rwf2
/
Rocket
mirror of https://github.com/rwf2/Rocket.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
384 Commits 7 Branches 63 Tags 23 MiB
Commit Graph

222 Commits

Author SHA1 Message Date
Sergio Benitez e044452b49 New version: 0.1.5. 
This is a security hotfix release.
 2017-01-14 08:37:17 -08:00
Sergio Benitez d58c704d23 Fix security checks in `PathBuf::FromSegments`. 
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path with
containing any number of `..%2f..` sequences to traverse the file system.

This commit resolves the issue by ensuring that the decoded segment does not
contains any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.

The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead return an error.

The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.

Closes #134.
 2017-01-14 08:28:29 -08:00
Sergio Benitez 855d9b7b00 New version: 0.1.4. 2017-01-04 11:18:49 -06:00
Sergio Benitez 24805bbf16 Treat header names as case-preserving in HeaderMap. 
Fixes #92.
 2017-01-02 21:33:36 -06:00
Sergio Benitez 82f6f78189 Add UncasedAscii{Ref} type(s) that are case-preserving strings. 2017-01-02 21:32:29 -06:00
Sergio Benitez 6fdc6f025f New version: 0.1.3. 2016-12-31 01:31:11 -06:00
Liigo Zhuang 0af01abe5f Fix decoding of String form values. 
@liigo originated a fix and found the problem in #82.
 2016-12-31 01:06:22 -06:00
Sergio Benitez 83bbea7d4a Fix decoding of form value Strings. 2016-12-31 00:48:31 -06:00
Greg Edwards d19cb0349c Only override request methods via '_method' on POST. 2016-12-31 00:00:47 -06:00
Sergio Benitez a1878ad080 Properly resolve dynamic segments, take 2. 
Fixes #86.
 2016-12-30 23:51:23 -06:00
Sergio Benitez 1f373cc83a Rename 'content_type' Route field to 'format'. 2016-12-30 20:15:28 -06:00
Sergio Benitez 20f13f0bc1 Add CSV as a known Content-Type. 2016-12-27 15:42:27 -06:00
Sergio Benitez 1e3f1961cd Remove unnecessary new line. 
(really just trying to trigger Travis)
 2016-12-26 18:46:14 -06:00
Sergio Benitez 2299a3e5a6 Don't depend on path separator in segments tests. 2016-12-26 17:18:15 -06:00
Sergio Benitez 71419933a5 Ignore _method field in derived FromForm. 
Fixes #45.
 2016-12-26 02:41:57 -06:00
Sean Griffin eb8d973abd Fix typo in Outcome formatting: Succcess -> Success. 2016-12-25 21:37:06 -06:00
Sergio Benitez fb7a756cf1 New version: 0.1.2. 2016-12-24 14:15:00 -08:00
Sergio Benitez 9cebab5037 Fix get_raw_segments index argument in route codegen. 
Fixes #41.
 2016-12-24 11:58:24 -08:00
Sergio Benitez 14f79c3733 New version: 0.1.1. NamedFile hotfix. 2016-12-23 12:30:44 -08:00
Sergio Benitez 591963106e Update NamedFile documentation. 2016-12-23 12:02:17 -08:00
Sergio Benitez 16f70480f5 Actually send the file via NamedFile. 2016-12-23 11:51:11 -08:00
Sergio Benitez a94fcf41db New version: 0.1.0. First public release! 2016-12-23 05:03:07 -08:00
Sergio Benitez 22a058d2d5 Add Cargo metadata to contrib and codegen crates. 2016-12-23 04:20:46 -08:00
Sergio Benitez 25a4469791 Add Cargo metadata for packaging. 2016-12-23 03:36:26 -08:00
Sergio Benitez 12302bcadb Document default FromParam impls. 2016-12-23 02:39:34 -08:00
Sergio Benitez 7d97bf04ea Prepend http:// to address:port in launch message. 2016-12-22 05:27:23 -08:00
Sergio Benitez 595cc5be57 Emit warning about disabled session keys. 2016-12-22 01:29:58 -08:00
Sergio Benitez 76073718c7 New version: 0.1.0 release candidate. 2016-12-22 00:05:05 -08:00
Sergio Benitez 2dc1ba29f0 Adds tests for JSON example. Emit warning from JSON FromData. 
This also includes a tiny change to the `mk-docs` script to build a
blank index at the root of the docs.
 2016-12-21 22:56:58 -08:00
Sergio Benitez b9742c1202 Fix broken links in docs. 2016-12-21 01:33:45 -08:00
Sergio Benitez 80632689f4 Document Request. 2016-12-21 01:30:45 -08:00
Sergio Benitez dedf5094fe Remove URIBuf. 2016-12-21 00:20:14 -08:00
Sergio Benitez 62fe734492 URI uses Cow iternally. 2016-12-21 00:09:22 -08:00
Sergio Benitez f3b7b7db5e Add example for FromData. 2016-12-20 18:07:14 -08:00
Sergio Benitez c61e40f5a3 Document config ParsingError. 2016-12-20 17:27:46 -08:00
Sergio Benitez 0acb9eab83 Document Response. Update Config tests. 2016-12-20 17:27:31 -08:00
Sergio Benitez 6e2913fc5c Cleanup Responder documentation. 2016-12-20 13:40:02 -08:00
Sergio Benitez abdb8c2aa1 Document ResponseBuilder. 2016-12-19 23:29:20 -08:00
Sergio Benitez d44c61f1af Redocument ContentType. 2016-12-19 20:40:21 -08:00
Sergio Benitez ddbd7966f7 Document Body. Derive Clone/Copy/PartialEq appropriately in response module. 2016-12-19 20:10:24 -08:00
Sergio Benitez 1851187a2d Reword http module documentation. 2016-12-19 19:50:27 -08:00
Sergio Benitez f101069610 Document Status and StatusClass. 2016-12-19 19:46:49 -08:00
Sergio Benitez 3414266a8a Document Header and HeaderMap. 2016-12-19 18:04:31 -08:00
Sergio Benitez 8d8d504b59 Document Config. Cleaner lib/handler docs. 2016-12-19 16:51:59 -08:00
Sergio Benitez dd7e95b3c5 Panic on illegal, dynamic mount points. 2016-12-17 10:51:44 -08:00
Sergio Benitez f1c7d3e27c Minor code improvements via clippy. 2016-12-17 09:18:30 -08:00
Sergio Benitez d39c47aaf2 Hyper has merged Rocket changes. Update to mainline. 2016-12-16 15:48:16 -08:00
Sergio Benitez e2fcd75325 Use forked compiletest for latest nightly. 2016-12-16 15:14:11 -08:00
Sergio Benitez 2e25ce04dc Automatically handle HEAD requests. 2016-12-16 05:17:16 -08:00
Sergio Benitez 6815a56cb5 Rework Request: add lifetime to future proof, remove unsafe. 2016-12-16 03:07:23 -08:00