From 561cc440b2405746d3de01f6983c9c8616a370fb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jan 2024 14:10:13 +0000 Subject: [PATCH 1/3] build(deps): bump taiki-e/install-action from 2.23.0 to 2.23.7 (#3232) Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.23.0 to 2.23.7. - [Release notes](https://github.com/taiki-e/install-action/releases) - [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/taiki-e/install-action/compare/v2.23.0...v2.23.7) --- updated-dependencies: - dependency-name: taiki-e/install-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci-post-merge.yml | 6 +++--- .github/workflows/ci.yml | 2 +- .github/workflows/coverage.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci-post-merge.yml b/.github/workflows/ci-post-merge.yml index f135cd171..df6f21684 100644 --- a/.github/workflows/ci-post-merge.yml +++ b/.github/workflows/ci-post-merge.yml @@ -45,7 +45,7 @@ jobs: toolchain: ${{ matrix.version.version }} - name: Install cargo-hack - uses: taiki-e/install-action@v2.23.0 + uses: taiki-e/install-action@v2.23.7 with: tool: cargo-hack @@ -85,7 +85,7 @@ jobs: uses: actions-rust-lang/setup-rust-toolchain@v1.6.0 - name: Install cargo-hack - uses: taiki-e/install-action@v2.23.0 + uses: taiki-e/install-action@v2.23.7 with: tool: cargo-hack @@ -106,7 +106,7 @@ jobs: uses: actions-rust-lang/setup-rust-toolchain@v1.6.0 - name: Install nextest - uses: taiki-e/install-action@v2.23.0 + uses: taiki-e/install-action@v2.23.7 with: tool: nextest diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 721fc0378..81139fa23 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -50,7 +50,7 @@ jobs: toolchain: ${{ matrix.version.version }} - name: Install cargo-hack - uses: taiki-e/install-action@v2.23.0 + uses: taiki-e/install-action@v2.23.7 with: tool: cargo-hack diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 927ac86bb..810ea33dd 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -23,7 +23,7 @@ jobs: components: llvm-tools-preview - name: Install cargo-llvm-cov - uses: taiki-e/install-action@v2.23.0 + uses: taiki-e/install-action@v2.23.7 with: tool: cargo-llvm-cov From febba786fa00a61c6be6c26db148a29261b056c9 Mon Sep 17 00:00:00 2001 From: Sven-Hendrik Haase Date: Sat, 6 Jan 2024 11:11:40 +0100 Subject: [PATCH 2/3] actix-files: Properly handle newlines in file names (#3235) --- actix-files/CHANGES.md | 1 + actix-files/src/lib.rs | 22 +++++++++++++++++++++- actix-files/src/named.rs | 7 ++++--- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/actix-files/CHANGES.md b/actix-files/CHANGES.md index 15c2958f0..81e361a21 100644 --- a/actix-files/CHANGES.md +++ b/actix-files/CHANGES.md @@ -3,6 +3,7 @@ ## Unreleased - Minimum supported Rust version (MSRV) is now 1.68 due to transitive `time` dependency. +- Properly handle newlines in filenames. [#3235] ## 0.6.3 diff --git a/actix-files/src/lib.rs b/actix-files/src/lib.rs index 943130e16..87914c1ce 100644 --- a/actix-files/src/lib.rs +++ b/actix-files/src/lib.rs 
@@ -568,6 +568,26 @@ mod tests { assert_eq!(bytes, data); } + #[actix_rt::test] + async fn test_static_files_with_newlines() { + // Create the file we want to test against ad-hoc. We can't check it in as otherwise + // Windows can't even checkout this repository. + let tmpdir = tempfile::tempdir().unwrap(); + let file_with_newlines = tmpdir.path().join("test\nnewline.text"); + fs::write(&file_with_newlines, "Look at my newlines").unwrap(); + let srv = test::init_service( + App::new().service(Files::new("", tmpdir.path()).index_file("Cargo.toml")), + ) + .await; + let request = TestRequest::get().uri("/test%0Anewline.text").to_request(); + let response = test::call_service(&srv, request).await; + assert_eq!(response.status(), StatusCode::OK); + + let bytes = test::read_body(response).await; + let data = web::Bytes::from(fs::read(file_with_newlines).unwrap()); + assert_eq!(bytes, data); + } + #[actix_rt::test] async fn test_files_not_allowed() { let srv = test::init_service(App::new().service(Files::new("/", "."))).await; @@ -842,7 +862,7 @@ mod tests { async fn test_percent_encoding_2() { let tmpdir = tempfile::tempdir().unwrap(); let filename = match cfg!(unix) { - true => "ض:?#[]{}<>()@!$&'`|*+,;= %20.test", + true => "ض:?#[]{}<>()@!$&'`|*+,;= %20\n.test", false => "ض#[]{}()@!$&'`+,;= %20.test", }; let filename_encoded = filename diff --git a/actix-files/src/named.rs b/actix-files/src/named.rs index d7795ba73..02dc701ea 100644 --- a/actix-files/src/named.rs +++ b/actix-files/src/named.rs @@ -24,7 +24,6 @@ use bitflags::bitflags; use derive_more::{Deref, DerefMut}; use futures_core::future::LocalBoxFuture; use mime::Mime; -use mime_guess::from_path; use crate::{encoding::equiv_utf8_text, range::HttpRange}; 
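Review bot: `test_static_files_with_newlines` asserts only the status code and the body, so it does not pin what the companion change in `named.rs` introduces, namely the `%0A` substitution in the `Content-Disposition` filename. An assertion on the header, placed before `test::read_body` consumes the response, would make a regression visible: `let cd = response.headers().get(header::CONTENT_DISPOSITION).unwrap().to_str().unwrap();` followed by `assert!(cd.contains("test%0Anewline.text") && !cd.contains('\n'));`, assuming `header` is in scope in this test module. The `.index_file("Cargo.toml")` call looks unrelated to what is being tested, since the temporary directory holds only the newline file.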
@@ -128,7 +127,7 @@ impl NamedFile { } }; - let ct = from_path(&path).first_or_octet_stream(); + let ct = mime_guess::from_path(&path).first_or_octet_stream(); let disposition = match ct.type_() { mime::IMAGE | mime::TEXT | mime::AUDIO | mime::VIDEO => DispositionType::Inline, @@ -140,7 +139,9 @@ impl NamedFile { _ => DispositionType::Attachment, }; - let mut parameters = vec![DispositionParam::Filename(String::from(filename.as_ref()))]; + // Replace newlines in filenames which could occur on some filesystems. + let filename_s = filename.replace('\n', "%0A"); + let mut parameters = vec![DispositionParam::Filename(filename_s)]; if !filename.is_ascii() { parameters.push(DispositionParam::FilenameExt(ExtendedValue { From 46dde69d502d6800fadec2bf1401586b6090ee11 Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Sat, 6 Jan 2024 10:19:15 +0000 Subject: [PATCH 3/3] chore(actix-files): prepare release 0.6.4 --- actix-files/CHANGES.md | 4 +++- actix-files/Cargo.toml | 2 +- actix-files/README.md | 4 ++-- actix-files/src/lib.rs | 13 +++++++------ 4 files changed, 13 insertions(+), 10 deletions(-) diff --git a/actix-files/CHANGES.md b/actix-files/CHANGES.md index 81e361a21..ac0fbfedc 100644 --- a/actix-files/CHANGES.md +++ b/actix-files/CHANGES.md @@ -2,8 +2,10 @@ ## Unreleased +## 0.6.4 + +- Fix handling of newlines in filenames. - Minimum supported Rust version (MSRV) is now 1.68 due to transitive `time` dependency. -- Properly handle newlines in filenames. [#3235] ## 0.6.3 diff --git a/actix-files/Cargo.toml b/actix-files/Cargo.toml index efecb0889..b7a272515 100644 --- a/actix-files/Cargo.toml +++ b/actix-files/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "actix-files" -version = "0.6.3" +version = "0.6.4" authors = [ "Nikolay Kim ", "Rob Ede ", diff --git a/actix-files/README.md b/actix-files/README.md index 3e656c431..d8d9e4f1f 100644 --- a/actix-files/README.md +++ b/actix-files/README.md 
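Review bot: In the `@@ -140,7 +139,9 @@` hunk of `named.rs`, `filename.replace('\n', "%0A")` rewrites only the line feed, so a carriage return or any other control character in a file name still reaches `DispositionParam::Filename` unchanged. Those characters are presumably no more acceptable in a header value than `\n`, so escaping every ASCII control character in one pass, as sketched below, would cover the whole class and not just the single case. The `FilenameExt` branch that follows reads `filename` and continues outside the hunk, so it is worth confirming that its encoding handles the same characters. The enclosing function starts and ends outside the hunk.

```rust
// Percent-encode every ASCII control character (LF still becomes "%0A") so that
// none of them reaches the Content-Disposition header value.
let mut filename_s = String::with_capacity(filename.len());
for c in filename.chars() {
    if c.is_ascii_control() {
        filename_s.push_str(&format!("%{:02X}", c as u32));
    } else {
        filename_s.push(c);
    }
}
let mut parameters = vec![DispositionParam::Filename(filename_s)];
// … unchanged: FilenameExt parameter for non-ASCII names …
```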
@@ -3,11 +3,11 @@ > Static file serving for Actix Web [![crates.io](https://img.shields.io/crates/v/actix-files?label=latest)](https://crates.io/crates/actix-files) -[![Documentation](https://docs.rs/actix-files/badge.svg?version=0.6.3)](https://docs.rs/actix-files/0.6.3) +[![Documentation](https://docs.rs/actix-files/badge.svg?version=0.6.4)](https://docs.rs/actix-files/0.6.4) ![Version](https://img.shields.io/badge/rustc-1.68+-ab6000.svg) ![License](https://img.shields.io/crates/l/actix-files.svg)
-[![dependency status](https://deps.rs/crate/actix-files/0.6.3/status.svg)](https://deps.rs/crate/actix-files/0.6.3) +[![dependency status](https://deps.rs/crate/actix-files/0.6.4/status.svg)](https://deps.rs/crate/actix-files/0.6.4) [![Download](https://img.shields.io/crates/d/actix-files.svg)](https://crates.io/crates/actix-files) [![Chat on Discord](https://img.shields.io/discord/771444961383153695?label=chat&logo=discord)](https://discord.gg/NWpN5mmg3x) diff --git a/actix-files/src/lib.rs b/actix-files/src/lib.rs index 87914c1ce..8ceb59bef 100644 --- a/actix-files/src/lib.rs +++ b/actix-files/src/lib.rs @@ -572,11 +572,12 @@ mod tests { async fn test_static_files_with_newlines() { // Create the file we want to test against ad-hoc. We can't check it in as otherwise // Windows can't even checkout this repository. - let tmpdir = tempfile::tempdir().unwrap(); - let file_with_newlines = tmpdir.path().join("test\nnewline.text"); + let temp_dir = tempfile::tempdir().unwrap(); + let file_with_newlines = temp_dir.path().join("test\nnewline.text"); fs::write(&file_with_newlines, "Look at my newlines").unwrap(); + let srv = test::init_service( - App::new().service(Files::new("", tmpdir.path()).index_file("Cargo.toml")), + App::new().service(Files::new("/", temp_dir.path()).index_file("Cargo.toml")), ) .await; let request = TestRequest::get().uri("/test%0Anewline.text").to_request(); @@ -860,7 +861,7 @@ mod tests { #[actix_rt::test] async fn test_percent_encoding_2() { - let tmpdir = tempfile::tempdir().unwrap(); + let temp_dir = tempfile::tempdir().unwrap(); let filename = match cfg!(unix) { true => "ض:?#[]{}<>()@!$&'`|*+,;= %20\n.test", false => "ض#[]{}()@!$&'`+,;= %20.test", 
@@ -872,9 +873,9 @@ mod tests { write!(&mut buf, "%{:02X}", c).unwrap(); buf }); - std::fs::File::create(tmpdir.path().join(filename)).unwrap(); + std::fs::File::create(temp_dir.path().join(filename)).unwrap(); - let srv = test::init_service(App::new().service(Files::new("", tmpdir.path()))).await; + let srv = test::init_service(App::new().service(Files::new("/", temp_dir.path()))).await; let req = TestRequest::get() .uri(&format!("/{}", filename_encoded))