dearsky/numa
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 25 Wiki Activity

address PR review: SRV port, drop spike, percent-encoded paths

Browse Source 
- SRV record uses first service's port (was 0, confused dns-sd -L)
- Remove examples/mdns_coexist.rs (served its purpose as spike)
- Reject percent-encoding in route paths (defense-in-depth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Razvan Dimescu
2026-03-23 11:21:09 +02:00
parent 4748a4a4bb
commit 53ae4d1404
3 changed files with 6 additions and 214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/api.rs
View File

@@ -777,8 +777,11 @@ async fn add_route(
if req.path.is_empty() || !req.path.starts_with('/') {
return Err((StatusCode::BAD_REQUEST, "path must start with /".into()));
}
if req.path.contains("/../") || req.path.ends_with("/..") {
return Err((StatusCode::BAD_REQUEST, "path must not contain '..'".into()));
if req.path.contains("/../") || req.path.ends_with("/..") || req.path.contains("%") {
return Err((
StatusCode::BAD_REQUEST,
"path must not contain '..' or percent-encoding".into(),
));
}
if req.port == 0 {
return Err((StatusCode::BAD_REQUEST, "port must be > 0".into()));