From 09ad5775ac78058a1c478f4cc77a27e2f04942ab Mon Sep 17 00:00:00 2001
From: Ali MJ Al-Nasrawy
Date: Tue, 1 Jun 2021 15:04:35 +0300
Subject: [PATCH] Remove invalid docs regarding parsing `PathBuf` (#230)

This paragraph is no longer valid since v1.0! Also, the example code still compiles fine and this may easily introduce a security vulnerability for the user.

---
 content/docs/url-dispatch.md | 18 ------------------
 examples/url-dispatch/src/main.rs | 1 -
 examples/url-dispatch/src/pbuf.rs | 18 ------------------
 3 files changed, 37 deletions(-)
 delete mode 100644 examples/url-dispatch/src/pbuf.rs

diff --git a/content/docs/url-dispatch.md b/content/docs/url-dispatch.md
index 025f9b7..12eba83 100644
--- a/content/docs/url-dispatch.md
+++ b/content/docs/url-dispatch.md
@@ -259,24 +259,6 @@ Specific values can be retrieved with [`Path::get()`][pathget]. For this example
 for path '/a/1/2/', values v1 and v2 will resolve to "1" and "2".
-It is possible to create a `PathBuf` from a tail path parameter. The returned `PathBuf` is
-percent-decoded. If a segment is equal to "..", the previous segment (if
-any) is skipped.
-
-For security purposes, if a segment meets any of the following conditions,
-an `Err` is returned indicating the condition met:
-
-* Decoded segment starts with any of: `.` (except `..`), `*`
-* Decoded segment ends with any of: `:`, `>`, `<`
-* Decoded segment contains any of: `/`
-* On Windows, decoded segment contains any of: '\'
-* Percent-encoding results in invalid UTF8.
-
-As a result of these conditions, a `PathBuf` parsed from request path parameter is
-safe to interpolate within, or use as a suffix of, a path without additional checks.
-
-{{< include-example example="url-dispatch" file="pbuf.rs" section="pbuf" >}}
-
 ## Path information extractor
 Actix provides functionality for type safe path information extraction. [*Path*][pathstruct]
diff --git a/examples/url-dispatch/src/main.rs b/examples/url-dispatch/src/main.rs
index 0f95fea..77765a7 100644
--- a/examples/url-dispatch/src/main.rs
+++ b/examples/url-dispatch/src/main.rs
@@ -7,7 +7,6 @@ pub mod norm;
 pub mod norm2;
 pub mod path;
 pub mod path2;
-pub mod pbuf;
 pub mod resource;
 pub mod scope;
 pub mod url_ext;
diff --git a/examples/url-dispatch/src/pbuf.rs b/examples/url-dispatch/src/pbuf.rs
deleted file mode 100644
index d6fdd9c..0000000
--- a/examples/url-dispatch/src/pbuf.rs
+++ /dev/null
@@ -1,18 +0,0 @@
-//
-use actix_web::{get, App, HttpRequest, HttpServer, Result};
-use std::path::PathBuf;
-
-#[get("/a/{tail:.*}")]
-async fn index(req: HttpRequest) -> Result {
- let path: PathBuf = req.match_info().query("tail").parse().unwrap();
- Ok(format!("Path {:?}", path))
-}
-
-#[actix_web::main]
-async fn main() -> std::io::Result<()> {
- HttpServer::new(|| App::new().service(index))
- .bind("127.0.0.1:8080")?
- .run()
- .await
-}
-//