authorSven-Hendrik Haase <svenstaro@gmail.com>2020-08-24 21:33:46 +0000
committerSven-Hendrik Haase <svenstaro@gmail.com>2020-08-24 23:15:27 +0000
commite0fe92687032385c08bd0e4109d3af002a211d1f (patch)
tree433bad0a0b3dc8e2afb6975c9bd2c996b37f7161
parentGive up and just duplicate stuff (diff)
downloadminiserve-e0fe92687032385c08bd0e4109d3af002a211d1f.tar.gz
miniserve-e0fe92687032385c08bd0e4109d3af002a211d1f.zip
Fix double-escaping (fixes #354)
Diffstat (limited to '')
-rw-r--r--CHANGELOG.md1
-rw-r--r--Cargo.lock7
-rw-r--r--Cargo.toml1
-rw-r--r--src/listing.rs8
-rw-r--r--tests/fixtures/mod.rs2
-rw-r--r--tests/serve_request.rs9
6 files changed, 13 insertions, 15 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cfb11a4..a0432c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
- Remove percent-encoding in heading and title [#362](https://github.com/svenstaro/miniserve/pull/362) (thanks @ahti)
- Make name ordering case-insensitive [#362](https://github.com/svenstaro/miniserve/pull/362) (thanks @ahti)
- Give name column more space [#362](https://github.com/svenstaro/miniserve/pull/362) (thanks @ahti)
+- Fix double-escaping [#354](https://github.com/svenstaro/miniserve/issues/354)
## [0.8.0] - 2020-07-22
- Accept port 0 to find a random free port and use that [#327](https://github.com/svenstaro/miniserve/pull/327) (thanks @parrotmac)
diff --git a/Cargo.lock b/Cargo.lock
index c85bad0..64097e7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -981,11 +981,6 @@ dependencies = [
]
[[package]]
-name = "htmlescape"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-
-[[package]]
name = "http"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1299,7 +1294,6 @@ dependencies = [
"failure 0.1.8 (registry+https://github.com/rust-lang/crates.io-index)",
"futures 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
"hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "htmlescape 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
"libflate 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
"log 0.4.11 (registry+https://github.com/rust-lang/crates.io-index)",
"maud 0.22.0 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -2843,7 +2837,6 @@ dependencies = [
"checksum hex 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "644f9158b2f133fd50f5fb3242878846d9eb792e445c893805ff0e3824006e35"
"checksum hostname 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "3c731c3e10504cc8ed35cfe2f1db4c9274c3d35fa486e3b31df46f068ef3e867"
"checksum html5ever 0.25.1 (registry+https://github.com/rust-lang/crates.io-index)" = "aafcf38a1a36118242d29b92e1b08ef84e67e4a5ed06e0a80be20e6a32bfed6b"
-"checksum htmlescape 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "e9025058dae765dee5070ec375f591e2ba14638c63feff74f13805a72e523163"
"checksum http 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "28d569972648b2c512421b5f2a405ad6ac9666547189d0c5477a3f200f3e02f9"
"checksum http-body 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "13d5ff830006f7646652e057693569bfe0d51760c0085a071769d142a205111b"
"checksum httparse 1.3.4 (registry+https://github.com/rust-lang/crates.io-index)" = "cd179ae861f0c2e53da70d892f5f3029f9594be0c41dc5269cd371691b1dc2f9"
diff --git a/Cargo.toml b/Cargo.toml
index 0d6fd15..4a06d65 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,7 +22,6 @@ actix-web = "2.0"
simplelog = "0.8"
percent-encoding = "2.1"
port_check = "0.1"
-htmlescape = "0.3.1"
bytesize = "1.0.0"
nanoid = "0.3"
alphanumeric-sort = "1.4.0"
diff --git a/src/listing.rs b/src/listing.rs
index 0ffa2df..89d4e6c 100644
--- a/src/listing.rs
+++ b/src/listing.rs
@@ -4,7 +4,6 @@ use actix_web::http::StatusCode;
use actix_web::web::Query;
use actix_web::{HttpRequest, HttpResponse, Result};
use bytesize::ByteSize;
-use htmlescape::encode_minimal as escape_html_entity;
use percent_encoding::{percent_decode_str, utf8_percent_encode, AsciiSet, CONTROLS};
use qrcodegen::{QrCode, QrCodeEcc};
use serde::Deserialize;
@@ -209,8 +208,7 @@ pub fn directory_listing(
};
// show file url as relative to static path
let file_url = utf8_percent_encode(&p.to_string_lossy(), FRAGMENT).to_string();
- // " -- &quot; & -- &amp; ' -- &#x27; < -- &lt; > -- &gt;
- let file_name = escape_html_entity(&entry.file_name().to_string_lossy());
+ let file_name = entry.file_name().to_string_lossy().to_string();
// if file is a directory, add '/' to the end of the name
if let Ok(metadata) = entry.metadata() {
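Review bot: `file_name` is now a raw, unescaped string taken from the directory entry, and the removed comment leaves nothing to tell the next reader that HTML safety rests entirely on the renderer. The template is outside this hunk, so it is worth confirming that every place `file_name` reaches markup goes through the template engine's escaping interpolation and never through a pre-escaped or raw-HTML path. I would record that at the assignment, e.g. `// raw name, NOT HTML-escaped: must only be emitted via the template's escaping interpolation`. As a small style point, `.to_string_lossy().to_string()` can be written `.to_string_lossy().into_owned()`. The body of `directory_listing` starts and ends outside this hunk.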
@@ -309,7 +307,7 @@ pub fn directory_listing(
path = &dir.path.display().to_string()
);
- let filename = format!(
+ let file_name = format!(
"{}.{}",
dir.path.file_name().unwrap().to_str().unwrap(),
compression_method.extension()
@@ -337,7 +335,7 @@ pub fn directory_listing(
.header("Content-Transfer-Encoding", "binary")
.header(
"Content-Disposition",
- format!("attachment; filename={:?}", filename),
+ format!("attachment; filename={:?}", file_name),
)
.body(actix_web::body::BodyStream::new(rx)),
))
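Review bot: The `Content-Disposition` value on the renamed line is still built with `{:?}`, which applies Rust's Debug escaping rather than the quoted-string and `filename*` encoding defined in RFC 6266. A directory name containing control or non-ASCII characters would therefore reach the client as `\u{…}` sequences or raw UTF-8 bytes, which browsers interpret inconsistently. Since `percent_encoding` is already imported in this file, consider sending a `filename*=UTF-8''…` parameter with the percent-encoded name next to an ASCII-only `filename=` fallback. The name itself comes from `to_str().unwrap()` in the previous hunk, which panics on a non-UTF-8 directory name; both lines sit inside `directory_listing`, whose body extends beyond these hunks.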
diff --git a/tests/fixtures/mod.rs b/tests/fixtures/mod.rs
index cec912a..49ed7bd 100644
--- a/tests/fixtures/mod.rs
+++ b/tests/fixtures/mod.rs
@@ -8,7 +8,7 @@ pub type Error = Box<dyn std::error::Error>;
/// File names for testing purpose
#[allow(dead_code)]
-pub static FILES: &[&str] = &["test.txt", "test.html", "test.mkv"];
+pub static FILES: &[&str] = &["test.txt", "test.html", "test.mkv", "test \" \' & < >.csv"];
/// Directory names for testing purpose
#[allow(dead_code)]
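Review bot: The added fixture name contains `"`, `<` and `>`, which Windows file systems reject, so fixture creation would presumably fail if this suite is ever run there. If Windows is a supported test target, gate that entry with `#[cfg(not(windows))]` or keep the special-character names in a separate list used only by Unix tests. The doc comment above `FILES` could also say why the entry exists, e.g. `/// The last entry contains HTML-significant characters (regression test for #354)`.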
diff --git a/tests/serve_request.rs b/tests/serve_request.rs
index cc0e059..43b16a0 100644
--- a/tests/serve_request.rs
+++ b/tests/serve_request.rs
@@ -45,9 +45,16 @@ fn serves_requests_with_non_default_port(tmpdir: TempDir, port: u16) -> Result<(
let body = reqwest::blocking::get(format!("http://localhost:{}", port).as_str())?
.error_for_status()?;
let parsed = Document::from_read(body)?;
+
for &file in FILES {
- assert!(parsed.find(|x: &Node| x.text() == file).next().is_some());
+ let f = parsed.find(|x: &Node| x.text() == file).next().unwrap();
+ dbg!(f.attr("href"));
+ assert_eq!(
+ format!("/{}", file),
+ percent_encoding::percent_decode_str(f.attr("href").unwrap()).decode_utf8_lossy(),
+ );
}
+
for &directory in DIRECTORIES {
assert!(parsed
.find(|x: &Node| x.text() == directory)
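Review bot: The new assertions catch double-escaping but would also pass if the listing applied no escaping at all. An HTML parser reads `<` followed by a space and a bare `&` as plain text, so `x.text() == file` holds either way for `test " ' & < >.csv`. To pin the escaping that this commit now delegates to the template, also check the raw response: read it with `.text()?`, assert something like `body.contains("&lt;")`, and only then parse it. The `dbg!(f.attr("href"))` line looks like a debugging leftover and can be dropped. The test function starts above this hunk and continues below it.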