Sergio Benitez
e044452b49
New version: 0.1.5.
...
This is a security hotfix release.
2017-01-14 08:37:17 -08:00
Sergio Benitez
fe2252223f
Remove proc_macro as feature.
2017-01-14 08:36:46 -08:00
Sergio Benitez
d58c704d23
Fix security checks in `PathBuf::FromSegments`.
...
In #134, @tunz discovered that Rocket does not properly prevent path traversal
or local file inclusion attacks. The issue is caused by a failure to check for
some dangerous characters after decoding. In this case, the path separator '/'
was left as-is after decoding. As such, an attacker could construct a path
containing any number of `..%2f..` sequences to traverse the file system.
This commit resolves the issue by ensuring that the decoded segment does not
contain any `/` characters. It further hardens the `FromSegments`
implementation by checking for additional risky characters: ':', '>', '<' as the
last character, and '\' on Windows. This is in addition to the already present
checks for '.' and '*' as the first character.
The behavior for a failing check has also changed. Previously, Rocket would skip
segments that contained illegal characters. In this commit, the implementation
instead returns an error.
The `Error` type of the `PathBuf::FromSegment` implementations was changed to a
new `SegmentError` type that indicates the condition that failed.
Closes #134.
2017-01-14 08:28:29 -08:00
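The decode-then-validate order described in the commit message above, as an added Rust sketch. It is not Rocket's code: `SegmentCheck`, `percent_decode`, `check_segment` and `check_path` are hypothetical names, and the sketch reads "as the last character" as applying to all of ':', '>' and '<'.

```rust
// Added illustration; not Rocket's source. All names here are hypothetical.
#[derive(Debug, PartialEq)]
enum SegmentCheck { BadEncoding, BadStart(char), BadChar(char), BadEnd(char) }

// Minimal percent-decoder written for this example only.
fn percent_decode(raw: &str) -> Result<String, SegmentCheck> {
    let bytes = raw.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // Require exactly two hex digits after '%'.
            let hex = raw.get(i + 1..i + 3)
                .filter(|h| h.bytes().all(|b| b.is_ascii_hexdigit()))
                .ok_or(SegmentCheck::BadEncoding)?;
            out.push(u8::from_str_radix(hex, 16).map_err(|_| SegmentCheck::BadEncoding)?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).map_err(|_| SegmentCheck::BadEncoding)
}

// Every check runs on the decoded text, so an encoded separator cannot slip by.
fn check_segment(raw: &str, windows: bool) -> Result<String, SegmentCheck> {
    let decoded = percent_decode(raw)?;
    if let Some(c) = decoded.chars().next().filter(|&c| matches!(c, '.' | '*')) {
        return Err(SegmentCheck::BadStart(c));
    }
    if let Some(c) = decoded.chars().last().filter(|&c| matches!(c, ':' | '>' | '<')) {
        return Err(SegmentCheck::BadEnd(c));
    }
    if let Some(c) = decoded.chars().find(|&c| c == '/' || (windows && c == '\\')) {
        return Err(SegmentCheck::BadChar(c));
    }
    Ok(decoded)
}

// A failing segment is an error for the whole path; it is not skipped.
fn check_path(path: &str, windows: bool) -> Result<Vec<String>, SegmentCheck> {
    path.split('/').filter(|s| !s.is_empty()).map(|s| check_segment(s, windows)).collect()
}

fn main() {
    // Constructed sample paths.
    for p in ["static/css/site.css", "..%2f..%2fetc", "a%2fb", "x%5cy", "notes:"] {
        println!("{:?} -> {:?}", p, check_path(p, cfg!(windows)));
    }
}
```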
Sergio Benitez
855d9b7b00
New version: 0.1.4.
2017-01-04 11:18:49 -06:00
Sergio Benitez
b202fb9748
Update codegen for 2017-01-03 nightly.
2017-01-04 11:18:22 -06:00
Sergio Benitez
24805bbf16
Treat header names as case-preserving in HeaderMap.
...
Fixes #92.
2017-01-02 21:33:36 -06:00
Sergio Benitez
82f6f78189
Add UncasedAscii{Ref} type(s) that are case-preserving strings.
2017-01-02 21:32:29 -06:00
Sergio Benitez
2852c526c3
Fix minor typos in CHANGELOG.
2016-12-31 02:08:43 -06:00
Sergio Benitez
16c42289a9
Add crates.io badge.
2016-12-31 02:02:58 -06:00
Sergio Benitez
6fdc6f025f
New version: 0.1.3.
2016-12-31 01:31:11 -06:00
Liigo Zhuang
0af01abe5f
Fix decoding of String form values.
...
@liigo originated a fix and found the problem in #82.
2016-12-31 01:06:22 -06:00
Sergio Benitez
83bbea7d4a
Fix decoding of form value Strings.
2016-12-31 00:48:31 -06:00
Greg Edwards
d19cb0349c
Only override request methods via '_method' on POST.
2016-12-31 00:00:47 -06:00
Sergio Benitez
a1878ad080
Properly resolve dynamic segments, take 2.
...
Fixes #86.
2016-12-30 23:51:23 -06:00
Sergio Benitez
1f373cc83a
Rename 'content_type' Route field to 'format'.
2016-12-30 20:15:28 -06:00
Sergio Benitez
524a2d889d
Fix typo in build warning message.
2016-12-30 20:06:48 -06:00
Sergio Benitez
366eb5d158
Test methods via route attribute.
2016-12-30 01:46:47 -06:00
Sergio Benitez
2de006d9f9
Allow head decorator and options via route decorator.
2016-12-30 01:41:46 -06:00
Sergio Benitez
bad0c20cda
Check for rustc version incompatibility when building codegen.
2016-12-30 00:22:05 -06:00
Sergio Benitez
337173eaf4
Use register_custom_derive to remove custom_derive deprecation warning.
2016-12-29 22:06:35 -06:00
Sergio Benitez
d610e0adff
Update Tera dependency to 0.6.
2016-12-29 21:26:22 -06:00
Sergio Benitez
f43f77dbfc
Improve Template docs and implement Display.
2016-12-29 13:20:30 -06:00
Seth Lopez
9580d6cdfd
Add tests for optional_redirect example.
2016-12-29 12:41:51 -06:00
Matt McCoy
21ddb7390f
Add tests for query_params example.
2016-12-28 23:20:21 -06:00
Marcus Ball
a33e225e71
Properly resolve nested template names on Windows.
2016-12-28 23:04:18 -06:00
Sergio Benitez
accfa17e6d
Tab regex isn't cross-platform. Use literal.
2016-12-28 22:47:29 -06:00
Sergio Benitez
7a882fd967
Disallow tabs in testing script.
2016-12-28 22:33:56 -06:00
Joel Roller
8deac6dba9
Add '.tera' extension to default Tera escapes.
2016-12-28 21:11:56 -06:00
Seth Lopez
ab94e344b4
Add tests for optional_result example.
2016-12-28 21:05:15 -06:00
Sergio Benitez
55a2535896
Clean up config example.
2016-12-28 18:24:54 -06:00
Seth Lopez
e650587159
Add tests for config example.
2016-12-28 18:09:19 -06:00
Sergio Benitez
1e2237d726
Add badge linking to Rocket's homepage.
2016-12-27 17:20:24 -06:00
Sergio Benitez
e9ad5b5c02
Switch Travis badge to public builds.
2016-12-27 16:09:50 -06:00
Sergio Benitez
20f13f0bc1
Add CSV as a known Content-Type.
2016-12-27 15:42:27 -06:00
Sergio Benitez
9da512c60c
Warn, but don't error, on unknown route formats.
...
Partially fixes #66.
2016-12-27 15:30:33 -06:00
Sergio Benitez
3d0f7f2f80
Clarify todo example requirements.
2016-12-27 02:38:21 -06:00
Sergio Benitez
588d95aa58
Remove RDP info from AppVeyor build: it's public.
2016-12-27 02:15:04 -06:00
Sergio Benitez
4f30afc30f
Show RDP information when starting AppVeyor build.
2016-12-27 02:04:47 -06:00
Sergio Benitez
622aea973a
Remove file unrelated to Rocket in .gitignore.
2016-12-26 19:15:23 -06:00
Eric D. Reichert
13cac7db45
Fix URL to config guide in templates/mod.rs.
2016-12-26 19:05:06 -06:00
Sergio Benitez
1e3f1961cd
Remove unnecessary new line.
...
(really just trying to trigger Travis)
2016-12-26 18:46:14 -06:00
Sergio Benitez
2299a3e5a6
Don't depend on path separator in segments tests.
2016-12-26 17:18:15 -06:00
Sergio Benitez
71419933a5
Ignore _method field in derived FromForm.
...
Fixes #45.
2016-12-26 02:41:57 -06:00
Sergio Benitez
f86b1cd775
Print a nice message when readlink/readpath support is bad.
2016-12-25 22:23:54 -06:00
Sean Griffin
eb8d973abd
Fix typo in Outcome formatting: Succcess -> Success.
2016-12-25 21:37:06 -06:00
Sergio Benitez
61fb573622
Check git status in publish script.
2016-12-24 17:33:43 -06:00
Sergio Benitez
fb7a756cf1
New version: 0.1.2.
2016-12-24 14:15:00 -08:00
Sergio Benitez
89f42a614d
Properly resolve nested template names in contrib.
...
Fixes #42.
2016-12-24 14:03:56 -08:00
Sergio Benitez
de6de99caf
Add script to automate publishing.
2016-12-24 13:05:32 -08:00
Sergio Benitez
61a998f227
Add script to bump version numbers.
2016-12-24 12:41:30 -08:00