* Fix audit issue logging by default peer address
By default log format include remote address that is taken from headers.
This is very easy to replace making log untrusted.
Changing default log format value `%a` to peer address we are getting
this trusted data always. Also, remote address option is maintianed and
relegated to `%{r}a` value.
Related kanidm/kanidm#191.
* Rename peer/remote to remote_addr/realip_remote_addr
Change names to avoid naming confusions. I choose this accord to Nginx
variables and
[ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html).
Add more specific documentation about security concerns of using Real IP
in logger.
* Rename security advertise header in doc
* Add fix audit issue logging by default peer adress to changelog
Co-authored-by: Rob Ede <robjtede@icloud.com>
For allowing a more ergonomic use and better integration on the
ecosystem, this adds the `std::error::Error` `impl` for our custom
errors.
We intent to drop this hand made code once `derive_more` finishes the
addition of the Error derive support[1]. Until that is available, we
need to live with that.
1. https://github.com/JelteF/derive_more/issues/92
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
* Use `OffsetDateTime` instead of `PrimitiveDateTime`
* Parse time strings with `PrimitiveDateTime::parse` instead of `OffsetDateTime::parse`
* Remove unused `time` dependency from actix-multipart
* Fix a few errors with time related tests from the `time` upgrade
* Implement logic to convert a RFC 850 two-digit year into a full length year, and organize time parsing related functions
* Upgrade `time` to 0.2.2
* Correctly parse C's asctime time format using time 0.2's new format patterns
* Update CHANGES.md
* Use `time` without any of its deprecated functions
* Enforce a UTC time offset when converting an `OffsetDateTime` into a Header value
* Use the more readable version of `Duration::seconds(0)`, `Duration::zero()`
* Remove unneeded conversion of time::Duration to std::time::Duration
* Use `OffsetDateTime::as_seconds_f64` instead of manually calculating the amount of seconds from nanoseconds
* Replace a few additional instances of `Duration::seconds(0)` with `Duration::zero()`
* Truncate any nanoseconds from a supplied `Duration` within `Cookie::set_max_age` to ensure two Cookies with the same amount whole seconds equate to one another
* Fix the actix-http:🍪:do_not_panic_on_large_max_ages test
* Convert `Cookie::max_age` and `Cookie::expires` examples to `time` 0.2
Mainly minor changes. Type inference can be used alongside the new
`time::parse` method, such that the type doesn't need to be specified.
This will be useful if a refactoring takes place that changes the type.
There are also new macros, which are used where possible.
One change that is not immediately obvious, in `HttpDate`, there was an
unnecessary conditional. As the time crate allows for negative durations
(and can perform arithmetic with such), the if/else can be removed
entirely.
Time v0.2.3 also has some bug fixes, which is why I am not using a more
general v0.2 in Cargo.toml.
v0.2.3 has been yanked, as it was backwards imcompatible. This version
reverts the breaking change, while still supporting rustc back to
1.34.0.
* Add missing `time::offset` macro import
* Fix type confusion when using `time::parse` followed by `using_offset`
* Update `time` to 0.2.5
* Update CHANGES.md
Co-authored-by: Jacob Pratt <the.z.cuber@gmail.com>
* Skip empty chucks for BodyStream and SizedStream when streaming response (#1267)
* Fix tests to fail on previous implementation
Co-authored-by: Yuki Okushi <huyuumi.dev@gmail.com>
* Replace sha1 dependency with sha-1
This other crate is being maintained, and it offers better performances
when using the `asm` feature (especially [on
AArch64](https://github.com/RustCrypto/hashes/pull/97)).
* Update CHANGES.md with the sha-1 migration
* Add a test for hash_key()
Rationale:
- In Rust, one can omit a semicolon after a function's final expression to make
its value the function's return value. It's common for people to include a
semicolon after the last expression by mistake - common enough that the Rust
compiler suggests removing the semicolon when there's a type mismatch between
the function's signature and body. By implementing Responder for (), Actix makes
this common mistake a silent error in handler functions.
- Functions returning an empty body should return HTTP status 204 ("No Content"),
so the current Responder impl for (), which returns status 200 ("OK"), is not
really what one wants anyway.
- It's not much of a burden to ask handlers to explicitly return
`HttpResponse::Ok()` if that is what they want; all the examples in the
documentation do this already.
* Fix filename encoding in Content-Disposition of acitx_files::NamedFile
* Add more comments on how to use Content-Disposition header properly & Fix some trivial problems
* Improve Content-Disposition filename(*) parameters of actix_files::NamedFile
* Tweak Content-Disposition parse to accept empty param value in quoted-string
* Fix typos in comments in .../content_disposition.rs (pointed out by @JohnTitor)
* Update CHANGES.md
* Update CHANGES.md again
