berkus
/
actix-web
mirror of https://github.com/fafhrd91/actix-web
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge d623e7b269 into 90c19a835d

This commit is contained in:
AverageHelper 2025-03-26 09:35:42 +01:00 committed by GitHub
parent 90c19a835d d623e7b269
commit a577e1dc92
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
actix-files/CHANGES.md
View File

@ -3,6 +3,7 @@
## Unreleased ## Unreleased
- Minimum supported Rust version (MSRV) is now 1.75. - Minimum supported Rust version (MSRV) is now 1.75.
- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed.
## 0.6.6 ## 0.6.6

34
actix-files/src/path_buf.rs
View File

@ -40,11 +40,12 @@ impl PathBufWrap {
return Err(UriSegmentError::BadChar('/')); return Err(UriSegmentError::BadChar('/'));
} }
// disallow invalid or suspicious path segments
for segment in path.split('/') { for segment in path.split('/') {
if segment == ".." { if segment == ".." {
segment_count -= 1; segment_count -= 1;
buf.pop(); buf.pop();
} else if !hidden_files && segment.starts_with('.') { } else if segment != ".well-known" && !hidden_files && segment.starts_with('.') {
return Err(UriSegmentError::BadStart('.')); return Err(UriSegmentError::BadStart('.'));
} else if segment.starts_with('*') { } else if segment.starts_with('*') {
return Err(UriSegmentError::BadStart('*')); return Err(UriSegmentError::BadStart('*'));
@ -105,6 +106,10 @@ mod tests {
PathBufWrap::from_str("/test/.tt").map(|t| t.0), PathBufWrap::from_str("/test/.tt").map(|t| t.0),
Err(UriSegmentError::BadStart('.')) Err(UriSegmentError::BadStart('.'))
); );
assert_eq!(
PathBufWrap::from_str("/.well-known/test/.tt").map(|t| t.0),
Err(UriSegmentError::BadStart('.'))
);
assert_eq!( assert_eq!(
PathBufWrap::from_str("/test/*tt").map(|t| t.0), PathBufWrap::from_str("/test/*tt").map(|t| t.0),
Err(UriSegmentError::BadStart('*')) Err(UriSegmentError::BadStart('*'))
@ -144,6 +149,33 @@ mod tests {
); );
} }
#[test]
fn test_parse_well_known() {
assert_eq!(
PathBufWrap::parse_path("/.well-known/test/.tt", false).map(|t| t.0),
Err(UriSegmentError::BadStart('.'))
);
assert_eq!(
PathBufWrap::parse_path("/.well-known/test/foo", false)
.unwrap()
.0,
PathBuf::from_iter(vec![".well-known", "test", "foo"])
);
assert_eq!(
PathBufWrap::parse_path("/.well-known/test/.tt", true)
.unwrap()
.0,
PathBuf::from_iter(vec![".well-known", "test", ".tt"])
);
assert_eq!(
PathBufWrap::parse_path("/.well-known/test/foo", true)
.unwrap()
.0,
PathBuf::from_iter(vec![".well-known", "test", "foo"])
);
}
#[test] #[test]
fn path_traversal() { fn path_traversal() {
assert_eq!( assert_eq!(

1
actix-web/CHANGES.md
View File

@ -21,6 +21,7 @@
- On Windows, an error is now returned from `HttpServer::bind()` (or TLS variants) when binding to a socket that's already in use. - On Windows, an error is now returned from `HttpServer::bind()` (or TLS variants) when binding to a socket that's already in use.
- Update `brotli` dependency to `7`. - Update `brotli` dependency to `7`.
- Minimum supported Rust version (MSRV) is now 1.75. - Minimum supported Rust version (MSRV) is now 1.75.
- Allow serving `.well-known` files when serving dotfiles is otherwise disallowed.
## 4.9.0 ## 4.9.0