1
0
mirror of https://github.com/fafhrd91/actix-web synced 2024-11-30 18:44:35 +01:00

actix-files: Properly handle newlines in file names (#3235)

This commit is contained in:
Sven-Hendrik Haase 2024-01-06 11:11:40 +01:00 committed by GitHub
parent 561cc440b2
commit febba786fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 4 deletions

View File

@ -3,6 +3,7 @@
## Unreleased ## Unreleased
- Minimum supported Rust version (MSRV) is now 1.68 due to transitive `time` dependency. - Minimum supported Rust version (MSRV) is now 1.68 due to transitive `time` dependency.
- Properly handle newlines in filenames. [#3235]
## 0.6.3 ## 0.6.3

View File

@ -568,6 +568,26 @@ mod tests {
assert_eq!(bytes, data); assert_eq!(bytes, data);
} }
#[actix_rt::test]
async fn test_static_files_with_newlines() {
// Create the file we want to test against ad-hoc. We can't check it in as otherwise
// Windows can't even checkout this repository.
let tmpdir = tempfile::tempdir().unwrap();
let file_with_newlines = tmpdir.path().join("test\nnewline.text");
fs::write(&file_with_newlines, "Look at my newlines").unwrap();
let srv = test::init_service(
App::new().service(Files::new("", tmpdir.path()).index_file("Cargo.toml")),
)
.await;
let request = TestRequest::get().uri("/test%0Anewline.text").to_request();
let response = test::call_service(&srv, request).await;
assert_eq!(response.status(), StatusCode::OK);
let bytes = test::read_body(response).await;
let data = web::Bytes::from(fs::read(file_with_newlines).unwrap());
assert_eq!(bytes, data);
}
#[actix_rt::test] #[actix_rt::test]
async fn test_files_not_allowed() { async fn test_files_not_allowed() {
let srv = test::init_service(App::new().service(Files::new("/", "."))).await; let srv = test::init_service(App::new().service(Files::new("/", "."))).await;
@ -842,7 +862,7 @@ mod tests {
async fn test_percent_encoding_2() { async fn test_percent_encoding_2() {
let tmpdir = tempfile::tempdir().unwrap(); let tmpdir = tempfile::tempdir().unwrap();
let filename = match cfg!(unix) { let filename = match cfg!(unix) {
true => "ض:?#[]{}<>()@!$&'`|*+,;= %20.test", true => "ض:?#[]{}<>()@!$&'`|*+,;= %20\n.test",
false => "ض#[]{}()@!$&'`+,;= %20.test", false => "ض#[]{}()@!$&'`+,;= %20.test",
}; };
let filename_encoded = filename let filename_encoded = filename

View File

@ -24,7 +24,6 @@ use bitflags::bitflags;
use derive_more::{Deref, DerefMut}; use derive_more::{Deref, DerefMut};
use futures_core::future::LocalBoxFuture; use futures_core::future::LocalBoxFuture;
use mime::Mime; use mime::Mime;
use mime_guess::from_path;
use crate::{encoding::equiv_utf8_text, range::HttpRange}; use crate::{encoding::equiv_utf8_text, range::HttpRange};
@ -128,7 +127,7 @@ impl NamedFile {
} }
}; };
let ct = from_path(&path).first_or_octet_stream(); let ct = mime_guess::from_path(&path).first_or_octet_stream();
let disposition = match ct.type_() { let disposition = match ct.type_() {
mime::IMAGE | mime::TEXT | mime::AUDIO | mime::VIDEO => DispositionType::Inline, mime::IMAGE | mime::TEXT | mime::AUDIO | mime::VIDEO => DispositionType::Inline,
@ -140,7 +139,9 @@ impl NamedFile {
_ => DispositionType::Attachment, _ => DispositionType::Attachment,
}; };
let mut parameters = vec![DispositionParam::Filename(String::from(filename.as_ref()))]; // Replace newlines in filenames which could occur on some filesystems.
let filename_s = filename.replace('\n', "%0A");
let mut parameters = vec![DispositionParam::Filename(filename_s)];
if !filename.is_ascii() { if !filename.is_ascii() {
parameters.push(DispositionParam::FilenameExt(ExtendedValue { parameters.push(DispositionParam::FilenameExt(ExtendedValue {