src/server/rest.rs: factor our normalize_path()
This commit is contained in:
parent
8225aa2ff6
commit
141de8374a
|
@ -464,31 +464,40 @@ fn check_auth(method: &hyper::Method, ticket: Option<String>, token: Option<Stri
|
||||||
Ok(username)
|
Ok(username)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> BoxFut {
|
|
||||||
|
|
||||||
let (parts, body) = req.into_parts();
|
|
||||||
|
|
||||||
let method = parts.method.clone();
|
|
||||||
let path = parts.uri.path();
|
|
||||||
|
|
||||||
// normalize path
|
// normalize path
|
||||||
// do not allow ".", "..", or hidden files ".XXXX"
|
// do not allow ".", "..", or hidden files ".XXXX"
|
||||||
// also remove empty path components
|
// also remove empty path components
|
||||||
|
fn normalize_path(path: &str) -> Result<(String, Vec<&str>), Error> {
|
||||||
|
|
||||||
let items = path.split('/');
|
let items = path.split('/');
|
||||||
|
|
||||||
let mut path = String::new();
|
let mut path = String::new();
|
||||||
let mut components = vec![];
|
let mut components = vec![];
|
||||||
|
|
||||||
for name in items {
|
for name in items {
|
||||||
if name.is_empty() { continue; }
|
if name.is_empty() { continue; }
|
||||||
if name.starts_with(".") {
|
if name.starts_with(".") {
|
||||||
return Box::new(future::err(http_err!(BAD_REQUEST, "Path contains illegal components.".to_string())));
|
bail!("Path contains illegal components.");
|
||||||
}
|
}
|
||||||
path.push('/');
|
path.push('/');
|
||||||
path.push_str(name);
|
path.push_str(name);
|
||||||
components.push(name);
|
components.push(name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Ok((path, components))
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> BoxFut {
|
||||||
|
|
||||||
|
let (parts, body) = req.into_parts();
|
||||||
|
|
||||||
|
let method = parts.method.clone();
|
||||||
|
|
||||||
|
let (path, components) = match normalize_path(parts.uri.path()) {
|
||||||
|
Ok((p,c)) => (p, c),
|
||||||
|
Err(err) => return Box::new(future::err(http_err!(BAD_REQUEST, err.to_string()))),
|
||||||
|
};
|
||||||
|
|
||||||
let comp_len = components.len();
|
let comp_len = components.len();
|
||||||
|
|
||||||
println!("REQUEST {} {}", method, path);
|
println!("REQUEST {} {}", method, path);
|
||||||
|
|
Loading…
Reference in New Issue