src/server/rest.rs: factor our normalize_path()

This commit is contained in:
Dietmar Maurer 2019-02-17 17:31:53 +01:00
parent 8225aa2ff6
commit 141de8374a
1 changed files with 20 additions and 11 deletions

View File

@ -464,31 +464,40 @@ fn check_auth(method: &hyper::Method, ticket: Option<String>, token: Option<Stri
Ok(username) Ok(username)
} }
pub fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> BoxFut {
let (parts, body) = req.into_parts();
let method = parts.method.clone();
let path = parts.uri.path();
// normalize path // normalize path
// do not allow ".", "..", or hidden files ".XXXX" // do not allow ".", "..", or hidden files ".XXXX"
// also remove empty path components // also remove empty path components
fn normalize_path(path: &str) -> Result<(String, Vec<&str>), Error> {
let items = path.split('/'); let items = path.split('/');
let mut path = String::new(); let mut path = String::new();
let mut components = vec![]; let mut components = vec![];
for name in items { for name in items {
if name.is_empty() { continue; } if name.is_empty() { continue; }
if name.starts_with(".") { if name.starts_with(".") {
return Box::new(future::err(http_err!(BAD_REQUEST, "Path contains illegal components.".to_string()))); bail!("Path contains illegal components.");
} }
path.push('/'); path.push('/');
path.push_str(name); path.push_str(name);
components.push(name); components.push(name);
} }
Ok((path, components))
}
pub fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> BoxFut {
let (parts, body) = req.into_parts();
let method = parts.method.clone();
let (path, components) = match normalize_path(parts.uri.path()) {
Ok((p,c)) => (p, c),
Err(err) => return Box::new(future::err(http_err!(BAD_REQUEST, err.to_string()))),
};
let comp_len = components.len(); let comp_len = components.len();
println!("REQUEST {} {}", method, path); println!("REQUEST {} {}", method, path);