diff --git a/.github/workflows/ci-post-merge.yml b/.github/workflows/ci-post-merge.yml
index 5656978b0..a0aa0a89d 100644
--- a/.github/workflows/ci-post-merge.yml
+++ b/.github/workflows/ci-post-merge.yml
@@ -46,12 +46,12 @@ jobs:
echo "RUSTFLAGS=-C target-feature=+crt-static" >> $GITHUB_ENV
- name: Install Rust (${{ matrix.version.name }})
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: ${{ matrix.version.version }}
- name: Install just, cargo-hack, cargo-nextest, cargo-ci-cache-clean
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: just,cargo-hack,cargo-nextest,cargo-ci-cache-clean
@@ -84,10 +84,10 @@ jobs:
uses: rui314/setup-mold@9c9c13bf4c3f1adef0cc596abc155580bcb04444 # v1
- name: Install Rust
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
- name: Install just, cargo-hack
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: just,cargo-hack
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3f8165865..dd3154a27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,12 +61,12 @@ jobs:
uses: rui314/setup-mold@9c9c13bf4c3f1adef0cc596abc155580bcb04444 # v1
- name: Install Rust (${{ matrix.version.name }})
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: ${{ matrix.version.version }}
- name: Install just, cargo-hack, cargo-nextest, cargo-ci-cache-clean
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: just,cargo-hack,cargo-nextest,cargo-ci-cache-clean
@@ -89,7 +89,7 @@ jobs:
- name: deny check
if: matrix.version.name == 'stable' && matrix.target.os == 'ubuntu-latest'
- uses: EmbarkStudios/cargo-deny-action@91bf2b620e09e18d6eb78b92e7861937469acedb # v2.0.17
+ uses: EmbarkStudios/cargo-deny-action@a531616d8ce3b9177443e48a1159bc945a099823 # v2.0.19
io-uring:
name: io-uring tests
@@ -100,7 +100,7 @@ jobs:
persist-credentials: false
- name: Install Rust
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: nightly
@@ -118,12 +118,12 @@ jobs:
persist-credentials: false
- name: Install Rust (nightly)
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: nightly
- name: Install just
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: just
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 0ed8bd7ee..c6a704a9d 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -20,13 +20,13 @@ jobs:
persist-credentials: false
- name: Install Rust (nightly)
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: nightly
components: llvm-tools
- name: Install just, cargo-llvm-cov, cargo-nextest
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: just,cargo-llvm-cov,cargo-nextest
@@ -34,7 +34,7 @@ jobs:
run: just test-coverage-codecov
- name: Upload coverage to Codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
with:
files: codecov.json
fail_ci_if_error: true
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 4a3f66a95..f33abe101 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -15,4 +15,4 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+ - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 91ce706e7..dc917bc33 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -24,7 +24,7 @@ jobs:
with:
persist-credentials: false
- - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
advanced-security: false
annotations: true
@@ -38,7 +38,7 @@ jobs:
persist-credentials: false
- name: Install Rust (nightly)
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: nightly
components: rustfmt
@@ -58,7 +58,7 @@ jobs:
persist-credentials: false
- name: Install Rust
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
components: clippy
@@ -79,7 +79,7 @@ jobs:
persist-credentials: false
- name: Install Rust (nightly)
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: nightly
components: rust-docs
@@ -98,12 +98,12 @@ jobs:
persist-credentials: false
- name: Install Rust (${{ vars.RUST_VERSION_EXTERNAL_TYPES }})
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: ${{ vars.RUST_VERSION_EXTERNAL_TYPES }}
- name: Install just
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: just
diff --git a/.github/workflows/semver-checks.yml b/.github/workflows/semver-checks.yml
index 2526f5ee8..b5df5541c 100644
--- a/.github/workflows/semver-checks.yml
+++ b/.github/workflows/semver-checks.yml
@@ -16,12 +16,12 @@ jobs:
persist-credentials: false
- name: Install Rust
- uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
+ uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
toolchain: stable
- name: Install cargo-semver-checks
- uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2.75.30
+ uses: taiki-e/install-action@d9be7d8cda89035c9c843f78bd44d4f72d8403d4 # v2.79.7
with:
tool: cargo-semver-checks
diff --git a/Cargo.lock b/Cargo.lock
index 7ff301999..8501f4355 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1298,13 +1298,12 @@ checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
[[package]]
name = "filetime"
-version = "0.2.27"
+version = "0.2.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f98844151eee8917efc50bd9e8318cb963ae8b297431495d3f758616ea5c57db"
+checksum = "5c287a33c7f0a620c38e641e7f60827713987b3c0f26e8ddc9462cc69cf75759"
dependencies = [
"cfg-if",
"libc",
- "libredox",
]
[[package]]
@@ -2026,18 +2025,6 @@ version = "0.2.185"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
-[[package]]
-name = "libredox"
-version = "0.1.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e02f3bb43d335493c96bf3fd3a321600bf6bd07ed34bc64118e9293bdffea46c"
-dependencies = [
- "bitflags 2.11.1",
- "libc",
- "plain",
- "redox_syscall 0.7.4",
-]
-
[[package]]
name = "linux-raw-sys"
version = "0.12.1"
@@ -2221,9 +2208,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
[[package]]
name = "openssl"
-version = "0.10.79"
+version = "0.10.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542"
+checksum = "a45fa2aa886c42762255da344f0a0d313e254066c46aad76f300c3d3da62d967"
dependencies = [
"bitflags 2.11.1",
"cfg-if",
@@ -2252,9 +2239,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
[[package]]
name = "openssl-sys"
-version = "0.9.115"
+version = "0.9.116"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781"
+checksum = "f28a22dc7140cda5f096e5e7724a6962ca81a7f8bfd2979f9b18c11af56318c4"
dependencies = [
"cc",
"libc",
@@ -2290,7 +2277,7 @@ checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1"
dependencies = [
"cfg-if",
"libc",
- "redox_syscall 0.5.18",
+ "redox_syscall",
"smallvec",
"windows-link",
]
@@ -2343,12 +2330,6 @@ version = "0.3.33"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19f132c84eca552bf34cab8ec81f1c1dcc229b811638f9d283dceabe58c5569e"
-[[package]]
-name = "plain"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
-
[[package]]
name = "plotters"
version = "0.3.7"
@@ -2568,15 +2549,6 @@ dependencies = [
"bitflags 2.11.1",
]
-[[package]]
-name = "redox_syscall"
-version = "0.7.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f450ad9c3b1da563fb6948a8e0fb0fb9269711c9c73d9ea1de5058c79c8d643a"
-dependencies = [
- "bitflags 2.11.1",
-]
-
[[package]]
name = "regex"
version = "1.12.3"
@@ -2889,9 +2861,9 @@ dependencies = [
[[package]]
name = "serde_json"
-version = "1.0.149"
+version = "1.0.150"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+checksum = "e8014e44b4736ed0538adeecded0fce2a272f22dc9578a7eb6b2d9993c74cfb9"
dependencies = [
"itoa",
"memchr",
@@ -3263,9 +3235,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]]
name = "tokio"
-version = "1.52.1"
+version = "1.52.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
+checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
dependencies = [
"bytes",
"libc",
diff --git a/actix-files/CHANGES.md b/actix-files/CHANGES.md
index aea6fe8f4..12c785192 100644
--- a/actix-files/CHANGES.md
+++ b/actix-files/CHANGES.md
@@ -5,6 +5,7 @@
- Add support for passing multiple root directories to `Files::new`. [#3402]
- Add `Files::try_compressed()` to support serving pre-compressed static files [#2615]
- Fix handling of `bytes=0-`
+- Fix panic in `Files` when `use_hidden_files()` is enabled and request paths contain `.` segments. [#4082]
- Fix `NamedFile` panic when serving files with pre-UNIX epoch modification times. [#2748]
- Fix invalid `Content-Encoding: identity` header in `NamedFile` range responses. [#3191]
- Update `v_htmlescape` dependency to `0.17`.
@@ -13,6 +14,7 @@
[#2615]: https://github.com/actix/actix-web/pull/2615
[#2748]: https://github.com/actix/actix-web/issues/2748
[#3191]: https://github.com/actix/actix-web/issues/3191
+[#4082]: https://github.com/actix/actix-web/issues/4082
## 0.6.10
diff --git a/actix-files/src/lib.rs b/actix-files/src/lib.rs
index 3312a621d..8646da1ea 100644
--- a/actix-files/src/lib.rs
+++ b/actix-files/src/lib.rs
@@ -1094,6 +1094,21 @@ mod tests {
assert_eq!(bytes, web::Bytes::from_static(b"default content"));
}
+ #[actix_rt::test]
+ async fn test_hidden_files_reject_cur_dir_segment() {
+ let service = Files::new("/", Vec::::new())
+ .use_hidden_files()
+ .default_handler(Files::new("/", ".").use_hidden_files())
+ .new_service(())
+ .await
+ .unwrap();
+
+ let req = TestRequest::with_uri("/./Cargo.toml").to_srv_request();
+ let resp = test::call_service(&service, req).await;
+
+ assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
+ }
+
#[actix_rt::test]
async fn test_serve_index_nested() {
let service = Files::new(".", ".")
diff --git a/actix-files/src/path_buf.rs b/actix-files/src/path_buf.rs
index f12d68593..58b06d70f 100644
--- a/actix-files/src/path_buf.rs
+++ b/actix-files/src/path_buf.rs
@@ -78,7 +78,9 @@ impl PathBufWrap {
}
for segment in path.split('/') {
- if segment == ".." {
+ if segment == "." {
+ return Err(UriSegmentError::BadStart('.'));
+ } else if segment == ".." {
segment_count -= 1;
buf.pop();
} else if !hidden_files && segment.starts_with('.') {
@@ -180,6 +182,11 @@ mod tests {
PathBufWrap::parse_path("/test/.tt", true).unwrap().0,
PathBuf::from_iter(vec!["test", ".tt"])
);
+
+ assert_eq!(
+ PathBufWrap::parse_path("/test/./file.txt", true).map(|t| t.0),
+ Err(UriSegmentError::BadStart('.'))
+ );
}
#[test]
diff --git a/actix-http/src/h2/dispatcher.rs b/actix-http/src/h2/dispatcher.rs
index 400476c88..61a4d4bca 100644
--- a/actix-http/src/h2/dispatcher.rs
+++ b/actix-http/src/h2/dispatcher.rs
@@ -163,7 +163,7 @@ where
Poll::Pending => match this.ping_pong.as_mut() {
Some(ping_pong) => loop {
if ping_pong.in_flight {
- // When there is an in-flight ping-pong, poll pong and and keep-alive
+ // When there is an in-flight ping-pong, poll pong and keep-alive
// timer. On successful pong received, update keep-alive timer to
// determine the next timing of ping pong.
match ping_pong.ping_pong.poll_pong(cx)? {
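Review bot: The new `.` branch only matches a literal dot segment, so whether `%2E` (and `%2E%2E`) are also caught depends on `path` being percent-decoded before it reaches this loop, which is outside the hunk; a test such as `parse_path("/test/%2E/file.txt", true)` would pin that the fix is not bypassable by encoding. With `hidden_files` off, `.` was already rejected by the `starts_with('.')` branch below, so this is a behaviour change only for `use_hidden_files()`, and a one-line comment would save the next reader that deduction, e.g. `// "." is a no-op in RFC 3986 but broke segment bookkeeping with hidden files enabled (#4082); reject rather than normalize.` Reusing `BadStart('.')` keeps the error type stable, which is fine. The enclosing `parse_path` starts and ends outside the hunk, so I cannot see where a negative `segment_count` from `..` is caught.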
diff --git a/actix-multipart/src/form/mod.rs b/actix-multipart/src/form/mod.rs
index de0eeecaa..51136869b 100644
--- a/actix-multipart/src/form/mod.rs
+++ b/actix-multipart/src/form/mod.rs
@@ -862,7 +862,7 @@ mod tests {
let response = send_form(&srv, form, "/").await;
assert_eq!(response.status(), StatusCode::OK);
- // Exceeds the the 30 byte limit
+ // Exceeds the 30 byte limit
let mut form = multipart::Form::default();
form.add_text("field", "this string is more than 30 bytes long");
let response = send_form(&srv, form, "/").await;
diff --git a/actix-web/README.md b/actix-web/README.md
index eab4587b0..b557b9112 100644
--- a/actix-web/README.md
+++ b/actix-web/README.md
@@ -54,7 +54,7 @@ Please use them in a production environment at your own risk.
- [Website & User Guide](https://actix.rs)
- [Examples Repository](https://github.com/actix/examples)
- [API Documentation](https://docs.rs/actix-web)
-- [API Documentation (mainranch)](https://actix.rs/actix-web/actix_web)
+- [API Documentation (main branch)](https://actix.rs/actix-web/actix_web)
## Example