now includes a `Data` parameter.
  * Response is now an enum that is either `Complete` or `Forward`.
  * Outcome enum is now one of: Success, Failure, Forward.
  * Outcome::Forward for Responses must include StatusCode.
  * Responders are now final: they cannot forward to requests. (!!)
  * Responders may only forward to catchers. (!!)
  * Response no longer provides wrapping methods.
  * Route is now cloneable.

This change is fundamental to enabling streaming requests.
2016-10-07 23:20:49 -07:00
Sergio Benitez 37e6a367b8 Move the form module under request and outcome to top-level. 2016-10-07 19:27:50 -07:00
Sergio Benitez d321e1de8d Add query param to complete decorator test. 2016-10-07 18:45:55 -07:00