rwf2
/
Rocket
mirror of https://github.com/rwf2/Rocket.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
416 Commits 7 Branches 63 Tags 23 MiB
Commit Graph

234 Commits

Author SHA1 Message Date
Sergio Benitez d4d5c5dd29 Override config parameters via environment variables. 
Resolves #37.
 2017-01-14 07:55:08 -08:00
Sergio Benitez 4bc5c20a45 Fix security checks in `PathBuf::FromSegments`. 
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path with
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contains any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead return an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
 2017-01-13 13:25:33 -08:00
Sergio Benitez 41aecc3e7f Expose the remote address via `remote()` in `Request`. 
This commit also includes the following changes:

  * `FromRequest` for `SocketAddr` implemented: extracts remote address.
  * All built-in `FromRequest` implementations are documented.
  * Request preprocessing overrides remote IP with value from X-Real-IP header.
  * `MockRequest` allows setting the remote address with `remote()`.

Resolves #38.
 2017-01-13 07:50:51 -08:00
Sergio Benitez c6fbc44888 Add TODO about improving builder finalize error. 2017-01-12 02:43:00 -08:00
Sergio Benitez ddda8fe79b Add workers config parameter. 2017-01-12 02:38:14 -08:00
Sergio Benitez fb24ee315c Overhaul configuration and custom ignition. 
* Add Config::new() and Config::build() for simpler Config creation.
  * Add set_{param} methods to Config.
  * Add ConfigBuilder type for easy building of configurations.
  * Remove builder methods from Config.
  * PartialEq in Config doesn't consider path or session key.
  * Rocket::custom takes Config by value.
  * Rocket::custom takes second (enable_logging) boolean argument.
  * Rocket::custom properly sets the custom config as the active config.
 2017-01-11 18:35:09 -08:00
Dru Sellers a6084ab3e2 Change the type for port to u16 in config. 2017-01-09 16:48:27 -08:00
Sergio Benitez e230ce9b95 Don't overwrite catcher response status if it is set. 
Resolves #113.
 2017-01-06 01:32:43 -06:00
Sergio Benitez 21a1bde7c0 Add Header methods to get name and value as strs. 2017-01-06 01:03:08 -06:00
Sergio Benitez 6165a6705c Add more comments on dispatch logic. 2017-01-06 00:42:24 -06:00
Sergio Benitez 8f8dde812d Remove unnecessary fields in Redirect Response. 2017-01-06 00:42:10 -06:00
Sergio Benitez 042dcadf43 Expose DataStream directly to allow for stream composition. 2017-01-05 15:13:13 -06:00
Sergio Benitez 069f09cb7e Make 'cargo test' work without '--all-features'. 2017-01-05 14:51:00 -06:00
Sergio Benitez 2da08a975c Make Content-Type case-preserving; add 'params' method. 2017-01-05 02:14:44 -06:00
Sergio Benitez 855d9b7b00 New version: 0.1.4. 2017-01-04 11:18:49 -06:00
Sergio Benitez 24805bbf16 Treat header names as case-preserving in HeaderMap. 
Fixes #92.
 2017-01-02 21:33:36 -06:00
Sergio Benitez 82f6f78189 Add UncasedAscii{Ref} type(s) that are case-preserving strings. 2017-01-02 21:32:29 -06:00
Sergio Benitez 6fdc6f025f New version: 0.1.3. 2016-12-31 01:31:11 -06:00
Liigo Zhuang 0af01abe5f Fix decoding of String form values. 
@liigo originated a fix and found the problem in #82.
 2016-12-31 01:06:22 -06:00
Sergio Benitez 83bbea7d4a Fix decoding of form value Strings. 2016-12-31 00:48:31 -06:00
Greg Edwards d19cb0349c Only override request methods via '_method' on POST. 2016-12-31 00:00:47 -06:00
Sergio Benitez a1878ad080 Properly resolve dynamic segments, take 2. 
Fixes #86.
 2016-12-30 23:51:23 -06:00
Sergio Benitez 1f373cc83a Rename 'content_type' Route field to 'format'. 2016-12-30 20:15:28 -06:00
Sergio Benitez 20f13f0bc1 Add CSV as a known Content-Type. 2016-12-27 15:42:27 -06:00
Sergio Benitez 1e3f1961cd Remove unnecessary new line. 
(really just trying to trigger Travis)
 2016-12-26 18:46:14 -06:00
Sergio Benitez 2299a3e5a6 Don't depend on path separator in segments tests. 2016-12-26 17:18:15 -06:00
Sergio Benitez 71419933a5 Ignore _method field in derived FromForm. 
Fixes #45.
 2016-12-26 02:41:57 -06:00
Sean Griffin eb8d973abd Fix typo in Outcome formatting: Succcess -> Success. 2016-12-25 21:37:06 -06:00
Sergio Benitez fb7a756cf1 New version: 0.1.2. 2016-12-24 14:15:00 -08:00
Sergio Benitez 9cebab5037 Fix get_raw_segments index argument in route codegen. 
Fixes #41.
 2016-12-24 11:58:24 -08:00
Sergio Benitez 14f79c3733 New version: 0.1.1. NamedFile hotfix. 2016-12-23 12:30:44 -08:00
Sergio Benitez 591963106e Update NamedFile documentation. 2016-12-23 12:02:17 -08:00
Sergio Benitez 16f70480f5 Actually send the file via NamedFile. 2016-12-23 11:51:11 -08:00
Sergio Benitez a94fcf41db New version: 0.1.0. First public release! 2016-12-23 05:03:07 -08:00
Sergio Benitez 22a058d2d5 Add Cargo metadata to contrib and codegen crates. 2016-12-23 04:20:46 -08:00
Sergio Benitez 25a4469791 Add Cargo metadata for packaging. 2016-12-23 03:36:26 -08:00
Sergio Benitez 12302bcadb Document default FromParam impls. 2016-12-23 02:39:34 -08:00
Sergio Benitez 7d97bf04ea Prepend http:// to address:port in launch message. 2016-12-22 05:27:23 -08:00
Sergio Benitez 595cc5be57 Emit warning about disabled session keys. 2016-12-22 01:29:58 -08:00
Sergio Benitez 76073718c7 New version: 0.1.0 release candidate. 2016-12-22 00:05:05 -08:00
Sergio Benitez 2dc1ba29f0 Adds tests for JSON example. Emit warning from JSON FromData. 
This also includes a tiny change to the `mk-docs` script to build a
blank index at the root of the docs.
 2016-12-21 22:56:58 -08:00
Sergio Benitez b9742c1202 Fix broken links in docs. 2016-12-21 01:33:45 -08:00
Sergio Benitez 80632689f4 Document Request. 2016-12-21 01:30:45 -08:00
Sergio Benitez dedf5094fe Remove URIBuf. 2016-12-21 00:20:14 -08:00
Sergio Benitez 62fe734492 URI uses Cow iternally. 2016-12-21 00:09:22 -08:00
Sergio Benitez f3b7b7db5e Add example for FromData. 2016-12-20 18:07:14 -08:00
Sergio Benitez c61e40f5a3 Document config ParsingError. 2016-12-20 17:27:46 -08:00
Sergio Benitez 0acb9eab83 Document Response. Update Config tests. 2016-12-20 17:27:31 -08:00
Sergio Benitez 6e2913fc5c Cleanup Responder documentation. 2016-12-20 13:40:02 -08:00
Sergio Benitez abdb8c2aa1 Document ResponseBuilder. 2016-12-19 23:29:20 -08:00