From 7d79e347e8b15b4a1c074428693ed36aa54e1fa3 Mon Sep 17 00:00:00 2001
From: AverageHelper
Date: Sun, 8 Dec 2024 17:29:06 -0700
Subject: [PATCH 1/4] fix: Permit serving .well-known directories
---
 actix-files/src/path_buf.rs | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/actix-files/src/path_buf.rs b/actix-files/src/path_buf.rs
index c1983279..82b13e30 100644
--- a/actix-files/src/path_buf.rs
+++ b/actix-files/src/path_buf.rs
@@ -44,7 +44,7 @@ impl PathBufWrap {
 if segment == ".." {
 segment_count -= 1;
 buf.pop();
- } else if !hidden_files && segment.starts_with('.') {
+ } else if segment != ".well-known" && !hidden_files && segment.starts_with('.') {
 return Err(UriSegmentError::BadStart('.'));
 } else if segment.starts_with('*') {
 return Err(UriSegmentError::BadStart('*'));
@@ -105,6 +105,10 @@ mod tests {
 PathBufWrap::from_str("/test/.tt").map(|t| t.0),
 Err(UriSegmentError::BadStart('.'))
 );
+ assert_eq!(
+ PathBufWrap::from_str("/.well-known/test/.tt").map(|t| t.0),
+ Err(UriSegmentError::BadStart('.'))
+ );
 assert_eq!(
 PathBufWrap::from_str("/test/*tt").map(|t| t.0),
 Err(UriSegmentError::BadStart('*'))
@@ -144,6 +148,33 @@ mod tests {
 );
 }

+ #[test]
+ fn test_parse_well_known() {
+ assert_eq!(
+ PathBufWrap::parse_path("/.well-known/test/.tt", false).map(|t| t.0),
+ Err(UriSegmentError::BadStart('.'))
+ );
+ assert_eq!(
+ PathBufWrap::parse_path("/.well-known/test/foo", false)
+ .unwrap()
+ .0,
+ PathBuf::from_iter(vec![".well-known", "test", "foo"])
+ );
+
+ assert_eq!(
+ PathBufWrap::parse_path("/.well-known/test/.tt", true)
+ .unwrap()
+ .0,
+ PathBuf::from_iter(vec![".well-known", "test", ".tt"])
+ );
+ assert_eq!(
+ PathBufWrap::parse_path("/.well-known/test/foo", true)
+ .unwrap()
+ .0,
+ PathBuf::from_iter(vec![".well-known", "test", "foo"])
+ );
+ }
+
 #[test]
 fn path_traversal() {
 assert_eq!(
From 59360be5221a5593578b18a28e13dd13b4e24e6c Mon Sep 17 00:00:00 2001
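Review bot: The `.well-known` exemption added to the dot-segment branch compares the segment wherever it appears, so with `hidden_files` false a path such as `/test/.well-known/x` now passes too, whereas RFC 8615 reserves only `/.well-known/` at the root of the path. If only the root location is intended, tie the exemption to nothing having been pushed yet, for example `} else if !hidden_files && segment.starts_with('.') && !(segment == ".well-known" && buf.as_os_str().is_empty()) {`. The exemption is also unconditional, so a deployment that relied on dot-segment rejection to keep an on-disk `.well-known` directory unserved would begin serving it after upgrading; a comment on the branch stating that this is deliberate would help. The enclosing method (presumably `parse_path`) starts and ends outside this hunk, so how `buf` is filled is inferred from the visible `buf.pop()` call.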
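Review bot: `test_parse_well_known` only ever places `.well-known` as the first segment, so nothing pins the result for a nested or look-alike segment. With `hidden_files` false, add a case for `/test/.well-known/foo` and one for a prefix match, which should stay rejected: `assert_eq!(PathBufWrap::parse_path("/.well-knownx/foo", false).map(|t| t.0), Err(UriSegmentError::BadStart('.')));`. The expected value for the nested case depends on whether the exemption is meant to apply below the root, which the visible lines do not state.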
From: AverageHelper
Date: Sun, 8 Dec 2024 17:35:43 -0700
Subject: [PATCH 2/4] chore: Add changelog entry
---
 actix-files/CHANGES.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/actix-files/CHANGES.md b/actix-files/CHANGES.md
index afb2d5d2..2cf1e0e2 100644
--- a/actix-files/CHANGES.md
+++ b/actix-files/CHANGES.md
@@ -3,6 +3,7 @@
 ## Unreleased

 - Minimum supported Rust version (MSRV) is now 1.75.
+- Permit serving `.well-known` files when serving dotfiles is otherwise disallowed.

 ## 0.6.6

From aa764a75f0b61ba4ae1c41f5b356d16461e83831 Mon Sep 17 00:00:00 2001
From: AverageHelper
Date: Sun, 8 Dec 2024 17:48:56 -0700
Subject: [PATCH 3/4] chore: Add a doc comment
---
 actix-files/src/path_buf.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/actix-files/src/path_buf.rs b/actix-files/src/path_buf.rs
index 82b13e30..50b9677e 100644
--- a/actix-files/src/path_buf.rs
+++ b/actix-files/src/path_buf.rs
@@ -40,6 +40,7 @@ impl PathBufWrap {
 return Err(UriSegmentError::BadChar('/'));
 }

+ // disallow invalid or suspicious path segments
 for segment in path.split('/') {
 if segment == ".." {
 segment_count -= 1;
From d623e7b2690c54be02855a7ffd53790252935835 Mon Sep 17 00:00:00 2001
From: AverageHelper
Date: Sun, 8 Dec 2024 18:06:18 -0700
Subject: [PATCH 4/4] doc: Also add changelog entry to actix-web
---
 actix-files/CHANGES.md | 2 +-
 actix-web/CHANGES.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/actix-files/CHANGES.md b/actix-files/CHANGES.md
index 2cf1e0e2..e6a174ac 100644
--- a/actix-files/CHANGES.md
+++ b/actix-files/CHANGES.md
@@ -3,7 +3,7 @@
 ## Unreleased

 - Minimum supported Rust version (MSRV) is now 1.75.
-- Permit serving `.well-known` files when serving dotfiles is otherwise disallowed.
+- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed.

 ## 0.6.6

diff --git a/actix-web/CHANGES.md b/actix-web/CHANGES.md
index cee14dc4..52d8cf97 100644
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@@ -5,6 +5,7 @@
 - On Windows, an error is now returned from `HttpServer::bind()` (or TLS variants) when binding to a socket that's already in use.
 - Update `brotli` dependency to `7`.
 - Minimum supported Rust version (MSRV) is now 1.75.
+- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed.

 ## 4.9.0