Merge d623e7b269 into cede0c6dbb

2025-03-10 14:54:20 -07:00 · 2025-03-10 14:54:20 -07:00 · 68ddd2bbf6
parent cede0c6dbb d623e7b269
commit 68ddd2bbf6
3 changed files with 35 additions and 1 deletions
--- a/actix-files/CHANGES.md
+++ b/actix-files/CHANGES.md
@ -3,6 +3,7 @@
 ## Unreleased

 - Minimum supported Rust version (MSRV) is now 1.75.
+- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed.

 ## 0.6.6

--- a/actix-files/src/path_buf.rs
+++ b/actix-files/src/path_buf.rs
@ -40,11 +40,12 @@ impl PathBufWrap {
            return Err(UriSegmentError::BadChar('/'));
        }

+        // disallow invalid or suspicious path segments
        for segment in path.split('/') {
            if segment == ".." {
                segment_count -= 1;
                buf.pop();
-            } else if !hidden_files && segment.starts_with('.') {
+            } else if segment != ".well-known" && !hidden_files && segment.starts_with('.') {
                return Err(UriSegmentError::BadStart('.'));
            } else if segment.starts_with('*') {
                return Err(UriSegmentError::BadStart('*'));
@ -105,6 +106,10 @@ mod tests {
            PathBufWrap::from_str("/test/.tt").map(|t| t.0),
            Err(UriSegmentError::BadStart('.'))
        );
+        assert_eq!(
+            PathBufWrap::from_str("/.well-known/test/.tt").map(|t| t.0),
+            Err(UriSegmentError::BadStart('.'))
+        );
        assert_eq!(
            PathBufWrap::from_str("/test/*tt").map(|t| t.0),
            Err(UriSegmentError::BadStart('*'))
@ -144,6 +149,33 @@ mod tests {
        );
    }

+    #[test]
+    fn test_parse_well_known() {
+        assert_eq!(
+            PathBufWrap::parse_path("/.well-known/test/.tt", false).map(|t| t.0),
+            Err(UriSegmentError::BadStart('.'))
+        );
+        assert_eq!(
+            PathBufWrap::parse_path("/.well-known/test/foo", false)
+                .unwrap()
+                .0,
+            PathBuf::from_iter(vec![".well-known", "test", "foo"])
+        );
+
+        assert_eq!(
+            PathBufWrap::parse_path("/.well-known/test/.tt", true)
+                .unwrap()
+                .0,
+            PathBuf::from_iter(vec![".well-known", "test", ".tt"])
+        );
+        assert_eq!(
+            PathBufWrap::parse_path("/.well-known/test/foo", true)
+                .unwrap()
+                .0,
+            PathBuf::from_iter(vec![".well-known", "test", "foo"])
+        );
+    }
+
    #[test]
    fn path_traversal() {
        assert_eq!(
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@ -21,6 +21,7 @@
 - On Windows, an error is now returned from `HttpServer::bind()` (or TLS variants) when binding to a socket that's already in use.
 - Update `brotli` dependency to `7`.
 - Minimum supported Rust version (MSRV) is now 1.75.
+- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed.

 ## 4.9.0